New IE Malware Captures Passwords Ahead Of SSL
Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Helper Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'"
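A BHO has to be registered before IE will load it, which gives a responder something concrete to check on a machine used for banking. The following is an added example, not code from the SANS report or from the post above: it parses a "reg export" of the Browser Helper Objects key together with the CLSID\InprocServer32 keys those GUIDs point at, and lists each BHO with the DLL IE will load plus a few triage hints. The registry dump, GUIDs, names and DLL paths are constructed samples, not indicators from the report.

```python
import re

# Constructed sample of what `reg export` produces for the key under which IE
# registers Browser Helper Objects, plus the CLSID entries those GUIDs point to.
# The GUIDs, names and DLL paths are hypothetical and are NOT indicators from
# the SANS report.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Acrobat Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-0000-0000-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\msbhook.dll"
"ThreadingModel"="Apartment"
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}.

    Only REG_SZ values are kept (that is all a BHO registration needs); the
    default value is stored under the name "(default)".
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                # .reg files escape quotes and backslashes with a backslash
                keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def list_bhos(reg_text):
    """One dict per registered BHO: its CLSID, friendly name and the DLL IE will load."""
    keys = parse_reg_export(reg_text)
    prefix = BHO_KEY.lower() + "\\"
    bhos = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):]
        server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {})
        bhos.append({
            "clsid": clsid,
            "name": values.get("(default)"),
            "dll": server.get("(default)"),
        })
    return bhos


def triage_reasons(bho):
    """Heuristic reasons to look closer; an empty list means nothing stood out.

    Triage hints only: the real check is to hash the DLL, inspect its signature
    and strings, and compare against a known-good baseline of the machine.
    """
    reasons = []
    dll = (bho["dll"] or "").lower()
    if not dll:
        reasons.append("no InprocServer32 path (orphaned or hidden registration)")
    if not bho["name"]:
        reasons.append("no friendly name")
    if dll and not dll.startswith("c:\\program files\\"):
        reasons.append("DLL outside Program Files: " + bho["dll"])
    return reasons


if __name__ == "__main__":
    for bho in list_bhos(SAMPLE_REG_EXPORT):
        flags = triage_reasons(bho)
        print(bho["clsid"], bho["name"], bho["dll"], ("<-- " + "; ".join(flags)) if flags else "")
```

On a live machine the same two keys exist under HKEY_CURRENT_USER as well, so export both hives; a BHO with no friendly name whose DLL sits in system32 under a Microsoft-looking filename is exactly the shape of the thing the SANS report describes, but only the DLL itself settles it.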
Why is anyone still running Internet Explorer when there are so many better alternatives?
that this hasn't happened earlier. Why would you fsck with SSL when you can bypass it completely?
Disconnect and self-destruct, one bullet at a time.
For crying out loud, people! How hard is it to download Firefox and switch? Especially with the new settings import wizard?
This is about your internet banking passwords, people! Your hard earned money is at stake here!
"Oooh, does that mean we get to kick some puffy white mad zionist butt?"
"laziness"
Gee I'm glad I use FireFox on Linux!
Except when I'm at work...
I've got no choice at the office. So should I just stop doing online banking at work because the computers happen to use the most popular operating system and browser in the world?
It does seem surprising that this hasn't been done before.
For the non-power user IE *IS* preferable. I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.
IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.
I don't blame most users for using IE. For them it is "good enough". I see a lot of snobbishness on this site, and maybe some of it is fair enough. I also see a lot of silly arguments with extrapolation from a small sample set "My sister uses Mozilla all the time now!" to big conclusions. As a scientist, I know enough not to make those errors. Anyway I just wanted to say most users don't need Firefox despite what you might read. I guess this is pretty obvious, it accounts for a fraction of 1% of browser usage after all.
For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.
My sister is very, very attractive - Nietzsche
Stuff like the google search bar? Does that count?
Dear toilet user!
Gee, I'm glad I use Firefox on Linux. And why the hell shouldn't I be? In addition to actually supporting standards (CSS anyone?), my decision is constantly reaffirmed by exploits such as these. Do you have a problem with that? (Actually I use Mozilla, but close enough.)
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
Everyone here is likely to blame Microsoft. I'm turning my wrath against the intelligence organizations of various countries. For far too long this BS - malware, viruses, fraud sent via spam - has been mostly ignored. It seems nobody is going to jail for the Paypal scams because Paypal isn't a "real bank". Now they're targeting real banks.
I, for one, am sick of it. Where is our FBI and what are they doing about this? If these were criminals setting up video cameras to record PIN numbers at ATMs, you can bet there would be a huge effort to track them down. Well, this is worse than that.
-Ryan, with the unoriginal sig
Where I work, I have to cater to the clients' demands, timelines, and budgets. That means that I strongly recommend as much security as they need, and if they don't want everything I recommend then I don't build it in. Then I provide a nice document detailing all the steps I took to secure the site and request that they review and sign off on it. It's on their heads.
There's an outcry when Microsoft pushes their product launch back another year, and followed up with complaints that they didn't spend enough time testing and securing everything.
I don't disagree with you, but I can also see some factors that cause these problems.
And finally - the story is not about Microsoft, it's about malware that someone else created. You could create and install malware for Firefox too, you know.
netscape.
When there's no competition, M$ can get away with this crap. Let's face it, even with this 99% of people won't switch from IE, solely because they don't even realize they have a choice anymore. If there was actual competition in the industry (aside from nerds who run firefox), then this crap would NOT be allowed by M$, because it would mean certain death for any share of the browser market they held.
Are they even paying attention? At first it was .exe worms in email, then it was network-layer exploits, and then it was spyware, and now in the past week it seems that IE is totally unsafe for any purpose whatsoever.
What's amazing me is why Microsoft isn't *running* to provide patches, for at least XP and 2K, to mitigate this. They're offering non-solutions like disabling Active X and Javascript. Sure, fixing the problem may mean some serious breakage for some in-house software someplace, but does anyone care that Spyware+Malware+IE is rendering their operating systems junk?
Are they even paying attention? Is XP SP2 a magic fix? Is it just too badly broken to even BE fixed?
What fancy-ass security feature in Firefox would prevent somebody from writing a plugin like this? Anything besides 'not a big enough user base to attempt it'?
"Derp de derp."
And how many times does it have to be said. "If everyone switched to Mozilla today, this same exploit would be available for it tomorrow."
You should keep your mouth shut about Mozilla/Firefox. Its 5% market share is the ONLY safety mechanism it has. Keep it secret, keep it safe.
"Oooh switch to firefox" is the most ignorant and misguided response to this.
This activity needs to be ILLEGAL...and that's the only way to stop it.
Oh yes, I'm so glad that there are no murders, rapes or robberies around here, because those things are all illegal. I shouldn't lock up my house or car, that's ignorant!
Yeah, but the only site still forcing me to use IE is my local bank...
Yes.
In fact, there's some damn clueless stuff out there for banks online presence. Like storing passwords in touch-tone format, where it doesn't matter if you use A, B, or C if the password has an A in it. Or blindly assuming that one's SSN is secure.
The problem is, right now, the incremental cost in programming and potential bad-will to have stronger authentication are generally more expensive than writing off some small percentage of loss from these sorts of things.
Although the one-time-password thing is a damn good idea, I have to say.
Gentoo Sucks
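To put a number on the touch-tone complaint above, here is an added example (not from the post) that maps a password to the keypad digits a touch-tone system would store and counts how many other passwords collide with it. It assumes the usual E.161 keypad lettering (2=ABC through 9=WXYZ) and that the system treats a letter and its key digit as interchangeable; 0 and 1 stand only for themselves, and characters with no keypad mapping are rejected.

```python
import math

# Letters as printed on a telephone keypad (ITU-T E.161). Assumption for this
# example: a touch-tone system treats a letter and its key digit as the same
# thing, so the stored form of "Bank1" is "22651" and anything that collapses
# to the same digits is accepted.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_KEY = {letter: key for key, letters in KEYPAD.items() for letter in letters}


def to_touch_tone(password):
    """The digit string a touch-tone system would store for this password."""
    digits = []
    for ch in password.upper():
        if ch.isdigit():
            digits.append(ch)
        elif ch in LETTER_TO_KEY:
            digits.append(LETTER_TO_KEY[ch])
        else:
            raise ValueError("no keypad mapping for %r" % ch)
    return "".join(digits)


def equivalent_passwords(password):
    """How many distinct letter/digit strings the system would accept as this password.

    Each key 2..9 stands for its digit plus 3 or 4 letters; 0 and 1 stand only
    for themselves, so they add nothing to the collision count.
    """
    count = 1
    for digit in to_touch_tone(password):
        count *= 1 + len(KEYPAD.get(digit, ""))
    return count


def bits_lost(password):
    """Entropy discarded by storing the touch-tone form instead of the characters typed."""
    return math.log2(equivalent_passwords(password))


if __name__ == "__main__":
    for pw in ("Bank1", "sunshine", "1010"):
        print("%-10s -> %-10s %7d equivalents, %5.1f bits lost"
              % (pw, to_touch_tone(pw), equivalent_passwords(pw), bits_lost(pw)))
```

An eight-letter password loses about two bits per character this way, so the stored secret is effectively an eight-digit number no matter how carefully the letters were chosen.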
What people blame Microsoft for is leaving that option on by default. Most users wouldn't even know what that means much less have the sense to uncheck it.
This activity needs to be ILLEGAL...and that's the only way to stop it. They're wiretapping without consent.
(Nit-pick) It is illegal; it needs to be prosecuted.
...and, Soccer Mom might care about Firefox et al, if we tell her at every opportunity. She's not daft (hopefully) - she'll appreciate knowing how to reduce the risk to her (and her family's) finances.
This is where the serious fun begins.
And if you're dumb enough to use a bank that works only with the big neon "Hack Me" sign that is IE, you get what you deserve. Find a bank that works with Mozilla or Konqueror and use those for banking instead.
Oh yes, and be sure to tell your old bank WHY you're closing your account with them. "You're only supporting Internet Explorer as a browser, so I'm not supporting you as a bank."
Not like they'll notice on personal accounts, but maybe if a business or three moves their accounts, they'll sit up and take notice.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
Yeah, but the only site still forcing me to use IE is my local bank...
1) Complain, if you haven't already... some web commerce site (can't remember which, but it was a big one) had a bug where it didn't recognize Mozilla as a sufficiently high version of Netscape. I feedbacked it, they responded with a NON-CANNED thank you within 24 hours, and it was fixed by the time I used the site again three days later.
2) Have you tried fooling the site by sending different authentication? Mozilla can just *tell* the site it's IE. Unless they're doing something very stupid like using ActiveX, that may work just fine. (If they are using ActiveX, switch banks. Seriously.)
Don't you wish your girlfriend was a geek like me?
Don't you know the proper way for citizens to solve their problems today?
1. Incorporate yourself
2. Make a $1000 contribution to the Corporate Party (DNC or RNC, doesn't matter which)
3. Sue them for $10000, and get your pol friends to bring in the FBI
4. PROFIT!!!
It is a compressed EXE file with a .gif extension. The user didn't run as admin and the Windows XP policy was in place, so the file couldn't install. Through this it came to the admin's attention. I guess Firefox wouldn't have been a more difficult target.
As soon as a trojan gets executed on your machine you can just hope you didn't do it with root powers and that the trojan won't find a way to raise its privileges.
What does Linux have to do with it? I use FireFox on Windows and I am still not vulnerable to this.
FoundNews.com - get paid to blog.
According to the linked article, this BHO phones the mothership located at:
http://www.refestltd.com/cgi-bin/yes.pl
www.refestltd.com is 66.226.64.11; the ARIN pull is below.
I'm on the phone right now with Matt of Abacus America to get the website taken down.
I am saddened to think that I'm the first one that's bothered to go to the trouble...
OrgName: Abacus America Inc.
OrgID: ABAC
Address: 5276 Eastgate Mall
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US
NetRange: 66.226.64.0 - 66.226.95.255
CIDR: 66.226.64.0/19
NetName: ABAC2002A
NetHandle: NET-66-226-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ABAC.COM
NameServer: NS2.ABAC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-31
Updated: 2003-03-27
TechHandle: AD384-ORG-ARIN
TechName: A Net DNS Administrator
TechPhone: +1-858-410-6900
TechEmail: dns@aplus.net
OrgTechHandle: ANETS-ARIN
OrgTechName: A Net Support
OrgTechPhone: +1-858-410-6900
OrgTechEmail: support@aplus.net
# ARIN WHOIS database, last updated 2004-06-28 22:17
# Enter ? for additional hints on searching ARIN's WHOIS database.
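As an added example (not part of the post above), here is the sort of check worth running before phoning a provider: parse the ARIN record, confirm the IP really falls inside the CIDR the record claims, confirm that NetRange and CIDR describe the same block, and pull out the addresses to notify. The record text is the one quoted above, trimmed to the fields used; the preference order for contacts (abuse fields first, tech contacts as the fallback for older records like this one that have none) is my own choice.

```python
import ipaddress

# The ARIN record quoted in the post above, pasted as the sample input (trimmed
# to the fields this check uses).
ARIN_RECORD = """\
OrgName: Abacus America Inc.
OrgID: ABAC
City: San Diego
Country: US
NetRange: 66.226.64.0 - 66.226.95.255
CIDR: 66.226.64.0/19
NetName: ABAC2002A
NetType: Direct Allocation
TechName: A Net DNS Administrator
TechEmail: dns@aplus.net
OrgTechName: A Net Support
OrgTechEmail: support@aplus.net
# ARIN WHOIS database, last updated 2004-06-28 22:17
"""


def parse_whois(text):
    """Turn 'Field: value' lines into {field: [values]}; fields may repeat (e.g. NameServer)."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        field, _, value = line.partition(":")
        record.setdefault(field.strip(), []).append(value.strip())
    return record


def covering_cidr(record, ip):
    """Return the CIDR from the record that contains ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for entry in record.get("CIDR", []):
        for cidr in entry.split(","):  # ARIN lists several as '1.2.3.0/24, 1.2.4.0/24'
            if addr in ipaddress.ip_network(cidr.strip(), strict=False):
                return cidr.strip()
    return None


def netrange_agrees_with_cidr(record):
    """NetRange and CIDR describe the same block only if the range summarizes to exactly those prefixes."""
    first, last = (ipaddress.ip_address(p.strip()) for p in record["NetRange"][0].split("-"))
    summarized = [str(n) for n in ipaddress.summarize_address_range(first, last)]
    listed = [c.strip() for entry in record["CIDR"] for c in entry.split(",")]
    return summarized == listed


def notify_addresses(record):
    """Abuse contacts first, tech contacts as the fallback; duplicates removed, order kept."""
    seen = []
    for field in ("OrgAbuseEmail", "AbuseEmail", "OrgTechEmail", "TechEmail"):
        for email in record.get(field, []):
            if email not in seen:
                seen.append(email)
    return seen


if __name__ == "__main__":
    rec = parse_whois(ARIN_RECORD)
    ip = "66.226.64.11"
    print(ip, "is in", covering_cidr(rec, ip), "held by", rec["OrgName"][0])
    print("NetRange/CIDR consistent:", netrange_agrees_with_cidr(rec))
    print("notify:", ", ".join(notify_addresses(rec)))
```

The range check matters because a whois answer for an IP can come back for a parent allocation or a neighbouring block; confirming the address is inside the CIDR, and that the CIDR matches the NetRange, is what makes the takedown request land with the right party.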
report said they used the CHM exploit.
Here is what I dug up on that (as related to another incident):
A file named chm.chm, which is a compiled-HTML help file, is downloaded. This file is 143,918 bytes in length. The chm.chm contains two files, launch.htm (93 bytes) and mstasks.exe (160,768 bytes).
The file launch.htm, which contains the following code, runs mstasks.exe.
<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='mstasks.exe'>
So I am guessing the exe in the chm file renames the gif and runs it?
For example, I used to work for Cablevision's Optimumonline service. I would sit in meetings and go on and on about how we should support, even lightly suggest our customers use Mozilla. One of the biggest avoidable call drivers in our Call Centers was people complaining of pop-ups. Another large driver was Spam. Mozilla is a great tool for handling both of those problems.
The Higher Ups weren't interested in my ramblings. They would point out that we support IE, Netscape, Outlook Express and Outlook. They eventually came around and offered support of Safari but on a very limited basis (not that it needs anything more).
The biggest problem that most ISPs face is uneducated consumers. Their machines get hijacked and in turn Spam the World, which causes other users to complain and blame the company. These machines also eat up Network resources, again causing other users to complain and blame the service. Don't forget the users that click on EVERY pop-up that comes their way, thereby infesting their machine with spy-ware to the point that even opening IE is near impossible. Again, this is blamed on the service.
Granted, the Mozilla family isn't really out of the "beta" phase, but I see fewer Firefox and Mozilla fixes than there are for IE. Given that Netscape and Mozilla are half-siblings (in a sense), why not support it? It's not like the support staff needs to be re-trained.
People don't care what browser they use, they want one that is intuitive, free, and functional to their needs. I think the Mozilla branch does that. With firefox 9.1 out today, why are people still using IE? Better yet, why aren't ISPs telling people NOT to use IE? It would save them a fortune and a company not looking to save a fortune..... should be investigated!
I boycott signatures
If a bank requires that you allow ActiveX to view their online banking webpages... what does that say about their commitment to / knowledge of information security?
How can an attacker "easily install a Mozilla extension?", exactly. If you are talking about somebody who has rooted your box, then they can already log all your keystrokes regardless of what browser you use. If you are talking about somebody writing browser malware, it's a big problem if a web page can install extensions without your approval. I've never heard of such an exploit for mozilla (lots for IE, though).
You are also asserting that a mozilla extension can access the cleartext typed into a login box by "parsing the DOM before navigation begins". It's not clear to me that this is true. If it is, I think it should be considered a security hole. Mozilla should sandbox that text and use protected memory, etc...
Gee, I'm glad I use Firefox on Linux. And why the hell shouldn't I be? In addition to actually supporting standards (CSS anyone?), my decision is constantly reaffirmed by exploits such as these. Do you have a problem with that? (Actually I use Mozilla, but close enough.)
Now looking at the BHO I am wondering why you think using FireFox on Linux is safer than IE? Someone else could just as easily (Anything is possible, so don't say it can't be done) program a plug-in for FireFox/Mozilla that does the same as the BHO and people can just as easily download this plug-in and experience the same issues on FireFox/Mozilla as any Windows user using IE. IE is the target because a high percentage of people use it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.
Maybe you should be happy that IE is used by so many.
You're a fool for using your office computer to do online banking. Haven't you ever heard of a keycatcher?
Keep in mind, you cannot trust a computer which you cannot restrict physical access to. Period.
No personal stuff on the office computer. Not because the company want it that way, but because you do, whether you know it or not.
You are checking your backups, aren't you?
To be realistic about it, there are probably too few users who care about using a browser other than Internet Explorer, and those few drops in the bucket won't mean much to a bigger bank.
Of course, that aside, I would certainly want to change banks if I relied heavily on online banking (my bank actually follows standards as well, as I have no "broken" pages with their online banking). I just don't think it's going to change the world to do so.
Nyo nyo, the Neko Boy has spoken.
I am tired of trying to propose solutions to the problems brought about with the large numbers of ignorant users using MS software. I'm also tired of trying to fix problems that these users repeatedly cause. Government and law enforcement doesn't seem to care, so I'll propose this solution:
In nature, when a population gets too large there's a die-off. Usually this die-off is caused by disease or starvation. The better adapted creatures survive and live on.
We can use the fox and rabbit scenario here.
The malware writers are the foxes and the ignorant users are the rabbits. In our case the foxes don't eat the rabbits, but instead hijack the rabbits' computers for fraud, spam, pop-ups, etc. Foxes die by giving up and moving on to more lucrative off-line crimes.
The rabbits don't eat anything but are increasing in numbers by simply hooking up machines to the Internet. Rabbits die by cancelling their AOL accounts and stop using the Internet.
Right now there are a ton of rabbits (and more every day) and the fox population is exploding.
If we just sit back and let natural selection take its course, the ignorant rabbits will become sufficiently frustrated with their Internet experience and give up. The foxes will concentrate even harder on the remaining rabbits (who will be better adapted to counter the foxes' attacks) or start writing malware for the rest of the rabbits or face a massive die-off as well.
Those that are able to adapt do so by either keeping their machines properly patched or learn to use alternative browsers (or operating systems). These rabbits will then have a better Internet in the end because we will have a better class of users and software.
There's plenty of educational material out there for ignorant users to read. Practically every day there's something in the newspaper about how to protect oneself from these attacks.
The Zombies and SpamBots will make life a hell for the rest of us, but that's a short-term problem in this model. That should fix itself after the die-off itself.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
And furthermore, even if they do know what it means and have the sense to turn it off, they have to have the intuition to look at that dialog panel to even be aware that such a thing exists. When you first run a program, is the first thing you do to go around looking at all the various File|Preferences and Tools|Options panels, and look over every single tab searching for stupid settings under the assumption that the defaults will be dangerous to use? Probably not.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Will finally consider officially supporting browsers other than IE ;-)
The CTO is right and you know it. You must have skipped over the:
"specially to those doing web development because it could lead to different rendering results."
Which is a completely valid concern.
Sending an email to work people via your work email implies work business. To think it doesn't just because you didn't specifically say "office PC" is stupid even if your ego can't take being told what to do by an officer.
Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time -- the average time -- to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates.
(1) what planet is he living on?
(2) Isn't that an awfully narrow range? Nothing like being specific with the bull you spew.
Is it just me or has Gates become more and more "out there" lately? Is he even following the computer industry anymore?
Finkployd
There are two very fundamental statements that need to be made. First, yes, someone could develop a malware plugin for Mozilla (or Opera or whatever). The major difference is that only IE allows BHOs to be installed unbeknownst to the user. Furthermore, IE makes it very easy for a user to be duped into allowing a plugin to be installed. Also, IE makes it difficult and confusing to raise the security settings for the browser. Watch an average user try it some day.
Second, it's not that there are so many users that are upset with having to deal with a crappy browser, it's that they don't *know* that IE is a crappy browser. Every time that I have to clean malware off of a machine, I make sure that I let them know (and prove to them by explaining the logs to them) that the spyware was installed via IE. Then, they know that they are using a crappy browser.
Ryosen
One man's "Troll, +1" is another man's "Insightful, +1".
Here is a sample of an email I sent recently:
With the almost daily announcements from Microsoft about security vulnerabilities in the Internet Explorer web browser, I now use the Mozilla.org web browser. Unfortunately, the BANK-NAME web site requires Internet Explorer. I very much enjoy BANK-NAME's online services, but do not feel secure using software that has a negligible security record. I will be doing all my banking and account access directly at my branch office until I am able to access my online account with a more secure browser. Thank you much for your time.
Sincerely,
my-name
itadakimasu
penalize them for failure to reveal risk.
This is actually a known hole. Even SP2 doesn't fix this. Basically the file is downloaded as a .gif file (xxx.gif). Javascript commands to ActiveX then rename the file to xxx.gif.exe. Then execute it. This exploit will actually work even if you have ActiveX disabled.
Quit playing Monopoly with Bill.
Linux - of the people, by the people, and for the people.
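Two posts above describe the same dropper pattern from different ends: a launch.htm inside a CHM whose OBJECT tag has a CODEBASE pointing at an EXE, and an EXE fetched under a .gif name that is renamed and executed. The following added example (not from either post, and not from the SANS report) is a small content-based triage routine: it identifies files by their magic bytes rather than their extension, so a PE file called xxx.gif is flagged while xxx.gif.exe is simply an EXE, and it scans HTML for OBJECT tags whose CODEBASE names an executable. The sample byte strings are constructed; the OBJECT line is the launch.htm contents quoted in the CHM post.

```python
import re

# Signatures for the formats involved: GIF87a/GIF89a for a real GIF, MZ for a
# DOS/PE executable, ITSF for a compiled HTML help (CHM) container.
MAGIC = [(b"GIF87a", "gif"), (b"GIF89a", "gif"), (b"MZ", "exe"), (b"ITSF", "chm")]


def sniff(data):
    """Classify a file by its leading bytes; 'unknown' for anything without a signature here."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extension_mismatch(name, data):
    """True when the name claims one format and the bytes say a different known one."""
    kind = sniff(data)
    return kind != "unknown" and kind != extension_of(name)


OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
ATTRIBUTE = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")


def executable_objects(html):
    """(classid, codebase) for every OBJECT whose CODEBASE names an executable.

    A legitimate CODEBASE points at a .cab or .ocx installer; one that names an
    .exe (a relative name here, so it resolves inside the CHM) is the launcher
    pattern from the post.
    """
    hits = []
    for tag in OBJECT_TAG.finditer(html):
        attrs = {}
        for key, single, double, bare in ATTRIBUTE.findall(tag.group(0)):
            attrs[key.lower()] = single or double or bare
        codebase = attrs.get("codebase", "")
        if codebase.lower().endswith(".exe"):
            hits.append((attrs.get("classid", ""), codebase))
    return hits


def triage(files):
    """files: {name: bytes}. Returns {name: [reasons]} for the ones worth a closer look."""
    findings = {}
    for name, data in files.items():
        reasons = []
        if extension_mismatch(name, data):
            reasons.append("extension says %s, content is %s" % (extension_of(name), sniff(data)))
        if extension_of(name) in ("htm", "html") or sniff(data) == "unknown":
            for classid, codebase in executable_objects(data.decode("latin-1")):
                reasons.append("OBJECT %s loads %s" % (classid, codebase))
        if reasons:
            findings[name] = reasons
    return findings


# Constructed samples: a real GIF header, a PE header delivered under a .gif
# name (the download in the rename post), the same bytes after the rename, a
# CHM header, and the 93-byte launch.htm quoted in the CHM post.
SAMPLES = {
    "photo.gif": b"GIF89a\x10\x00\x10\x00\x80\x00\x00",
    "xxx.gif": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "xxx.gif.exe": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "chm.chm": b"ITSF\x03\x00\x00\x00\x60\x00\x00\x00",
    "launch.htm": b"<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='mstasks.exe'>",
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(name + ": " + "; ".join(reasons))
```

The point of sniffing by content is that the rename step in the post defeats any filter keyed on the name alone: the payload is an EXE the moment it is downloaded, whatever it is called, and that is the moment to catch it.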
Such pinpads are used in high security (mainly military) installations, and have been around for decades. The problem is as soon as you start using them in situations where the userbase does not have maximum security drummed into their heads, anything that makes it more difficult for them to enter their PIN just increases the chance that the PIN gets written down and kept in their wallet. Usually when I type numbers on PIN pads, my memory recalls them positionally rather than numerically, and many other people are the same.