E-mail Scam Using .ANI Exploit Proves a Point
By Scott M. Fulton, III | Published April 5, 2007, 10:00 AM
PERSPECTIVE Just days after BetaNews, responding to a reader's question about how the Windows Animated Cursor exploit affects users who don't use animated cursors, hypothetically suggested that a phishing site could e-mail .ANI files disguised as revealing pictures of celebrity Britney Spears, researchers at WebSense Security Labs discovered an apparent e-mail spamming source which does precisely that.
Apparently users began receiving e-mails with the subject line, "Hot Pictures of Britiney Speers" (note the intentional misspelling to bypass filters). Users clicking on the embedded links were apparently taken to one of any number of Web sites that utilize so-called obfuscated JavaScript - the replacement of easy-to-read code with mangled symbols that can still be parsed by the interpreter - to redirect users to a single site. There, the .ANI animated cursor exploit BetaNews reported on last week is delivered as a Trojan horse file.
As I explained to BetaNews reader maximum last Friday, "In the video you might have seen [on YouTube], the document that triggered the crash loop doesn't appear on the desktop to be an .ANI file. It looks like something that anyone could name, 'Click here for more pictures of Britney Spears' underpants.' So it doesn't have to pass itself off as a cursor file in order to be malicious."
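The point above is that the attachment need not carry an .ani extension to reach the cursor loader, so any filter keyed on the file name is blind to it. The following added example (not BetaNews code, nor from any of the vendors named) identifies an animated cursor by its RIFF/ACON header regardless of name, and flags an anih chunk whose declared length differs from the 36-byte ANIHEADER structure; the 36-byte figure and the sample files are my assumptions and constructed test data, not taken from the article.

```python
import struct

# The ANIHEADER structure is nine 32-bit fields; a well-formed anih
# chunk therefore declares exactly 36 bytes (assumed standard size).
ANIH_SIZE = 36


def parse_riff_chunks(data):
    """Yield (fourcc, declared_size, payload) for each top-level RIFF chunk."""
    pos = 12  # skip "RIFF" + size + form type ("ACON")
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        yield fourcc, size, payload
        pos += 8 + size + (size & 1)  # chunks are padded to even length


def inspect_attachment(name, data):
    """Return findings for one attachment; the file name is never trusted."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return findings  # not an animated cursor, whatever it is called
    findings.append("RIFF/ACON animated cursor")
    if not name.lower().endswith((".ani", ".cur")):
        findings.append("extension mismatch: %s is an ANI" % name)
    for fourcc, size, _payload in parse_riff_chunks(data):
        if fourcc == b"anih" and size != ANIH_SIZE:
            findings.append("anih chunk declares %d bytes, expected %d"
                            % (size, ANIH_SIZE))
    return findings


def build_ani(anih_len):
    """Construct a minimal ANI (RIFF header plus one anih chunk) as test data."""
    body = b"ACON" + b"anih" + struct.pack("<I", anih_len) + b"\0" * anih_len
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    # Constructed samples: a normal cursor, and a cursor posing as a picture.
    for name, blob in [("cursor.ani", build_ani(36)),
                       ("hot_pix.jpg", build_ani(100)),
                       ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 20)]:
        print(name, inspect_attachment(name, blob))
```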
Engineers at Sophos Labs then independently verified the existence of the phishing sites and gave an exclusive identity to the Trojan, calling it Troj/Iffy-A. No information has been given yet as to its unique behavior, if it has any. The company says the central Web site from which the exploit is launched is located (once again) in Russia. It also acknowledged that this is far from the first e-mail/Trojan pairing to use Spears or any other celebrity's (misspelled) name as an enticement.
Sophos' senior technology consultant issued this warning yesterday: "The message is simple: You must patch your computers against this vulnerability now or risk infection. Hackers are exploiting people's tardiness in rolling out updates and looking to infect as many PCs as they can. Microsoft issued a patch for the problem yesterday, but the hackers will continue to take advantage of the critical security loophole for as long as they can."
But just before that warning was issued, a problem cropped up which may extend those hackers' window of opportunity: Microsoft acknowledged a problem that stems from the patch it issued for Windows systems that were vulnerable to the .ANI file exploit.
A new hotfix has been issued for systems negatively impacted after the patch was installed, including those susceptible to giving users cryptic "Illegal System DLL Relocation" messages after restarting.
The British journal Virus Bulletin reported today that Microsoft may issue a "Patch Tuesday" fix for the fix after all, next Tuesday. In the meantime, we at BetaNews will be extra careful from now on, in case we end up giving Russian "phishermen" any new bad ideas.
Anyone who opens "Hot Pix of Brtiney Speers" deserves to get infected. That's just plain dumb.
Score: 0
Considering hot and Spears shouldn't be in the same sentence..yep.
Score: 0
Scott M. Fulton, III: you have a thing for Britney, don't you.
Score: 0
You gotta love when news sites pat themselves on the back...nothing more professional than that.
I can see it now on MSNBC:
"Nuke going off in NY proves MSNBC point too well:
Just days after informing our users on how to acquire nukes, terrorists acquired the nukes and blew it up in NY. We hate (or not) to tell the world we (MSNBC) told you so, but WE TOLD YOU SO!! We DO know what we're talking about! HAHA!"
Score: 0
Yeah, the editors here are great. If it's not copy and paste previous news to give weak news some meat, it's gloating or bashing. This one gets them all in.
Score: 0
I think I'm going to have to fast on betanews before mix07.
putting smf3 and me in the same room after reading an article like this would not be a good idea.
Score: 0
Anybody who opens emails from addresses they don't know about - and especially perverted emails - deserves to be exploited. And people who would do this, would open just about anything anyway.
Score: 0
Neoprimal you are wrong. Nobody deserves to be exploited. Not someone's children, not someone's aging parents or relatives, not someone who uses a computer in an honest way. There are millions of computer users who are just living their lives, paying their taxes, supporting their families, helping their friends and neighbors....good people who don't deserve bad things to happen to them from criminals.
Score: 0
As a support person in the IT world, I see this more as an education issue, or more directly a lack thereof. We require training and licenses to operate cars, it might not be a bad thing for computer ownership, or at least internet usage.
When people operate cars without training or licenses, bad things happen to them and others. Similar consequences happen when people use computers without proper education.
Score: 0
I'm also a support person in IT. I think people should actually *think*. Opening an email because it promises explicit pictures and then complaining about being infected is kinda like going into a red light district and then complaining about STDs. There can be honest mistakes (such as when it looks legit and comes from a friend), but this is stupidity and I can't really feel sorry for them.
Score: 0
I don't think kids and grandparents and innocent people would open emails which claim to show or have anything to do with 'Britney Spears Underpants', therefore I unfortunately maintain my p.o.v. that they deserve to be exploited.
Now, you ARE right that innocent people don't deserve to be exploited, but let's be realistic here - nowadays people are pelted with the fact that they need to be mindful and careful with the emails they decide to open. Don't open emails from addresses you don't recognize and from people you don't know - it's SOOOO simple. So, why would ANYONE go ahead and do it? Kids you say? Kids don't go out and drive cars....parents/guardians need to show the same amount of respect with securing the internet because I tell you this, much worse things can happen to kids/old folks who don't know how to deal with being online.
Score: 0
You're not living up to your alias.
In the real world, the folks who put forth the effort and take responsibility deserve what they get....as do those who don't.
I don't care how loving, honest, and good you are. If you're an idiot, you'll be used and abused. That simple.
Score: 0