Sophos

4 April 2007

Britney fears: troubled pop star exploited by Microsoft ANI vulnerability

Computer users must patch against toxic flaw now

IT security and control firm Sophos has urged computer users to patch their computers against a vulnerability in the way Microsoft Windows handles animated cursors as hackers exploit the problem by using pictures of pop star Britney Spears.

Emails spammed out by hackers are directing internet users to hacked PHP websites with the promise of candid pictures of the troubled singer. PHP, a scripting language used by many websites, has suffered from serious security vulnerabilities in the past.

On 30 March the initial campaign began, with just a link to a Russian website. The site contained the Troj/Iffy-A Trojan horse, which pointed at another piece of malware that contained a zero-day exploit of Microsoft's animated cursor (ANI) vulnerability. Sophos detects this malicious code as Troj/Animoo-L.

At this stage the emails contained no graphics, but cycled their subject lines in an attempt to avoid detection as the following short example of the timeline demonstrates:

2007/03/30 14:21:10 birtney psears nakde
2007/03/30 14:26:58 birtney speasr nkaed
2007/03/30 14:34:04 britnye speras anked
2007/03/30 14:39:20 briteny psears nkaed
2007/03/30 14:40:15 britnye speasr nkaed
2007/03/30 14:40:23 rbitney spaers nakde
2007/03/30 14:40:24 rbitney speras anked
2007/03/30 14:42:48 rbitney speasr nkaed
2007/03/30 14:42:58 britnye speras nkaed
2007/03/30 14:44:16 birtney speasr nkaed
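
The subject lines above are letter transpositions of the same three words, so reducing each word to its sorted letters gives one stable key for the whole run. The following is an added example, not part of the Sophos release or of any Sophos product; the function names, the three-variant threshold and the one-hour window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Subject-line timeline copied from the release above.
TIMELINE = """\
2007/03/30 14:21:10 birtney psears nakde
2007/03/30 14:26:58 birtney speasr nkaed
2007/03/30 14:34:04 britnye speras anked
2007/03/30 14:39:20 briteny psears nkaed
2007/03/30 14:40:15 britnye speasr nkaed
2007/03/30 14:40:23 rbitney spaers nakde
2007/03/30 14:40:24 rbitney speras anked
2007/03/30 14:42:48 rbitney speasr nkaed
2007/03/30 14:42:58 britnye speras nkaed
2007/03/30 14:44:16 birtney speasr nkaed
"""

def signature(subject):
    """Key that ignores letter order: each word reduced to its sorted letters."""
    words = ("".join(sorted(c for c in w.lower() if c.isalpha()))
             for w in subject.split())
    return tuple(w for w in words if w)

def parse(log):
    """Yield (timestamp, subject) from 'YYYY/MM/DD HH:MM:SS subject' lines."""
    for line in log.splitlines():
        if line.strip():
            date, time, subject = line.split(maxsplit=2)
            yield datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S"), subject

def scrambled_campaigns(log, min_variants=3, window=timedelta(hours=1)):
    """Return {signature: sorted spellings} for groups of subjects that share a
    signature, use at least min_variants distinct spellings, and whose first
    and last sightings are no more than `window` apart."""
    groups = defaultdict(list)
    for ts, subject in parse(log):
        groups[signature(subject)].append((ts, subject))
    hits = {}
    for sig, rows in groups.items():
        rows.sort()
        variants = {s for _, s in rows}
        if len(variants) >= min_variants and rows[-1][0] - rows[0][0] <= window:
            hits[sig] = sorted(variants)
    return hits
```

The key only survives reordering of letters within a word; a subject with added or dropped letters produces a different signature and needs an edit-distance comparison instead.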

Since the initial campaign, the hackers' attack has evolved. In the last few days spammed email messages with subject lines such as "Hot pictures of Britiney Speers" have contained an embedded image of the scantily clad pop star which links to a number of websites which have had the animated cursor exploit planted on them by hackers.

Hackers trying to infect computers using Microsoft's animated cursor vulnerability are using pictures of Britney Spears to lure users to dangerous websites.

"The message is simple: you must patch your computers against this vulnerability now or risk infection. Hackers are exploiting people's tardiness in rolling out updates and looking to infect as many PCs as they can," said Graham Cluley, senior technology consultant for Sophos. "Microsoft issued a patch for the problem yesterday, but the hackers will continue to take advantage of the critical security loophole for as long as they can."

Sophos's gateway security solutions detected the spam email messages without requiring an update, and the Sophos Web Security Appliance blocks users from visiting the websites hosting the malicious code.

Home users of Microsoft Windows can visit update.microsoft.com to have their systems scanned for Microsoft security vulnerabilities.

Sophos suggests that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.

Sophos experts note that this is far from the first time that Britney Spears has been used as bait in an attempt to trick innocent computer users into viral infection. The promise of glimpses of pin-ups like Halle Berry, Avril Lavigne, Anna Kournikova, Julia Roberts, Angelina Jolie and Brad Pitt, Jennifer Lopez, or the stars of 'Sex and the City' has previously been used to help viruses spread.

Sophos continues to recommend companies protect their desktops and servers with automatically updated protection against viruses, spyware, and spam.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.
