Anatomy of an animated cursor attack

By ryan naraine April 5, 2007, 11:33 AM PDT

Image
1
of 9

The source of the problem

Earlier this week, Microsoft shipped an emergency out-of-band patch to block zero-day attacks against a code execution hole in the way Windows handles animated cursor (.ani) files. This gallery provides a visual look at elements of the hacker attacks, including malicious Web sites, the exploit in action and the adult-themed spam-run linked to the attacks.rn

rnAnimated cursors are a feature that allows a series of frames to appear at the mouse pointer location instead of a single image. The Animated Cursors feature is designated by the .ani suffix. rn

Image source: F-Secure.

Detecting an exploit site

Exploit Prevention Labs offers a LinkScanner service that pinpoints Web-based exploits. This image shows that a prominent news site was rigged with a .ani exploit.

The Firefox attack vector

Determina researcher Alexander Sotirov proved that .ani exploits could be launched against Firefox users. This shows an exploit against Firefox running on Windows Vista. rn

Image source: Determina.

Maliciously rigged site

Evidence shows that several Chinese sites were rigged with IFRAME exploits launching .ani attacks. rn

Source: Websense Security Labs.

Forums delivering payloads

A Chinese Web forum launches drive-by downloads on vulnerable Windows users.rn

Source Websense Security Labs.

Another iFrame exploit

More evidence of Chinese sites rigged with .ani exploits.rn

Source Websense Security Labs.

Hot Britney pics

At the height of the attacks, e-mail spam lures promising “hot Britney pics” were being used.rn

rnSource: Websense Security Labs.

Exploit timeline

From the first public report by malware-test on March 27 until today, the day after MS07-017 was released, you can see nearly day on day doubling or worse.rn

Source: Arbor Networks.

Microsoft ships an emergency update

On April 3, a week after the first attack reports surfaced, Microsoft shipped an out-of-band update that includes patches for seven vulnerabilities.

By ryan naraine

Account Information

Contact ryan naraine

Your message has been sent
|
See all of ryan's content

Cybersecurity demands and the stakes of failing to properly secure systems and networks are high. While every organization’s specific security needs form a unique and complex blend of interconnected requirements, numerous security fundamentals almost always apply to each of these groups. It stands to reason that cybersecurity pros who effectively identify network and systems risks ...

In this guide from TechRepublic Premium we’re going to explore the various things you can do with a Linux server. We won’t leave out any steps, so you won’t have to refer to another tutorial to complete the process. The only step we will leave out is the installation of Linux, as we’ll assume you ...

If you want to deploy applications into a Kubernetes cluster, be warned — it’s not the easiest task. There are a lot of moving pieces that go into these scalable containers. Don’t you wish you had a complete roadmap, from start to finish, to walk you through the process of deploying the Kubernetes cluster, deploying ...