Slashdot Mirror


New IE Malware Captures Passwords Ahead Of SSL

Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'."

37 of 986 comments

  1. I'm surprised by cbrocious · · Score: 5, Insightful

    that this hasn't happened earlier. Why would you fsck with SSL when you can bypass it completely?

    --
    Disconnect and self-destruct, one bullet at a time.
  2. Re:Can someone explain... by gr33nlantern · · Score: 5, Insightful

    Well, personally, I agree with you. Internet Explorer is far inferior to a lot of the other browsers out there. The thing is that it's bundled with Windows, and most people out there quite frankly aren't very computer literate, and more than 1/2 I would bet don't even know other web browsers exist. True, no? Any comments to that?

  3. one word by WormholeFiend · · Score: 4, Insightful

    "laziness"

    1. Re:one word by joeljkp · · Score: 4, Insightful

      Not really. Lack of enough interest is the root of ignorance. I'm ignorant of much of quantum physics, because I have other things to do and don't really have the interest or the time to research it.

      Doesn't mean I'm lazy. Nobody can not be ignorant of something.

      --
      WeRelate.org - wiki-based genealogy
  4. Re:Coming events by Anonymous Coward · · Score: 5, Insightful

    Gee I'm glad I use FireFox on Linux!
    Except when I'm at work...

    I've got no choice at the office. So should I just stop doing online banking at work because the computers happen to use the most popular operating system and browser in the world?

    It does seem surprising that this hasn't been done before.

  5. Re:Can someone explain... by The+Fanta+Menace · · Score: 5, Insightful

    Primarily cos they just use the first thing that is in front of their face.

    One small step towards fixing this is to be involved as much as possible with all new computer installations.

    Your mum is getting a new computer? Go in there and set it up for her. Put mozilla and firefox on the desktop, show her how to use them, and remove all the IE icons. She won't know any better and you can rest easy knowing there's less chance your inheritance is going to disappear from her bank account.

    --
    -- Even if a god did exist, why the fsck should I worship it?
  6. Because it isn't so clear cut by SimianOverlord · · Score: 5, Insightful


    For the non-power user IE *IS* preferable. I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.

    IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.

    I don't blame most users for using IE. For them it is "good enough". I see a lot of snobbishness on this site, and maybe some of it is fair enough. I also see a lot of silly arguments with extrapolation from a small sample set "My sister uses Mozilla all the time now!" to big conclusions. As a scientist, I know enough not to make those errors. Anyway I just wanted to say most users don't need Firefox despite what you might read. I guess this is pretty obvious, it accounts for a fraction of 1% of browser usage after all.

    For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.

    --
    My sister is very, very attractive - Nietzsche
  7. Can someone refer me to a useful BHO? by curtisk · · Score: 5, Insightful
    Any time I hear of BHOs it's always malware/spyware/adware... so when is it used for good? Seriously....

    Stuff like the google search bar? Does that count?

    --

    Dear toilet user!

  8. Re:Coming events by oGMo · · Score: 5, Insightful
    Cue the "Gee I'm glad I use FireFox on Linux" posts.

    Gee, I'm glad I use Firefox on Linux. And why the hell shouldn't I be? In addition to actually supporting standards (CSS anyone?), my decision is constantly reaffirmed by exploits such as these. Do you have a problem with that? (Actually I use Mozilla, but close enough.)

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

  9. What, exactly, is the FBI doing about this? by ryanwright · · Score: 5, Insightful

    Everyone here is likely to blame Microsoft. I'm turning my wrath against the intelligence organizations of various countries. For far too long this BS - malware, viruses, fraud sent via spam - has been mostly ignored. It seems nobody is going to jail for the Paypal scams because Paypal isn't a "real bank". Now they're targeting real banks.

    I, for one, am sick of it. Where is our FBI and what are they doing about this? If these were criminals setting up video cameras to record PIN numbers at ATMs, you can bet there would be a huge effort to track them down. Well, this is worse than that.

    --
    -Ryan, with the unoriginal sig
    1. Re:What, exactly, is the FBI doing about this? by Muttonhead · · Score: 3, Insightful

      If the FBI should do anything it is to force Microsoft to make their software truly secure. I mean if the door is open, close and lock it.

    2. Re:What, exactly, is the FBI doing about this? by asdfghjklqwertyuiop · · Score: 4, Insightful

      Where is our FBI and what are they doing about this?


      They're much too busy detaining Arabs in the US for no reason, searching people's homes without warrants, raiding and seizing the equipment of people they think are computer hackers...

      Oh, and they're busy punishing copyright violation too. That is clearly more important than people's bank accounts.

  10. Re:If this won't get people to switch, what will? by Carnildo · · Score: 4, Insightful

    If this won't get people to switch, what will?

    Nothing. Probably 75% of computer users out there aren't even aware what a web browser is, much less what "SSL", a "security hole", and a "BHO" are. If they can understand neither what they are using, nor why they shouldn't be using it, they aren't about to switch.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  11. Re:Can someone explain... by stevesliva · · Score: 4, Insightful

    I've actually had online banking sites force me to use MSIE when they decided Mozilla 1.5 wasn't a modern browser. Seems better with recent Mozilla and Firefox versions, or perhaps the frigging bank fixed their frigging software.

    --
    Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
  12. Re:If this won't get people to switch, what will? by NanoGator · · Score: 5, Insightful

    "For crying out loud, people! How hard is it to download Firefox and switch? Especially with the new settings import wizard?"

    For crying out loud, people! Nobody even knows what Firefox is!

    Quit acting like everybody's a retard and start putting money into a Firefox ad campaign or something. Acting like a raging zealot isn't going to get people to switch.

    --
    "Derp de derp."
  13. Re:Can someone explain... by DjMd · · Score: 5, Insightful

    That's when you point her IE shortcut at Firefox...
    I mean, come on, just tell her it is the new IE.

    --
    DJMD - The fourth man - Planetary
  14. So.. by NanoGator · · Score: 3, Insightful

    What fancy-ass security feature in Firefox would prevent somebody from writing a plugin like this? Anything besides 'not a big enough user base to attempt it'?

    --
    "Derp de derp."
    1. Re:So.. by Durandal64 · · Score: 5, Insightful

      The one that asks the user if he wants to install it?

  15. Re:If this won't get people to switch, what will? by eSims · · Score: 3, Insightful
    The difficulty here is that many banks require Internet Explorer. I use Firefox, and before that Opera, Netscape, even Lynx, to avoid having to use IE, but when it comes to banking sometimes I have little choice. Recently I even pulled down the extension so that Firefox would fool my cable provider into thinking it was IE, but that doesn't work with my bank.

    Get out in the Real World (tm)(c) and realize that the problem is bigger than just "download Firefox and switch".

    --
    I .sig therefore I am!
  16. Re:Coming events by pacc · · Score: 3, Insightful

    Yeah, but the only site still forcing me to use IE is my local bank...

  17. Re:Coming events by IsaacW · · Score: 5, Insightful
    So should I just stop doing online banking at work because the computers happen to use the most popular operating system and browser in the world?
    Nope, you should just be smart about your office desktop's security settings and perhaps even use the browser-help-object (BHO) listing tool noted in the linked article: http://www.definitivesolutions.com/bhodemon.htm. I just checked my desktop, and it wasn't infected; so I'll still do banking online and continue to be wary of security issues.
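
    Added example, not from the article and not BHODemon's code: the check IsaacW describes can be done from the registry without a third-party tool. IE loads every CLSID listed under its Browser Helper Objects key at start-up, and each CLSID resolves to a DLL through its InprocServer32 value. The script below inventories those registrations and runs Get-AuthenticodeSignature over each DLL, so an unsigned or unknown-publisher module stands out. It assumes Windows PowerShell on a machine with IE installed; the Wow6432Node paths cover 32-bit BHOs on 64-bit Windows, and the CLSID in the comment is a placeholder.

```powershell
# Added example (not from the article or BHODemon): inventory registered BHOs.
# IE loads every CLSID listed under these keys; the Wow6432Node paths hold
# 32-bit registrations on 64-bit Windows.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# A CLSID resolves to its DLL through the InprocServer32 default value.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-BhoInventory {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid = $key.PSChildName   # placeholder form: {01234567-89AB-CDEF-0123-456789ABCDEF}
            $dll = ''
            foreach ($cr in $clsidRoots) {
                $inproc = Join-Path $cr "$clsid\InprocServer32"
                if (Test-Path -LiteralPath $inproc) {
                    $dll = [string](Get-ItemProperty -LiteralPath $inproc).'(default)'
                    break
                }
            }
            # Paths are often stored as %SystemRoot%\...; expand before touching the file.
            $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
            $exists = ($dll -ne '') -and (Test-Path -LiteralPath $dll)
            $status = 'n/a'; $signer = ''
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Dll       = $dll
                Exists    = $exists
                Signature = $status   # Valid / NotSigned / HashMismatch / ...
                Signer    = $signer
            }
        }
    }
}

# Anything NotSigned, or signed by a publisher you do not recognise, deserves a look.
Get-BhoInventory | Sort-Object Signature, Dll | Format-Table -AutoSize
```

    Run it elevated so both hives are readable. An empty or all-signed list only says no BHO is registered; it says nothing about keyloggers or hooks that live outside IE, which is the point made further down about not banking from a machine you do not control.
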
  18. Re:usually a good idea by duslow · · Score: 5, Insightful

    What people blame Microsoft for is leaving that option on by default. Most users wouldn't even know what that means much less have the sense to uncheck it.

  19. Find a new bank by GrouchoMarx · · Score: 5, Insightful

    And if you're dumb enough to use a bank that works only with the big neon "Hack Me" sign that is IE, you get what you deserve. Find a bank that works with Mozilla or Konqueror and use those for banking instead.

    Oh yes, and be sure to tell your old bank WHY you're closing your account with them. "You're only supporting Internet Explorer as a browser, so I'm not supporting you as a bank."

    Not like they'll notice on personal accounts, but maybe if a business or three moves their accounts, they'll sit up and take notice.

    --

    --GrouchoMarx
    Card-carrying member of the EFF, FSF, and ACLU. Are you?

  20. Re:Can someone explain... by SecretMethod70 · · Score: 3, Insightful
    I used to like this tactic but the more I think about it the less I do. Fact is, doing this only HELPS Microsoft maintain a monopoly even with bad software. It is far better to go through the effort of EDUCATING someone about alternatives and why they are better. Not only is tricking them dishonest, but it also leads them to believe "wow, Microsoft has really fixed Internet Explorer. They're such a good company that does so much for everyone."

    Yes, it's sad that people don't realize that Internet Explorer is not "the internet" and that there are alternatives, but tricking them is not the answer.

  21. Re:Coming events by Ironica · · Score: 5, Insightful

    Yeah, but the only site still forcing me to use IE is my local bank...

    1) Complain, if you haven't already... some web commerce site (can't remember which, but it was a big one) had a bug where it didn't recognize Mozilla as a sufficiently high version of Netscape. I feedbacked it, they responded with a NON-CANNED thank you within 24 hours, and it was fixed by the time I used the site again three days later.

    2) Have you tried fooling the site by sending different authentication? Mozilla can just *tell* the site it's IE. Unless they're doing something very stupid like using ActiveX, that may work just fine. (If they are using ActiveX, switch banks. Seriously.)

    --
    Don't you wish your girlfriend was a geek like me?
  22. Re:Can someone explain... by lightspawn · · Score: 4, Insightful

    I think this will change when non-IE browsers start ruling a larger percentage in the server logs and too many customers complain.

    1. Web sites check the user-agent header, refuse access to anybody not claiming to be MSIE.
    2. Users of advanced browsers change their user-agent strings to claim to be MSIE.
    3. Webmasters check logs, see most all hits come from MSIE...
    4. ... and decide there's no need to support anything else.

  23. Re:Coming events by dirvish · · Score: 5, Insightful

    What does Linux have to do with it? I use FireFox on Windows and I am still not vulnerable to this.

  24. Quit the handwringing and DO SOMETHING! by alexburke · · Score: 5, Insightful

    According to the linked article, this BHO phones the mothership located at:

    http://www.refestltd.com/cgi-bin/yes.pl

    www.refestltd.com is 66.226.64.11; the ARIN pull is below.

    I'm on the phone right now with Matt of Abacus America to get the website taken down.

    I am saddened to think that I'm the first one that's bothered to go to the trouble...

    OrgName: Abacus America Inc.
    OrgID: ABAC
    Address: 5276 Eastgate Mall
    City: San Diego
    StateProv: CA
    PostalCode: 92121
    Country: US

    NetRange: 66.226.64.0 - 66.226.95.255
    CIDR: 66.226.64.0/19
    NetName: ABAC2002A
    NetHandle: NET-66-226-64-0-1
    Parent: NET-66-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.ABAC.COM
    NameServer: NS2.ABAC.COM
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2002-01-31
    Updated: 2003-03-27

    TechHandle: AD384-ORG-ARIN
    TechName: A Net DNS Administrator
    TechPhone: +1-858-410-6900
    TechEmail: dns@aplus.net

    OrgTechHandle: ANETS-ARIN
    OrgTechName: A Net Support
    OrgTechPhone: +1-858-410-6900
    OrgTechEmail: support@aplus.net

    # ARIN WHOIS database, last updated 2004-06-28 22:17
    # Enter ? for additional hints on searching ARIN's WHOIS database.

  25. Re:Why is a gif file getting run as an EXE?!? by Anonymous Coward · · Score: 3, Insightful

    The report said they used the CHM exploit.

    Here is what I dug up on that (as related to another incident):

    A file named chm.chm, which is a compiled-HTML help file, is downloaded. This file is 143,918 bytes in length. The chm.chm contains two files, launch.htm (93 bytes) and mstasks.exe (160,768 bytes).

    The file launch.htm, which contains the following code, runs mstasks.exe.

    <OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='mstasks.exe'>

    So I am guessing the exe in the chm file renames the gif and runs it?
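
    Added example, not from the incident write-up quoted above: the launch.htm trick works because the OBJECT tag's CODEBASE names a bare executable shipped inside the same CHM, and IE runs it. Legitimate ActiveX installs point CODEBASE at a signed .cab (usually with a #version suffix) on an absolute URL, so a CODEBASE that is an .exe, or a relative path, is a cheap triage signal when you unpack a suspicious CHM (hh.exe -decompile <dir> <file.chm>) and look at its HTML. The function below does that scan; the sample HTML is constructed, and the second tag's CLSID and URL are placeholders.

```powershell
# Added example: flag <OBJECT> tags whose CODEBASE is an executable or a relative path.
function Find-SuspiciousObjectTags {
    param([Parameter(Mandatory)][string]$Html)
    $findings = @()
    foreach ($m in [regex]::Matches($Html, '<OBJECT\b[^>]*>', 'IgnoreCase')) {
        $tag      = $m.Value
        $codebase = [regex]::Match($tag, "CODEBASE\s*=\s*['""]?([^'"" >]+)", 'IgnoreCase').Groups[1].Value
        $clsid    = [regex]::Match($tag, "CLASSID\s*=\s*['""]?CLSID:([0-9A-Fa-f-]+)", 'IgnoreCase').Groups[1].Value
        if (-not $codebase) { continue }   # no CODEBASE, nothing gets downloaded or run
        $isExe      = $codebase -match '\.exe($|#)'
        $isRelative = $codebase -notmatch '^[a-z]+://'
        if ($isExe -or $isRelative) {
            $reason = if ($isExe) { 'codebase is an executable' } else { 'codebase is a relative path' }
            $findings += [pscustomobject]@{ CLSID = $clsid; CodeBase = $codebase; Reason = $reason }
        }
    }
    $findings
}

# Constructed sample: the first tag is the launch.htm pattern, the second is a
# placeholder for a normal .cab-based ActiveX install and should not be flagged.
$sample = @'
<html><body>
<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='mstasks.exe'>
<object classid="clsid:00000000-0000-0000-0000-000000000000" codebase="https://example.invalid/control.cab#version=1,0,0,0"></object>
</body></html>
'@

Find-SuspiciousObjectTags -Html $sample | Format-Table -AutoSize
```

    On the sample only the mstasks.exe tag is reported. The CLSID in the quoted launch.htm is not a registered control, which is the tell: nothing needs to be installed for IE to fetch and run the CODEBASE target.
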

  26. Why people use IE by funkdid · · Score: 5, Insightful
    Odder still is that many ISPs won't support Mozilla /Firefox etc.

    For example, I used to work for Cablevision's Optimumonline service. I would sit in meetings and go on and on about how we should support, even lightly suggest our customers use Mozilla. One of the biggest avoidable call drivers in our Call Centers was people complaining of pop-ups. Another large driver was Spam. Mozilla is a great tool for handling both of those problems.

    The Higher Ups weren't interested in my ramblings. They would point out that we support IE, Netscape, Outlook Express and Outlook. They eventually came around and offered support of Safari but on a very limited basis (not that it needs anything more).

    The biggest problem that most ISPs face is uneducated consumers. Their machines get hijacked and in turn spam the world, which causes other users to complain and blame the company. These machines also eat up network resources, again causing other users to complain and blame the service. Don't forget the users that click on EVERY pop-up that comes their way, thereby infesting their machine with spyware to the point that even opening IE is near impossible. Again, this is blamed on the service.

    Granted, the Mozilla family isn't really out of the "beta" phase, but I see fewer Firefox and Mozilla fixes than there are for IE. Given that Netscape and Mozilla are half-siblings (in a sense), why not support it? It's not like the support staff needs to be re-trained.

    People don't care what browser they use; they want one that is intuitive, free, and functional to their needs. I think the Mozilla branch does that. With Firefox 9.1 out today, why are people still using IE? Better yet, why aren't ISPs telling people NOT to use IE? It would save them a fortune, and a company not looking to save a fortune..... should be investigated!

    --

    I boycott signatures

  27. Re:Coming events by bwt · · Score: 4, Insightful

    How can an attacker "easily install a Mozilla extension?", exactly. If you are talking about somebody who has rooted your box, then they can already log all your keystrokes regardless of what browser you use. If you are talking about somebody writing browser malware, it's a big problem if a web page can install extensions without your approval. I've never heard of such an exploit for mozilla (lots for IE, though).

    You are also asserting that a mozilla extension can access the cleartext typed into a login box by "parsing the DOM before navigation begins". It's not clear to me that this is true. If it is, I think it should be considered a security hole. Mozilla should sandbox that text and use protected memory, etc...

  28. Re:Coming events by 955301 · · Score: 5, Insightful

    You're a fool for using your office computer to do online banking. Haven't you ever heard of a keycatcher?

    Keep in mind, you cannot trust a computer which you cannot restrict physical access to. Period.

    No personal stuff on the office computer. Not because the company want it that way, but because you do, whether you know it or not.

    --
    You are checking your backups, aren't you?
  29. Darwinian selection in action by rworne · · Score: 4, Insightful

    I am tired of trying to propose solutions to the problems brought about with the large numbers of ignorant users using MS software. I'm also tired of trying to fix problems that these users repeatedly cause. Government and law enforcement doesn't seem to care, so I'll propose this solution:

    In nature, when a population gets too large there's a die-off. Usually this die-off is caused by disease or starvation. The better adapted creatures survive and live on.

    We can use the fox and rabbit scenario here.

    The malware writers are the foxes and the ignorant users are the rabbits. In our case the foxes don't eat the rabbits, but instead hijack the rabbits' computers for fraud, spam, pop-ups, etc. Foxes die by giving up and moving on to more lucrative off-line crimes.

    The rabbits don't eat anything but are increasing in numbers by simply hooking up machines to the Internet. Rabbits die by cancelling their AOL accounts and stop using the Internet.

    Right now there are a ton of rabbits (and more every day) and the fox population is exploding.

    If we just sit back and let natural selection take its course, the ignorant rabbits will become sufficiently frustrated with their Internet experience and give up. The foxes will concentrate even harder on the remaining rabbits (who will be better adapted to counter the foxes' attacks) or start writing malware for the rest of the rabbits or face a massive die-off as well.

    Those that are able to adapt do so by either keeping their machines properly patched or learn to use alternative browsers (or operating systems). These rabbits will then have a better Internet in the end because we will have a better class of users and software.

    There's plenty of educational material out there for ignorant users to read. Practically every day there's something in the newspaper about how to protect oneself from these attacks.

    The zombies and spambots will make life a hell for the rest of us, but that's a short-term problem in this model. That should fix itself after the die-off.

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  30. Re:usually a good idea by DunbarTheInept · · Score: 3, Insightful

    And furthermore, even if they do know what it means and have the sense to turn it off, they have to have the intuition to look at that dialog panel to even be aware that such a thing exists. When you first run a program, is the first thing you do to go around looking at all the various File|Preferences and Tools|Options panels, and look over every single tab searching for stupid settings under the assumption that the defaults will be dangerous to use? Probably not.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  31. Re:SF article by finkployd · · Score: 4, Insightful

    Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time -- the average time -- to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates.

    (1) what planet is he living on?

    (2) Isn't that an awfully narrow range? Nothing like being specific with the bull you spew.

    Is it just me or has Gates become more and more "out there" lately? Is he even following the computer industry anymore?

    Finkployd

  32. Re:OK, I'll take the bait by Ryosen · · Score: 4, Insightful

    There are two very fundamental statements that need to be made. First, yes, someone could develop a malware plugin for Mozilla (or Opera or whatever). The major difference is that only IE allows BHOs to be installed unbeknownst to the user. Furthermore, IE makes it very easy for a user to be duped into allowing a plugin to be installed. Also, IE makes it difficult and confusing to raise the security settings for the browser. Watch an average user try it some day.

    Second, it's not that there are so many users that are upset with having to deal with a crappy browser, it's that they don't *know* that IE is a crappy browser. Every time that I have to clean malware off of a machine, I make sure that I let them know (and prove to them by explaining the logs to them) that the spyware was installed via IE. Then, they know that they are using a crappy browser.

    --

    Ryosen
    One man's "Troll, +1" is another man's "Insightful, +1".
  33. social engineering - not a technical problem by rawdirt · · Score: 3, Insightful
    Try changing the disclosure laws for financial fraud to require that financial institutions reveal the amounts of the losses from use of browsers.

    Penalize them for failure to reveal risk.