Websense.com / Security Labs / Blogs / Compromised sites using ANI exploit code

Blog

Compromised sites using ANI exploit code

04.02.2007 - 3:15 PM

SEARCH BLOG

Subscribe to this feed »

April 2007

04/20/2007	Packers, Packers, Packers for sale ! »
04/05/2007	Analysis of Malware Spread via SPAM and ANI vulnerability »
04/03/2007	Large scale compromise with ANI exploit code »
04/02/2007	Compromised sites using ANI exploit code »
04/02/2007	Automated Defacement through Search Engines »
04/01/2007	ANI Zero-Day Event Timeline »

Archive
+ March 2007
+ February 2007
+ January 2007
+ December 2006
+ November 2006

Websense's ThreatSeeker(tm) technology has discovered that a large set of websites have been compromised within the Asia Pacific Region and have embedded IFRAMES within them pointing to a site that is hosting the ANI exploit code. An IFRAME or "invisible frame" is an element which makes it possible to embed another HTML document inside the main document. From Wikipedia: http://en.wikipedia.org/wiki/Iframe.

Although we are tracking hundreds of other sites that are hosting ANI exploit files this alert pertains to one group of sites that are all connecting to the same host. Many of the sites appear to be running online blogs or message boards. Most sites have embedded IFRAME's on all pages leading to a main set of sites which are hosting the exploit code. The number of unique sites currently up and running for this one attack is greater than 50 and the number of pages is greater than 500.

Assuming users connect to the sites they will be redirected to two unique locations which are hosting exploit code which in turn downloads and installs a file called "ad.exe". The file includes a generic password stealer and is not detected well by most Antivirus companies (MD5 0c9217553871d3eb5f20b553d91a098b).

Websense security customers are protected from visiting the websites associated with the ANI zero-day attack.

Some sample screenshots of compromised servers: