
Websense Security Lab

Posted on 31 March 2007

Websense Security Labs(TM) is actively tracking more than 100 websites that are spreading the ANI "zero-day" exploit. Proof-of-concept (POC) attack code is also now available, and we expect additional attacks to surface.

Currently, the majority of the attacks appear to be downloading and installing generic password-stealing code. As the graphs in the full alert show, most of the sites are hosted in China. Interestingly, the most popular domain space being used is .com.

Because POC code is now downloadable on the web, no patch is available from Microsoft, and some of the attackers we are tracking have already infected hundreds of sites, we expect exploits to continue to surface and the number of affected sites to grow.

Reports out of China also indicate that a worm is now propagating using the exploit code: http://www.cisrt.org/enblog/read.php?68.

We are scanning the web and providing pre-emptive blocking for all Websense security customers. We also recommend that customers block all uncategorized websites with the .exe filter extension, because most of these exploits simply download a .exe from the same site that serves the exploit.
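One way to apply the advice above to proxy logs, as an added example that is not part of the Websense alert: it lists .exe downloads from uncategorized sites for blocking, and additionally flags a client fetching an .ani file and then a .exe from the same host, the pattern the alert describes. The log format, the "uncategorized" category label and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the alert). Assumed format:
# <ISO timestamp> <client_ip> <URL category> <URL>
LOG_LINES = """\
2007-03-31T10:00:01 10.0.0.5 news http://news.example.test/index.html
2007-03-31T10:00:03 10.0.0.5 uncategorized http://cursor.example.test/page.html
2007-03-31T10:00:04 10.0.0.5 uncategorized http://cursor.example.test/x.ani
2007-03-31T10:00:05 10.0.0.5 uncategorized http://cursor.example.test/load.exe
2007-03-31T10:00:09 10.0.0.7 software http://vendor.example.test/setup.exe
2007-03-31T10:00:12 10.0.0.9 uncategorized http://other.example.test/tool.exe
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
HOST_RE = re.compile(r"^https?://([^/]+)/", re.IGNORECASE)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, category, url = m.groups()
    h = HOST_RE.match(url)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "category": category.lower(), "url": url,
            "host": h.group(1).lower() if h else ""}


def analyse(lines, window=timedelta(minutes=5)):
    """Return (to_block, correlated).

    to_block:   .exe URLs served from uncategorized sites (the alert's advice).
    correlated: (client, host, exe_url) where the same client fetched an .ani
                from that host within `window` before the .exe download.
    """
    to_block, correlated = [], []
    last_ani = {}  # (client, host) -> timestamp of most recent .ani fetch
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        path = ev["url"].split("?", 1)[0].lower()
        if path.endswith(".ani"):
            last_ani[(ev["client"], ev["host"])] = ev["ts"]
            continue
        if not path.endswith(".exe"):
            continue
        if ev["category"] == "uncategorized":
            to_block.append(ev["url"])
        seen = last_ani.get((ev["client"], ev["host"]))
        if seen is not None and ev["ts"] - seen <= window:
            correlated.append((ev["client"], ev["host"], ev["url"]))
    return to_block, correlated
```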

Graphs available within full alert.

For additional details and information on how to detect and prevent this type of attack:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=763
