
A tale of two ANI attacks: Same exploit, different motives, different targets

04.09.2001 - 12:00 AM
By now most of you are familiar with the ANI zero-day attacks that have been happening over the last week. See the bottom of this blog entry for URL details and background on ANI.

The state as of now is that there are more than 2000 unique sites that are hosting exploit code and/or are compromised and are pointing to machines that host exploit code.

Two main attacks account for the majority of these sites. The first set, we believe, comes from one of the first groups to start using the zero-day exploit in the wild. These attacks started in the China region and appear to have been created by groups within the Asia Pacific region. The attackers have compromised hundreds of machines and placed IFRAMEs pointing back to the main servers that host the exploit code. In most cases the payload and motivation of these attacks is to gather credentials for online games such as Lineage, a very popular online game in Asia.
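The injected IFRAMEs described above are the part of this attack a site owner can actually look for in their own pages. The following is an added example, not Websense code or anything from the attacking groups: it parses a fetched page with the Python standard library and flags IFRAMEs whose source is off-domain and which are sized or styled so the visitor never sees them. The sample HTML, the page URL and the host names in it are constructed for illustration; real injections vary, so treat this as a triage aid rather than a complete detector.

```python
"""Flag hidden, off-domain IFRAMEs in a page (added example, not Websense code).

Sites compromised in the ANI campaigns carried IFRAMEs pointing back to the
servers hosting the exploit. A defender reviewing a site's HTML can look for
IFRAMEs that (a) load from another host and (b) are hidden from the visitor.
All sample content below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Bare attributes arrive with value None; normalise to ""
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


# Inline styles commonly used to keep an injected frame out of sight
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for width/height of 0 or 1 pixel ("0", "0px", "1")."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def find_suspicious_iframes(html, page_url):
    """Return findings for IFRAMEs that are both off-domain and hidden.

    Relative src values are same-origin and skipped; visible off-domain embeds
    (a video player, say) are also left alone so the list stays short.
    """
    parser = IframeCollector()
    parser.feed(html)
    own_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host is None:  # relative src -> same origin
            continue
        off_domain = host.lower() != own_host
        hidden = (
            _is_tiny(attrs.get("width"))
            or _is_tiny(attrs.get("height"))
            or bool(_HIDDEN_STYLE.search(attrs.get("style", "")))
        )
        if off_domain and hidden:
            findings.append({"src": src, "host": host,
                             "reason": "hidden off-domain iframe"})
    return findings


# Constructed sample page: one legitimate embed, one same-origin frame and two
# injected frames of the kind the campaigns above used.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.org/embed/42" width="640" height="360"></iframe>
<iframe src="/local/frame.html" width=0 height=0></iframe>
<iframe src="http://exploit-host.example.test/x.htm" width=0 height=0></iframe>
<iframe src="http://second-host.example.test/y.htm" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, "http://www.example.com/index.html"):
        print(f"{f['reason']}: {f['src']}")
```

Run against a page you control, the output is a short list of frame sources to review; a real triage would follow up by checking each flagged host against the alerts linked at the bottom of this post.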

The second set of attacks, which started just a couple of days ago, appears to come from a group in Eastern Europe. This group has been placing exploit code on sites for many years now and has a very resilient infrastructure. They have used WMF, VML, and several other exploits in their routines previously, and as of now they have also added the ANI attack to their arsenal. The payload and motivation are somewhat different, however: this group is better known for installing rootkits and crimeware designed to deploy form-grabbing software and keyloggers in order to compromise end-user banking details. In the past they have also installed fake anti-spyware software, both as a distraction and as a means to trick the victim into acquiring anti-spyware software.

The map below plots every website we have classified as compromised by one of these two parties. Note: we plotted by country, not by city! What you can see, with some minor exceptions, is that the first attacker set is going after servers, and presumably users, in China, whereas the second attacker set is going after servers and users in America.

Compromised Web Servers Plotted

Detail URLs

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=762
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=763
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=764
http://www.websense.com/securitylabs/blog/blog.php?BlogID=120
http://www.websense.com/securitylabs/blog/blog.php?BlogID=121

Map caption: Large scale attacks spreading ANI exploit code on compromised web servers (Attack #1: Chinese; Attack #2: Eastern European)