Animated Cursor Vulnerability Attacks Increasing

Looks like attackers are increasing their use of the Windows Animated Cursor Vulnerability we posted awhile back, link to the patch is here, with one group pushing it in the United States and in Europe, and another Chinese group pushing it in China. Two different attempts to exploit the same vulnerability.

There are two main attacks that comprise of the majority of these sites. The first set we believe are one of the first groups to start using the zero-day exploits in the wild. These are attacks that started in the China region and appear to be created by groups within the Asia Pacific Region. The attackers have compromised hundreds of machines and placed IFRAME’s back to the main servers that host the exploit code. In most cases the payload and motivation of these attacks is to gather credentials for online games such as lineage. Lineage is a very popular online game in Asia.

The second set of attacks started just a couple days ago appear to be from a group in Eastern Europe. This group has been placing exploit code on sites for many years now and has a very resilient infrastructure. They have used WMF, VML, and several other exploits in there routines previously. As of now they have also added the ANI attacks to their arsenal. The payload and motivation is somewhat different however as they are more known to install rootkit’s and crimeware which is designed to install form grabbing software and keyloggers in order to compromise end-user banking details. Also in the past they have installed fake anti-spyware software as a distraction and as a means to falsify someone into acquiring some anti-spyware software. Source: A tale of two ANI attacks: Same exploit, different motives, different targets

It’s amazing to me that there could be groups doing this stuff for years and getting away with it, no doubt helped by people creating websites and then abandoning them for years. Google recently starting removing the links for sites like these out of the natural search results, so, hopefully, most of the sites with their code are or will be removed soon.