Archive for the 'Other Malware' Category

Looking at Britney Spears can get you a Rootkit

Wednesday, April 4th, 2007

On the 28th of March, details of a Windows vulnerability involving ANI files were posted on the Internet. It started out as just another vulnerability, but it wasn't long before it was obvious that this one was different: public exploit code had already been published and the hole was being actively attacked.

There was a lot of activity from Internet security companies, who found that the vulnerability was being exploited on web sites dotted around the world, but mainly in China. A specially crafted ANI file (an Animated Cursor file) could be embedded within a hacked or dubious website, and when a user visited the page their PC would become infected without them knowing anything. You might say "well, I don't visit dodgy websites, so I'm ok", but tell that to the surfers who recently got infected via the Superbowl site by a keylogger/backdoor.

As of the 3rd of April, Websense were tracking 450 unique websites serving out the code to unsuspecting users. The bogus code was found on every webpage within these sites.

When a user visits one of these sites the bogus animated cursor file is loaded, which in turn can run any program it wants. Currently there are various payloads being sent out via the exploit. The payloads include keyloggers for stealing credit card details from users, and botnet host software which makes the user's PC part of a botnet (a centrally controlled network of computers), which is probably sending out spam, serving more dodgy animated cursors, or being used in DDoS attacks.

Since the vulnerability became public, hackers have been trying to come up with new ways of fooling people into downloading a malicious ANI file. Recently, spam emails with subject lines like “Hot pictures of Britiney Speers” have been sent out, hoping to fool users into clicking on a link in the email that brings them to a hacked PHP site which serves up the malicious code. Explabs have also reported that, along with the malicious payload, a rootkit is being used to hide any trace of infection from the user. The Rustock rootkit is an example of a rootkit being used.

The following video shows how a specially created toolkit creates a malicious ANI file and runs the dir command using the file.

Public PoC (Proof of Concept) code has been released by jamikazu which will allow calc.exe to run. Again, calc.exe could easily be replaced by a malicious piece of code.

All Microsoft users should go to Microsoft Windows Update and get this dangerous hole patched quickly. If you have Automatic Update enabled then you more than likely had your system updated on Tuesday 3rd April.

This vulnerability also affects Windows Vista. Determina have put together a nice video that shows how an attacker might take over a Windows Vista PC using the ANI file vulnerability.

http://www.determina.com/security.research/flash/ani.html

If you have recently received an email enticing you to click on a link and see new photos of Britney Spears, and you “mistakenly” clicked on the link, then I think you should download one of the FREE anti-rootkit scanners from http://www.antirootkit.com/software/index.htm and check your system for the presence of a rootkit.

Keep Safe

regards

Steo
http://www.antirootkit.com/

References:

Microsoft Security Advisory (935423) - Vulnerability in Windows Animated Cursor Handling

Download the ANI File patch from Microsoft

Britney fears: troubled pop star exploited by Microsoft ANI vulnerability

Public PoC Code Disclosure (Code Execution - Calc.exe)

Large scale compromise with ANI exploit code

Rootkit and Malware Analysis for Beginners

Tuesday, March 13th, 2007

Have you ever wondered how the experts analyse malware and rootkits? Well, ZaiRoN has submitted an excellent article titled “Malware analysis: Nailuj sys file”. It is a very good analysis of malware that was found around the 9th of January 2007. ZaiRoN's approach is one with beginners in mind, and indeed he does a very good job of making it easy for relative beginners to understand.

Nailuj Analysis

The article goes into detail on how the malware gets into the registry, how it hides itself from the operating system and how it gets itself to auto-start.

Many thanks to ZaiRoN for submitting the article.

Keep Safe

Steo
www.antirootkit.com

References: Malware analysis: Nailuj sys file

New Storm-Worm Rootkit creating Botnets

Friday, January 19th, 2007

Some of you may have received an email today saying that “U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel” or that “230 dead as storm batters Europe”. If you did and clicked on the attachment then you have been infected by the Storm-Worm and your PC is now more than likely part of a Botnet.

Large amounts of the worm were spammed out early this morning to Europe and then to North America.

Some of the subjects of the spammed emails were crafted to coincide with current events in the news. The subjects included:

U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
230 dead as storm batters Europe.
British Muslims Genocide
Naked teens attack home director.
A killer at 11, he’s free at 21 and kill again!

The emails arrived with no text, only an attachment which appears to be a video of the event described in the subject.

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

When the attachment is run it drops a file called wincom32.sys which is a kernel mode rootkit.

It installs itself as a service with the name “wincom32” by creating the following registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32]

This kernel mode driver acts as an advanced payload injector with sophisticated methods such as seen with Rustock.

The worm then tries to contact various IP addresses and tells the botnet controllers that the machine is infected. It is then placed on a list of infected machines so that spyware and other malware can be installed at a later date, whenever the botnet owner wants. Machines that are unsuitable for the botnet are also placed in a list so that they are not visited again.

The type of botnet being set up here is called a “Peer to Peer” botnet. It is different from the normal “Command and Control” botnet, and it shows us that malware authors are taking a new direction with their botnets. A Peer to Peer botnet is harder to shut down than a Command and Control botnet, because there is no single controller to take offline.
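The lure subjects, the empty message body and the attachment names described above are enough to write a simple mail-gateway check. The following is an added example (not code from the original post or from any vendor) that scores a message against those indicators; the Message record and the constructed sample messages are assumptions for illustration only.

```python
import re
from dataclasses import dataclass, field

# Lure subjects and attachment names reported for the Storm-Worm spam run
STORM_SUBJECTS = {
    "u.s. secretary of state condoleezza rice has kicked german chancellor angela merkel",
    "230 dead as storm batters europe.",
    "british muslims genocide",
    "naked teens attack home director.",
    "a killer at 11, he's free at 21 and kill again!",
}
STORM_ATTACHMENTS = {"fullvideo.exe", "full story.exe", "video.exe", "read more.exe", "fullclip.exe"}
# Any directly executable attachment is suspicious when the body is empty
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)


@dataclass
class Message:  # hypothetical record, as a gateway filter might see it
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def _norm(text):
    # Lower-case and fold curly apostrophes so "he’s" matches "he's"
    return text.strip().lower().replace("\u2019", "'")


def assess(msg):
    """Return (verdict, reasons). verdict is 'block', 'quarantine' or 'allow'."""
    reasons = []
    names = [_norm(a) for a in msg.attachments]
    if _norm(msg.subject) in STORM_SUBJECTS:
        reasons.append("known Storm-Worm lure subject")
    if any(n in STORM_ATTACHMENTS for n in names):
        reasons.append("known Storm-Worm attachment name")
    if not msg.body.strip() and any(EXECUTABLE_EXT.search(n) for n in names):
        reasons.append("empty body with executable attachment")
    if any(r.startswith("known") for r in reasons):
        return "block", reasons          # matches a published indicator
    if reasons:
        return "quarantine", reasons     # generic pattern only, hold for review
    return "allow", reasons


if __name__ == "__main__":
    # Constructed sample messages, not real captured mail
    samples = [
        Message("230 dead as storm batters Europe.", "", ["Full Story.exe"]),
        Message("Quarterly report", "", ["report.EXE"]),
        Message("Hi", "see attached", ["photo.jpg"]),
    ]
    for m in samples:
        print(m.subject, "->", assess(m))
```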

References:
Trojan.Peacomm: Building a Peer-to-Peer Botnet
http://www.f-secure.com/v-descs/small_dam.shtml
YouTube Video showing the speed and extent of the spread of the Storm-Worm

Keep Safe
regards
Steo
www.antirootkit.com


Big Yellow worm is coming to get you….

Sunday, December 17th, 2006

A worm alert has been issued by eEye Research. Dubbed Big Yellow, the worm targets a vulnerability in the following Symantec products:
Symantec AntiVirus 10.0.x for Windows (all versions)
Symantec AntiVirus 10.1.x for Windows (all versions)
Symantec Client Security 3.0.x for Windows (all versions)
Symantec Client Security 3.1.x for Windows (all versions)

Quote:
Overview:
The eEye Research honeypot network has recently detected a new worm that is actively exploiting a remote Symantec vulnerability originally discovered by eEye Research on May 24, 2006 and patched by Symantec on June 12, 2006. This vulnerability has been publicly exploited as early as November 30, but this is the first example of a worm leveraging this vulnerability for self-propagation. Generally, patch processes are not in place for non-Microsoft applications such as Symantec AntiVirus/Client Security, so many Symantec users may be at risk for this vulnerability throughout their networks. All enterprises running such software should assess their posture against this worm as soon as possible by validating that they have the latest version of Symantec AntiVirus/Client Security as well as blocking port tcp/2967 at the gateway to minimize attackable surface area.

More on this interesting development, along with an in-depth analysis of the worm code, can be found on the eEye Research site: http://research.eeye.com/html/alerts/AL20061215.html

eEye provide a free copy of Blink Personal Edition to home users:

eEye Digital Security’s Blink® Personal Edition combines intrusion prevention, application and network firewall, identity theft protection, and vulnerability assessment into a single, unified client security solution. With Blink, you are ensured both proactive and reactive protection against the broad methods of attack and compromise used by hackers to gain access to your system and personal data.

Keep Safe,

regards
Steo

www.antirootkit.com