Posted on 03 April 2007
Websense Security Labs(TM) has discovered a large email spam run whose messages link to sites hosting ANI exploit code. Users receive an HTML email with the subject line "Hot Pictures of Britiney Speers"; the HTML carries filter-evasion text hidden inside HTML comments.
Users who click on the links are redirected to one of several websites that we are tracking. The sites contain obfuscated JavaScript. The decoded JavaScript sends all users to the same website, which is hosting the exploit code.
When users connect, a file is downloaded and installed without any end-user interaction. The file is called 200.exe with the MD5 of b017cae51e4498c309690b8936f2fa79. The binary file appears to be a new variant of a file infector with operating system hooks and spamming capabilities. A more complete analysis will soon appear on our blog.
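As an added illustration that is not part of the Websense alert, the Python script below shows how a defender could triage mail from this campaign using only what the alert states: it flags a message whose subject matches the one quoted above, measures how much of the HTML body is hidden inside comments (the filter-evasion chaff described above), extracts the links as blocklist candidates, and checks a downloaded file's MD5 against the indicator for 200.exe. The sample message, its `example.invalid` domains, the 50% chaff threshold and the benign control message are constructed for this example; only the MD5 and subject line come from the alert.

```python
import email
import hashlib
import re
from email import policy

# Indicator published in the alert: MD5 of the dropped 200.exe.
KNOWN_BAD_MD5 = {"b017cae51e4498c309690b8936f2fa79"}
# Subject line quoted in the alert (compared case-insensitively).
KNOWN_BAD_SUBJECTS = {"hot pictures of britiney speers"}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
HREF_RE = re.compile(r"""href=["']?(https?://[^"'\s>]+)""", re.IGNORECASE)


def split_comments(html: str):
    """Return (visible text, list of comment bodies) for an HTML fragment."""
    comments = [c.strip() for c in COMMENT_RE.findall(html)]
    visible = TAG_RE.sub("", COMMENT_RE.sub("", html))
    return " ".join(visible.split()), comments


def comment_chaff_ratio(html: str) -> float:
    """Share of the message text that lives inside HTML comments.

    Spam that pads comments with innocuous words shows a naive text
    classifier something very different from what the recipient sees.
    """
    visible, comments = split_comments(html)
    hidden = sum(len(c) for c in comments)
    total = hidden + len(visible)
    return hidden / total if total else 0.0


def analyze_message(raw: bytes, chaff_threshold: float = 0.5) -> dict:
    """Triage one raw RFC 822 message and return the indicators found.

    chaff_threshold is an assumed tuning value, not one from the alert.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    ratio = comment_chaff_ratio(html)
    reasons = []
    if subject.lower() in KNOWN_BAD_SUBJECTS:
        reasons.append("subject matches alert")
    if ratio > chaff_threshold:
        reasons.append(f"{ratio:.0%} of text hidden in HTML comments")
    return {
        "subject": subject,
        "links": HREF_RE.findall(html),  # candidates for blocklisting / sandboxing
        "comment_chaff_ratio": ratio,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_known_bad(data: bytes) -> bool:
    """True if the bytes hash to an MD5 listed in the alert."""
    return md5_hex(data) in KNOWN_BAD_MD5


# Constructed sample message modelled on the campaign; domains are placeholders.
SAMPLE_EMAIL = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Hot Pictures of Britiney Speers
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<!-- quarterly report meeting agenda attached for your review thanks -->
<!-- please find the minutes from last week and the budget summary -->
<a href="http://redirector.example.invalid/pics">click here</a>
<!-- regards accounting department invoice reference number -->
</body></html>
"""

if __name__ == "__main__":
    print(analyze_message(SAMPLE_EMAIL))
    print("known bad?", is_known_bad(b"placeholder bytes, not 200.exe"))
```

The comment ratio is deliberately computed on the raw HTML rather than on rendered text, because the point of the chaff is that the two differ; a mail gateway that classifies only the rendered text would never see it. The MD5 check is an exact-match indicator, so it catches the file named in the alert and nothing else; a repacked variant needs the behavioural analysis the alert promises rather than a hash.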
The main server that hosts the exploit code is hosted in Russia and has been used by groups that have installed rootkits, password stealing Trojans, and other nefarious code in the past.
For additional details and information on how to detect and prevent this type of attack:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=764