Slashdot Mirror

← Back to Stories (view on slashdot.org)

New IE Malware Captures Passwords Ahead Of SSL

Posted by simoniker on from the tricky dept.

Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'."

7 of 986 comments (clear)

  1. SF article by savagedome · · Score: 5, Informative

    SF has an article regarding this.
    Gates Defends Microsoft Patch Efforts

    --


    Free XBox, PS2
  2. usually a good idea by dtfinch · · Score: 5, Informative

    To uncheck the "enable third party browser extensions" box in your Internet Explorer properties, if you must use Internet Explorer. This fixes most of the Internet Explorer problems that people ever experience and blame on Microsoft.

    There is the slight problem that malware can silently reenable it when they run, but I doubt many do.

  3. The fellow in the article... by tcopeland · · Score: 5, Informative

    ....who figured out how it worked (i.e., Browser Handler Object, HTTP POST of stolen account info to a site) is Tom Liston of Hackbusters. He's been sorting through this kind of thing for a while...

    --
    The Army reading list
  4. Funny CIAC issued a warning in 2002 by that1guy · · Score: 5, Informative

    Funny, CIAC Issued a warning about BHO's in early 2002 Link to warning

  5. Re:Coming events by msoftsucks · · Score: 5, Informative

    No need. Your can run Firefox from removable media. Just get yourself a USB memory stick or USB micro drive, and follow the installation instructions.

    Do this for a few power users, and within a very short time, the IE-only requirement goes away pretty fast.

    --
    Quit playing Monopoly with Bill.
    Linux - of the people, by the people, and for the people.
  6. Re:So.. by Hank+Reardon · · Score: 5, Informative

    There is no feature in Firefox that would prevent the writing of the application.

    There is, however, a feature that would prevent the installation of the application. From my experiences so far with Mozilla's various incarnations, you can't silently install plugins.

    I can puzzle out a way for this to run under Mozila, but it's a lot more complicated than under IE. IE uses the global (HKEY_LOCAL_MACHINE) and user (HKEY_CURRENT_USER) registry keys to keep track of plugins. As far as I've been able to find, Mozilla uses a separate registry per profile to keep plugins and customizations working; probably due to an offshoot of cross-platform compatibility.

    The tools for installing the IE exploits are already in place: just convince IE to run some code via a buffer overflow or somesuch, have the code run "regsvr32 myfunexploit" and the exploit is installed into HKLM as a browser helper object. With Mozilla, you'd have to do a bit more work: find a buffer overflow exploit to execute remote code, have your code figure out where the profile directory for the user is located, run through that directory looking for a Mozilla installation, parse out the Mozilla registry, install your exploit code and (probably) wait for the user to restart Mozilla before it's loaded.

    As the article noted, you need a third party application to easily list and modify BHO plugins. Under Firefox, at least, it's a single click to see what plugins you have running.

    This could, in theory, be done with Mozilla-and-friends, but most of the features in the browser, simple plugin viewing and a separate registry, make it, if not unlikely to happen, at least more easily noticed by the end user.

    --
    There's so little difference between politics and jihad lately...
  7. w00t by alexburke · · Score: 5, Informative

    As of 7:11 PM Eastern Time (1.5 hours after my phone call), the site is now offline.