Security App Protects Against Windows Attack



Jaggernaut Offline
Post: #1
Security App Protects Against Windows Attack

Quote: APRIL 2, 2007 - eEye Digital Security's timing couldn't be better: Starting today it's offering the latest version of its Blink Personal Internet Security consumer product for free, which comes with antivirus and anti-spyware as well as its standard personal firewall/vulnerability assessment package. The freebie software also comes with a bonus -- defense against the latest Windows zero-day exploit, which gives an attacker full control of an infected system. eEye late last week released one of the first temporary patches for the new .ANI exploit, which has been gathering steam over the past few days.

The zero-day attacks are being staged mainly from host systems in China and had spread to over 100 Websites as of this morning, according to Websense, and have prompted Microsoft to release an off-cycle, critical patch tomorrow, and ZERT to release a patch on Friday. The exploit, which embeds a malicious .ANI file in a Webpage, requires that a user visit the infected Website, or open a bad Microsoft Office file. Some researchers have observed worm-like behavior, and note that it's not limited to animated cursors but is also showing up in JPG files on Websites.

eEye's patch prevents the exploit from working, but according to ZERT, it does not fix the flawed copy routine that's at the heart of the problem, and could "break third-party applications that use animated cursors within their own program directories," according to ZERT's advisory. ZERT says its patch goes further.

Meanwhile, eEye in November began offering the previous version of Blink Personal -- personal firewall and VA tool -- as a freebie. Ross Brown, CEO of eEye, says his company added its AV and anti-spyware technology to provide an easier-to-use and smaller footprint option for consumers than what's currently out there for them.

"We're hearing two frustrations: that antivirus and firewall aren't protecting me and I’m still getting bot-infected," Brown says. "The things hitting them are not designed to be stopped by AV or firewalls and they're not getting caught by heuristic AV."

Brown says eEye used six months' worth of data from its Neighborhood Watch program -- where it logs and analyzes attack data from consumer users -- and built a new rule-set for Blink Personal. He says the all-in-one tool should be easier for less technically savvy users, although he admits eEye has not had a big consumer presence. "It's never been a huge business for us."

He says the free consumer tool will also help eEye gather the data to build a better commercial product for its traditional business -- commercial and security-savvy users. The company is offering a free one-year subscription, but it doesn't intend to start charging for Blink Personal after the one year is up. "The renewal will probably be free again, too."

— Kelly Jackson Higgins

The link for this free download eEye Download
04-03-2007 02:16 PM
Jaggernaut Offline
Post: #2
RE: Security App Protects Against Windows Attack

Quote:By Sharon Gaudin

Microsoft is getting ready to release an off-cycle patch Tuesday for the bug that has spawned more than 100 malicious sites and a worm over the last few days.

Microsoft is releasing an off-cycle patch Tuesday for the .ANI vulnerability that saw an escalating number of threats appearing over the weekend.

"From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat," Christopher Budd, security program manager at Microsoft's Security Response Center, wrote in a blog Sunday. "Additionally, we are aware of public disclosure of proof-of-concept code. In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday, April 3, 2007."

Budd added that Microsoft's technicians will be testing the patch, which will be released on an 'as is' basis with no warranties, right up until its release. It's possible, he noted, that they will find an issue that will force the release to be delayed.

The amount of attacks against the vulnerability intensified over the weekend, according to F-Secure, which noted that the first worm using the exploit was discovered roaming the Internet on Sunday. "We've seen a lot of activity relating to the .ANI exploit during the weekend," said Mikko Hypponen, chief research officer at F-Secure, in an e-mail to InformationWeek. "This vulnerability is really tempting for the bad guys. It's easy to modify the exploit, and it can be launched via Web or e-mail fairly easily."

Websense Security Labs reported that researchers there now are monitoring more than 100 Web sites that are spreading the .ANI zero-day exploit. Proof-of-concept code also is in the wild.

"Currently, the majority of the attacks appear to be downloading and installing generic password-stealing code," Websense reported on its blog. "Most sites are hosted in China. Interestingly, the most popular domain space being used is .com."

The .ANI vulnerability lies in the way Windows handles malformed animated cursor files and could enable a hacker to remotely take control of an infected system. The bug affects all the recent Windows releases, including its highly-touted Vista operating system. Internet Explorer is the main attack vector for the exploits.

"In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability, view a specially crafted e-mail message, or open a specially crafted e-mail attachment sent to them by an attacker," Adrian Stone, a Microsoft researcher, said in a blog. "While the attack appears to be targeted and not widespread, we are monitoring the issue and will update the advisory and blog as new information becomes available."

Last Friday, eEye Digital Security released a patch designed to prevent the latest exploit from working.

The Zeroday Emergency Response Team (ZERT) also released a patch "which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files." The patch is available for Microsoft Windows 98, 2000, XP, Server 2003, and Vista.

The Internet Storm Center is advising users that this is an unofficial patch and should be removed when Microsoft releases its own patch.
04-04-2007 02:28 AM
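
The bound described in the ZERT quote above (no more than 36 bytes of an "anih" chunk reach the fixed-size buffer), sketched as an added example that is not part of the original posts and is not ZERT's or Microsoft's code. It assumes the standard RIFF/ACON chunk layout and inspects top-level chunks only; `ani_check` and `make_sample` are hypothetical names, and the sample files are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ANIH_SIZE 36u  /* fixed "anih" header size named in the quoted advisory */

/* RIFF chunk sizes are little-endian 32-bit values. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the top-level chunks of a RIFF/ACON buffer. Returns the number of
 * "anih" chunks whose declared size is not 36, or -1 if the buffer is not
 * RIFF/ACON or a chunk runs past the end. Only a correctly sized header is
 * ever copied, and always exactly 36 bytes, into the caller's buffer. */
int ani_check(const uint8_t *buf, size_t len, uint8_t hdr_out[ANIH_SIZE]) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;
    int bad = 0;
    size_t off = 12;
    while (off <= len && len - off >= 8) {
        uint32_t size = le32(buf + off + 4);
        if (size > len - off - 8)
            return -1;                        /* declared size overruns the file */
        if (memcmp(buf + off, "anih", 4) == 0) {
            if (size != ANIH_SIZE)
                bad++;                        /* reject: never copy by declared size */
            else
                memcpy(hdr_out, buf + off + 8, ANIH_SIZE);
        }
        off += 8 + (size_t)size + (size & 1); /* chunks are padded to even length */
    }
    return bad;
}

/* Constructed sample: RIFF/ACON file with one "anih" chunk of `size` zero
 * bytes (size < 228 so each length fits in the low byte). */
size_t make_sample(uint8_t *out, uint8_t size) {
    size_t total = 12 + 8 + (size_t)size;
    memset(out, 0, total);
    memcpy(out, "RIFF", 4);  out[4] = (uint8_t)(total - 8);
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);  out[16] = size;
    return total;
}

int main(void) {
    uint8_t file[256], hdr[ANIH_SIZE];
    printf("36-byte anih: %d\n", ani_check(file, make_sample(file, 36), hdr));
    printf("80-byte anih: %d\n", ani_check(file, make_sample(file, 80), hdr));
    return 0;
}
```

A non-zero return marks a file whose animated-cursor header does not have the expected size, which a scanner or gateway filter can treat as malformed.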
Jaggernaut Offline
Post: #3
RE: Security App Protects Against Windows Attack

Quote: April 3, 2007 05:15 PM

Microsoft released a security update to fix seven vulnerabilities, but security researchers expect the .ANI attacks to continue.

Even though Microsoft released a patch on Tuesday for the critical .ANI vulnerability, security researchers say the exploit attacks are expected to get much worse before they begin to get better.

The patch, which was released a week ahead of Microsoft's monthly Patch Tuesday schedule, fixes the way Windows handles malformed animated cursor files. Microsoft had planned on releasing the patch on schedule next week, but pushed it out a week early because of the wave of exploits that are showing up.

The security update doesn't just patch the .ANI vulnerability, but fixes a total of seven vulnerabilities, ranging from a WMF denial-of-service bug to three elevation-of-privilege bugs.

Dan Hubbard, a senior director of research at Websense, said in an interview that analysts there have found more than 700 Web sites that are spreading the .ANI exploit. Researchers have found an exploit being sent out in a spam campaign, and automated root kits are popping up online to let even unsavvy hackers build their own exploit malware.

All of this malicious activity isn't going to die down because Microsoft issued a patch, said Craig Schmugar, a threat researcher with McAfee, in an interview. "Getting the patch out early definitely was the right call to make," he said. "There's been a big uptick in exploit activity. It'll get worse. The release of a patch is not the end of the issue. Now that root kits are posted publicly, more and more hackers will find them and this will just get worse."

He added that this could remain an ongoing issue as researchers frequently find working exploits that are a year or two old.

In the 24 hours between Monday and Tuesday mornings, the .ANI exploits became the most detected piece of code coming out of Asia, Schmugar said. Globally, it went from outside of the top 20 to the No. 6 position. He added that he "has no doubt" it will become the most utilized exploit around the world in a week or two.

Even though Microsoft released a patch, it will take some time for consumers and enterprises to install it, and some will take a lot more time than others, said Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, in an interview. That, he noted, will give the hackers plenty of time to continue their assault.

Both Microsoft and the SANS Institute are recommending that users download the patch immediately.

The .ANI vulnerability lies in the way Windows handles animated cursor files and could enable a hacker to remotely take control of an infected system. The bug affects all the recent Windows releases, including its new Vista operating system. Internet Explorer is the main attack vector for the exploits.

Users are being infected after visiting a malicious Web page that has embedded malware designed to take advantage of the flaw. They also can be infected if they open a specially crafted e-mail message or if they open a malicious e-mail attachment sent by a hacker.

Microsoft was alerted to the vulnerability on Dec. 20 by Alexander Sotirov of Determina Security Research. Mark Miller, director of the Microsoft Security Response Center, said in an interview Monday that they began working on a fix immediately. The patch, though, did not come out before exploits began showing up in a flurry of malicious code last week.

Miller said the company needed the three-plus months to work on building and testing a good patch, adding that slightly less than 100 Microsoft technicians have been working on the fix since last week.
04-04-2007 02:56 AM