Britney fears: troubled pop star exploited by Microsoft ANI vulnerability

April 04, 2007 Sophos Press Release

IT security and control firm Sophos has urged computer users to patch their computers against a vulnerability in the way Microsoft Windows handles animated cursors as hackers exploit the problem by using pictures of pop star Britney Spears.

Emails spammed out by hackers are directing internet users to hacked PHP websites with the promise of candid pictures of the troubled singer. PHP, a scripting language used by many websites, has suffered from serious security vulnerabilities in the past.

On 30 March the initial campaign began, with just a link to a Russian website. The site contained the Troj/Iffy-A Trojan horse that pointed at another piece of malware which contained a zero-day exploit of Microsoft's animated cursor (ANI) vulnerability. Sophos detects this malicious code as Troj/Animoo-L.

At this stage the emails contained no graphics, but cycled their subject lines in an attempt to avoid detection as the following short example of the timeline demonstrates:

2007/03/30 14:21:10 birtney psears nakde
2007/03/30 14:26:58 birtney speasr nkaed
2007/03/30 14:34:04 britnye speras anked
2007/03/30 14:39:20 briteny psears nkaed
2007/03/30 14:40:15 britnye speasr nkaed
2007/03/30 14:40:23 rbitney spaers nakde
2007/03/30 14:40:24 rbitney speras anked
2007/03/30 14:42:48 rbitney speasr nkaed
2007/03/30 14:42:58 britnye speras nkaed
2007/03/30 14:44:16 birtney speasr nkaed
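
Every subject line in the timeline above is a letter permutation of the same three words, so a comparison that ignores letter order collapses them onto one key. The Python below is an added example, not part of the Sophos release and not a description of how Sophos products detect this spam; the watch-list, the `min_hits` threshold and the benign subjects are assumptions constructed for illustration.

```python
from collections import Counter

# Assumption: watch-list terms an analyst picked from the lure's theme.
WATCHLIST = ("britney", "spears", "naked")

def signature(word):
    """Order-insensitive key: the word's letters, lowercased and sorted."""
    return "".join(sorted(word.lower()))

SIGNATURES = {signature(w): w for w in WATCHLIST}

def canonical(subject):
    """Replace each token that is a permutation of a watch-list word with
    that word; other tokens are only lowercased."""
    return " ".join(SIGNATURES.get(signature(t), t.lower())
                    for t in subject.split())

def is_campaign(subject, min_hits=2):
    """Flag a subject when at least min_hits tokens unscramble to watch-list
    words. One hit is not enough: 'sparse' is also a permutation of 'spears'."""
    hits = sum(signature(t) in SIGNATURES for t in subject.split())
    return hits >= min_hits

def cluster(subjects):
    """Count subjects per canonical form, exposing one campaign behind many strings."""
    return Counter(canonical(s) for s in subjects)

# The ten subject lines from the timeline above.
SUBJECTS = [
    "birtney psears nakde", "birtney speasr nkaed", "britnye speras anked",
    "briteny psears nkaed", "britnye speasr nkaed", "rbitney spaers nakde",
    "rbitney speras anked", "rbitney speasr nkaed", "britnye speras nkaed",
    "birtney speasr nkaed",
]
# Constructed benign subjects (not from the page) to show what is not flagged.
BENIGN = ["quarterly sales report attached", "sparse matrix benchmark results"]

if __name__ == "__main__":
    print(len(set(SUBJECTS)), "distinct strings ->", dict(cluster(SUBJECTS)))
    for s in BENIGN:
        print(repr(s), "flagged:", is_campaign(s))
```

This covers only transposed letters; a misspelled variant such as the later "Britiney Speers" changes the letters themselves and would need an edit-distance comparison instead.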

Since the initial campaign, the hackers' attack has evolved. In the last few days spammed email messages with subject lines such as "Hot pictures of Britiney Speers" have contained an embedded image of the scantily clad pop star which links to a number of websites which have had the animated cursor exploit planted on them by hackers.

Hackers trying to infect computers using Microsoft's animated cursor vulnerability are using pictures of Britney Spears to lure users to dangerous websites.

"The message is simple: you must patch your computers against this vulnerability now or risk infection. Hackers are exploiting people's tardiness in rolling out updates and looking to infect as many PCs as they can," said Graham Cluley, senior technology consultant for Sophos. "Microsoft issued a patch for the problem yesterday, but the hackers will continue to take advantage of the critical security loophole for as long as they can."

Sophos's gateway security solutions detected the spam email messages without requiring an update, and the Sophos Web Security Appliance blocks users from visiting the websites hosting the malicious code.

Home users of Microsoft Windows can visit update.microsoft.com to have their systems scanned for Microsoft security vulnerabilities.

Sophos suggests that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.

Sophos experts note that this is far from the first time that Britney Spears has been used as bait in an attempt to trick innocent computer users into viral infection. The promise of glimpses of pin-ups like Halle Berry, Avril Lavigne, Anna Kournikova, Julia Roberts, Angelina Jolie and Brad Pitt, Jennifer Lopez, or the stars of 'Sex and the City' has previously been used to help viruses spread.

Sophos continues to recommend companies protect their desktops and servers with automatically updated protection against viruses, spyware, and spam.