S-s-s-something From the Comments
Monday April 2, 2007 at 2:04 pm CST
Posted by Allysa Myers
sleepdoc Says: I love you guys who act like the IT guy on the SNL skit, “Jeez, one could easily manually remove the malware via autoruns or similar tool. …” Right, like the average user has any idea what you mean.
There is a very wide range of technical experience levels among readers of this blog, and it can be very difficult for us to write for all possible levels. So, we’ll conduct a little experiment: Periodically I’ll post a breakdown for those of us who are less technically inclined, to explain a security concept in layman’s terms.
This is where you come in: If this is helpful, let me know. If I’m still being too heavy on the geek-speak, let me know that, too. If you have a specific request, fire away. I’d like this to be as universally useful as possible.
So, here’s a basic breakdown of the ANI exploit situation:
There are a huge number of innocent Web sites–hacked by the same group that hacked the Superbowl site–that are hosting a file which exploits an unpatched hole in many recent Windows versions. The file was created in such a way that it can cause a system to download and run malware.
What that means to you and me is that either just by browsing around to our favorite sites, or by following links in e-mail, we could be going to sites that are hacked to contain this malicious ANI file. We’re not talking about searching just for pr0n or warez or something, but regular, everyday Web sites.
If your system is vulnerable, you will not see the exploit run - you may not see much of anything out of the ordinary. And from there, it could be silently pulling other nasty things down onto your machine. There is not currently a patch or work-around from Microsoft to fix this. That’s why this threat is such a big deal.
Adding to this scariness is that these ANI files are being frequently tweaked by the hackers so they can evade antivirus detection. We’ve added generic detection for these malformed files as new ones are found, and this has been working quite well so far at proactively picking up brand new variants. Having a firewall can also help stop the new files that are being downloaded by the ANI files, as those are being frequently updated too. (These downloader trojans are, very generally, what Ned was discussing in his comment.)
The bottom line here is to be extra vigilant about updating your virus definitions frequently, and make sure you have a firewall. Keep an eye on Microsoft’s site for an update; they’re planning on releasing a patch tomorrow. Don’t run files, especially ones arriving by e-mail, that claim to be Microsoft updates or patches. Get your patches directly from Microsoft.
Next up: Firewalls 101 - what is an “open” port and why should I care?
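As an added example (not code from the original post), here is the kind of structural sanity check that generic “malformed ANI file” detection relies on: it walks the RIFF chunks of an .ani file and flags any anih header chunk whose declared length is not the 36 bytes the format defines. The RIFF/ACON layout and the 36-byte anih header size are taken from the documented cursor format rather than from the post, and the sample files are constructed inline.

```python
import struct

# The ANI header chunk ("anih") is a fixed 36-byte structure (nine 32-bit
# fields). Any anih chunk that declares a different length is malformed.
ANIH_EXPECTED_SIZE = 36


def iter_chunks(buf, start, end):
    """Yield (fourcc, payload) for each RIFF chunk in buf[start:end], descending into LIST chunks.
    A chunk whose declared size runs past its container yields (fourcc, None) and stops."""
    pos = start
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        body_start, body_end = pos + 8, pos + 8 + size
        if body_end > end:
            yield (fourcc, None)
            return
        if fourcc == b"LIST":
            # A LIST carries a 4-byte list type followed by nested chunks.
            yield from iter_chunks(buf, body_start + 4, body_end)
        else:
            yield (fourcc, buf[body_start:body_end])
        pos = body_end + (size & 1)  # chunks are padded to even length


def check_ani(buf):
    """Return a list of structural problems; an empty list means the file looks well-formed."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        return ["not a RIFF ACON (ANI) file"]
    problems = []
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    if riff_size + 8 > len(buf):
        problems.append("RIFF size exceeds file length")
    anih_count = 0
    for fourcc, payload in iter_chunks(buf, 12, min(len(buf), riff_size + 8)):
        if payload is None:
            problems.append(f"chunk {fourcc!r} declares a size past the end of its container")
            break
        if fourcc == b"anih":
            anih_count += 1
            if len(payload) != ANIH_EXPECTED_SIZE:
                problems.append(f"anih chunk #{anih_count} has size {len(payload)}, expected {ANIH_EXPECTED_SIZE}")
    if anih_count == 0:
        problems.append("no anih chunk")
    return problems


def build_ani(anih_payloads):
    """Constructed test helper: a minimal ANI file containing the given anih payloads."""
    body = b"ACON"
    for p in anih_payloads:
        body += b"anih" + struct.pack("<I", len(p)) + p + (b"\0" if len(p) & 1 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body


GOOD_ANIH = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)  # a well-formed 36-byte header
```

Running `check_ani` over a file whose second anih chunk claims 60 bytes reports the oversized chunk, which is the sort of pattern a generic signature keys on regardless of what else the attacker changes in the file.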

April 2nd, 2007 at 4:17 pm
“There are a huge number of innocent Web sites–hacked by” is too technical. Dumb it down to something like, “more than 125,000,” or “more than nine.” Be specific.
April 2nd, 2007 at 5:51 pm
Allysa,
Although I do sympathise with sleepdoc, I particularly enjoy reading over this site for the technical level of detail that is usually included, which to my knowledge was the focus of the posts.
Getting the ‘basic breakdown’ of most problems can be achieved via the standard news articles and so forth floating around. This blog in my eyes was a great way to get some extra technical detail regular websites didn’t offer.
April 2nd, 2007 at 7:42 pm
While I am concerned about zero-days, I’ve never gotten a good answer on this:
Assuming that I have current AV running (happens to be McAfee Viruscan), if I visit an ani-evil site, the ani-exploit might work. But wouldn’t the subsequent actions of the ani-exploit be sensed and blocked by my AV?
For example, if the ani-evil site attempted to download and run a keystroke logger, wouldn’t that action of trying to download (or even load) the keystroke logger program get caught by my current AV?
My point is that the zero-day action would not be caught, but the subsequent actions of downloading/executing malware *would* be caught by a current AV-protected system, with a good firewall.
A knee-jerk reaction (“all malware is evil; you are always vulnerable to zero-day”) is not a reasonable answer. Wouldn’t my current AV be a pretty good protection against something like the ANI exploit that tries to subsequently download/execute malware?
Please respond thoughtfully….
Thanks…Rick.
April 3rd, 2007 at 5:45 am
For RickH
The answer - unfortunately - is both a yes and a no!
If the zero-day exploit is downloading a file which the AV already handles - either with a specific detection for that particular binary, or with a generic detection - a detection which detects “general” patterns that occur within a family of malware - or even a “heuristic” detection that is looking more for behavioural type patterns within the code - then yes, the AV product will alert and/or block this additional malware from running on your system.
However, if the zero-day exploit downloads/runs a file which the AV cannot handle, then the answer is “NO”, at least in terms of the file running.
And please remember that the bad guys could have a selection of many different files for download on the site - some of which might be detected, and some of which might not!
For example, a new “bot” which has been “packed” using an encryption tool which the AV product cannot handle (although not technically the case for many “packers”, from the AV perspective “packers” are simply an encryption mechanism).
In terms of transmission of data back to the hacker, then a firewall can/should block these transmissions, but with the rootkit technology available to the bad guys as well as process injection, many firewalls are unable to block this behaviour under all circumstances…
However - as you point out - the AV product can help - and one of the most common symptoms that users might see is that the exploit is downloading “adware” onto your system - if you start to see adware alerts on your system that you wouldn’t expect then you should treat this in the same way as a malware (virus/trojan) alert because the real risk of course isn’t the adware itself - it’s “how the heck did that get onto my computer in the first place!”
One thing to look at for your information - check the numbers of detections that the DATs cover on a day-by-day basis - AVERT are having to add in new detections for hundreds - if not 1000 or more - new items of malware every week, that may or may not be related to these zero-day exploits…
Regards
Daniel Wolff
April 3rd, 2007 at 9:13 am
AMIGAF - Right now the number is fluctuating some due to people cleaning up the hacked servers. It seems to be consistently over 100,000 sites.
MichaelW - No worries, we’ll still have primarily technically-oriented articles. But I figured it would also be nice to have articles for less technically-oriented people, to catch them up on some of the more complicated concepts. More benefit for more people.
RickH - I’ll be posting a blog to respond to your comment soon, as that requires more in-depth information. Until then, Daniel Wolff’s comment sums it up nicely!