IT security and control firm Sophos has urged computer users to
patch their computers against a vulnerability in the way Microsoft
Windows handles animated cursors as hackers exploit the problem by
using pictures of pop star Britney Spears.
Emails spammed out by hackers are directing internet users to
hacked PHP websites with the promise of candid pictures of the
troubled singer. PHP, a scripting language used by many websites,
has suffered from serious security vulnerabilities in the past.
On 30 March the initial campaign began, with just a link to a
Russian website. The site contained the Troj/Iffy-A Trojan horse
that pointed at another piece of malware which contained a zero-day
exploit of Microsoft's animated cursor (ANI) vulnerability. Sophos
detects this malicious code as Troj/Animoo-L.
At this stage the emails contained no graphics, but cycled their
subject lines in an attempt to avoid detection as the following
short example of the timeline demonstrates:
2007/03/30 14:21:10 birtney psears nakde
2007/03/30 14:26:58 birtney speasr nkaed
2007/03/30 14:34:04 britnye speras anked
2007/03/30 14:39:20 briteny psears nkaed
2007/03/30 14:40:15 britnye speasr nkaed
2007/03/30 14:40:23 rbitney spaers nakde
2007/03/30 14:40:24 rbitney speras anked
2007/03/30 14:42:48 rbitney speasr nkaed
2007/03/30 14:42:58 britnye speras nkaed
2007/03/30 14:44:16 birtney speasr nkaed
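Each subject line in the timeline above only transposes letters inside its words, so sorting every word's letters yields one stable key for the whole run. The following clustering check is an added example, not Sophos's detection logic; the function names, threshold and control subjects are assumptions made for illustration.

```python
from collections import defaultdict

# Subject lines copied from the timeline above.
SUBJECTS = [
    "birtney psears nakde", "birtney speasr nkaed", "britnye speras anked",
    "briteny psears nkaed", "britnye speasr nkaed", "rbitney spaers nakde",
    "rbitney speras anked", "rbitney speasr nkaed", "britnye speras nkaed",
    "birtney speasr nkaed",
]
# Constructed control subjects (not from the page).
CONTROLS = ["quarterly budget review", "server patch window tonight"]


def signature(subject):
    """Key that ignores letter order inside each word but keeps word order."""
    return tuple("".join(sorted(word)) for word in subject.lower().split())


def cluster(subjects):
    """Group subject lines that share the same per-word letter multiset."""
    groups = defaultdict(set)
    for subject in subjects:
        groups[signature(subject)].add(subject)
    return groups


def flag_campaigns(subjects, min_variants=3):
    """Return signatures seen under at least min_variants distinct spellings.

    A single spelling proves nothing, since ordinary mail also maps to some
    key. Many different spellings collapsing onto one key is the signal.
    """
    return {
        sig: sorted(variants)
        for sig, variants in cluster(subjects).items()
        if len(variants) >= min_variants
    }


if __name__ == "__main__":
    for sig, variants in flag_campaigns(SUBJECTS + CONTROLS).items():
        print(" ".join(sig), "<-", len(variants), "distinct spellings")
```

The key only absorbs transpositions; a subject that adds or swaps letters needs an edit-distance comparison instead.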
Since the initial campaign, the hackers' attack has evolved. In
the last few days spammed email messages with subject lines such as
"Hot pictures of Britiney Speers" have contained an embedded image
of the scantily clad pop star which links to a number of websites
which have had the animated cursor exploit planted on them by
hackers.
"The message is simple: you must patch your computers against
this vulnerability now or risk infection. Hackers are exploiting
people's tardiness in rolling out updates and looking to infect as
many PCs as they can," said Graham Cluley, senior
technology consultant for Sophos. "Microsoft issued a patch
for the problem yesterday, but the hackers will continue to
take advantage of the critical security loophole for as long as
they can."
Sophos's gateway security
solutions detected the spam email messages without requiring an
update, and the Sophos Web Security
Appliance blocks users from visiting the websites hosting the
malicious code.
Home users of Microsoft Windows can visit update.microsoft.com to have their systems scanned for
Microsoft security vulnerabilities.
Sophos suggests that every IT manager responsible for security
should consider subscribing to vulnerability mailing lists such as
that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.
Sophos experts note that this is far from the
first time that Britney Spears has been used as bait in an
attempt to trick innocent computer users into viral infection. The
promise of glimpses of pin-ups like Halle
Berry, Avril
Lavigne, Anna
Kournikova, Julia
Roberts, Angelina Jolie
and Brad Pitt, Jennifer
Lopez, or the stars of 'Sex and the
City' have previously been used to help viruses spread.
Sophos continues to recommend companies protect their desktops
and servers with automatically updated
protection against viruses, spyware, and spam.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.