E-mail Scam Using .ANI Exploit Proves a Point

PERSPECTIVE Just days after BetaNews responded to a reader's question about how the Windows Animated Cursor exploit affects users who don't use animated cursors, hypothetically suggesting that a phishing site could e-mail .ANI files disguised as revealing pictures of celebrity Britney Spears, researchers at WebSense Security Labs discovered an apparent e-mail spamming source that does precisely that.

Apparently users began receiving e-mails with the subject line, "Hot Pictures of Britiney Speers" (note the intentional misspelling to bypass filters). Users clicking on the embedded links were apparently taken to one of any number of Web sites that utilize so-called obfuscated JavaScript - the replacement of easy-to-read code with mangled symbols that can still be parsed by the interpreter - to redirect users to a single site. There, the .ANI animated cursor exploit BetaNews reported on last week is delivered as a Trojan horse file.

As I explained to BetaNews reader maximum last Friday, "In the video you might have seen [on YouTube], the document that triggered the crash loop doesn't appear on the desktop to be an .ANI file. It looks like something that anyone could name, 'Click here for more pictures of Britney Spears' underpants.' So it doesn't have to pass itself off as a cursor file in order to be malicious."

Engineers at Sophos Labs then independently verified the existence of the phishing sites and gave the Trojan its own name, calling it Troj/Iffy-A. No information has been given yet as to its unique behavior, if it has any. The company says the central Web site from which the exploit is launched is located (once again) in Russia. It also acknowledged that this is far from the first e-mail/Trojan pairing to use Spears' or any other celebrity's (misspelled) name as an enticement.

Sophos' senior technology consultant issued this warning yesterday: "The message is simple: You must patch your computers against this vulnerability now or risk infection. Hackers are exploiting people's tardiness in rolling out updates and looking to infect as many PCs as they can. Microsoft issued a patch for the problem yesterday, but the hackers will continue to take advantage of the critical security loophole for as long as they can."

But just before that warning was issued, a problem crept up which may extend those hackers' window of opportunity: Microsoft acknowledged a problem that stems from the patch it issued for Windows systems that were vulnerable to the .ANI file exploit.

A new hotfix has been issued for systems negatively impacted after the patch was installed, including those susceptible to giving users cryptic "Illegal System DLL Relocation" messages after restarting.

The British journal Virus Bulletin reported today that Microsoft may issue a "Patch Tuesday" fix for the fix after all, next Tuesday. In the meantime, we at BetaNews will be extra careful from now on, in case we end up giving Russian "phishermen" any new bad ideas.
