New Windows .ANI Attacks Promise Pix Of Paris Hilton And Porn Stars

Exploits of the .ANI bug are surging as Russian organized crime teases users with promises of photos of Paris Hilton and a porn star.

Sharon Gaudin, Contributor

April 12, 2007

4 Min Read
InformationWeek logo in a gray background | InformationWeek

Elements of Russian organized crime have taken the lead in exploiting Microsoft's .ANI bug, and the hackers are trying to lure users to malicious Web sites with new promises of nude pictures of celebrities like Paris Hilton and porn star Jenna Jameson.

The lures are being spammed out by the same underground hackers group that last week used a similar ploy with promises of pictures of a a naked Britney Spears, according to Sophos, Inc., a security company with U.S. headquarters in Burlington, Mass.

The spammed out e-mail messages have subject lines like, "Hot pictures of Paris Hilton nude" and contain an embedded image, not of the hotel heiress who is famous for being famous, but of porn star Jenna Jameson. If users click on the image in the e-mail, the link takes them to a Web site containing the Iffy-B Trojan, which then points the user's computer to another piece of malware that tries to exploit the Microsoft vulnerability.

"The problem is that consumers and businesses may not yet have patched themselves against this vulnerability, and clicking on unsolicited e-mails like these could lead them to a nasty malware infection," said Graham Cluley, senior technology consultant for Sophos, in a written statement.

Microsoft released an emergency patch for the .ANI bug last week. Security professionals, though, are concerned that users who are slow to patch will become new victims as attacks on the vulnerability continue to surge. Dan Hubbard, VP of security company Websense, said in an interview that the patch hasn't slowed the creation of new exploits. They're still coming online at an alarming rate.

"We're seeing a little over 2,000 sites that have exploits or point to exploit code in one way or anther," said Hubbard, who last week reported that there were 700 malicious sites online. "The patch definitely helped. It went from 100% of people with Internet Explorer being vulnerable to a smaller subset. It didn't slow the attacks. It just made their success rate lower." Hubbard noted that the nude Britney Spears spam campaign has been the most successful .ANI exploit, which most likely inspired the hackers to launch the nude Paris Hilton and Jenna Jameson campaign.

He also noted that when the .ANI exploits first hit the Web, they were nearly all coming out of China, and the attacks were mainly compromising servers in that region. The hackers were looking to steal online gamers' credentials, focusing on people who play Lineage, which hasn't caught on so much in the United States, but is highly popular in China.

"The credentials are worth a lot of money," said Hubbard. "In some cases, they're worth more than a stolen credit card. There are full-on auctions where they run up the price of the credentials."

A skilled gamer's user name and password fetches quite a bit of money in underground circles. The skills and trinkets, which are the game's virtual weapons and privileges, that users amass as they move up to higher gaming levels also are stolen and sold. Hubbard explains that whoever buys the stolen credentials and trinkets assumes that user's ID in the shared game.

"I know it may seem odd that it's worth so much money, but if somebody is spending 35 to 50 hours a week on it, is it a game or a serious part of their lives?" asks Hubbard.

But gaming thieves are no longer behind the majority of the .ANI exploits.

The emphasis has started to shift toward members of Russia's organized crime, who are creating malicious Web sites and spamming out e-mail lures in an attempt to steal users' bank account information, Hubbard said. Once a user visits a malicious site or opens a malicious e-mail attachment and their machine is infected, the hacker lies in wait for the victim to go to an online banking site. Once he or she starts online banking, the hackers can swipe personal and financial information.

Even though the hacker group is out of Russia, Hubbard said most of the legitimate sites they've hijacked to surreptitiously implant malicious code on them are based in the U.S. None of the hijacked sites are Top 1,000 sites, though, he added.

The .ANI vulnerability lies in the way Windows handles animated cursor files and could enable a hacker to remotely take control of an infected system. The bug affects all the recent Windows releases, including its new Vista operating system. Internet Explorer is the main attack vector for the exploits. Mozilla's open-source browser Firefox also is at risk, but so far researchers haven't seen attacks focusing on it.

About the Author

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights