
Exploit:Win64/Anogre.A


Microsoft security software detects and removes this threat. 

This malicious file exploits a vulnerability in the Windows kernel-mode driver Win32k.sys (CVE-2011-3402). Because the flaw is in kernel-mode font parsing, successful exploitation gives an attacker kernel-mode code execution and, with it, the ability to install programs; view, change, or delete data; or create new accounts with full administrative privileges.

If you visit a website containing the malicious code while using a vulnerable version of Windows, an attempt to load Exploit:Win64/Anogre.A will be made.



What to do now

The following Microsoft software detects and removes this threat: 

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Update Windows

If you have automatic updating enabled, you don't need to take any action because this security update will be downloaded and installed automatically. If you have not enabled automatic updating, you will need to check for updates and install this update manually. There is more information about automatic updating in Microsoft Knowledge Base Article 294871.

Threat behavior

Exploit:Win64/Anogre is a specially crafted TrueType font file that exploits a vulnerability in the Win32k.sys system file.

Win32k.sys is the Windows kernel-mode driver that, among other functions, parses and renders TrueType fonts in kernel mode (ring 0). A malformed font is therefore parsed with kernel privileges even when it was loaded by an unprivileged process such as a browser, which is why a parsing bug in this driver yields full system compromise rather than a crash of a single application.

If you visit a website containing the malicious code while using a vulnerable version of Windows, an attempt to load Exploit:Win64/Anogre will be made.

The following versions of Windows are vulnerable to this exploit:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Make sure that you install all available updates from the vendor in order to avoid this exploit; the fix for CVE-2011-3402 was released in Microsoft Security Bulletin MS11-087. You can read more about this vulnerability and download software updates from these links:

What is an exploit?

Exploits are written to take advantage of weaknesses (or "vulnerabilities") in legitimate software. A project called "Common Vulnerabilities and Exposures" (or "CVE"), used by many vendors and organizations, gives each vulnerability a unique identifier, in this case "CVE-2011-3402". The portion "2011" refers to the year the identifier was assigned, and "3402" is a unique ID for this specific vulnerability. The official source that gives out CVE identifiers lists this one at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3402.

Payload

Grants an attacker full administrative privileges

If the exploit is successful, an attacker may be able to perform the following actions on your computer:

  • Install programs
  • View, change, or delete data
  • Create new accounts

Additional technical details

Exploit:Win64/Anogre takes advantage of the glyph bitmap information embedded in the TrueType font file.

The glyph bitmap information is encoded by means of three tables: embedded bitmap locators (EBLC), embedded bitmap data (EBDT), and embedded bitmap scaling information (EBSC). For the exploit to work, all three tables are manipulated.

The vulnerability is caused when the Windows kernel-mode driver does not properly validate the font data before writing into a buffer. Such a font file can be embedded in a malicious webpage or in any other file format that carries fonts.

Once such a file is opened on the targeted computer, the font is parsed by the Win32k.sys kernel-mode driver; if the driver is vulnerable, an attacker who successfully exploits the flaw can run arbitrary code in kernel mode.

An attacker could then do the following on your computer:

  • Install programs
  • View, change, or delete data
  • Create new accounts

This particular version of the exploit is distributed as a TrueType font file 4198 bytes long with font version 1.102. The most prevalent file names of web pages carrying the malicious TrueType font, which may be found in the browser's cache folder, are:

  • alcohol.htm
  • brain.htm
  • chain.htm
  • CURTAIN-FISHING.htm
  • incessant.htm 
  • Insight.Job.htm
  • Typically.htm
  • tyre_voyage.htm
  • WORDING.htm
  • you.htm
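As an added triage example (not code from the original write-up or from Microsoft), the script below reads the sfnt table directory of a TrueType file, reports whether all three embedded-bitmap tables named above (EBLC, EBDT, EBSC) are present, and reads head.fontRevision so that a recovered font can be compared against the 4198-byte, version 1.102 sample described above. The font bytes used at the bottom are constructed inline for the demonstration, and the "all three bitmap tables present" heuristic is an assumption of this example, not a detection signature.

```python
import struct
import sys

# The three embedded-bitmap tables the write-up says the exploit manipulates.
BITMAP_TABLES = {b"EBLC", b"EBDT", b"EBSC"}

# Accepted sfnt scaler types: 0x00010000 (TrueType) and 'true' (Apple TrueType).
TRUETYPE_SCALERS = (0x00010000, 0x74727565)


def parse_table_directory(data):
    """Return {tag: (offset, length)} from an sfnt table directory.

    Raises ValueError on anything that is not a well-formed TrueType container,
    including tables whose offset+length run past the end of the file.
    """
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    scaler, num_tables, _search, _entry, _shift = struct.unpack(">IHHHH", data[:12])
    if scaler not in TRUETYPE_SCALERS:
        raise ValueError("not a TrueType sfnt: scaler type 0x%08x" % scaler)
    tables = {}
    for i in range(num_tables):
        record = data[12 + 16 * i: 28 + 16 * i]
        if len(record) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", record)
        if offset + length > len(data):
            raise ValueError("table %r extends past end of file" % tag)
        tables[tag] = (offset, length)
    return tables


def font_revision(data, tables):
    """head.fontRevision (16.16 fixed at offset 4 of 'head') rounded to 3 places, or None."""
    if b"head" not in tables:
        return None
    offset, length = tables[b"head"]
    if length < 8:
        return None
    raw = struct.unpack(">i", data[offset + 4: offset + 8])[0]
    return round(raw / 65536.0, 3)


def triage(data):
    """Summarise a font blob: size, revision, bitmap tables found, and a heuristic flag."""
    tables = parse_table_directory(data)
    present = BITMAP_TABLES & set(tables)
    return {
        "size": len(data),
        "revision": font_revision(data, tables),
        "bitmap_tables": sorted(t.decode("ascii") for t in present),
        # Assumption of this example: a web font shipping all three bitmap tables
        # matches the structure the write-up describes and deserves a closer look.
        "suspicious": present == BITMAP_TABLES,
    }


def build_font(table_payloads):
    """Assemble a minimal sfnt from {tag: bytes}. Constructed test data only."""
    tags = sorted(table_payloads)
    header = struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0)
    directory_size = 12 + 16 * len(tags)
    records, body = b"", b""
    for tag in tags:
        payload = table_payloads[tag]
        records += struct.pack(">4sIII", tag, 0, directory_size + len(body), len(payload))
        body += payload + b"\0" * ((4 - len(payload) % 4) % 4)  # keep tables 4-aligned
    return header + records + body


# 'head' is 54 bytes: version 1.0, then fontRevision 1.102 as 16.16 fixed (72221/65536).
HEAD_1_102 = b"\x00\x01\x00\x00" + struct.pack(">i", 72221) + b"\0" * 46

# Constructed sample resembling the described structure (not the real malicious font).
SAMPLE_WITH_BITMAPS = build_font({
    b"head": HEAD_1_102, b"cmap": b"\0" * 4, b"glyf": b"\0" * 4,
    b"EBLC": b"\0" * 8, b"EBDT": b"\0" * 8, b"EBSC": b"\0" * 8,
})
SAMPLE_PLAIN = build_font({b"head": HEAD_1_102, b"cmap": b"\0" * 4, b"glyf": b"\0" * 4})

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WITH_BITMAPS
    print(triage(blob))
```

Run it as `python triage.py some_font.ttf` on a file carved from the browser cache; a font whose parse raises ValueError is itself worth keeping, since a directory that points outside the file is a common shape for parser-exploiting samples. A matching size of 4198 bytes and revision 1.102 together with the three bitmap tables is a strong indicator for this specific sample, while the bitmap-table heuristic alone will also flag legitimate bitmap-bearing fonts.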

Analysis by Oleg Petrovsky


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    affection.htm
    BISCUIT.DISABILITY.htm
    INTOXICATE_INCREASING.htm
    MILITANT.htm
    mix.htm
    PRINTING.htm
    Syllable.htm
    terrify.provider.htm
    Trader.htm
    winning-content.htm

Prevention


Alert level: Severe
First detected by definition: 1.143.56.0
Latest detected by definition: 1.143.159.0 and higher
First detected on: Jan 16, 2013
This entry was first published on: Jan 16, 2013
This entry was updated on: Oct 11, 2013

This threat is also detected as:
No known aliases