Slashdot Mirror


New IE Malware Captures Passwords Ahead Of SSL

Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Helper Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'"

4 of 986 comments

  1. Go back to basics? by Sheetrock · Score: 0, Troll
    This brings up a complaint I've got with the way the industry works nowadays.

    As a programmer, I feel the continual march of progress in computing has been hampered as of late because of a major misconception in some segments of the software industry. Some would argue that the process of refinement by iterative design, which is the subject of many texts in the field -- extreme programming being the most recent -- demonstrates that applying the theory of evolution to coding is the most effective model of program 'design'.

    But this is erroneous. The problem is that while extremely negative traits are usually stripped away in this model, negative traits that do not (metaphorically) explicitly interfere with life up until reproduction often remain. Additionally, traits that would be extremely beneficial that are not explicitly necessary for survival fail to come to light. Our ability to think and reason was not the product of evolution, argues a new and credible scientific theory called intelligent design, but was deliberately chosen for us. Perhaps this is a thought that should again be applied to the creation of software.

    It makes no sense to choose the option of continually hacking at a program until it works as opposed to properly designing it from the start. One only has to compare the security woes of Microsoft or Linux with the rock-solid experience of OpenBSD for an example. It makes little sense from a business perspective as well; it costs up to ten times as much to fix an error by the time it hits the market as it would to catch it during the design. Unfortunately, as much of this cost is borne by consumers and not the companies designing buggy products, it's harder to make the case for proper software engineering.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




  2. Hey, why don't we be more sarcastic? by TaintedPastry · Score: 0, Troll
    Here's a thought for all of you brain-washed linux-geeks: If every end-user is an idiot, as you all so condescendingly post day in and day out, fix it for them.

    Bust out all your mad coding skills and throw up a rogue Windows patch site to install your own 'patches' onto the Windows OS/IE to fix these problems.

    You sit here and spout about how much MS ruins the world, and make fun of your end-users (without whom you would have no JOB) to the point of weariness. Yet, you do nothing to FIX these problems. According to you they don't know any better...so instead of worrying their feeble little minds with learning a new browser, put your dual 4.5 GHz Biological thinking machines to work and fix the BHO/SSL problem along with world hunger.

  3. Re:Coming events by GlassUser · Score: 0, Troll

    Any chance of sharing that writeup? I use IE and have no problem with it (pretty much all these "security holes" that people whine about are the user's fault, and not caused by IE), but if it helps them support standards and the idea behind web browsers, I'm all for it.

  4. Linux helps. Windoze is a waste of time. by twitter · Score: 0, Troll
    What does Linux have to do with it? I use FireFox on Windows and I am still not vulnerable to this.

    Your choice of browser helps, but it's not enough. You might not be caught by this, but Windoze itself listens on other ports and can be exploited. It happens without any effort on your part. Also, you might be tempted to use LookOut or similar, are probably running as root and lack a host of other safety mechanisms that protect the average Linux user.

    The average user is much better off running a kernel that has real users that respects permissions embedded in the file system. As someone else mentioned, all of the above makes it difficult for a malicious web site to load any kind of system software without the user knowing. Windoze was designed to make that possible and it is no surprise that security is so poor on Windoze.

    Some might complain that you use Mozilla based browsers, email clients and other stuff to avoid Windoze security problems and that's good enough for you. Fine for them, whatever. I consider it all a royal pain in the ass to keep up with all of that. Going to get a handful of free software programs to make Windoze work right is an exhausting and pointless exercise. Microsoft does its best to break them and dependency resolution on Windoze has always been impossible. It's much easier, and more secure, to simply install a reasonable distro in the first place.

    --

    Friends don't help friends install M$ junk.