There are problems with the patch Microsoft released Tuesday for a critical .ANI vulnerability, and hackers have launched a new spam campaign to take advantage of the flaw.

Sharon Gaudin, Contributor

April 4, 2007

4 Min Read

There are problems with the patch Microsoft released Tuesday for a critical .ANI vulnerability, and hackers have launched a new spam campaign to take advantage of the flaw by promising nude pictures of Britney Spears to lure users to malicious sites.

Deborah Hale, a handler with the Internet Storm Center, reported in the site's daily diary on Wednesday that researchers there are receiving reports of users having problems with the patch, which Microsoft pushed out a week earlier than its normal monthly Patch Tuesday release. Microsoft confirmed a problem with the patch and provided a hotfix, or a patch for the patch, when the patch was first released.

Hale noted that other issues have arisen, as well, and Microsoft is investigating them.

Microsoft reported that in computers running Microsoft Windows XP with Service Pack 2, the Realtek HD Audio Control Panel may not start after the patch is installed. They also may receive an error message about an illegal system DLL relocation. The problem stems from files having conflicting base addresses, according to the Microsoft advisory.

A Microsoft spokesman said in an e-mail that Microsoft was first aware of the issues around the update for Windows XP SP2 during the testing process for the patch. He also said the number of customers affected by the glitch appears "limited" at this point, but the company is recommending that users appply the hotfix.

While IT managers and consumers deal with the patch, hackers are losing no time in continuing their onslaught of attacks against the vulnerability.

Sophos, a security company, reported Wednesday morning that attackers launched a new spam campaign aimed at luring users to malicious Web sites where their unpatched systems can be infected with malware.

The lure? The e-mails are promising users nude pictures of pop star Britney Spears if they follow the link to a Web site. Initially, the e-mails only contained text, but in the past day or so they've begun to contain an embedded image of a scantily clad Spears.

Sophos reported in an advisory that the malicious site contains the Iffy-A Trojan that points to another piece of malware, which contains the zero-day .ANI exploit. Sophos detects this Trojan as Animoo-L.

"The message is simple: You must patch your computers against this vulnerability now or risk infection," said Graham Cluley, senior technology consultant for Sophos, in a statement. "Hackers are exploiting people's tardiness in rolling out updates and looking to infect as many PCs as they can. Microsoft issued a patch for the problem yesterday, but the hackers will continue to take advantage of the critical security loophole for as long as they can."

Security researchers warned on Tuesday that despite the patch, attacks against the vulnerability would only escalate in the coming weeks and months.

The dramatic rise in malicious activity isn't going to die down because Microsoft issued a patch, said Craig Schmugar, a threat researcher with McAfee, in an interview earlier this week. "Getting the patch out early definitely was the right call to make," he said. "There's been a big uptick in exploit activity. It'll get worse. The release of a patch isn't the end of the issue. Now that toolkits are posted publicly, more and more hackers will find them and this will just get worse."

In just the past few days, analysts at Websense, a security company, have found more than 700 Web sites that are spreading the .ANI exploit. Researchers also have found an exploit being sent out in a spam campaign, and automated rootkits are popping up online to let even unsavvy hackers build their own exploit malware.

The .ANI vulnerability involves the way Windows handles animated cursor files and could enable a hacker to remotely take control of an infected system. The bug affects all the recent Windows releases, including its new Vista operating system. Internet Explorer is the main attack vector for the exploits.

Users are being infected after visiting a malicious Web page that has embedded malware designed to take advantage of the flaw. They also can be infected if they open a specially crafted e-mail message or if they open a malicious e-mail attachment sent by a hacker.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights