Unpatched Drive-By Exploit Found On The Web

Several of my posts over the last few months have centered around very targeted zero-day attacks. This post covers an exploit that McAfee researchers discovered in the field, posted to a message board. That posting was simply a proof of concept; however, McAfee Avert Labs has since received a malicious sample as well. It is quite likely that similar exploits targeting this vulnerability are currently being used in other attacks on the web.

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

The vulnerability lies in the handling of malformed ANI files. Known exploits download and execute arbitrary exe files. This vulnerability is reminiscent of MS05-002.

More information will be posted as it becomes available.

http://www.avertlabs.com/research/blog/?p=230

More info.

http://isc.sans.org/diary.html?storyid=2534

Update:

The vulnerability ‘causes Vista to enter an endless crash-restart loop’.

Video here:

http://www.avertlabs.com/research/blog/?p=233

More comment here:

http://www.betanews.com/article/Vista_Can_Be_Taken_Down_by_an_Animated_Cursor/1175201875
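An added example, not from this thread or from any vendor mentioned in it: a small Python scanner that walks the RIFF/ACON chunk layout of an ANI file and flags structural malformations, including an 'anih' chunk whose declared size is not the 36-byte ANIHEADER the ANI format defines (that constant, and the sample files built below, are supplied here, not taken from the thread).

```python
import struct

ANIHEADER_SIZE = 36  # size of the ANIHEADER structure carried by a well-formed 'anih' chunk

def iter_chunks(data, offset, end):
    """Yield (fourcc, declared_size, payload, position) for RIFF chunks in data[offset:end]."""
    while offset + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", data, offset)
        payload = data[offset + 8 : offset + 8 + size]  # slice is short if the chunk is truncated
        yield fourcc, size, payload, offset
        offset += 8 + size + (size & 1)  # RIFF chunks are padded to an even length

def scan_ani(data):
    """Return a list of findings describing structural problems in an ANI byte string."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF ACON file"]
    riff_len = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_len)  # never trust the header's length past the real file end

    def walk(offset, limit):
        for fourcc, size, payload, pos in iter_chunks(data, offset, limit):
            if len(payload) < size:
                findings.append(f"truncated {fourcc!r} chunk at {pos}: declares {size} bytes")
                return
            if fourcc == b"LIST":  # LIST payload = 4-byte list type followed by sub-chunks
                walk(pos + 12, pos + 8 + size)
            elif fourcc == b"anih" and size != ANIHEADER_SIZE:
                findings.append(f"malformed 'anih' at {pos}: size {size} != {ANIHEADER_SIZE}")

    walk(12, end)
    return findings

def build_ani(chunks):
    """Constructed sample builder: wrap (fourcc, payload) pairs into a RIFF ACON container."""
    body = b"ACON"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples: a valid 36-byte ANIHEADER, and a second 'anih' with an oversized payload.
GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 32, 1, 10, 1)
GOOD = build_ani([(b"anih", GOOD_HEADER)])
BAD = build_ani([(b"anih", GOOD_HEADER), (b"anih", b"A" * 100)])

if __name__ == "__main__":
    print("GOOD:", scan_ani(GOOD) or "clean")
    print("BAD:", scan_ani(BAD))
```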

Hi FwF,

On this site: http://www.malware.com.br/ you can find a special update for ABP in FF or Flock that protects against this. So not only NoScript protects you here, but also this download for Adblock Plus.

polonus

Hi malware fighters,

The exploit is so critical, also in Vista, that an unofficial patch has been brought out:
http://research.eeye.com/html/alerts/zeroday/20070328.html Mind you, this is not an official Microsoft patch.

polonus

VPS content over past month 30.3.2007 - 0729-0

Win32:Ani-N [Trj]

Is this a detection for this exploit?

Is this a detection for this exploit?

Yep.
BTW I’d rather recommend against installing any “unofficial” patches, especially in this case…

Cheers
Vlk

Kudos avast! 8)

The following link gives more insight and a solution
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ANICMOO.AX

Thanks for the quick update Avast team.