April 3, 2007
It’s amazing to me, the stranglehold that Microsoft seems to have on the PC market, so much so that for years they’ve been the target of so many attacks, exploits, trojans and viruses. Between the OS itself just not being secure and their flagship browser, which many dub “Internet Exploder”, it’s surprising that Windows would continue for so long to be such a popular product.
But why change from what you know, right? If you started out on Windows, you’re unlikely to switch to anything else.
And then this little nugget came along, highlighting the latest and greatest exploit, the well-documented animated cursor bug (.ANI files).
[Users] who visit one of the thousands of pages will be infected with a generic password
stealer that will run without any user-interaction. ... they will be redirected to two
unique locations which are hosting exploit code which in turn downloads and installs a
file called "ad.exe". The file includes a generic password stealer and is not detected
well by most Antivirus companies.
If that wasn’t enough, Websense also warns of a large-scale attack via email:
"... that includes links to sites that are hosting ANI exploit code. Users receive an email
with the subject line "Hot Pictures of Britiney Speers" ... Users who click on the links are
redirected to one of several websites that ... sends all users to the same website, which
is hosting the exploit code.
"When users connect, a file is downloaded and installed without any end-user interaction.
The file is called 200.exe... The binary file appears to be a new variant of ... operating
system hooks and spamming capabilities."
Bad, right? Buckle your seatbelts… There’s more to 200.exe than meets the eye: “When run, 200.exe writes itself (into the Windows registry) to ensure it gets into the execution cycle on reboot … it emails out to a hotmail account, presumably to announce that the victim has been 0wned, and then calls out to a different server on port 80 every five minutes, presumably looking for commands. In other words, it’s a bot / backdoor. Oh, and it’s a rootkit.”
Yowza - triple-whammy: you visit a site that exploits ANI animated cursors, and end up with a program that steals your passwords and a program that turns your PC into a remotely-controlled zombie system.
But wait a sec … “Oh, and it’s a rootkit”
Love their attitude about it: “Oh yeah, before we forget …”
According to Wikipedia:
"A rootkit is a set of software tools intended to conceal running processes, files or
system data from the operating system"
In other words, this 200.exe file will be running as Winlogin.exe, which already shows up in your process list, but just in case you’re clever enough to kill that off without crashing your Windows machine, it’s also going to run in a protected piece of memory where you can’t view, modify or kill the running processes. And I’ll bet you lunch that the rootkit will monitor the registry and rewrite itself in there if it detects you’re clever enough to find it.
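The one part of 200.exe’s behaviour that is visible from outside the infected box is the call-out to a server on port 80 every five minutes. A clockwork pattern like that stands out in outbound connection logs, and the script below, an added example rather than code from this post or from Websense, shows how to spot it: it assumes a constructed log format of “timestamp source destination:port” and flags any flow whose connection gaps are nearly constant.

```python
"""Flag hosts that contact the same server at a fixed interval, i.e. the
"calls out ... every five minutes" check-in the alert describes."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (not from any real capture): "timestamp src dst:port".
# 10.0.0.5 hits 198.51.100.7:80 every ~300 s; the other flows are ordinary noise.
SAMPLE_LOG = """\
2007-04-03T10:00:02 10.0.0.5 198.51.100.7:80
2007-04-03T10:00:41 10.0.0.5 203.0.113.9:80
2007-04-03T10:05:03 10.0.0.5 198.51.100.7:80
2007-04-03T10:07:19 10.0.0.5 203.0.113.9:443
2007-04-03T10:10:01 10.0.0.5 198.51.100.7:80
2007-04-03T10:15:02 10.0.0.5 198.51.100.7:80
2007-04-03T10:16:44 10.0.0.5 203.0.113.9:80
2007-04-03T10:20:03 10.0.0.5 198.51.100.7:80
"""

def parse(log_text):
    """Yield (timestamp, src, dst, port) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst, int(port)

def find_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Return {(src, dst, port): period_seconds} for flows that look like
    beacons: at least min_hits connections, and the spread of the gaps
    between them (pstdev) is within max_jitter of the mean gap."""
    flows = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        flows[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[key] = round(period)
    return beacons

if __name__ == "__main__":
    for (src, dst, port), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} every ~{period}s")
```

Real proxy or firewall logs need their own parser, but the grouping and jitter check carry over unchanged; tune min_hits and max_jitter to your traffic volume to keep legitimate pollers (NTP, update checks) from drowning out the result.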
People, enough already. Dump Microsoft, delete Windows, move to another operating system like Linux, which offers actual user-space protection – if you’re logged in as a plain old user and you download some nasty piece of code, it’s very likely not going to have the means (permissions, access, etc.) to cause any real damage.
Now, get over to Microsoft’s web site and patch your machine, windoze boy. And stop ogling ‘hot’ pictures of Britney entering a Sinead O’Connor look-alike contest.