 Kiwi Premium join:2003-05-26 USA | reply to Name Game Re: Microsoft Security Advisory (935423) Vulnerability in Window
Ah, confirmed Trojan
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to Name Game Eset has been detecting since Friday morning. Eset has a blog on the exploit.
»eset.com/threat-center/blog/
The list of AV protecting at SANS is NOT up to date. Symantec has been protecting since yesterday and has an Advisory out. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| said by Mele20 :Eset has been detecting since Friday morning. Eset has a blog on the exploit. »eset.com/threat-center/blog/ The list of AV protecting at SANS is NOT up to date. Symantec has been protecting since yesterday and has an Advisory out.
Never heard of those companies..but I know Microsoft is detecting the animated cursor. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to NICK ADSL UK There is a worm now propagating from China using the exploit code.
Kaspersky protects against it. I haven't heard about any other AV vendors protecting yet.
»www.cisrt.org/enblog/read.php?68 -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/
 Mele20 Premium join:2001-06-05 Hilo, HI | reply to Name Game Did you forget a smilie?
I'm sure you have heard of Eset (NOD32) and we all know about Norton! So, that was meant as a sarcastic reply?
 Kiwi Premium join:2003-05-26 USA
·Comcast
·Aristotle Internet
| said by Mele20 :Did you forget a smilie? I'm sure you have heard of Eset (NOD32) and we all know about Norton! So, that was meant as a sarcastic reply?
I don't know the site you linked, but there is no worm code there, it's all trojan based MD5 hash. Not sure I would venture out of known waters
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to Mele20 said by Mele20 :Did you forget a smilie? I'm sure you have heard of Eset (NOD32) and we all know about Norton! So, that was meant as a sarcastic reply?
I think they are all working on the ones they can find.. ..but so far it really seems to be a no show..and a few duds. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
  anidat
| reply to Mele20 "Kaspersky protects against it. I haven't heard about any other AV vendors protecting yet."
Is this what you are talking about? »www.symantec.com/security_respon···-3019-99
 Mele20 Premium join:2001-06-05 Hilo, HI
| No, I am talking about the new WORM, not the Trojan, that the Chinese Internet Security Response Team is saying is being seen in China. I gave the link to the CISRT site but for those suspicious of it, I got the link both from GRC News groups and from »www.websense.com/securitylabs/al···rtID=763
  bettywont Premium join:2004-09-11 Montreal, QC | reply to Name Game Name Game and all thanks
If anyone applied the patch, does it show up in ''ADD/REMOVE''? Where exactly does it show up, please!!
 Kiwi Premium join:2003-05-26 USA
·Comcast
·Aristotle Internet
| reply to Mele20 It's a trojan. No matter the alternate flavours of site reference. OK, someone link an actual site; without the http [So others don't get infected].
I happily took care of worms and virus activity on the fly; until it was no longer fun [Large numbers]. I still don't have a complete grip on root kits, but I do on Trojans, malware, spyware and viruses.
The bottom line is this is no more extreme than anything else. Provided locked sites are not involved, I still don't have a real problem with this threat.
On the whole this is still a surfing habit issue.
 Mele20 Premium join:2001-06-05 Hilo, HI
| I don't think that Websense would provide a link to an infected site. If they did and Fx turns out to be vulnerable then I guess I got infected (as I have not applied the temporary patch).
Yes, it is a TROJAN, but there is a WORM now also that is playing off the TROJAN. Maybe I am just not explaining it well.
 Kiwi Premium join:2003-05-26 USA
·Comcast
·Aristotle Internet
| It's a Trojan. I would like to get a link though, but not something that would infect others; meaning leave the http out.
I don't have a problem going to bad sites, though that's not my normal habit. My habits are simple. Based on research, I don't go to marginal sites; sometimes it becomes necessary
  swhx7 Premium join:2006-07-23 Elbonia
·RoadRunner Cable
| reply to AB On the Javascript question: It's not important, but Argle Bargle I believe you misread the article. JS was used for redirection according to the sentence in one paragraph quoting Andreas Marx, and other later mentions of Javascript either refer to the redirection or to previous attacks. It is written unclearly.
But the important point is, Javascript is not necessary to the attack. And therefore, turning off Javascript will not protect against it. You can see this in the code sample in my post, and from the samples in the Gecko documentation page, and in the proof of concept page which Mele linked to: in each case, all it takes is CSS lines to deliver the malicious file.
It's true that Javascript could be used to enhance an attack, for example by redirection, by using JS to write out CSS lines, or in some other way, but it's not really an issue here.
Credit to Modemhead for pointing out the Gecko documentation page. It confirms that Mozilla browsers won't cause execution of the malicious files, unless maybe in very recent versions if that page is outdated. But my version of Seamonkey is current and it did not respond to an .ani file, as I recounted above.
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to NICK ADSL UK The POC mentioned in »Re: Microsoft Security Advisory (935423) Vulnerability in Window
I was doing it wrong. You have to leave off the .html and add .ani instead. When I did that, Fx gave me a page with a bunch of question marks, some text and some gibberish.
When I tried it on IE, it promptly offered to download an animated cursor file. I downloaded it to disk and saved it in my Downloaded Programs folder. I then tried to use Explorer to navigate to the file which I intended to scan with Avira. I couldn't even get into that folder before Explorer crashed. I have Hardware DEP on Opt Out so it looks to me that DEP is not a protection. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/
  swhx7 Premium join:2006-07-23 Elbonia
·RoadRunner Cable
1 edit | You weren't doing it wrong. The POC page is hxxp://sicotik.com/ink/test.html. This is a regular HTML page except that it has a CSS statement specifying the .ani file. This is the way the exploit would normally work. The result should be nothing but a regular page on Firefox. With IE the expected result will vary depending on IE version, Windows version, service pack and hardware.
If you substitute .ani for .html then you're just linking to the .ani file directly instead of letting the browser get it when instructed to by the page. Being a binary it will just display as junk on Firefox; but IE will offer to download and run it.
Edit: Readers, don't use that link if you don't know what you're doing. It's not malicious, but it might crash some programs. If you're just wanting to know how to avoid infection, use Firefox instead of IE until Microsoft puts out a patch and you've installed it, and avoid Microsoft email programs.
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
1 edit | reply to swhx7 said by swhx7 :On the Javascript question: It's not important, but Argle Bargle I believe you misread the article. JS was used for redirection according to the sentence in one paragraph quoting Andreas Marx, and other later mentions of Javascript either refer to the redirection or to previous attacks. It is written unclearly. But the important point is, Javascript is not necessary to the attack. And therefore, turning off Javascript will not protect against it. You can see this in the code sample in my post, and from the samples in the Gecko documentation page, and in the proof of concept page which Mele linked to: in each case, all it takes is CSS lines to deliver the malicious file. It's true that Javascript could be used to enhance an attack, for example by redirection, by using JS to write out CSS lines, or in some other way, but it's not really an issue here. Credit to Modemhead for pointing out the Gecko documentation page. It confirms that Mozilla browsers won't cause execution of the malicious files, unless maybe in very recent versions if that page is outdated. But my version of Seamonkey is current and it did not respond to an .ani file, as I recounted above.
Name: Exploit:W32/Ani.C
Alias: TROJ_ANICMOO.AX, Trojan-Downloader.Win32.Ani.g, Exploit:W32/Ani.D, Troj/Animoo-U, Exploit-ANIfile.c trojan, Exploit:W32/Ani.E
Size: Random
Type: Trojan-Downloader, Exploit
Category: Malware
Platform: W32
Date of Discovery: March 29, 2007
Summary: Exploit:W32/Ani.C is a trojan that exploits a vulnerability in Windows animated cursor handling, .ANI files, in order to download and install other malware to the system.
Detailed Description: Ani.C is a trojan that takes advantage of a Vulnerability in Windows Animated Cursor Handling (Security Advisory 935423), in order to download other malicious files from the Internet.
These malicious animated cursor (.ANI) files can be hosted on websites and can trigger code execution upon visiting such sites. They can also be embedded in specially crafted e-mails or attachments within the e-mail that upon reading or previewing can cause the system to execute the code.
This trojan was seen hosted at the following site:
ht tp://newasp.com.cn/[REMOVED].jpg
Other sites found also link to or load the malicious .ANI file:
ht tp://newasp.com.cn/[removed].htm
ht tp://bc0.cn/[removed].js
Upon successful execution, this trojan may download other malware via the Internet and execute it on the system. Below are the download sites used:
ht tp://newasp.com.cn/[removed].exe - Trojan-PSW:W32/Agent.IM
ht tp://61.218.38.35/images/[removed].exe - Trojan-Downloader:Win32/Tiny.GG
ht tp://220.71.76.xxx/wincf.exe - Trojan-Downloader:W32/Small.EKV
»www.f-secure.com/v-descs/exploit···_c.shtml -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to swhx7 OK. I see what you are saying. Thanks.
I was just going on what someone said on the GRC Newsgroup. But doing it to link directly to the file was ok in the sense that I was able to download it and demonstrate that Explorer does crash when it gets anywhere near the location of that file.
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
| reply to Mele20 Microsoft has its priorities well placed ...
said by Mele20 :I have always read my incoming email in OE in Plain Text. That has been excellent protection until this. Alexander Sotirov from Determina recommends reading ALL MAIL with Telnet. That is sure going to be fun.
I use a really old version of Mailwasher (2.0.28 beta) to screen, preview and scrub junk while it's on my ISP's POP server. It's been quite effective and requires minimal effort.
What really gripes me is that Microsoft has not issued a fix for this, but I just saw the second non-patch Tuesday WGA update notification. MS didn't wait for patch Tuesday to issue these "high priority updates".
[sarcasm] But I'm sure that WGA updates must be a more meaningful priority for users than these insignificant little security holes. But at least I know if my systems become infected, they'll be using "genuine copies" of a vulnerable OS. [/sarcasm] -- 03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy...
  NICK ADSL UK Premium,MVM join:2004-02-22
| reply to NICK ADSL UK Re: Microsoft Security Advisory (935423) Vulnerability in Window
Microsoft Security Advisory (935423) Vulnerability in Windows Animated Cursor Handling Published: March 31, 2007
Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.
As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources. Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability. Microsoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks. Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
Revisions:
March 29, 2007: Advisory published
March 29, 2007: Advisory revised to add additional information regarding Outlook 2007 in the Mitigations Section. The Workarounds Section also updated to clarify impact and use of plain text email on Windows Mail and Outlook Express
March 31, 2007: Advisory revised to add additional information regarding Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2 in the Related Software section.
»www.microsoft.com/technet/securi···423.mspx -- Wilders Security Forum Admin Microsoft MVP-Windows Security