Slashdot Mirror


New IE Malware Captures Passwords Ahead Of SSL

Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Helper Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'"

13 of 986 comments

  1. SF article by savagedome · · Score: 5, Informative

    SF has an article regarding this.
    Gates Defends Microsoft Patch Efforts

  2. usually a good idea by dtfinch · · Score: 5, Informative

    To uncheck the "enable third party browser extensions" box in your Internet Explorer properties, if you must use Internet Explorer. This fixes most of the Internet Explorer problems that people ever experience and blame on Microsoft.

    There is the slight problem that malware can silently re-enable it when it runs, but I doubt many do.

  3. The fellow in the article... by tcopeland · · Score: 5, Informative

    ....who figured out how it worked (i.e., Browser Handler Object, HTTP POST of stolen account info to a site) is Tom Liston of Hackbusters. He's been sorting through this kind of thing for a while...

  4. Re:Can someone explain... by Camel+Pilot · · Score: 4, Informative

    The problem is that websites are tested for IE only and are often broken with other browsers. Not because they are using some nifty (non-standard) feature of IE, but just because the web developers only test IE.

    I think this will change when non-IE browsers start ruling a larger percentage in the server logs and too many customers complain. I always take the time to send a nice e-mail to websites that are broken with Mozilla.

    Companies need to know that they are limiting their customer base and are losing sales.

    Just yesterday I was signing up for a dedicated server at a vendor and their webpage was not working correctly; I brought up IE and it worked fine. Ticked off, I left and signed up with the competition (servermatrix).

  5. Funny CIAC issued a warning in 2002 by that1guy · · Score: 5, Informative

    Funny, CIAC issued a warning about BHOs in early 2002. Link to warning

  6. Re:Why is a gif file getting run as an EXE?!? by Zcipher · · Score: 4, Informative

    As I understood it, it doesn't; basically the gif file is actually an exe exploiting the joys of hidden file extensions. Thus, its name would properly be img1big.gif.exe.

  7. BHOs and you by Lieutenant_Dan · · Score: 4, Informative

    There's a good explanation of BHO and how malware authors tend to exploit it here.

    Maybe this is the kick in the pants that M$ will get now that financial institutions are targeted with an exploit from a badly-designed browser model.

    Which is nice.

    --
    Wearing pants should always be optional.

  8. Re:Coming events by msoftsucks · · Score: 5, Informative

    No need. You can run Firefox from removable media. Just get yourself a USB memory stick or USB micro drive, and follow the installation instructions.

    Do this for a few power users, and within a very short time, the IE-only requirement goes away pretty fast.

    --
    Quit playing Monopoly with Bill.
    Linux - of the people, by the people, and for the people.

  9. Re:So.. by Hank+Reardon · · Score: 5, Informative

    There is no feature in Firefox that would prevent the writing of the application.

    There is, however, a feature that would prevent the installation of the application. From my experiences so far with Mozilla's various incarnations, you can't silently install plugins.

    I can puzzle out a way for this to run under Mozilla, but it's a lot more complicated than under IE. IE uses the global (HKEY_LOCAL_MACHINE) and user (HKEY_CURRENT_USER) registry keys to keep track of plugins. As far as I've been able to find, Mozilla uses a separate registry per profile to keep plugins and customizations working; probably due to an offshoot of cross-platform compatibility.

    The tools for installing the IE exploits are already in place: just convince IE to run some code via a buffer overflow or somesuch, have the code run "regsvr32 myfunexploit" and the exploit is installed into HKLM as a browser helper object. With Mozilla, you'd have to do a bit more work: find a buffer overflow exploit to execute remote code, have your code figure out where the profile directory for the user is located, run through that directory looking for a Mozilla installation, parse out the Mozilla registry, install your exploit code and (probably) wait for the user to restart Mozilla before it's loaded.

    As the article noted, you need a third party application to easily list and modify BHO plugins. Under Firefox, at least, it's a single click to see what plugins you have running.

    This could, in theory, be done with Mozilla-and-friends, but most of the features in the browser, simple plugin viewing and a separate registry, make it, if not unlikely to happen, at least more easily noticed by the end user.

    --
    There's so little difference between politics and jihad lately...

  10. Re:Can someone refer me to a useful BHO? by Paladine97 · · Score: 4, Informative

    TO ALL YOU PR0N WANTERS :

    I will upload the project tonight for your downloading pleasures. And yes, of course it's GPL! Well actually it doesn't really have any licenses yet, so it will probably end up being GPL or BSD.

  11. Re:Coming events by Phexro · · Score: 4, Informative

    You will, however, notice that many of the bugs mentioned there are fairly trivial, and (as of Firefox 0.8) several of them appear to be fixed now.

    It's not anything like IE's bugginess and incomplete support. You don't see freak bugs like IE's margin-doubling. IE also lacks support for :hover, position: fixed, and has many other bugs and omissions.

    And the fact is, no browser supports all of CSS2. Mozilla (Gecko) has much better support than most browsers, and they are constantly improving its rendering. Compare that with the stagnation of IE's development over the last several years.

  12. Stupid hacker.... by Pedrito · · Score: 4, Informative

    Okay, this idiot must want to get caught. To you aspiring virus/trojan writers out there: DO NOT have your virus/trojan send information to a web site. Send it to a newsgroup. Geez. Encrypt it if you must, but don't send it somewhere where you can be tracked. Send it somewhere where you can get it anonymously. Man, moron hackers out there. It's like that idiot Slashdot reported on yesterday who got caught on the extortion deal when he told them who to make the check out to.

  13. w00t by alexburke · · Score: 5, Informative

    As of 7:11 PM Eastern Time (1.5 hours after my phone call), the site is now offline.