funsec mailing list archives

Websense: A Tale of Two ANI Attacks


From: "Fergie" <fergdawg () netzero net>
Date: Mon, 9 Apr 2007 18:18:38 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well worth a read.

Via The Websense Security Labs Blog.

[snip]

By now most of you are familiar with the ANI zero-day attacks that have
been happening over the last week. See bottom of this blog entry for URL
details and background on ANI.

The state as of now is that there are more than 2000 unique sites that are
hosting exploit code and/or are compromised and are pointing to machines
that host exploit code.

There are two main attacks that comprise the majority of these sites.
The first set, we believe, comes from one of the first groups to start using
the zero-day exploits in the wild. These are attacks that started in the
China region and appear to be created by groups within the Asia Pacific
Region. The attackers have compromised hundreds of machines and placed
IFRAMEs back to the main servers that host the exploit code. In most cases
the payload and motivation of these attacks is to gather credentials for
online games such as Lineage. Lineage is a very popular online game in Asia.

The second set of attacks, which started just a couple of days ago, appears
to be from a group in Eastern Europe. This group has been placing exploit
code on sites for many years now and has a very resilient infrastructure.
They have used WMF, VML, and several other exploits in their routines
previously. As of now they have also added the ANI attacks to their arsenal.
The payload and motivation is somewhat different, however, as they are more
known to install rootkits and crimeware which is designed to install
form-grabbing software and keyloggers in order to compromise end-user
banking details. Also in the past they have installed fake anti-spyware
software as a distraction and as a means to trick someone into acquiring
some anti-spyware software.

[snip]

More:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=122

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.0 (Build 214)

wj8DBQFGGoN0q1pz9mNUZTMRAkadAJ9yNLnz5x5bw3MfN17Hn6GbfZe5MwCgp2F2
N42r049WOJikrJ20a0nOKJU=
=r7YX
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
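The Websense excerpt above describes the injection pattern used by the first group: compromised sites carry IFRAMEs that pull visitors' browsers to the servers hosting the ANI exploit. The following is an added example, not code from the Websense post or from Fergie's message, of the check a site owner or responder would run over a suspect page: it collects every IFRAME and flags those whose src points off-site and that are sized or styled to be invisible, the usual shape of such an injection. The host names and markup are constructed samples; the hidden-frame heuristic is an assumption of this example, not something the post specifies.

```python
"""Flag injected IFRAMEs that send a page's visitors to a third-party host.

Added example, not part of the original post. Host names and the sample
page below are constructed; the "off-site and hidden" heuristic is this
example's assumption about what an injected exploit IFRAME looks like.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Bare attributes arrive as (name, None); normalise to strings.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a 0/1 pixel dimension such as "0", "1", "0px"."""
    return value.strip().lower().rstrip("px") in ("0", "1")


def _is_hidden(attrs):
    """Does the frame's size or inline style keep it out of sight?"""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        bool(w and h and _tiny(w) and _tiny(h))
        or "display:none" in style
        or "visibility:hidden" in style
    )


def find_suspicious_iframes(html, site_host):
    """Return IFRAMEs that are both off-site and hidden, with the reasons.

    site_host is the host the page legitimately lives on; frames whose src
    is relative or on that host are treated as the site's own content.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # "" for relative src
        off_site = bool(host) and host != site_host.lower()
        hidden = _is_hidden(attrs)
        if off_site and hidden:
            findings.append({
                "src": src,
                "host": host,
                "reasons": ["off-site src", "hidden or zero-size frame"],
            })
    return findings


# Constructed sample: one legitimate frame and two injected ones.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example-site.test/news/" width="600" height="400"></iframe>
<iframe src="http://exploit-host.test/ani/index.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://exploit-host.test/x.htm" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "www.example-site.test"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run it against a saved copy of each page on a compromised host rather than fetching live, so the check never triggers the exploit chain itself; the two constructed frames pointing at exploit-host.test are the ones it reports.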


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

