Attackers operating from Chinese servers may have been the first to use the animated-cursor (.ANI) file flaw in Microsoft Windows to exploit victims' systems, but another group--apparently operating from Eastern Europe--has started using the flaw as well, security firm Websense said on Monday.
The Chinese attackers have operated at least since late last year and typically have targeted victims' accounts for online games such as World of Warcraft and Legacy. More recent attacks that appear to emanate from Eastern Europe have installed rootkits and keyloggers aimed at getting access to victim's financial accounts, according to Websense.
"This group has been placing exploit code on sites for many years now and has a very resilient infrastructure," wrote researchers from security firm Websense. "They have used WMF, VML, and several other exploits in there routines previously. As of now they have also added the ANI attacks to their arsenal."
Flaws in the Microsoft's Windows' handling of Windows Meta File (WMF) and the Vector Markup Language (VML) allowed computers that had not been patched to be exploited remotely through the Internet Explorer.
The vulnerability in Microsoft Windows' processing of animated-cursor (.ANI) files is of similar magnitude to both the WMF and VML flaws. While Microsoft was told of the vulnerability in December, the software giant had not expedited a fix, but made the critical patch a part of its normal process. In the end, attackers found the flaw first and Microsoft had to release an emergency patch last week. The vulnerability affects all versions of Windows, including Windows Vista.
The Web site of PC hardware maker ASUS was compromised late last week in a manner typical of both these groups.
Posted by: Robert Lemos