Anatomy of an animated cursor attack
The source of the problem
Earlier this week, Microsoft shipped an emergency out-of-band patch to block zero-day attacks exploiting a code execution hole in the way Windows handles animated cursor (.ani) files. This gallery provides a visual look at elements of the attacks, including malicious Web sites, the exploit in action and the adult-themed spam run linked to them.

Animated cursors are a feature that lets a series of frames appear at the mouse pointer position instead of a single image. Animated cursor files are identified by the .ani suffix.
Image source: F-Secure.
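An .ani file is a RIFF container: a "RIFF" header with form type "ACON", followed by chunks that each carry a four-character code, a 32-bit little-endian length and a payload. The "anih" chunk holds the 36-byte animation header. The scanner below is an added example, not code from this page or from any of the vendors it cites; it walks those chunks and flags files whose anih chunk declares a length other than 36 bytes, that carry more than one anih chunk, or whose chunk lengths run past the end of the file. Those are exactly the consistency checks a parser must enforce before copying a file-supplied chunk into a fixed-size header structure. The sample files are constructed inline, and a mismatch is a structural red flag rather than proof that a given file is an exploit.

```python
import struct

# sizeof(ANIHEADER): nine 32-bit little-endian fields (cbSizeof, cFrames, cSteps,
# cx, cy, cBitCount, cPlanes, JifRate, flags).
ANIH_HEADER_SIZE = 36


def _chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_size) for each RIFF chunk in data[offset:end]."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from("<I", data, offset + 4)
        yield fourcc, offset + 8, size
        # RIFF chunks are word-aligned: an odd-sized payload is followed by one pad byte.
        offset += 8 + size + (size & 1)


def scan_ani(data):
    """Return a list of findings for an .ani file; an empty list means no structural problem found.

    Checks: RIFF/ACON signature, RIFF length vs. file length, every chunk's declared
    length vs. the bytes that actually remain, exactly one anih chunk, and that the
    anih chunk (and its own cbSizeof field) is exactly 36 bytes.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if 8 + riff_size > len(data):
        findings.append("RIFF size %d exceeds file length %d" % (riff_size, len(data)))
    end = min(len(data), 8 + riff_size)

    anih_count = 0
    for fourcc, payload, size in _chunks(data, 12, end):
        if payload + size > end:
            findings.append("chunk %s at offset %d declares %d bytes, only %d remain"
                            % (fourcc.decode("latin-1"), payload - 8, size, end - payload))
            break  # the remaining layout cannot be trusted
        if fourcc != b"anih":
            continue
        anih_count += 1
        if size != ANIH_HEADER_SIZE:
            # A parser that copies this chunk into a fixed 36-byte header struct using
            # the file-supplied length would overrun its buffer; refuse the file instead.
            findings.append("anih chunk #%d at offset %d declares %d bytes, expected %d"
                            % (anih_count, payload - 8, size, ANIH_HEADER_SIZE))
            continue
        (cb_sizeof,) = struct.unpack_from("<I", data, payload)
        if cb_sizeof != ANIH_HEADER_SIZE:
            findings.append("anih cbSizeof field is %d, expected %d" % (cb_sizeof, ANIH_HEADER_SIZE))
    if anih_count == 0:
        findings.append("no anih chunk")
    elif anih_count > 1:
        findings.append("%d anih chunks; a well-formed cursor has one" % anih_count)
    return findings


# --- Constructed sample files (built here for the example, not real captures) ---------

def _chunk(fourcc, payload):
    """Encode one RIFF chunk, adding the pad byte for odd-sized payloads."""
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def _riff_acon(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def _anih():
    # One 32x32 frame, one step, 32 bpp, one plane, 10 jiffies per frame, icon flag set.
    return struct.pack("<9I", ANIH_HEADER_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)


# Well-formed: one 36-byte anih chunk and an (empty) LIST/fram chunk.
BENIGN_ANI = _riff_acon([_chunk(b"anih", _anih()), _chunk(b"LIST", b"fram")])
# Malformed: a second anih chunk whose length field is far larger than the header.
OVERSIZED_ANI = _riff_acon([_chunk(b"anih", _anih()), _chunk(b"anih", b"A" * 256)])
# Malformed: a file cut off before its anih chunk ends.
TRUNCATED_ANI = BENIGN_ANI[:-20]

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_ANI), ("oversized", OVERSIZED_ANI), ("truncated", TRUNCATED_ANI)]:
        print(name, scan_ani(blob) or "ok")
```

To check a real file, read it in binary mode and pass the bytes to scan_ani; the function never dereferences a file-supplied length without first checking it against the bytes that remain, which is the discipline the native parser needs as well.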
Detecting an exploit site
Exploit Prevention Labs offers a LinkScanner service that pinpoints Web-based exploits. This image shows that a prominent news site was rigged with a .ani exploit.
The Firefox attack vector
Determina researcher Alexander Sotirov proved that .ani exploits could be launched against Firefox users. This shows an exploit against Firefox running on Windows Vista.
Image source: Determina.
Maliciously rigged site
Evidence shows that several Chinese sites were rigged with IFRAMEs launching .ani exploits.
Source: Websense Security Labs.
Forums delivering payloads
A Chinese Web forum launches drive-by downloads against vulnerable Windows users.
Source: Websense Security Labs.
Another IFRAME exploit
More evidence of Chinese sites rigged with .ani exploits.
Source: Websense Security Labs.
Hot Britney pics
At the height of the attacks, e-mail spam lures promising “hot Britney pics” were being used.

Source: Websense Security Labs.
Exploit timeline
From the first public report, by malware-test on March 27, until today, the day after MS07-017 was released, the chart shows roughly day-on-day doubling, or worse.
Source: Arbor Networks.
Microsoft ships an emergency update
On April 3, a week after the first attack reports surfaced, Microsoft shipped an out-of-band update that patched seven vulnerabilities.