From Websense:

Websense Security Labs(TM) is actively tracking more than 100 websites that are spreading the ANI “zero-day” exploit. Proof-of-concept (POC) attack code is also now available, and we expect additional attacks to surface.

Currently the majority of the attacks appear to be downloading and installing generic password stealing code. Also, as represented in the below graphs, most sites are hosted in China. Interestingly the most popular domain space being used is .com.

Due to the fact that POC code is now downloadable on the web, there is no patch from Microsoft, and the fact that some of the attackers we are tracking have infected hundreds of sites on the web, we believe that exploits will continue to surface and the numbers will get larger.

Reports out of China also indicate that a worm is now propagating using the exploit code: http://www.cisrt.org/enblog/read.php?68.

We are scanning the web and providing pre-emptive blocking for all security customers of Websense and recommend that customers block all uncategorized websites with the .exe filter extension due to the fact that most exploits simply download a .exe from the same site the exploit is being served from.

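The recommendation quoted above (block executables from uncategorized sites, since the payload is usually fetched from the same host as the exploit page) can be applied to proxy logs. The following is an added example, not Websense's code or filter: the log lines, host list and field layout are all constructed, and `CATEGORIZED_HOSTS` stands in for whatever category database the URL filter actually uses.

```python
from urllib.parse import urlsplit

# Constructed proxy log (not from the advisory): "client method url referer status".
SAMPLE_LOG = """\
10.0.0.5 GET http://news.portal.example/index.html - 200
10.0.0.5 GET http://x7q2.drive-by.example/pic.ani http://x7q2.drive-by.example/ 200
10.0.0.5 GET http://x7q2.drive-by.example/update.exe http://x7q2.drive-by.example/pic.ani 200
10.0.0.9 GET http://downloads.vendor.example/setup.exe http://downloads.vendor.example/ 200
10.0.0.9 GET http://m3.drive-by.example/a.exe - 200
"""

# Hypothetical category database: any host not listed here is "uncategorized".
CATEGORIZED_HOSTS = {
    "news.portal.example": "news",
    "downloads.vendor.example": "software",
}

BLOCKED_EXTENSIONS = (".exe",)


def parse_line(line):
    """Split one constructed log line into its fields; '-' means no referer."""
    client, method, url, referer, status = line.split()
    return {"client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer, "status": int(status)}


def classify(entry, categories=CATEGORIZED_HOSTS):
    """Policy: block .exe downloads from any host the filter has not categorized.
    The reason string also notes the same-host referer pattern the advisory describes."""
    url = urlsplit(entry["url"])
    host = (url.hostname or "").lower()
    if not url.path.lower().endswith(BLOCKED_EXTENSIONS):
        return "allow", "not an executable download"
    if host in categories:
        return "allow", f"categorized host ({categories[host]})"
    ref_host = (urlsplit(entry["referer"]).hostname or "").lower() if entry["referer"] else ""
    if ref_host == host:
        return "block", "uncategorized host; .exe fetched from the same site as the referring page"
    return "block", "uncategorized host"


def triage(log_text):
    """Return (client, url, verdict, reason) for every request the policy blocks."""
    results = []
    for line in filter(str.strip, log_text.splitlines()):
        entry = parse_line(line)
        verdict, reason = classify(entry)
        if verdict == "block":
            results.append((entry["client"], entry["url"], verdict, reason))
    return results
```

Running `triage(SAMPLE_LOG)` blocks the two downloads from uncategorized hosts and lets the vendor download through, which is the trade-off the advice accepts: unknown hosts serving executables are treated as hostile until categorized.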

Article Link

The PoC code, version 2 and version 3 (external links)

Symantec has added detection: W32.Fubalca
McAfee has added detection: W32/Fujacks.aa

CISRT Link “New worm use the .ani zero day vulnerability”
