Racy Britney Spears photos used as ANI exploit lure; few problems reported with early Windows patch


Count a website touting racy photos of former pop diva Britney Spears as one of about 450 that are hosting the dangerous ANI exploit, patched on Tuesday by Microsoft in an emergency release.

Spam, written in HTML to evade filters, arrives with the subject "Hot Pictures of Britiney Speers," [sic] and contains links leading to the malicious sites, according to a security alert from Websense. Obfuscated JavaScript on these sites actually brings users to a single site that is hosting the exploit code, said Websense researchers.

The server connected to the site is based in Russia and has been used in similar attacks to install rootkits and other trojans, the alert said.

A number of compromised sites containing IFrames, which permit the embedding of HTML documents inside a main document, are contributing to the spread of exploits, according to researchers. In this case, the IFrames are pointing to a site hosting the ANI exploit.

Roger Thompson, CTO and chief researcher of Exploit Prevention Labs, said Tuesday on his blog that the IFrame "lures" are leading to a site installing a Rustock rootkit.

"They have a strong and large system of lures, so this is a pretty good escalation of events," Thompson said. "Good thing the patch came out today."

In addition, Thompson reported "large numbers" of hacked sites, mostly based in China, are hosting similar payloads.

Meanwhile, more details emerged late Tuesday about the lead-up to Microsoft’s patch release. Mike Reavey of the Microsoft Security Response Center said the company first received word of the vulnerability on Dec. 20, but the fix had to go through a lengthy building and testing process before it was ready for release.

As users apply the patch, some are encountering problems, the SANS Internet Storm Center reported today.

At least one application, the Realtek HD Audio Control Panel, may not start after the fix is installed, according to an updated advisory from Microsoft.

Microsoft suggests applying the accompanying hotfix.


Click here to email reporter Dan Kaplan.

