By Sharon Gaudin
April 4, 2007
There are problems with the patch Microsoft released Tuesday for a
critical .ANI vulnerability, and hackers have launched a new spam
campaign to take advantage of the flaw by promising nude pictures of
Britney Spears to lure users to malicious sites.
Deborah Hale, a handler with the Internet Storm Center, reported in the
site's daily diary on Wednesday that researchers there are receiving
reports of users having problems with the patch, which Microsoft pushed
out a week earlier than its normal monthly Patch Tuesday release.
Microsoft confirmed a problem with the patch and provided a hotfix, in
effect a patch for the patch, at the same time the update was released.
Hale noted that other issues have arisen, as well, and Microsoft is
Microsoft reported that on computers running Windows XP with
Service Pack 2, the Realtek HD Audio Control Panel may not start after
the patch is installed, and users may see an error message about an
illegal system DLL relocation. The problem stems from two files being
loaded at conflicting base addresses, according to the Microsoft advisory.
A Microsoft spokesman said in an e-mail that Microsoft first became aware
of the issues around the update for Windows XP SP2 during the testing
process for the patch. He also said the number of customers affected by
the glitch appears "limited" at this point, but the company is
recommending that affected users apply the hotfix.
While IT managers and consumers deal with the patch, hackers are losing
no time in continuing their onslaught of attacks against the
Sophos, a security company, reported Wednesday morning that attackers
launched a new spam campaign aimed at luring users to malicious Web
sites where their unpatched systems can be infected with malware.
The lure? The e-mails are promising users nude pictures of pop star
Britney Spears if they follow the link to a Web site. Initially, the
e-mails only contained text, but in the past day or so they've begun to
contain an embedded image of a scantily clad Spears.
Sophos reported in an advisory that the malicious site hosts a Trojan,
detected by Sophos as Iffy-A, which in turn leads to a second piece of
malware that carries the .ANI exploit. Sophos detects that second
component as Animoo-L.
"The message is simple: You must patch your computers against this
vulnerability now or risk infection," said Graham Cluley, senior
technology consultant for Sophos, in a statement. "Hackers are
exploiting people's tardiness in rolling out updates and looking to
infect as many PCs as they can. Microsoft issued a patch for the problem
yesterday, but the hackers will continue to take advantage of the
critical security loophole for as long as they can."
Security researchers warned on Tuesday that despite the patch, attacks
against the vulnerability would only escalate in the coming weeks and
The dramatic rise in malicious activity isn't going to die down because
Microsoft issued a patch, said Craig Schmugar, a threat researcher with
McAfee, in an interview earlier this week. "Getting the patch out early
definitely was the right call to make," he said. "There's been a big
uptick in exploit activity. It'll get worse. The release of a patch
isn't the end of the issue. Now that rootkits are posted publicly, more
and more hackers will find them and this will just get worse."
In just the past few days, analysts at Websense, a security company,
have found more than 700 Web sites that are spreading the .ANI exploit.
Researchers also have found the exploit being sent out in a spam
campaign, and automated exploit toolkits are popping up online to let even
unsophisticated attackers build their own .ANI exploit files.
The .ANI vulnerability (CVE-2007-0038, addressed by Microsoft bulletin
MS07-017) lies in the way Windows parses animated cursor files. A
malformed cursor file lets an attacker execute arbitrary code and
remotely take control of the system that renders it. The bug affects all
recent Windows releases, including the new Vista operating system.
Internet Explorer is the main attack vector, because it loads cursor
files referenced by Web pages and by HTML e-mail.
Users are being infected after visiting a malicious Web page that
references a crafted animated cursor designed to trigger the flaw. They
also can be infected if they open a specially crafted HTML e-mail message
or if they open a malicious e-mail attachment sent by an attacker.
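The check a defender wants at a mail gateway or Web proxy follows from how the flaw works: an animated cursor is a RIFF file of form type ACON, and the loader copied each "anih" header chunk into a fixed 36-byte buffer using the length declared in the chunk header. The earlier MS05-002 fix validated only the first anih chunk, so in-the-wild exploit files carried a well-formed first anih followed by a second, oversized one. The scanner below is an added example written for this article, not code from Microsoft, Sophos or any vendor named above; the two sample files it builds are constructed test vectors (the "malicious" one is padded with filler bytes, not shellcode), and it flags any anih chunk whose declared length is not 36, more than one anih chunk, and chunk lengths that run past the end of the data.

```python
"""Structural scanner for .ANI (RIFF/ACON) animated cursor files.

Added example, not code from the article or from any vendor it cites.
Flags the malformed 'anih' chunk shape used by CVE-2007-0038 exploit files.
"""
import struct
from typing import Iterator, List, Tuple

ANIH_LEN = 36  # sizeof(ANIHEADER): the fixed buffer the cursor loader copies into


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk: fourcc, little-endian length, payload, pad to even."""
    assert len(fourcc) == 4
    pad = b"\x00" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(form: bytes, body: bytes) -> bytes:
    """Wrap a body in a RIFF container of the given form type (e.g. b'ACON')."""
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form + body


def _anih(frames: int = 1, steps: int = 1) -> bytes:
    """A valid 36-byte ANIHEADER: cbSizeof, cFrames, cSteps, cx, cy, cBitCount,
    cPlanes, JifRate, flags (nine little-endian uint32s)."""
    return struct.pack("<9I", ANIH_LEN, frames, steps, 0, 0, 0, 0, 10, 1)


def build_benign_ani() -> bytes:
    """Constructed sample: one valid anih chunk plus a LIST/fram with a dummy icon."""
    body = _chunk(b"anih", _anih()) + _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 22))
    return _riff(b"ACON", body)


def build_malicious_ani(overflow_len: int = 0x200) -> bytes:
    """Constructed sample in the shape of the in-the-wild exploit files: a valid
    first anih chunk, then a second anih whose declared length far exceeds 36.
    Filler bytes only; this is a detection test vector, not an exploit."""
    first = _chunk(b"anih", _anih())
    second = _chunk(b"anih", b"A" * overflow_len)
    body = first + second + _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 22))
    return _riff(b"ACON", body)


def iter_chunks(data: bytes, offset: int, end: int) -> Iterator[Tuple[bytes, int, int, bytes]]:
    """Yield (fourcc, declared_len, payload_offset, payload) for chunks in data[offset:end].
    Descends into LIST chunks. A truncated chunk yields a payload shorter than declared_len."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (length,) = struct.unpack_from("<I", data, offset + 4)
        start = offset + 8
        stop = min(start + length, end)
        yield fourcc, length, start, data[start:stop]
        if fourcc == b"LIST" and length >= 4:
            # LIST payload = list-type fourcc followed by sub-chunks
            yield from iter_chunks(data, start + 4, stop)
        offset = start + length + (length & 1)  # chunks are word-aligned


def scan_ani(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the file passed every check."""
    findings: List[str] = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    (riff_len,) = struct.unpack_from("<I", data, 4)
    if riff_len + 8 > len(data):
        findings.append(f"RIFF length {riff_len} exceeds file size {len(data)}")
    anih_count = 0
    for fourcc, length, start, payload in iter_chunks(data, 12, len(data)):
        if len(payload) < length:
            findings.append(f"{fourcc!r} chunk at {start - 8:#x} declares {length} bytes "
                            f"but only {len(payload)} remain")
        if fourcc == b"anih":
            anih_count += 1
            if length != ANIH_LEN:
                # The loader trusted this length for every anih after the first.
                findings.append(f"anih chunk #{anih_count} at {start - 8:#x} declares "
                                f"{length} bytes, expected {ANIH_LEN}")
            elif len(payload) >= 4 and struct.unpack_from("<I", payload, 0)[0] != ANIH_LEN:
                findings.append(f"anih chunk #{anih_count}: cbSizeof field is not {ANIH_LEN}")
    if anih_count == 0:
        findings.append("no anih chunk present")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks present; a valid file has exactly one")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", build_benign_ani()), ("malicious", build_malicious_ani())):
        print(name, scan_ani(sample) or "clean")
```

Because Internet Explorer fetched cursor files from any URL a page named, a gateway rule should apply this scan by content (the RIFF/ACON magic), not by the .ani extension; exploit pages served the file under arbitrary names.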