Saturday, March 31, 2007

ANI madness... The Internet is dangerous again

Hi folks,

By now (Saturday evening), probably everyone is aware that there is a new 0-day afoot.


The summary is that a few days ago, McAfee and Trend Micro both blogged about a new IE 0-day involving animated cursors (ANI files), and Microsoft confirmed it. The flaw is in how Windows parses the cursor file; IE is simply the easiest way to push one at a victim, since a page can load a cursor from any URL without the user doing anything. Interestingly, it was initially being deployed by the same group that hacked the Super Bowl web site and turned it into a drive-by download of a World of Warcraft password stealer. It's by no means clear what the new payload is at this point, but it's probably another WoW password stealer.

That wouldn't matter so much if that was all it was going to be, but the world took several dangerous turns today. First, a couple of different proofs of concept for the exploit were publicly posted, and then, to make things even easier, a web site was found that is an online generator for the exploit ANI. In other words, you just plug in your web site and payload URL, and it generates the ANI for you!
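If you have to triage files that might be one of these cursors, a structural check beats a signature, because there is no fixed payload to match. Below is an added example (mine, not code from the post or from any vendor) that walks the RIFF/ACON chunk tree of an ANI file and flags any anih chunk whose declared size is not the 36 bytes of a sane ANIHEADER, or any chunk claiming more bytes than the file holds. The 36-byte expectation is an assumption drawn from the ANI file structure, not from the post; the two sample files are constructed here for the demonstration and contain no code, just a correctly sized header and a second anih chunk with a wrong size field.

```python
import struct

# sizeof(ANIHEADER): the fixed-size structure a well-formed 'anih' chunk carries
# (9 DWORDs: cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags).
ANIH_EXPECTED_SIZE = 36


def iter_riff_chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size) for each chunk in data[start:end].

    A RIFF chunk is an ASCII fourcc, a little-endian uint32 size, then the payload,
    padded to an even length. The declared size is returned as-is, even when it
    runs past 'end', so the caller can flag it.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from('<I', data, pos + 4)[0]
        yield fourcc, pos + 8, size
        pos = pos + 8 + size + (size & 1)


def check_ani(data):
    """Return a list of findings for an animated-cursor blob; [] means nothing odd.

    Structural heuristic only: every 'anih' chunk, at any nesting level, must declare
    exactly ANIH_EXPECTED_SIZE bytes, and no chunk may claim more than the file holds.
    """
    findings = []
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return ['not a RIFF/ACON (ANI) file']
    riff_size = struct.unpack_from('<I', data, 4)[0]
    end = min(len(data), 8 + riff_size)
    anih_seen = 0

    def walk(start, stop):
        nonlocal anih_seen
        for fourcc, off, size in iter_riff_chunks(data, start, stop):
            if off + size > stop:
                findings.append(f'{fourcc!r} chunk at {off - 8} declares {size} bytes, '
                                f'only {stop - off} remain')
            if fourcc == b'anih':
                anih_seen += 1
                if size != ANIH_EXPECTED_SIZE:
                    findings.append(f'anih #{anih_seen} at {off - 8} declares {size} bytes, '
                                    f'expected {ANIH_EXPECTED_SIZE}')
            elif fourcc == b'LIST' and off + 4 <= stop:
                # LIST chunks (e.g. the 'fram' list of frames) nest further chunks: descend,
                # skipping the 4-byte list-type fourcc that leads the payload.
                walk(off + 4, min(stop, off + size))

    walk(12, end)
    if anih_seen == 0:
        findings.append('no anih chunk at all')
    return findings


def chunk(fourcc, payload):
    """Build one RIFF chunk with a correct size field and even-length padding."""
    pad = b'\0' if len(payload) & 1 else b''
    return fourcc + struct.pack('<I', len(payload)) + payload + pad


def build_ani(chunks):
    """Wrap chunks in a RIFF/ACON container with a correct overall size field."""
    body = b'ACON' + b''.join(chunks)
    return b'RIFF' + struct.pack('<I', len(body)) + body


# Constructed samples (not real cursors, no icon data, no code): a sane header, and
# the same file followed by a second anih chunk whose size field is wrong.
SANE_ANIH = struct.pack('<9I', 36, 1, 1, 0, 0, 0, 0, 1, 0)  # cbSize=36, 1 frame, 1 step
BENIGN_ANI = build_ani([chunk(b'anih', SANE_ANIH)])
SUSPECT_ANI = build_ani([chunk(b'anih', SANE_ANIH), chunk(b'anih', b'A' * 96)])

if __name__ == '__main__':
    for name, blob in (('benign', BENIGN_ANI), ('suspect', SUSPECT_ANI)):
        print(name, check_ani(blob) or 'clean')
```

Run it over content, not file names: a page can serve the cursor under any extension it likes, so filtering on `.ani` catches nothing. Treat a hit as a reason to look closer rather than proof of an exploit; a cursor written by a sloppy editor can also fail the size check, and a parser that understands RIFF differently from this one could be fed a file that looks clean here.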


What this means is that it will now be a piece of cake for every would-be malicious webmaster to add this stuff to their web sites, and their payloads will mostly be rootkits, generally much nastier than a password stealer for some game. If one listens carefully, one can almost hear the keyboards clacking in St. Petersburg. The next few days will be very tricky indeed.

Watch this spot, folks, and we'll keep you posted.

Cheers

Roger