Security

Anatomy of an animated cursor attack

By · April 6, 2007, 4:10 AM PST

Image 1 of 9

  • The source of the problem

    Earlier this week, Microsoft shipped an emergency out-of-band patch to block zero-day attacks against a code execution hole in the way Windows handles animated cursor (.ani) files. This gallery provides a visual look at elements of the hacker attacks, including malicious Web sites, the exploit in action and the adult-themed spam-run linked to the attacks.

    Animated cursors are a feature that allows a series of frames to appear at the mouse pointer location instead of a single image. The Animated Cursors feature is designated by the .ani suffix.

    Image source: F-Secure.

  • Detecting an exploit site

    Exploit Prevention Labs offers a LinkScanner service that pinpoints Web-based exploits. This image shows that a prominent news site was rigged with a .ani exploit.

  • The Firefox attack vector

    Determina researcher Alexander Sotirov proved that .ani exploits could be launched against Firefox users. This shows an exploit against Firefox running on Windows Vista.

    Image source: Determina.

  • Maliciously rigged site

    Evidence shows that several Chinese sites were rigged with IFRAME exploits launching .ani attacks.

    Source: Websense Security Labs.

  • Forums delivering payloads

    A Chinese Web forum launches drive-by downloads on vulnerable Windows users.

    Source Websense Security Labs.

  • Another iFrame exploit

    More evidence of Chinese sites rigged with .ani exploits.

    Source Websense Security Labs.

  • Hot Britney pics

    At the height of the attacks, e-mail spam lures promising "hot Britney pics" were being used.

    Source: Websense Security Labs.

  • Exploit timeline

    From the first public report by malware-test on March 27 until today, the day after MS07-017 was released, you can see nearly day on day doubling or worse.

    Source: Arbor Networks.

  • Microsoft ships an emergency update

    On April 3, a week after the first attack reports surfaced, Microsoft shipped an out-of-band update that includes patches for seven vulnerabilities.

The source of the problem

Earlier this week, Microsoft shipped an emergency out-of-band patch to block zero-day attacks against a code execution hole in the way Windows handles animated cursor (.ani) files. This gallery provides a visual look at elements of the hacker attacks, including malicious Web sites, the exploit in action and the adult-themed spam-run linked to the attacks.

Animated cursors are a feature that allows a series of frames to appear at the mouse pointer location instead of a single image. The Animated Cursors feature is designated by the .ani suffix.

Image source: F-Secure.

Related Topics:
Security Software CXO Hardware Mobility Data Centers Cloud
Show Comments