Monday, April 02, 2007

When Cursors Attack

Black-hat hackers have begun to exploit an unpatched Windows vulnerability that can be used to compromise PCs or send them into an interminable crash loop.

It is suspected that bad guys spent the weekend seeding web sites and spam emails with the attack in preparation for the start of the working week, so be on your toes this morning.

The vulnerability is in how pretty much all modern versions of Windows handle animated cursors in the ANI file format. Microsoft has known about it since December 20, but has yet to release a patch.
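As an added illustration, not code from the original article, from Microsoft or from any of the vendors it names, here is a small Python scanner for the ANI container the article describes. An ANI file is a RIFF container with form type ACON; its header lives in an anih chunk whose payload is the 36-byte ANIHEADER (nine 32-bit fields, the first of which repeats that size). The scanner walks the chunk list, descends into LIST chunks, and flags files whose anih chunk declares a length other than 36, whose cbSizeof field disagrees with the chunk length, that carry more than one header chunk, or that declare a chunk running past the end of the data. The RIFF layout and the ANIHEADER size are format facts; which anomalies to flag is this example's own choice for a mail or web gateway filter, not a description of the Windows parser or of the exploit. The sample files are constructed inline.

```python
"""Flag structurally suspicious animated-cursor (ANI) files before they reach a client."""
import struct
import sys

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian 32-bit fields


def iter_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_size) for consecutive RIFF chunks in [offset, end)."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from('<I', data, offset + 4)[0]
        payload = offset + 8
        yield fourcc, payload, size
        offset = payload + size + (size & 1)  # RIFF chunks are padded to an even length


def scan_ani(data):
    """Return a list of (code, detail) findings; an empty list means the file looks well-formed."""
    findings = []
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return [('not-acon', 'missing RIFF/ACON signature')]
    # Never trust the RIFF length field beyond the bytes actually present.
    end = min(len(data), 8 + struct.unpack_from('<I', data, 4)[0])
    anih_seen = 0

    def walk(offset, limit):
        nonlocal anih_seen
        for fourcc, payload, size in iter_chunks(data, offset, limit):
            if payload + size > limit:
                findings.append(('chunk-overrun',
                                 f'{fourcc!r} at {payload - 8} declares {size} bytes past end of data'))
                return False
            if fourcc == b'anih':
                anih_seen += 1
                if size != ANIH_SIZE:
                    # A parser that copies this chunk into a fixed ANIHEADER must reject it.
                    findings.append(('anih-size',
                                     f'anih at {payload - 8} declares {size} bytes, expected {ANIH_SIZE}'))
                elif struct.unpack_from('<I', data, payload)[0] != ANIH_SIZE:
                    findings.append(('anih-cbsizeof', 'cbSizeof field disagrees with chunk length'))
            elif fourcc == b'LIST' and size >= 4:
                # LIST payload = 4-byte list type followed by nested chunks.
                if not walk(payload + 4, payload + size):
                    return False
        return True

    if walk(12, end):
        if anih_seen == 0:
            findings.append(('no-anih', 'cursor has no header chunk'))
        elif anih_seen > 1:
            findings.append(('multiple-anih', f'{anih_seen} header chunks; a cursor needs exactly one'))
    return findings


# --- constructed sample files (not real cursors, not taken from any attack) ---
def chunk(fourcc, payload):
    return fourcc + struct.pack('<I', len(payload)) + payload + (b'\0' if len(payload) & 1 else b'')


def build_ani(chunks):
    body = b'ACON' + b''.join(chunks)
    return b'RIFF' + struct.pack('<I', len(body)) + body


# cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
ANIH = struct.pack('<9I', ANIH_SIZE, 1, 1, 0, 0, 0, 0, 2, 1)
FRAMES = chunk(b'LIST', b'fram' + chunk(b'icon', b'\x00' * 16))  # placeholder icon payload
BENIGN = build_ani([chunk(b'anih', ANIH), FRAMES])
OVERSIZED = build_ani([chunk(b'anih', ANIH), FRAMES, chunk(b'anih', b'A' * 200)])
OVERRUN = build_ani([b'anih' + struct.pack('<I', 0x1000) + ANIH])  # lies about its length
NOT_ACON = b'RIFF' + struct.pack('<I', 4) + b'WAVE'

if __name__ == '__main__':
    samples = {'benign': BENIGN, 'oversized': OVERSIZED, 'overrun': OVERRUN, 'not-acon': NOT_ACON}
    for path in sys.argv[1:]:
        with open(path, 'rb') as fh:
            samples[path] = fh.read()
    for name, blob in samples.items():
        print(name, scan_ani(blob) or 'ok')
```

Run it with no arguments to see the constructed samples classified, or pass file paths to scan real cursors; anything that is not an empty finding list is a candidate for quarantine rather than delivery.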

Several security watchers, including the SANS Institute, raised their blanket threat levels on Friday - a fairly rare occurrence - after exploit code was found online and a number of attacks emerged.

"The result is that by simply going to a web site a user's computer can be completely compromised. In excess of 200 million Windows users are likely to be at risk," said Randy Abrams, director of technical education at antivirus vendor Eset.

McAfee Inc said late Friday it "has detected many web sites linking to other sites that attempt to exploit this vulnerability. We have also observed a spam run that tries to lure its recipients to web sites hosting code exploiting this vulnerability."

The company had earlier in the week posted a video showing how an exploit could be crafted that would spin Windows Vista into a crash-loop, where Windows Explorer would crash, reboot then crash again, indefinitely.

But it appears now that the exploit is being used to deliver malware that can turn PCs into bots under the control of the attackers.

Trend Micro Inc has been aware of a Trojan program, which it calls Anicmoo, exploiting the vulnerability since Thursday. Microsoft called these attacks "very limited" and "targeted".

But, based on McAfee's observation of a spam run linking to the exploit, it appears the attacks are no longer being narrowly targeted. Nor is the payload a denial of service any more; it is a full code-execution attack.

Fully patched Vista and XP are vulnerable to the attack, regardless of Service Pack level. Internet Explorer 7 running on Vista in Protected Mode is not affected, according to Microsoft.

As the attack comes in through the browser or HTML email in Outlook, one partial workaround is to switch Outlook to display email as text-only. That closes the email vector but does nothing for the web vector, so it is no substitute for a patch.

eEye Digital Security Inc and the Zeroday Emergency Response Team both released unofficial patches for the problem. These, as usual, are not officially endorsed by Microsoft.

Several antivirus vendors, including Microsoft, have also released signatures for the malware that uses the exploit code.

According to Microsoft, the vulnerability was discovered and quietly revealed to Microsoft by Determina Inc in December. McAfee found the in-the-wild attacks last week.

"We have been working on this investigation since December to fully understand the issue and have been working to develop a comprehensive update," Microsoft's Christopher Budd said on the Microsoft Security Response Center blog.