Any ANI File Could Infect You!
It’s been a busy day in the ASERT team office. Brand spanking new Windows vulnerability to shake up the past several days of minor notes and issues. Animated cursors, objects on web pages or embedded in emails, malicious files … malware downloaded and launched. Sound familiar? It should be, this feels like last year’s IE issues (WMF, createTextRange(), setSlice()) all over again. Here’s what we know:
- this is a brand spanking new issue in the ANI file format. This is not MS05-002, despite what some detection products tell you. This is new, and this is a new attack vector. No patches yet, Microsoft is working on it.
- Here are a few sites that have been hosting the malicious ANI files:
Block access to them if you can. Many more surely exist.
- At this point (4PM US EDT, Thursday) we haven’t seen a tool to make your own ANI exploit for this vuln. Expect one soon.
Mitigation is going to be difficult. If you’re worried about attachments getting in, you can’t just block .ani files, because this exploit works independently of the file extension. Configuring Outlook and Outlook Express to read your mail in plain text doesn’t help either: O/OE will still parse the ANI and hit the exploit.
(Edited to add this paragraph on 30 March 2007) Some of you may be wondering what an ANI file is and what it’s good for. Simply put, an animated cursor is one of the little Windows mouse cursor animations. Some people use custom ones in their own Windows themes, and even the spinning hourglass is an animated cursor stored in the ANI format. The file format is described on this site, What is an animated cursor?, and you can begin to see how a file like that may be corrupted – the file is a series of TLV (tag, length, value) chunks, so a length that is trusted without checking can corrupt memory and run arbitrary code, which is what appears to be going on here.
Links around the net:
- Unpatched Drive-By Exploit Found on the Web (Follow-Up) by our friends at McAfee
- TROJ_ANICMOO.AX, AV detection by our friends at Trend Micro. Also see TROJ_ANICMOO.AV, a related detection sig.
- Active Exploitation of an Unpatched Vulnerability in Microsoft Windows ANI Handling, from our friends at US-CERT. Also see VU#191609.
- Exploit-ANIfile.c, detection from McAfee
- EEYEZD-20070328: Windows .ANI Processing, which includes an unofficial patch which we have not tested.