Any ANI File Could Infect You!

It’s been a busy day in the ASERT team office. Brand spanking new Windows vulnerability to shake up the past several days of minor notes and issues. Animated cursors, objects on web pages or embedded in emails, malicious files … malware downloaded and launched. Sound familiar? It should; this feels like last year’s IE issues (WMF, createTextRange(), setSlice()) all over again. Here’s what we know:

  • this is a brand spanking new issue in the ANI file format. This is not MS05-002, despite what some detection products tell you. This is new, and this is a new attack vector. No patches yet, Microsoft is working on it.
  • Here are a few sites that have been hosting the malicious ANI files:
    • wsfgfdgrtyhgfd.net
    • 85.255.113.4
    • uniq-soft.com
    • fdghewrtewrtyrew.biz
    • newasp.com.cn

    Block access to them if you can. Many more surely exist.

  • At this point (4PM US EDT, Thursday) we haven’t seen a tool to make your own ANI exploit for this vuln. Expect one soon.


Mitigation is going to be difficult. If you’re worried about attachments getting in, you can’t just block .ani files, because this exploit works independent of the file extension. Configuring Outlook and Outlook Express to read your mail in plain text doesn’t help, O/OE will still parse the ANI and hit the exploit.

(Edited to add this paragraph on 30 March 2007) Some of you may be wondering what an ANI file is and what it’s good for. Simply put, an animated cursor is one of the little Windows mouse cursor animations. Some people use custom ones in their own custom Windows themes, and even the spinning hourglass is an animated cursor done in the ANI format. The file format is described on this site, What is an animated cursor?, and you can begin to see how a file like that may be corrupted – you’ve got TLV sets everywhere in the file, so a mismanaged one can corrupt memory and run arbitrary code, which is what appears to be going on here.
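As an added example (not code from the original post, and not Arbor’s or Microsoft’s code), here is a small Python inspector that ties the two points above together: it recognises an ANI file by its RIFF/ACON signature rather than its file extension, then walks the TLV (chunk) structure and rejects any chunk whose declared length does not fit inside its container, as well as any anih header that is not the fixed 36-byte structure the format defines. The sample files are constructed inline; the icon frame payloads are placeholders, not real cursor data, and the chunk layout assumed here is the standard RIFF layout (fourcc, little-endian length, payload padded to an even size).

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORD fields


class AniFormatError(ValueError):
    """Raised when a chunk length or header does not fit the file it is in."""


def looks_like_ani(buf):
    """Content-based identification: ANI files are RIFF containers of form type ACON.
    The extension is ignored on purpose, because the loader ignores it too."""
    return len(buf) >= 12 and buf[:4] == b"RIFF" and buf[8:12] == b"ACON"


def iter_riff_chunks(buf, start, end):
    """Yield (fourcc, payload_offset, payload_size) for chunks in buf[start:end].
    Every declared length is checked against the bytes that actually remain."""
    pos = start
    while pos < end:
        if end - pos < 8:
            raise AniFormatError(f"truncated chunk header at offset {pos}")
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        payload = pos + 8
        if size > end - payload:
            raise AniFormatError(
                f"chunk {fourcc!r} at offset {pos} declares {size} bytes "
                f"but only {end - payload} remain in its container")
        yield fourcc, payload, size
        pos = payload + size + (size & 1)  # RIFF pads odd-sized chunks to even


def inspect_ani(buf):
    """Walk the whole file and return a summary; raise AniFormatError on any
    length that does not fit or a header of the wrong size."""
    if not looks_like_ani(buf):
        raise AniFormatError("not a RIFF/ACON container")
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    if riff_size + 8 > len(buf):
        raise AniFormatError("RIFF length field exceeds the file size")
    summary = {"anih": 0, "frames": 0, "chunks": []}

    def walk(start, end):
        for fourcc, off, size in iter_riff_chunks(buf, start, end):
            summary["chunks"].append(fourcc.decode("ascii", "replace"))
            if fourcc == b"anih":
                summary["anih"] += 1
                if size != ANIH_SIZE:
                    raise AniFormatError(f"anih chunk is {size} bytes, expected {ANIH_SIZE}")
                if summary["anih"] > 1:
                    raise AniFormatError("more than one anih header chunk")
            elif fourcc == b"LIST":
                if size < 4:
                    raise AniFormatError("LIST chunk too short to carry a list type")
                walk(off + 4, off + size)  # skip the 4-byte list type, recurse into members
            elif fourcc == b"icon":
                summary["frames"] += 1

    walk(12, 8 + riff_size)
    return summary


def check_ani(buf):
    """Convenience verdict for scanning attachments: 'ok' or 'malformed: <reason>'."""
    try:
        inspect_ani(buf)
        return "ok"
    except AniFormatError as err:
        return f"malformed: {err}"


# --- constructed sample files (not real cursors) ---------------------------

def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_sample_ani(frame_count=1):
    """Build a minimal, well-formed ANI: one anih header and a LIST/fram of icon chunks."""
    anih = struct.pack("<9I", ANIH_SIZE, frame_count, frame_count, 0, 0, 0, 0, 6, 1)
    frames = b"".join(_chunk(b"icon", b"\0" * 22) for _ in range(frame_count))
    body = b"ACON" + _chunk(b"anih", anih) + _chunk(b"LIST", b"fram" + frames)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def build_overlong_anih_sample():
    """Same file, but the anih length field claims far more bytes than exist."""
    good = build_sample_ani(1)
    return good[:16] + struct.pack("<I", 0x10000) + good[20:]


if __name__ == "__main__":
    print(check_ani(build_sample_ani(2)))
    print(check_ani(build_overlong_anih_sample()))
    print(check_ani(b"GIF89a" + b"\0" * 10))
```

Run it against a directory of attachments regardless of their extensions: anything for which `looks_like_ani()` is true is an animated cursor as far as the loader is concerned, and anything for which `check_ani()` reports `malformed` should never reach a cursor parser.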

Links around the net:

  • Unpatched Drive-By Exploit Found on the Web (Follow-Up) by our friends at McAfee
  • TROJ_ANICMOO.AX, AV detection by our friends at Trend Micro. Also see TROJ_ANICMOO.AV, a related detection sig.
  • Active Exploitation of an Unpatched Vulnerability in Microsoft Windows ANI Handling, from our friends at US-CERT. Also see VU#191609.
  • Exploit-ANIfile.c, detection from McAfee
  • EEYEZD-20070328: Windows .ANI Processing, which includes an unofficial patch which we have not tested.

12 Responses to “Any ANI File Could Infect You!”

March 29, 2007 at 9:40 pm, R. Kerns said:

This reminds me of the vulnerability a few years ago where KBB, MLB and EBay as well as many smaller sites were affected by an exploit that took advantage of the way IE and Outlook/OE handled malicious jpegs. Strictly viewing the image was an issue and an undisclosed number of ppl were affected by it. Luckily for some reason thus far these attacks have not been well coordinated enough to do mass damage! Hopefully this will have a real workaround (not something to the effect of turn off this core function to stop this from occurring) and we can move on to waiting for the next problem child… To be honest I am waiting for an in the wild version of Billy Hoffman’s Jikto to appear which will be a real PITA.

March 30, 2007 at 5:28 am, securegg.com said:

Any ANI File Could Infect You!…

It’s been a busy day in the ASERT team office. Brand spanking new Windows vulnerability to shake up the past several days of minor notes and issues. Animated cursors, objects on web pages or embedded in emails, malicious files … malware downloaded …

March 30, 2007 at 6:47 am, Opera User said:

What about Opera? Affected or not?

March 30, 2007 at 11:10 am, Tech Blog » Blog Archive » 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) said:

[…] It seems like the vulnerability is already exploited in the wild: /blog/asert/2007/03/any-ani-file-could-infect-you/ […]

March 30, 2007 at 9:24 am, Robert Scroggins said:

Eeye has a temporary patch at http://research.eeye.com/html/alerts/zeroday/20070328.html. They say you should remove it when Microsoft comes out with theirs.

Regards,

March 30, 2007 at 1:29 pm, Internet Security and Programming » Blog Archive » Any ANI File Could Infect You! said:

[…] category News. You can read any responses through the RSS 2.0 feed. You can give a response, or trackback from your site. « State Agencies Coordinate Efforts To Combat Cybercrime And EducateStudents, Parents Hello from Black Hat Amsterdam » […]

March 30, 2007 at 3:04 pm, Harry Waldron - My IT Forums Blog : ANI based Trojans - Exploit Windows Animated Cursor handling said:

[…] ANI based Trojans – Exploit Windows Animated Cursor handling New trojans have surfaced that exploit a vulnerability in Windows animated cursor handling. This malware uses the ANI extension which has been rarely manipulated by malware in the past. Corporate admins should add ANI to their email blocking lists. Users should be cautious with all HTML based email (use plain text if possible), They should also be careful to only visit trusted and mainstream websites. The ANI malware can hide within HTML code. This vulnerability in Windows will lead to a crash of the security system so that other malware will be downloaded and installed on the infected system.

Microsoft Security Advisory (935423) Vulnerability in Windows Animated Cursor Handling
http://www.microsoft.com/technet/security/advisory/935423.mspx

Other Security Advisories
http://secunia.com/advisories/24659/
http://www.frsirt.com/english/advisories/2007/1151
http://www.avertlabs.com/research/blog/?p=230
http://www.avertlabs.com/research/blog/?p=233
/blog/asert/2007/03/any-ani-file-could-infect-you/
http://research.eeye.com/html/alerts/zeroday/20070328.html
http://www.us-cert.gov/current/current_activity.html#WINANI
http://www.kb.cert.org/vuls/id/191609

AV Vendors
http://vil.nai.com/vil/content/v_141860.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAV
http://www.sophos.com/sl/va/security/analyses/trojanimoou.html
http://www.f-secure.com/v-descs/exploit_w32_ani_c.shtml

Published Friday, March 30, 2007 8:02 PM by hwaldron […]

April 05, 2007 at 12:35 pm, Magically Delicious » The Microsoft .ANI Vulnerability said:

[…] Arbor Networks sees it being exploited in the wild […]

April 06, 2007 at 1:31 pm, R. Kerns said:

Of course after some review of the discovered exploit code what do I see in reporting TODAY! Really find it funny as I am a World of Warcrack player as well…

From BBC reporting at http://news.bbc.co.uk/2/hi/technology/6526851.stm

“Analysis of that malicious software showed that it lay dormant on a victims machine until they ran World of Warcraft (WoW) at which point it captured login data and sent it to the hacking group. ” “Research by security firm Symantec suggests that the raw value of a WoW account is now higher than a credit card and its associated verification data.

One card can be sold for up to $6 (£3) suggests Symantec, but a WoW account will be worth at least $10. An account that has several high level characters associated with it could be worth far more as the gold and rare items can be sold for real cash. “

April 10, 2007 at 10:31 am, Jacqui said:

Also this is being hosted on domains yata.com.au and spybiz4u.com and possibly a number of others for use in drive by downloads. I’ve just found your advisory after coming from an affected forum and confirmed the yata domain by searching for the .exe file on there via a remote program.

May 06, 2009 at 9:07 am, Diane said:

It sounds like you’re creating problems yourself by trying to solve this issue instead of looking at why there is a problem in the first place.

September 04, 2009 at 2:06 pm, Philosophically Secure » Blog Archive » The Microsoft .ANI Vulnerability said:

[…] Arbor Networks sees it being exploited in the wild […]

Comments are closed.