
ANI Zero-Day Event Timeline

04.01.2007 - 8:42 PM
March 27th, 2007

(11:00 PM Beijing time, 3:00 PM UTC) malware-test, a Chinese anti-virus research site, reported that a new Microsoft Windows exploit had surfaced on the web (see http://malware-test.com/blog/archives/2007/03/28/894). Several vendors followed up with reports of their own, and Microsoft released an advisory. There have been several reports of attacks in the wild, proof-of-concept (POC) code has been released, and online toolkits are available to create your own attack code. There have also been reports of spam runs with embedded URLs pointing to exploit code, compromised websites, and potentially a worm propagating.

Screenshots of the original post, showing the fake ESPN site infection:


The exploits use the Microsoft Windows Cursor and Icon ANI Format Handling Remote Buffer Overflow Vulnerability; Internet Explorer and Outlook users are at risk of having programs launched without any user interaction (see: http://www.microsoft.com/technet/security/advisory/935423.mspx).

The vulnerability was originally reported to Microsoft in December 2006 and was disclosed by Determina Research (see: http://www.determina.com/security.research/vulnerabilities/ani-header.html).
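As an added, defender-side illustration (not code from the original post or from Websense): the vulnerability named above is a stack buffer overflow in Windows' ANI loader, triggered by an `anih` chunk whose declared length differs from the fixed 36-byte ANIHEADER structure it is copied into. That mechanism and the 36-byte size come from the public description of the bug, not from this post. The script below walks a file's RIFF chunks and flags that condition, the check a mail or web gateway would apply to cursor files; both sample files are constructed inline.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): the fixed-size stack buffer the loader copies into


def scan_ani(data: bytes) -> list:
    """Walk the RIFF chunks of an ANI file; return a list of findings (empty = nothing anomalous)."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (ANI) file"]
    pos = 12
    anih_count = 0
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body_start = pos + 8
        if fourcc == b"LIST":
            # LIST chunks nest further chunks; step into them (past the 4-byte list type)
            pos = body_start + 4
            continue
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(
                    f"anih chunk #{anih_count} at offset {pos} declares {size} bytes, expected {ANIH_SIZE}")
        if body_start + size > len(data):
            findings.append(f"chunk {fourcc!r} at offset {pos} overruns the file ({size} bytes declared)")
            break
        pos = body_start + size + (size & 1)  # RIFF pads odd-sized chunks to an even boundary
    return findings


def build_ani(anih_payload: bytes) -> bytes:
    """Constructed helper (not a usable cursor): wrap one anih chunk in a RIFF/ACON container."""
    chunk = b"anih" + struct.pack("<I", len(anih_payload)) + anih_payload
    body = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a well-formed 36-byte header and a header with an oversized length field.
BENIGN = build_ani(struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 1, 1))
MALFORMED = build_ani(b"\x00" * 90)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, scan_ani(sample) or "clean")
```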

March 28th & 29th

Several security vendors start to see exploits in the wild. Websense discovers that the exploits are being served from the same domains used in the Super Bowl compromise incident that Websense discovered in February.

See: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=762

March 30th

Approximately 60 URLs are being actively tracked. Exploits are starting to spread across more websites but are still mostly in the China region. There are reports that IFRAME cash groups in Russia are using the exploits, but these appear to be untrue at this time: the reports are mistaking older ANI exploits for this one.

March 31st

We issued an update to our alert on ANI with information that we were tracking more than 100 sites, mostly hosted in China.

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=763

March 31

• China Incident Response Team is reporting a worm. We have yet to confirm that this worm actually works and propagates.
• Reports of email lures propagating in the China region with embedded links pointing to sites hosting active exploit code.
• A website has surfaced in China that allows users to create their own attack code and embed it within a website:

Original Site:

Research Collaboration thanks to iDefense

Rough site translation:

April 1

Zero Day Emergency Response Team releases an unofficial patch:
http://isotf.org/zert/

April 1, 2007 @ 7:00 PM

There are at least three proof-of-concepts public on the web, and although many of the sites have been shut down, we believe this exploit will start being used by additional groups such as the IFRAME folks in Russia. More attacks are imminent, and we expect to see rises in the number of sites being set up, sites being compromised, and sites being supported with email and potentially IM lures in the next week.

As stated in previous alerts, our ThreatSeeker Technology is actively scanning the web and domain name infrastructure, providing pre-emptive protection against these attacks. More information will be published as details are discovered. We also recommend that customers block all files with .exe extensions in the uncategorized and web-hosting categories.

Update: April 1, 2007 @ 7:36 PM: Microsoft has announced an out-of-band patch: http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx

Let's hope that is not an April Fools' joke!
