New IE Malware Captures Passwords Ahead Of SSL
Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Helper Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'"
that this hasn't happened earlier. Why would you fsck with SSL when you can bypass it completely?
Disconnect and self-destruct, one bullet at a time.
Well, personally, I agree with you. Internet Explorer is far inferior to a lot of the other browsers out there. The thing is that it's bundled with Windows, and most people out there quite frankly aren't very computer literate, and more than 1/2 I would bet don't even know other web browsers exist. True, no? Any comments to that?
"laziness"
Gee I'm glad I use Firefox on Linux!
Except when I'm at work...
I've got no choice at the office. So should I just stop doing online banking at work because the computers happen to use the most popular operating system and browser in the world?
It does seem surprising that this hasn't been done before.
Primarily cos they just use the first thing that is in front of their face.
One small step towards fixing this is to be involved as much as possible with all new computer installations.
Your mum is getting a new computer? Go in there and set it up for her. Put Mozilla and Firefox on the desktop, show her how to use them, and remove all the IE icons. She won't know any better and you can rest easy knowing there's less chance your inheritance is going to disappear from her bank account.
-- Even if a god did exist, why the fsck should I worship it?
For the non-power user IE *IS* preferable. I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.
IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.
I don't blame most users for using IE. For them it is "good enough". I see a lot of snobbishness on this site, and maybe some of it is fair enough. I also see a lot of silly arguments with extrapolation from a small sample set "My sister uses Mozilla all the time now!" to big conclusions. As a scientist, I know enough not to make those errors. Anyway I just wanted to say most users don't need Firefox despite what you might read. I guess this is pretty obvious, it accounts for a fraction of 1% of browser usage after all.
For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.
My sister is very, very attractive - Nietzsche
Stuff like the google search bar? Does that count?
Dear toilet user!
Gee, I'm glad I use Firefox on Linux. And why the hell shouldn't I be? In addition to actually supporting standards (CSS anyone?), my decision is constantly reaffirmed by exploits such as these. Do you have a problem with that? (Actually I use Mozilla, but close enough.)
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
Everyone here is likely to blame Microsoft. I'm turning my wrath against the intelligence organizations of various countries. For far too long this BS - malware, viruses, fraud sent via spam - has been mostly ignored. It seems nobody is going to jail for the Paypal scams because Paypal isn't a "real bank". Now they're targeting real banks.
I, for one, am sick of it. Where is our FBI and what are they doing about this? If these were criminals setting up videocameras to record pin numbers at ATMs, you can bet there would be a huge effort to track them down. Well, this is worse than that.
-Ryan, with the unoriginal sig
If this won't get people to switch, what will?
Nothing. Probably 75% of computer users out there aren't even aware what a web browser is, much less what "SSL", a "security hole", and a "BHO" are. If they can understand neither what they are using, nor why they shouldn't be using it, they aren't about to switch.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
I've actually had online banking sites force me to use MSIE when they decided Mozilla 1.5 wasn't a modern browser. Seems better with recent Mozilla and Firefox versions, or perhaps the frigging bank fixed their frigging software.
Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
"For crying out loud, people! How hard is it to download Firefox and switch? Especially with the new settings import wizard?"
For crying out loud, people! Nobody even knows what Firefox is!
Quit acting like everybody's a retard and start putting money into a Firefox ad campaign or something. Acting like a raging zealot isn't going to get people to switch.
"Derp de derp."
That's when you point her IE shortcut at Firefox...
I mean come on... Just tell her it is the new IE.
DJMD - The fourth man - Planetary
What people blame Microsoft for is leaving that option on by default. Most users wouldn't even know what that means much less have the sense to uncheck it.
And if you're dumb enough to use a bank that works only with the big neon "Hack Me" sign that is IE, you get what you deserve. Find a bank that works with Mozilla or Konqueror and use those for banking instead.
Oh yes, and be sure to tell your old bank WHY you're closing your account with them. "You're only supporting Internet Explorer as a browser, so I'm not supporting you as a bank."
Not like they'll notice on personal accounts, but maybe if a business or three moves their accounts, they'll sit up and take notice.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
The one that asks the user if he wants to install it?
Yeah, but the only site still forcing me to use IE is my local bank...
1) Complain, if you haven't already... some web commerce site (can't remember which, but it was a big one) had a bug where it didn't recognize Mozilla as a sufficiently high version of Netscape. I feedbacked it, they responded with a NON-CANNED thank you within 24 hours, and it was fixed by the time I used the site again three days later.
2) Have you tried fooling the site by sending different authentication? Mozilla can just *tell* the site it's IE. Unless they're doing something very stupid like using ActiveX, that may work just fine. (If they are using ActiveX, switch banks. Seriously.)
Don't you wish your girlfriend was a geek like me?
I think this will change when non-IE browsers start ruling a larger percentage in the server logs and too many customers complain.
... and decide there's no need to support anything else.
1. Web sites check the user-agent header, refuse access to anybody not claiming to be MSIE.
2. Users of advanced browsers change their user-agent strings to claim to be MSIE.
3. Webmasters check logs, see most all hits come from MSIE...
4.
What does Linux have to do with it? I use Firefox on Windows and I am still not vulnerable to this.
FoundNews.com - get paid to blog.
According to the linked article, this BHO phones the mothership located at:
http://www.refestltd.com/cgi-bin/yes.pl
www.refestltd.com is 66.226.64.11; the ARIN pull is below.
I'm on the phone right now with Matt of Abacus America to get the website taken down.
I am saddened to think that I'm the first one that's bothered to go to the trouble...
OrgName: Abacus America Inc.
OrgID: ABAC
Address: 5276 Eastgate Mall
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US
NetRange: 66.226.64.0 - 66.226.95.255
CIDR: 66.226.64.0/19
NetName: ABAC2002A
NetHandle: NET-66-226-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ABAC.COM
NameServer: NS2.ABAC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-31
Updated: 2003-03-27
TechHandle: AD384-ORG-ARIN
TechName: A Net DNS Administrator
TechPhone: +1-858-410-6900
TechEmail: dns@aplus.net
OrgTechHandle: ANETS-ARIN
OrgTechName: A Net Support
OrgTechPhone: +1-858-410-6900
OrgTechEmail: support@aplus.net
# ARIN WHOIS database, last updated 2004-06-28 22:17
# Enter ? for additional hints on searching ARIN's WHOIS database.
For example, I used to work for Cablevision's Optimumonline service. I would sit in meetings and go on and on about how we should support, even lightly suggest our customers use Mozilla. One of the biggest avoidable call drivers in our Call Centers was people complaining of pop-ups. Another large driver was Spam. Mozilla is a great tool for handling both of those problems.
The Higher Ups weren't interested in my ramblings. They would point out that we support IE, Netscape, Outlook Express and Outlook. They eventually came around and offered support of Safari but on a very limited basis (not that it needs anything more).
The biggest problem that most ISPs face is uneducated consumers. Their machines get hijacked and in turn Spam the World, which causes other users to complain and blame the company. These machines also eat up Network resources, again causing other users to complain and blame the service. Don't forget the users that click on EVERY pop-up that comes their way, thereby infesting their machine with spy-ware to the point that even opening IE is near impossible. Again, this is blamed on the service.
Granted the Mozilla fam aren't really out of the "beta" phase, but I see less Firefox, and Mozilla fixes than there are for IE. Being that Netscape and Mozilla are half-siblings (in a sense) why not support it? It's not like the support staff needs to be re-trained.
People don't care what browser they use, they want one that is intuitive, free, and functional to their needs. I think the Mozilla branch does that. With Firefox 9.1 out today, why are people still using IE? Better yet, why aren't ISPs telling people NOT to use IE? It would save them a fortune and a company not looking to save a fortune..... should be investigated!
I boycott signatures
How can an attacker "easily install a Mozilla extension", exactly? If you are talking about somebody who has rooted your box, then they can already log all your keystrokes regardless of what browser you use. If you are talking about somebody writing browser malware, it's a big problem if a web page can install extensions without your approval. I've never heard of such an exploit for Mozilla (lots for IE, though).
You are also asserting that a Mozilla extension can access the cleartext typed into a login box by "parsing the DOM before navigation begins". It's not clear to me that this is true. If it is, I think it should be considered a security hole. Mozilla should sandbox that text and use protected memory, etc...
You're a fool for using your office computer to do online banking. Haven't you ever heard of a keycatcher?
Keep in mind, you cannot trust a computer which you cannot restrict physical access to. Period.
No personal stuff on the office computer. Not because the company wants it that way, but because you do, whether you know it or not.
You are checking your backups, aren't you?
I am tired of trying to propose solutions to the problems brought about with the large numbers of ignorant users using MS software. I'm also tired of trying to fix problems that these users repeatedly cause. Government and law enforcement don't seem to care, so I'll propose this solution:
In nature, when a population gets too large there's a die-off. Usually this die-off is caused by disease or starvation. The better adapted creatures survive and live on.
We can use the fox and rabbit scenario here.
The malware writers are the foxes and the ignorant users are the rabbits. In our case the foxes don't eat the rabbits, but instead hijack the rabbits' computers for fraud, spam, pop-ups, etc. Foxes die by giving up and moving on to more lucrative off-line crimes.
The rabbits don't eat anything but are increasing in numbers by simply hooking up machines to the Internet. Rabbits die by cancelling their AOL accounts and ceasing to use the Internet.
Right now there are a ton of rabbits (and more every day) and the fox population is exploding.
If we just sit back and let natural selection take its course, the ignorant rabbits will become sufficiently frustrated with their Internet experience and give up. The foxes will concentrate even harder on the remaining rabbits (who will be better adapted to counter the foxes' attacks) or start writing malware for the rest of the rabbits or face a massive die-off as well.
Those that are able to adapt do so by either keeping their machines properly patched or learning to use alternative browsers (or operating systems). These rabbits will then have a better Internet in the end because we will have a better class of users and software.
There's plenty of educational material out there for ignorant users to read. Practically every day there's something in the newspaper about how to protect oneself from these attacks.
The Zombies and SpamBots will make life a hell for the rest of us, but that's a short-term problem in this model. That should fix itself after the die-off itself.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time -- the average time -- to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates.
(1) what planet is he living on?
(2) Isn't that an awfully narrow range? Nothing like being specific with the bull you spew.
Is it just me or has Gates been becoming more and more "out there" lately? Is he even following the computer industry anymore?
Finkployd
There are two very fundamental statements that need to be made. First, yes, someone could develop a malware plugin for Mozilla (or Opera or whatever). The major difference is that only IE allows BHOs to be installed unbeknownst to the user. Furthermore, IE makes it very easy for a user to be duped into allowing a plugin to be installed. Also, IE makes it difficult and confusing to raise the security settings for the browser. Watch an average user try it some day.
Second, it's not that there are so many users that are upset with having to deal with a crappy browser, it's that they don't *know* that IE is a crappy browser. Every time that I have to clean malware off of a machine, I make sure that I let them know (and prove to them by explaining the logs to them) that the spyware was installed via IE. Then, they know that they are using a crappy browser.
Ryosen
One man's "Troll, +1" is another man's "Insightful, +1".
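For the cleanup task described in the comment above, an added example (not part of the thread or of any poster's tooling) that inventories the Browser Helper Objects Internet Explorer is configured to load, resolving each registered CLSID to its DLL and Authenticode status. It reads only the standard machine-wide BHO and CLSID registry locations; the function name `Get-BhoInventory` and the status labels `NoClassRegistration` and `MissingDll` are names chosen for this example.

```powershell
# Added example: machine-wide BHOs are CLSID-named subkeys of the
# "Browser Helper Objects" key; the DLL behind each CLSID is the default
# value of CLSID\{...}\InprocServer32.
$explorer = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$views = @(
    @{ Bho = "HKLM:\SOFTWARE\$explorer"; Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    # 32-bit IE on 64-bit Windows reads the redirected (WOW6432Node) views
    @{ Bho = "HKLM:\SOFTWARE\WOW6432Node\$explorer"; Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-BhoInventory {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid  = $key.PSChildName
            $clsKey = Join-Path $view.Clsid $clsid
            $name = $null; $dll = $null; $signer = $null
            $status = 'NoClassRegistration'      # label chosen for this example
            if (Test-Path -LiteralPath $clsKey) {
                $status = 'MissingDll'           # label chosen for this example
                $name   = (Get-Item -LiteralPath $clsKey).GetValue('')
                $inproc = Join-Path $clsKey 'InprocServer32'
                if (Test-Path -LiteralPath $inproc) {
                    $dll = ([string](Get-Item -LiteralPath $inproc).GetValue('')).Trim('"')
                }
            }
            if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
                # Check who signed the DLL that IE will load in-process
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Clsid = $clsid; Name = $name; Dll = $dll
                Signature = $status; Signer = $signer
            }
        }
    }
}

# Entries that are unsigned, invalidly signed, or point at a missing DLL
# are the ones to examine first.
Get-BhoInventory | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

Catalog-signed system DLLs can show as NotSigned on older PowerShell versions, so treat the Signature column as a triage hint rather than a verdict.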