Animated Cursor Flaw Remains in Cross Hairs

More than a week after Microsoft's patch release, the ANI flaw is targeted by attackers using Paris Hilton and Jenna Jameson as bait.

IT organizations are being urged to deploy a patch for a bug affecting how Microsoft Windows handles animated cursors as spammers step up their efforts to exploit the flaw—this time with a promise of lewd pictures of celebrity hotel heiress Paris Hilton.

The spammed e-mail messages have subject lines such as "Hot pictures of Paris Hilton nude" but actually contain an embedded image of adult film star and entrepreneur Jenna Jameson. When clicked on, the image links to a Web site containing the malicious Troj/Iffy-B Trojan horse, which in turn points to another piece of malware targeting the Microsoft vulnerability.

Graham Cluley, senior technology consultant at Sophos, in Abingdon, England, said companies should have an anti-spam solution in place to prevent these kinds of messages from arriving at employees desktops in the first place.

"Its about time that alarm bells rang in the brains of PC users when they receive an unsolicited e-mail offering them porn or salacious celebrity snapshots," he said. "Year after year we have seen hackers using this kind of social engineering to fool innocent users into clicking on a link or opening a dangerous file."

The fact that attackers are still looking to exploit a flaw patched more than a week ago came as little surprise to Dan Hubbard of San Diego-based Websense. Researchers at the company announced they had found some 2,000 unique sites hosting the exploit code or pointing to compromised machines hosting the code.

"Although organizations appear to be getting better, we still see exploits for vulnerabilities long after the patches have been released," Hubbard said. "As an example we see approximately 10-15 percent exploitation success on vulnerabilities that have been patched for 6 months-plus still."

Home users who have upgraded to Windows XP Service Pack 2 or Vista are most likely automatically downloading security patches for their operating system, Cluley said. But he noted that doesnt help businesses where it is a system administrators decision when to roll out patches. He explained system administrators are sometimes nervous about rolling out patches across their enterprise until the patches have been tested internally.

"This is to avoid clashes with existing software, as there have been instances in the past where Microsoft has had to patch the patch because of problems in its initial release," Cluley said.

/zimages/7/28571.gifMicrosoft has released patches for four critical flaws. Click here to read more.

According to researchers at Sophos, this latest attack is believed to be by the same group of hackers that spammed out scantily clad pictures of Britney Spears the week of April 2 to exploit the Microsoft vulnerability. Sophos experts also noted that Paris Hilton has been used as bait before to trick users into viral infection. Two mass-mailing worms that masqueraded as X-rated videos of Hilton were released in February 2005, company officials said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.