New IE Malware Captures Passwords Ahead Of SSL
Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'."
I read this article in the Houston Chronicle this morning: Flaws may mean it's time to drop Microsoft browser. It's beginning to look like there's a ton of exploitable stuff in IE.
BTM
That was the turning point of my life--I went from negative zero to positive zero.
Not to discuss about IE, what about banks using different password entry schemes?
In Brazil there seems to be a new regulation saying that users of ATM and online banking shouldn't type the password in a numeric pad anymore.
Instead, you get 5 buttons on the touch screen (or a small Java applet, or Javascript thing in the case of the bank where I have an account there) with combinations of two numbers. It looks like "press this if the next number is 3 or 8".
The thing is, the combination changes every time you enter your password. The first button that was "3 or 8" before will be something like "4 or 7" next time. And the combinations change too, not only the position of the buttons.
So it becomes more difficult for spyware to monitor keypresses / mouse clicks, or things like this to work for the scammer. (Ironic or not, the ATM in the pictures at the UT website is from a Brazilian bank).
I haven't seen anything like that in any US bank; it's always a number pad where you type your password, or a text field to type the password online.
Marcelo Vanzin
Come on Bill, lets see you put your money (its not like you don't have enough of that) where your mouth is.
Your 48 hours starts now.
I gots ta ding a ding dang my dang a long ling long
...I don't know about banks in the US, but at least my (Finnish) bank gives me a username, password and (most important of all) a list of one-time passwords. When I log in, the only things I can see before it requests a one-time password is the balance on account, EURIBOR interest rates and the few stocks I've chosen to observe (ie, a master summary page). If I try to access anything, such as transaction records (not to mention transfers), I have to type in the one-time password. They mail me a new sheet when I'm starting to run out of one-timers.
If I don't want to use one-time passwords, I can choose to use smartcard reader and a PIN number (which remains constant). I'm not sure if that would be vulnerable. Anyway, this follows the "something you have, something you know"-security model, I know the username/password and have either the smartcard or the one-time list.
Do the US banks only use username/password pair?
IE is not just woefully inadequate for power users. It's woefully inadequate for anyone who wants a reasonable (not to mention decent!) Internet experience.
It's only "good enough" as long as people don't know about alternatives. Then the immediately start downloading extensions to IE -- extensions that you and I know come standard with a real modern browser.
Another one bites the dust
I wrote a BHO to help me leech pr0n. You know those websites that have a big table of thumbnails and each thumbnail is a link to the real picture? Well I wrote a BHO which would enumerate all links that pointed to pictures and then download them. It was smart and inserted the Referer tag so that it would download correctly. It's a sweet BHO if you ask me.
There's a bunch of stuff going on.
First, Microsoft can't keep up with every possible exploit, so they don't even try. This is why they have yet to tackle viruses and trojans. Heck most of the virus companies aren't doing trojans, either.
Second, most of the fine-grained ability to really solve these sorts of problems is beyond your average user. If they had a switch to turn off BHOs, people would turn them off and then wonder why the WhizBangSuperBHO application they just downloaded doesn't work and wouldn't think to make the connection. Plus, there's no real concept of a proper sandbox, nor is there much ability to do it properly, if the default install gives everybody root.
Third, a page or internal site that uses ActiveX, BHOs, and other Microsoft-only technologies is a page or internal site that doesn't work under Opera or Mozilla. So by disabling such things, they risk turning back the clock towards standards that they've been enticing web designers with.
Fourth, spyware folks *cough*gator*cough* have a tendancy to sue their foes. Which is probably without basis, but still could cause Microsoft to have weird injunctions if they got too active about it.
The problem, and the advantage for the rest of the market, is that all of this hurts Microsoft, if they do anything, or if they don't.
Gentoo Sucks
Apparently her ISP software linked directly to Iexplorer.exe and when it asked her to make it default she clicked yes.
Not her fault but still makes you want to slam yur head against the monitor screen.
My days of not taking you seriously are certainly coming to a middle...
Thats funny considering I can't use my bank's Internet system it says it requires IE for security purposes.
I'd agree with you, except my banks aren't supporting standards, and don't work with standards-compliant browsers.
Mine does. Switch to a different bank. Market forces will take care of the rest.
Unfortunately, people have their (usually unjustified) reasons.
Take, for example, my Mom. A month or so before coming home from school, I mentioned that I planned on building a new computer for myself over the summer. She told me that she was just about fed up with our home PC because it was so slow and working so poorly and crashing. I told her definitely not to go do anything silly like buy a new one, just yet.
So when I get home, she has since cleaned up a lot of stuff (she's fairly tech-savvy as far as Aunt Tillie-types go) and the computer is running OK. I immediately installed Firefox on the computer, and told her, my brother and sister to all start using it instead of IE.
I left a week later for my summer job (6 hr drive, first time I go back is this weekend). As soon as the IIS compromise issue came out, I e-mailed my Mom and made sure she was using Firefox because she had told me over the phone that she had a lot of spyware/malware problems. Of course she wasn't using Firefox. I asked her why the hell not and she says, "I'm old and don't want to have to take the time to learn something new" (she is co-owner of a financial consulting firm). So I explain to her how it's not anything new. A browser is a browser, you've got the back button, the forward button, hell, you can even import favorites. So whatever. That was a few days ago.
I called her last night to make sure she started using Firefox, and of course, she wasn't again. I asked her why and this is exactly what she said, "I may be superstitious or something, but ever since Mozilla was installed, that's when we started getting all the nasty stuff on the computer." Well I didn't want to be rude and point out what problems she was having before I got home from school, so I let it go when she promised I could show her how great Firefox is when I go home this weekend.
I only hope she's not using IE to check her bank statements, etc.
Some people are so set in their ways, like my uncle, for example, who refuses to wear a seatbelt. I feel like switching browsers is the same situation. If anyone has any recommendations on how to convince people that are utterly unconvinceable to switch to Firefox, please let me know.
erm ... this says the html is not valid 4.01. Also, the w3c css validator complains rather heavily on it. So much for standard support ^_^
For the non-power user IE *IS* preferable.
The non-power user is most vulnerable to the security flaws IE is famous for. They are less likely to notice if something is downloaded to them without consent, and less likely to be able to fix it if it is.
I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.
There's two things I tell/show people about Mozilla when I install it (waiting for 1.0 to start giving out Firefox):
- Look, tabbed browsing. [perform Google search on something they find interesting. Middle-click on a lot of links.] Shiny!
- Look, no pop-ups. This is the big winner.
Oh, yeah, it's more secure, yadda yadda... but those are the two functions that the average person is going to find most beneficial. They may not pick up tabbed browsing, but they sure will appreciate built-in by-default popup blocking.
It may take some persistence. Every time they call you for help, walk them through like they're using Mozilla. If they're not using Mozilla, tell them to use it instead.
IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.
My mom called me last week, when my phone battery was almost dead. Thankfully, it was a short conversation, because it went like this:
"I heard that there's this new web exploit that MS doesn't have a patch for, but it's ok if you update your antivirus. So if I just update Norton I'll be fine?"
"Are you using IE?"
"No."
"Go ahead and update Norton anyway, but you can only get the virus if you're using IE. Keep using Mozilla and you'll be fine."
[bee-oop, bee-oop, bee-oop, phone goes dead]
The last few months of retraining her to think of Mozilla as her default browser have paid off. Yay!
For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.
You could say the same about IE. Most of the security flaws come from having built-in functionality that is only useful in some very esoteric intranet environments, and has no business on the public web. The whole "Trusted Sites," "Internet Zone," etc. thing is WAY more complicated than it should be, and defaults to settings that aren't safe, so you do have to go in there and change things if you want a somewhat secure browsing experience.
In Mozilla, the preferences are very clearly organized, with only a few things on any one screen. Makes it far easier for me to walk someone through changing something, and easier for the novice to find it themselves. The explanations are a lot more useful, too.
To go with the car analogy, using IE is like using the company fleet's Ford Taurus with no right-hand wing mirror or air bags, because it's closer at hand than your Honda Civic Hybrid. In my opinion, anyway.
Don't you wish your girlfriend was a geek like me?
While this naively may seem like a good idea, it has enormous potential to blow up in your face.
By installing software on a computer-illiterate person's computer, you are implicitly taking *personal* responsibility for that computer, whether you want to or not. From that moment forward, that person will insist that you provide free technical support for them whenever you need it. Refuse this, and you will cast a bad light on open source. (ie: That Mozilla thing broke my Internet and no one will help me!) From experience, Murphy's law will go into effect, and any and every thing will go wrong.
Be wary whenever you offer to help someone with their computer. I have been so burnt out from helping so many people over the years that I refuse to help anyone, even family members, or even talk to them about computers.
Like it or not, open source cannot forever rely on legions of selfless geeks helping everyone. It's just not infinitely scalable. "Mainstream" open source projects like Mozilla, OpenOffice, etc need to 1) proactively focus on usability by recruiting (by paying if necessary) human-computer interface experts and focusing all development on usability and 2) forming political relationships with as many computer manufacturers, banks, and any other organizations we can to get our stuff in front of mainstream users. There is already some movement on these fronts, but it needs to be at least an order of magnitude greater.
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
Someone could just as easily program a plug-in for Mozilla/Firefox/whatever that does the same thing as BHO? Do you also think that all operating systems are equally secure inherently? Is it just as easy to program in Python as it is to program in Pascal? Microsoft has a long history of creating application environments that offer extensibility through plug-ins that are inherently prone to security exploits. This makes it easier to create exploits for their products.
IE is the target because a high per cent of people uses it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.
Like back in the day, when Netscape ruled the browser market? Yep, there were a lot of adware/spyware/trojan-ware apps back then.
Maybe you should be happy that IE is used by so many.
Actually, no. I think most people would be a lot happier not to have to deal with such a crappy browser that is always introducing security problems, isn't standards-compliant, and doesn't have any of the most recent "must have" features that so many other browsers share. It would be easier for web developers, users, and security managers if IE weren't such a piece of crap.
Read the EFF's Fair Use FAQ
Isn't Firefox with its plugins system also susceptible to malware? How secure is the area in which plugins can play? It would be interesting if someone would take up the challenge of writing a similar piece of software as a plugin for Firefox and see if they can insinuate it in the Plugins repository.
It's not that I wish such a thing on people, but I'd like to know how secure the repositories are and what kind of damage we're looking at if it isn't.
And if your bank does not change. Then you change. Take your money to a different bank. It may be a little bit of a pain to have to do that, but that is the only power we have left as consumers, so exercise it.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
My bank changed it too. I called phone support and after a week or so I was suddenly able to surf to the page with mozilla. Half a year later they relaunched their page and got rid of the Java crap they have been using before. Actually, when I called lately and they told me about another update I asked again and they replied "Of course we will support Mozilla, we wouldn't be so stupid to annoy many of our customers!" It seems that their IT is at least aware that there are other browsers out there.
FYI: It was this german bank.
One problem with your little scenario.
The "rabbits" are consumers! They pay to buy and sell stuff, pay to read about other rabbits, pay to view pictures of young shaved rabbits, pay to manage their carrot hoard online, all on the websites we're paid to build.
If there's fewer rabbits, we get paid less.
If rabbits tell other rabbits that one particular "field" (the internet) is full of foxes, they'll stay away, and the rabbits will move off to somebody else's field (like maybe a "secure" proprietary network owned by a big corporation).
Let me make my point another way - instead of the web, let's consider a shopping mall that has pickpockets. By your Darwinian model, we should just sit back, let the shoppers get pickpocketed, and hope that only paranoid shoppers with tight pants will shop in our mall...?
Or, get a *real* ebanking system...
;)
I live in norway and most net-banks here use both your "birth-number" *and* a "securitycard" to generate a key.
The key generated by the securitycard is never the same, and you need a 4 digit pin-code to even get it to generate a code. You type in the first 6 digits and hit "log in" and on the screen you get the last 2 digits, if these match with the ones on your "securitycard" you can be resonable sure that you are really talking with your bank.
Sniffing the password etc wont help you one bit, since it will only be active for a few minutes. After that, you need a new number to log in.
Steal the card? I would just call my bank and they would issue a new one, and put the other on the "watch list" someone try to log on with it: ups, their IP is logged and you have a trail for the police
Another great thing about this way of doing it is that you can access your netbank anywhere and within a few minutes, any information logged by a keycatcher is invalid.
For those of you who don't take the time to read the analysis of the trojan, here's what is said:
.chm file. At the same time, it appears to have executed a script on .chm exploit, shown above is likely used to rename and execute this
The HTML here attempts to exploit a known flaw in Internet Explorer to load and
execute a
www.mymaydayinc.com called photos.php. At this point, the packet captures provided
by the victim end, but it is possible to make some intelligent guesses as to what happened
next.
The victim of the attack found a file called "img1big.gif" had been loaded onto their
machine. Because of the account restrictions on the person running the machine, it had
failed to install properly, which was why it had come to their attention. It is this file that
they forwarded to the SANS Internet Storm Center for analysis.
The file "img1big.gif" is not a graphic file at all. It is actually a 27648 byte Win32
executable that has been compressed using the Open Source executable compressor UPX.
(Hypothesis: the
file.)
So basically, it allows a CHM file (Compiled Help, used in your standard help files) to auto-install a DLL, which in turn regisers itself as a Browser Helper Object (BHO). BHO's are typically used for things like Browser Toolbars (like the one Google provides).
Microsoft should not allow auto-execution of any file type. It should be an easy fix to IE though.
A relevant side comment; banks are generally very concerned about security, online and in general. This is because it is a liablity for them. I work in the banking industry in fraud detection and prevention, and its big business. In the US at least, the consumer is only liable for the first $50 in a case of check card fraud, credit card companies are liable for the whole thing. I've had my work slow to a crawl because a bank's IT dept blocked _all_ attachements during a worm outbreak, I've FedExed CDs with 2 10K files because no one knew when attachments would be allowed again.
Speaking up really could make a difference, especially if you can get in touch with a techie. He/she can then go to the PHB with some ammo that consumers demand compatibility with more secure browsers such as Mozilla/Safari/Opera etc. (He/she already demanded this compatibility, but you know PHBs).
I'd not be the least bit surprised if the banking industry became a major driver in getting users to switch away from IE. Online fraud losses are creeping up on more traditional fraud s.a. check fraud. Add in the liability if consumer data gets out on the net and banks may begin to _only_ support non-IE browsers. Maybe not today, maybe not tomorrow, but someday, an IE hole is going to blow so big banks won't want thier customers on it because of the liability concern. At least this what the IT and loss prevention people would prefer.
--
IE isn't a feature, its a bug
"None of us are as dumb as all of us." - meeting mantra
Knoppix, Linux, DOS, OS/2 -- the OS doesn't matter. The keykatcher is hardware dongle-like thing, looks like an elongated keyboard plug. And all it does is keeps the last 65K of keystrokes you've typed.
You can download it to a floppy without removing it from the PC (if you're running Windows) or you can remove it, download it to a different PC and replace it later. Or, you can remove it, download it to a different PC, and then place it on the next guy's keyboard.
So, the truly paranoid person now has to cut-n-paste bits of their password with the mouse, and hope the bad guys haven't installed Back Orifice.
John
I am one of the folks that submitted this to SANS. I actually looked at the file prior to my teammate sending it and the initial report. The .gif file was really an executable file without the .exe extension. The file had an executable's header and link information strings referring to DLL load points at the end of the file. The middle of the file was compressed binary cruft. The attack vector used the CHM vulnerability to launch.
./. My life is complete...
Another interesting thing we've noticed lately is how many attacks are now using multiple vectors. After dealing with this issue and a bunch of related ones we have come across I have to say that the entire banner ad system is corrupt and infected.
I never thought anything I had a hand in would show up on