Spammers feast on ANI vulnerability

Microsoft moved to fix the critical .ANI vulnerability that affects roughly a dozen of its most popular products, including Vista, but spammers and malware brokers are already tapping into the flaw to infect unprotected machines.

Most enterprises should already be aware of the problem, and IT departments are likely scrambling to get Microsoft's security update in place, but attackers have likely been hammering away at the widespread vulnerability for months, according to security experts.

The IT community became aware of the .ANI glitch  -- which affects the manner in which roughly a dozen Microsoft Windows products handle malformed animated cursor files -- as a wave of spam and malware attacks hit the Internet after April 1.

However, experts say the problem -- which was first reported to Redmond, Wash.-based Microsoft in Dec. 2006 -- has likely been assailed for some time by attackers seeking to maintain a much lower profile.

Rated by Secunia as an extremely critical flaw -- the Copenhagen-based security software maker's most severe vulnerability ranking -- experts say that the .ANI glitch is currently being exploited in a wide variety of formats that are likely to ensnare a large number of PCs worldwide with malware, adware, and botnet programs.

Microsoft also issued fixes for seven other security vulnerabilities in addition to the .ANI problem in an ahead-of-schedule patch delivered on April 3.

Researchers at San Diego-based Websense reported the discovery of over 450 unique sites hosting .ANI-based spyware threats, adding up to tens of thousands of URLs infected with the malware. Unprotected end users visiting those sites will be redirected and hit with a password-stealing spyware program labeled as "ad.exe" which most anti-virus programs cannot catch, Websense reported.

Experts have also highlighted the rapid emergence of a new wave of attacks that are infecting end users who merely open e-mails or attachments laced with the viruses.

In one of the most popular iterations of the e-mail-based threats, users are being sent spam messages that advertise links to URLs hosting lurid images of embattled pop singer Britney Spears.

Users targeted in the campaign receive e-mail with the subject line "Hot Pictures of Britiney Speers" that has been written in HTML to help avoid filtering tools. After opening the infected spam e-mail, people who then click on the links are redirected to malware sites that host JavaScript code believed to be controlled by servers used by Russian cyber-criminals.

Roger Thompson, chief technology officer at Exploit Prevention Labs, based in Marietta, Georgia, said that the attacks being served up by that group run the full gamut of threats, from botnet software to sophisticated root kits.

The expert said that the root kit, dubbed 200.exe, eventually calls out to an account on Microsoft's Hotmail servers to announce itself and seek out additional malware to download onto infected machines. Thompson said the spam attacks started in earnest on April 1.