Slashdot Mirror


New IE Malware Captures Passwords Ahead Of SSL

Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'"

22 of 986 comments

  1. SF article by savagedome · · Score: 5, Informative

    SF has an article regarding this.
    Gates Defends Microsoft Patch Efforts

  2. usually a good idea by dtfinch · · Score: 5, Informative

    To uncheck the "enable third party browser extensions" box in your Internet Explorer properties, if you must use Internet Explorer. This fixes most of the Internet Explorer problems that people ever experience and blame on Microsoft.

    There is the slight problem that malware can silently re-enable it when it runs, but I doubt many do.

  3. grr.. typo above by Theatetus · · Score: 3, Informative

    That query is for "refestldt.com" and I stupidly typed "reflestldt.com" after "domain name". The whois info is accurate, just not what I typed there.

    --
    All's true that is mistrusted

  4. The fellow in the article... by tcopeland · · Score: 5, Informative

    ....who figured out how it worked (i.e., Browser Handler Object, HTTP POST of stolen account info to a site) is Tom Liston of Hackbusters. He's been sorting through this kind of thing for a while...

  5. It's probably fake: Blue Valley High by tmoertel · · Score: 3, Informative

    A Google search on the phone number reveals that it is for one Blue Valley High School.

    In other words, it's almost certainly a bogus phone number attached to bogus domain-registration info.

  6. Re:Can someone explain... by Camel+Pilot · · Score: 4, Informative

    The problem is that websites are tested for IE only and are often broken with other browsers. Not because they are using some nifty (non-standard) feature of IE, but just because the web developers only test IE.

    I think this will change when non-IE browsers start ruling a larger percentage in the server logs and too many customers complain. I always take the time to send a nice e-mail to websites that are broken with Mozilla.

    Companies need to know that they are limiting their customer base and are losing sales.

    Just yesterday I was signing up for a dedicated server at a vendor and their web page was not working correctly; I brought up IE and it worked fine. Ticked - I left and signed up with the competition (servermatrix).

  7. Funny CIAC issued a warning in 2002 by that1guy · · Score: 5, Informative

    Funny, CIAC issued a warning about BHOs in early 2002: Link to warning

  8. Re:Can someone refer me to a useful BHO? by JavaLord · · Score: 3, Informative

    Anytime I hear of BHOs it's always malware/spyware/adware... so when is it used for good? Seriously....

    It's used for Adobe Acrobat's PDF plug-in for IE. I turn all of them off on my computer using BHO Demon.

  9. Re:If this won't get people to switch, what will? by babbage · · Score: 3, Informative

    That sounds nice and all, but if your bank's site only works in IE -- as is true for many banks both large & small -- then the customer doesn't really have a choice in the matter.

    I know people that are perfectly happy to use Mozilla 90% of the time, but when they have to log in to Fleet (or whatever other bank site), they must use IE there.

    Yes, the problem here is the bank's broken site, but what can you do? Their standard response is "95% of people use IE, so that's what we support", completely ignoring the line of thought that if they wrote in a portable, standards compliant way, they wouldn't have to think about these issues, and their customers would be much happier. But there we are -- stuck.

    Your exclamation points are appreciated, but until the banks & other IE-only sites realize the errors of their ways, you're just berating the victims of the larger crime here.

  10. Re:Why is a gif file getting run as an EXE?!? by Zcipher · · Score: 4, Informative

    As I understood it, it doesn't; basically the gif file is actually an exe exploiting the joys of hidden file extensions. Thus, its name would properly be img1big.gif.exe.
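The comment above is about what Explorer hides, not about the malware itself, so here is an added check (my code, not from the thread or from the ISC write-up) that makes the hidden part visible: it reports whether the "Hide extensions for known file types" setting is on, and for each file in a folder compares the name Explorer would display with the real extension and with the file's leading bytes (Windows executables begin with "MZ"). The registry path and value name are the standard Explorer ones; the extension lists are my own and can be extended.

```powershell
# Added example, not from the original thread.
# 1. Report whether Explorer hides extensions for known file types.
# 2. For each file, compare the displayed name, the real extension and the
#    content header, and flag files such as "img1big.gif.exe".

function Get-HideFileExtSetting {
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $val = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    # 1 = extensions hidden (the Windows default), 0 = shown
    if ($val -eq 0) { 'shown' } else { 'hidden' }
}

function Test-DisguisedExecutable {
    param([Parameter(Mandatory)][string]$Path)

    $name     = [System.IO.Path]::GetFileName($Path)
    $realExt  = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
    # With extensions hidden, Explorer shows the name minus its last extension,
    # so "img1big.gif.exe" is displayed as "img1big.gif"
    $shown    = [System.IO.Path]::GetFileNameWithoutExtension($name)
    $shownExt = [System.IO.Path]::GetExtension($shown).ToLowerInvariant()

    # Read the first two bytes; PE executables (EXE, DLL, SCR) start with "MZ"
    $buf = New-Object byte[] 2
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, 2) } finally { $fs.Dispose() }
    $isPe = ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)

    # Extension lists are illustrative, not exhaustive
    $execExts = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.dll'
    $dataExts = '.gif', '.jpg', '.jpeg', '.png', '.pdf', '.txt', '.doc'

    # Double extension that reads as a data file once the real one is hidden
    $extensionSpoof = ($shownExt -in $dataExts) -and ($realExt -in $execExts)
    # Executable content behind a non-executable extension
    $contentSpoof   = $isPe -and ($realExt -notin $execExts)

    [pscustomobject]@{
        File          = $name
        DisplayedAs   = $shown
        RealExtension = $realExt
        PEHeader      = $isPe
        Suspicious    = ($extensionSpoof -or $contentSpoof)
    }
}

# Usage: check the setting, then scan the browser download folder
"Known file type extensions are: $(Get-HideFileExtSetting)"
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Test-DisguisedExecutable -Path $_.FullName } |
    Where-Object { $_.Suspicious } |
    Format-Table -AutoSize
```

The content check matters more than the name check: renaming a file does nothing to its "MZ" header, so a file that claims to be a GIF but carries a PE header is flagged regardless of how many extensions it has.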

  11. Another happy firefox user... by zippity8 · · Score: 3, Informative

    To get around the "teaching others to use a new browser", I just loaded Firefox, added a luna skin to make it look like IE, and then used firesomething to change the name to "internet explorer". They barely know the difference!

    But for those that are unfortunate enough to have to help those that insist on IE, for whatever reason, a program called BHODemon might help you. It lets Windows users see what BHOs are loaded at any particular time, so I would assume that this malware would show up here as well. It's a quick way that someone can find out just what is running in the background.

    http://www.definitivesolutions.com/bhodemon.htm
    BHODemon 1.0

  12. How to switch to firefox on windows... by Phil+John · · Score: 3, Informative

    • go to http://www.mozilla.org/products/firefox
    • download the windows installer
    • run aforementioned installer
    • Realise that installer automatically imports IE favourites
    • Select the Internet Explorer icon, press "Del" key
    • When asked if you are sure, say yes (with extreme prejudice)

    It's really that simple. For added effect you could try replacing the Firefox icon with the Explorer one (right click | properties | change icon | browse to iexplore.exe | select the icon from the ones that come up); that's what I did, as I was used to clicking on a blue e. After a while I weaned myself off.

    --
    I am NaN

  13. BHOs and you by Lieutenant_Dan · · Score: 4, Informative

    There's a good explanation of BHO and how malware authors tend to exploit it here.

    Maybe this is the kick in the pants that M$ will get now that financial institutions are targeted with an exploit from a badly designed browser model.

    Which is nice.

    --
    Wearing pants should always be optional.

  14. Re:I love IE by Peter+Cooper · · Score: 3, Informative

    How is an IE exploit an advertisement for Apple? Does this specific problem not exist in IE for Macs?

    Uh, no. An Apple Mac couldn't run the executable; it uses a different family of CPU. Even if it could, IE's browser share on Mac OS X is very low.

  15. Disclosure? by jamcc · · Score: 3, Informative

    So there's a list of 50-or-so banking sites that the malware picks up. Where's the list? How can I know if I need to call home and tell the wife to NOT use online banking until I get home or not? Also, what's the quick way to tell if I have the malware or not? Does it drop a dll, exe or something somewhere? I *hate* things like this where it's reported that "you might be infected" -- tell me what clues I can look for to know. Tell me which (if any?) IE fixes subvert this. Tell me which A/V vendors have patches to prevent it (if any). Aargh.

  16. Re:Coming events by msoftsucks · · Score: 5, Informative

    No need. You can run Firefox from removable media. Just get yourself a USB memory stick or USB micro drive, and follow the installation instructions.

    Do this for a few power users, and within a very short time, the IE-only requirement goes away pretty fast.

    --
    Quit playing Monopoly with Bill.
    Linux - of the people, by the people, and for the people.

  17. Re:Wouldn't hurt me too much by Zarhan · · Score: 3, Informative

    Wow, the Finnish bank solution is way overkill. I'd rather have to deal with identity theft every 5 years than to keep a list of one time use passwords.

    The list is a credit-card shaped piece of plastic that has a bunch of numbers on both sides. Goes easily in wallet. Doesn't matter if it gets stolen because you still need the username/password pair and you can get a new list by calling your bank.

    And like I said, you can still use the smartcard version (so you'll skip the typing of one-time-password entirely).

  18. Re:So.. by Hank+Reardon · · Score: 5, Informative

    There is no feature in Firefox that would prevent the writing of the application.

    There is, however, a feature that would prevent the installation of the application. From my experiences so far with Mozilla's various incarnations, you can't silently install plugins.

    I can puzzle out a way for this to run under Mozilla, but it's a lot more complicated than under IE. IE uses the global (HKEY_LOCAL_MACHINE) and user (HKEY_CURRENT_USER) registry keys to keep track of plugins. As far as I've been able to find, Mozilla uses a separate registry per profile to keep plugins and customizations working; probably due to an offshoot of cross-platform compatibility.

    The tools for installing the IE exploits are already in place: just convince IE to run some code via a buffer overflow or somesuch, have the code run "regsvr32 myfunexploit" and the exploit is installed into HKLM as a browser helper object. With Mozilla, you'd have to do a bit more work: find a buffer overflow exploit to execute remote code, have your code figure out where the profile directory for the user is located, run through that directory looking for a Mozilla installation, parse out the Mozilla registry, install your exploit code and (probably) wait for the user to restart Mozilla before it's loaded.

    As the article noted, you need a third party application to easily list and modify BHO plugins. Under Firefox, at least, it's a single click to see what plugins you have running.

    This could, in theory, be done with Mozilla-and-friends, but most of the features in the browser, simple plugin viewing and a separate registry, make it, if not unlikely to happen, at least more easily noticed by the end user.

    --
    There's so little difference between politics and jihad lately...

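Comment 18 above describes where IE records its BHOs (registry keys under HKLM and HKCU, populated by regsvr32) and comment 2 names the "enable third-party browser extensions" switch. The following is an added check (my code, not from the thread, not BHODemon, and not from the ISC write-up) that does from a shell what BHODemon does in a GUI: it walks the standard "Browser Helper Objects" keys, resolves each CLSID to the DLL that IE would load through its InprocServer32 entry, reports the DLL's Authenticode status, and shows the third-party extensions setting. The key and value paths are the standard IE/COM locations; the HKCU BHO key is included as a conservative extra check even though IE normally loads BHOs from HKLM, and the Wow6432Node paths cover 32-bit IE on 64-bit Windows.

```powershell
# Added example, not from the original thread.
# Lists every registered Browser Helper Object, the DLL behind it, its
# signature status, and whether third-party extensions are enabled at all.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'   # extra, conservative
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Resolve-BhoDll {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $clsidRoots) {
        $srv = Join-Path -Path $root -ChildPath "$Clsid\InprocServer32"
        if (Test-Path $srv) {
            # The key's default value is the DLL path that COM loads for this CLSID
            $dll = (Get-ItemProperty -Path $srv).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName          # one subkey per BHO, named by its CLSID
            $dll   = Resolve-BhoDll -Clsid $clsid
            $status = 'no DLL registered'
            if ($dll) {
                $status = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status }
                          else { 'DLL missing' }
            }
            [pscustomobject]@{
                Hive      = $key.Substring(0, 4)   # HKLM or HKCU
                CLSID     = $clsid
                Dll       = $dll
                Signature = $status
            }
        }
    }
}

function Get-ThirdPartyExtensionSetting {
    # The Advanced-tab checkbox from comment 2 is stored as "yes"/"no" here
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $v = (Get-ItemProperty -Path $main -ErrorAction SilentlyContinue).'Enable Browser Extensions'
    # An absent value means the default, which is enabled
    if ($null -eq $v) { 'yes (default)' } else { $v }
}

"Third-party browser extensions enabled: $(Get-ThirdPartyExtensionSetting)"
Get-RegisteredBho | Format-Table -AutoSize
```

What to look at in the output: a BHO whose DLL is unsigned (Status NotSigned), lives outside Program Files or the Windows directory, or was not there on the last run is the kind of entry the ISC write-up describes, and it appears here whether or not it bothers to name itself. Running the script once on a clean machine and keeping the output makes later comparison trivial, and if the setting line reads "no" the listed BHOs are registered but not being loaded by IE.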
  19. Re:Can someone refer me to a useful BHO? by Paladine97 · · Score: 4, Informative

    TO ALL YOU PR0N WANTERS :

    I will upload the project tonight for your downloading pleasures. And yes, of course it's GPL! Well actually it doesn't really have any licenses yet, so it will probably end up being GPL or BSD.

  20. Re:Coming events by Phexro · · Score: 4, Informative

    You will, however, notice that many of the bugs mentioned there are fairly trivial, and (as of Firefox 0.8) several of them appear to be fixed now.

    It's not anything like IE's bugginess and incomplete support. You don't see freak bugs like IE's margin-doubling. IE also lacks support for :hover, position: fixed, and has many other bugs and omissions.

    And the fact is, no browser supports all of CSS2. Mozilla (Gecko) has much better support than most browsers, and they are constantly improving its rendering. Compare that with the stagnation of IE's development over the last several years.

  21. Stupid hacker.... by Pedrito · · Score: 4, Informative

    Okay, this idiot must want to get caught. To you aspiring virus/trojan writers out there: DO NOT have your virus/trojan send information to a web site. Send it to a newsgroup. Geez. Encrypt it if you must, but don't send it somewhere where you can be tracked. Send it somewhere where you can get it anonymously. Man, moron hackers out there. It's like that idiot Slashdot reported on yesterday who got caught on the extortion deal when he told them who to make the check out to.

  22. w00t by alexburke · · Score: 5, Informative

    As of 7:11 PM Eastern Time (1.5 hours after my phone call), the site is now offline.