"This spam ring has a nasty set of encrypted exploits, and it is clearly all Russian in origin, as the sites that are being used are written in Russian," he said. "They're also using a new [malware] encryption style that we only first saw about a month ago; they're rapidly adding new exploits to these encrypted attacks, and the .ANI-based stuff is just the latest."
Thompson said that many machines have already been infected using the attack, and that he believes many more will come under control of the malware before systems can be patched, including many corporate users.
"With the embedded HTML they will catch people; there's no need to download anything. These are thoughtful attackers and they are gaining command and control right over port 80, and straight through the firewall," he said. "If there's a patch that you've missed they're going to get you, and we believe this is all still gathering steam."
The expert said that the .ANI threats may have actually first been created by Chinese hackers attempting to steal people's passwords to the World of Warcraft online video game, with other attackers subsequently modifying the code for their own means.
Other experts said the attacks will likely result in new hordes of widespread botnets, which will allow attackers to piggyback even more spam and malware campaigns onto their existing threats.
Since the .ANI flaw is present on so many relevant Microsoft products, botnet herders will likely flock to take advantage of the flaw, said Max Cacares, director of product management at penetration testing specialists Core Security, based in Boston.
"One reason why spammers are interested is because a lot of the underground community takes advantage of botnets to relay their work, and this is great for building huge botnets since it works on every version of Windows that you care about," Cacares said. "With the potential to exploit it directly from Outlook, this is great for compromising a huge variety of users, and once it's made part of a botnet, it also becomes a huge asset for all kinds of spammers."
Some researchers said they were surprised that there have not been more widespread attacks since the vulnerability was first made public so long ago.
"We actually haven't seen a huge proliferation yet," said David Frazer, director of technology services for anti-virus specialists F-Secure, based in Helsinki. "But with four patches issued from Microsoft between the original announcement and the release of all this code, one could say it might have been fixed sooner; fortuitously, we haven't seen as many infections as might have happened."
Matt Sergeant, senior anti-spam technologist at security software maker MessageLabs, based in Gloucester, U.K., said that Russian hackers are known to have been seeking new flaws that would allow them to deliver massive amounts of malware code in short periods of time.
"We're very much aware that Russian guys have been on the lookout for a new attack; their botnets have actually been diminishing since October 2006 since the Warezov virus," he said. "They're looking for a new angle to get in, and with the security improvements in Vista, they're worried that they can't crack into stuff as easily as in the past, but this proves that might not be the case."
The expert contends that the hackers are working furiously to find new avenues for attack, and predicted that many have shifted their efforts to the .ANI vulnerability over the last several days.
"These guys have teams of programmers working on this 24 hours a day, trying to find some way in, and when a major software vendor releases a patch, they move quickly," said Sergeant. "Especially on a Tuesday morning, most businesses are not ready to get a patch immediately installed; this is likely creating a huge opportunity for these guys to get stuff installed on people's computers and increase the size of their botnets."