Patch/Configuration Management, Vulnerability Management

Racy Britney Spears photos used as ANI exploit lure; few problems reported with early Windows patch

Count a website touting racy photos of former pop diva Britney Spears as one of about 450 that are hosting the dangerous ANI exploit, patched on Tuesday by Microsoft in an emergency release.

Spam, written in HTML to evade filters, arrives with the subject "Hot Pictures of Britiney Speers," [sic] and contains links leading to the malicious sites, according to a security alert from Websense. Obfuscated JavaScript on these sites actually brings users to a single site that is hosting the exploit code, said Websense researchers.

The server connected to the site is based in Russia and has been used in similar attacks to install rootkits and other trojans, the alert said.

A number of compromised sites containing IFrames, which permit the embedding of HTML documents inside a main document, are contributing to the spread of exploits, according to researchers. In this case, the IFrames are pointing to a site hosting the ANI exploit.

Roger Thompson, CTO and chief researcher of Exploit Prevention Labs, said Tuesday on his blog that the IFrame "lures" are leading to a site installing a Rustok rootkit.

"They have a strong and large system of lures, so this is a pretty good escalation of events," Thompson said. "Good thing the patch came out today."

In addition, Thompson reported "large numbers" of hacked sites, mostly based in China, are hosting similar payloads.

Meanwhile, more details emerged late Tuesday about the lead-up to Microsoft’s patch release. Mike Reavey of the Microsoft Security Response Center said the company first received word of the vulnerability on Dec. 20, but the fix had to go through a lengthy building and testing process before it was ready for release.

As users apply the patch, some problems are resulting, the SANS Internet Storm Center reported today.

At least one application, the Realtek HD Audio Control Panel, may not start after the fix is installed, according to an updated advisory from Microsoft.

Microsoft suggests applying the accompanying hotfix.


Click here to email reporter Dan Kaplan.


Looking for a new job? has the latest IT security employment opportunities. Click here for our jobs page.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.