CYBERSPACE — Horny admirers of porn mega queen Jenna Jameson and/or pampered hotel chain princess Paris Hilton got more than they bargained for recently when they clicked on spam claiming to lead to exotic images of each.Instead of compromising photos of their favorite bottle blondes, the computer users found themselves downloading gobs of malware.
According to security experts, the masterminds behind this latest attack on home computer security were responsible for last week’s similar assault, which promised naughty visuals of rehab romantic Britney Spears.
“What’s interesting about this,” observes Sunbelt Software president Alex Eckelberry on SCMagazine.com, “is that these guys are sending out these bold, graphic pictures that have striking images. It’s all trying to invite a click.”
“These guys” are believed to be members of Russian organized crime collectives that recently began taking advantage of the Microsoft .ANI bug
According to researchers, those who click the link from the “Hot pictures of Paris Hilton nude” email find themselves looking at a large image of Jameson, instead of merely inheriting payloads from invasive worms clinging to executable attachments. Nonetheless, the websites they ultimately connect with are loaded with the Iffy-B Trojan, which sends the compromised system to malware intent to exploit the Microsoft weakspot.
“It’s pretty sophisticated stuff,” Eckelberry points out. “It’s heavily obfuscated JavaScript code that takes you to a number of different sites.”
Eckelberry says that the new, graphically oriented spam began approximately two weeks ago and arrives with a convincing Microsoft graphic instructing recipients to download Internet Explorer beta 2. When the gullible computer user attempts to do so, their system swallows a worm.
Things changed after last Wednesday’s out-of-cycle animated cursor fix was released. That’s when the Spears spam began to make the rounds, serving up malicious code hidden inside of saucy photos of the divorcing and recently panty-free performer. Eckelberry warns that web-based mail such as Hotmail or Yahoo may be particularly vulnerable to these schemes.
Sophos senior technology consultant Graham Cluley worries that “The problem is that consumers and businesses may not yet have patched themselves against this vulnerability, and clicking on unsolicited emails like these could lead them to a nasty malware infection.”
Even systems freshly patched may not be impervious to attack, however. Dan Hubbard, vice-president of Websense has estimated that there were 700 malicious code sites located last week and says that “We’re seeing a little over 2,000 sites that have exploits or point to exploit code in one way or another.
Microsoft released an emergency patch for the .ANI bug last week. Security professionals, though, are concerned that users who are slow to patch will become new victims as attacks on the vulnerability continue to surge. Dan Hubbard, VP of security company Websense, said in an interview that the patch hasn’t slowed the creation of new exploits. They’re still coming online at an alarming rate. “The patch definitely helped,” he reassures. “It went from 100-percent of people with Internet Explorer being vulnerable to a smaller subset.” But he cautions that “It didn’t slow the attacks. It just made their success rate lower.”
Hubbard says that the initial wave of .ANI exploits originated from Chinese servers and appeared to focus on stealing the profitable credentials of online Lineage players. Things have shifted away from gaming and China now, however, with Russian crime members entering the scene, planting code on American based sites, and looking for visitors’ banking information.
Although the .ANI vulnerability affected all Windows systems, including the brand new Vista OS, Mozilla’s Firefox browser is also at risk, although current attacks have not focused on the open-source application.
