Slashdot Mirror
New IE Malware Captures Passwords Ahead Of SSL
Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'."
Cue the "Gee I'm glad I use FireFox on Linux" posts.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
that this hasn't happened earlier. Why would you fsck with SSL when you can bypass it completely?
Disconnect and self-destruct, one bullet at a time.
Is why I transmit all of my passwords in plain text... not very secure, but a lot less obvious then all of these complicated 'security' or 'encryption' methods.
Help Brendan pay off his student loans
SF has an article regarding this.
Gates Defends Microsoft Patch Efforts
Free XBox, PS2
Well, personally, i agree with you. Internet Explorer is far inferior to a lot of the other browsers out there.. The thing is that it's bundled with windows, and most people out there quite frankly aren't very computer literate, and more than 1/2 I would bet don't even know other web browsers exist. True, no? Any comments to that?
"laziness"
To uncheck the "enable third party browser extensions" box in your Internet Explorer properties, if you must use Internet Explorer. This fixes most of the Internet Explorer problems that people ever experience and blame on Microsoft.
There is the slight problem that malware can silently reenable it when they run, but I doubt many do.
This is why I do all my online banking using Gopher.
That query is for "refestldt.com" and I stupidly typed "reflestldt.com" after "domain name". The whois info is accurate, just not what I typed there.
All's true that is mistrusted
This isn't Malware, this is advertising for Apple. THIS is why I buy Macintoshes.
What's a browser? Is that like Internet Explorer? But why do I need another one when I already have Internet Explorer? Don't I have to use Internet Explorer to connect to the internet?
By reading this you acknowledge that you have read it.
Primarily cos they just use the first thing that is in front of their face.
One small step towards fixing this is to be involved as much as possible with all new computer installations.
Your mum is getting a new computer? Go in there and set it up for her. Put mozilla and firefox on the desktop, show her how to use them, and remove all the IE icons. She won't know any better and you can rest easy knowing there's less chance your inheritance is going to disappear from her bank account.
-- Even if a god did exist, why the fsck should I worship it?
For the non-power user IE *IS* preferable. I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.
IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.
I don't blame most users for using IE. For them it is "good enough". I see a lot of snobbishness on this site, and maybe some of it is fair enough. I also see a lot of silly arguments with extrapolation from a small sample set "My sister uses Mozilla all the time now!" to big conclusions. As a scientist, I know enough not to make those errors. Anyway I just wanted to say most users don't need Firefox despite what you might read. I guess this is pretty obvious, it accounts for a fraction of 1% of browser usage after all.
For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.
Meine Schwester ist sehr, sehr reizvoll - Nietzsche
Stuff like the google search bar? Does that count?
Sehr geehrter Toilettenbenutzer!
You know you really have something going for you when a single application in your product line helps defines it own genre of exploits:
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
....who figured out how it worked (i.e., Browser Handler Object, HTTP POST of stolen account info to a site) is Tom Liston of Hackbusters. He's been sorting through this kind of thing for a while...
The Army reading list
From the article:
It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX.
Cue the FUD saying "look I told you Open Source was inherently less secure!"
Download my free songs!
I read this article in the Houston Chronicle this morning: Flaws may mean it's time to drop Microsoft browser. It's beginning to look like there's a ton of exploitable stuff in IE.
BTM
That was the turning point of my life--I went from negative zero to positive zero.
Everyone here is likely to blame Microsoft. I'm turning my wrath against the intelligence organizations of various countries. For far too long this BS - malware, viruses, fraud sent via spam - has been mostly ignored. It seems nobody is going to jail for the Paypal scams because Paypal isn't a "real bank". Now they're targeting real banks.
I, for one, am sick of it. Where is our FBI and what are they doing about this? If these were criminals setting up videocameras to record pin numbers at ATMs, you can bet there would be a huge effort to track them down. Well, this is worse than that.
-Ryan, with the unoriginal sig
(Score: -1, Redundant)
sulli
RTFJ.
Not to discuss about IE, what about banks using different password entry schemes?
In Brazil there seems to be a new regulation saying that users of ATM and online banking shouldn't type the password in a numeric pad anymore.
Instead, you get 5 buttons on the touch screen (or a small Java applet, or Javascript thing in the case of the bank where I have an account there) with combinations of two numbers. It looks like "press this if the next number is 3 or 8".
The thing is, the combination changes every time you enter your password. The first button that was "3 or 8" before will be something like "4 or 7" next time. And the combinations change too, not only the position of the buttons.
So it becomes more difficult for spyware to monitor keypresses / mouse clicks, or things like this to work for the scammer. (Ironic or not, the ATM in the pictures at the UT website is from a Brazilian bank).
I haven't seen anything like that in any US bank; it's always a number pad where you type your password, or a text field to type the password online.
Marcelo Vanzin
Come on Bill, lets see you put your money (its not like you don't have enough of that) where your mouth is.
Your 48 hours starts now.
I gots ta ding a ding dang my dang a long ling long
If this won't get people to switch, what will?
Nothing. Probably 75% of computer users out there aren't even aware what a web browser is, much less what "SSL", a "security hole", and a "BHO" are. If they can understand neither what they are using, nor why they shouldn't be using it, they aren't about to switch.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
When will us Linux users finally get to experience all of these exploits and viruses? It looks like Windows users have all the fun. :-)
I've actually had online banking sites force me to use MSIE when they decided Mozilla 1.5 wasn't a modern browser. Seems better with recent Mozilla and Firefox versions, or perhaps the frigging bank fixed their frigging software.
Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
"For crying out loud, people! How hard is it to download Firefox and switch? Especially with the new settings import wizard?"
For crying out loud, people! Nobody even knows what Firefox is!
Quit acting like everybody's a retard and start putting money into a Firefox ad campaign or something. Acting like a raging zealot isn't going to get people to switch.
"Derp de derp."
Thats when you point her IE shortcut at Firefox...
I mean come on,,, Just tell her it is the new IE.
DJMD - The fourth man - Planetary
...I don't know about banks in the US, but at least my (Finnish) bank gives me a username, password and (most important of all) a list of one-time passwords. When I log in, the only things I can see before it requests a one-time password is the balance on account, EURIBOR interest rates and the few stocks I've chosen to observe (ie, a master summary page). If I try to access anything, such as transaction records (not to mention transfers), I have to type in the one-time password. They mail me a new sheet when I'm starting to run out of one-timers.
If I don't want to use one-time passwords, I can choose to use smartcard reader and a PIN number (which remains constant). I'm not sure if that would be vulnerable. Anyway, this follows the "something you have, something you know"-security model, I know the username/password and have either the smartcard or the one-time list.
Do the US banks only use username/password pair?
In other words, it's almost certainly a bogus phone number attached to bogus domain-registration info.
Easy, automatic testing for Perl.
What fancy-ass security feature in Firefox would prevent somebody from writing a plugin like this? Anything besides 'not a big enough user base to attempt it'?
"Derp de derp."
The problem is that websites are test for IE only and are often broke with other browsers. Not because they are using some nifty (non-standard) feature of IE but just because the web developers only test IE.
I think this will change when non-IE browsers start ruling a larger percentage in the server logs and too many customer complain. I always take the time to send a nice e-mail to websites that are broke with Mozilla.
Companies need know that they are limiting their customer base and are losing sales.
Just yesterday I was signing up for a dedicated server at a vendor and their webpage was not working correctly, I brought up IE and worked fine. Ticked - I left and signed up with the competition (servermatrix).
Funny, CIAC Issued a warning about BHO's in early 2002 Link to warning
Get out in the the Real World (tm)(c) and realize that the problem is bigger that just "download Firefox and switch".
I
Unfortunatly this describes 90% of people out there. The only way I can think of to overcome that kind of pervasive ignorace is a public service campaign like the anti-drug campaigns.
[joke]
"This is your computer.. this is your computer on Internet Explorer"
-or-
"Friends don't let Friends use Internet Explorer"
-or-
"Just say No to Internet Explorer"
[/joke]
Seriously, there needs to be a TV campaign or even public service banners on high traffic sites like google or CNN.
After last week's CERT advisory, there should only be a handful of them left.
And if you're dumb enough to use a bank that works only with the big neon "Hack Me" sign that is IE, you get what you deserve. Find a bank that works with Mozilla or Konqueror and use those for banking instead.
Oh yes, and be sure to tell your old bank WHY you're closing your account with them. "You're only supporting Internet Explorer as a browser, so I'm not supporting you as a bank."
Not like they'll notice on personal accounts, but maybe if a business or three moves their accounts, they'll sit up and take notice.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
a) Threaten to never support her computer again
b) Hide the IE shortcuts
c) Change the IE homepage to say, in big letters, "YOU'RE NOT SUPPOSED TO BE USING THIS NOW GET OUT AND START FIREFOX"
d) If you have Zonealarm on her computer, set it so IE has no Internet access
e) Use IE's Content Advisor to block all Web sites
f) I could go on and on
There's a bunch of stuff going on.
First, Microsoft can't keep up with every possible exploit, so they don't even try. This is why they have yet to tackle viruses and trojans. Heck most of the virus companies aren't doing trojans, either.
Second, most of the fine-grained ability to really solve these sorts of problems is beyond your average user. If they had a switch to turn off BHOs, people would turn them off and then wonder why the WhizBangSuperBHO application they just downloaded doesn't work and wouldn't think to make the connection. Plus, there's no real concept of a proper sandbox, nor is there much ability to do it properly, if the default install gives everybody root.
Third, a page or internal site that uses ActiveX, BHOs, and other Microsoft-only technologies is a page or internal site that doesn't work under Opera or Mozilla. So by disabling such things, they risk turning back the clock towards standards that they've been enticing web designers with.
Fourth, spyware folks *cough*gator*cough* have a tendancy to sue their foes. Which is probably without basis, but still could cause Microsoft to have weird injunctions if they got too active about it.
The problem, and the advantage for the rest of the market, is that all of this hurts Microsoft, if they do anything, or if they don't.
Gentoo Sucks
Yes, it's sad that people don't realize that Internet Explorer is not "the internet" and that there are alternatives, but tricking them is not the answer.
Apparently her ISP software linked directly to Iexplorer.exe and when it asked her to make it default she clicked yes.
Not her fault but still makes you want to slam yur head against the monitor screen.
My days of not taking you seriously are certainly coming to a middle...
That sounds nice and all, but if your bank's site only works in IE -- as is true for many banks both large & small -- then the customer doesn't really have a choice in the matter.
I know people that are perfectly happy to use Mozilla 90% of the time, but when they have to log in to Fleet (or whatever other bank site), they must use IE there.
Yes, the problem here is the bank's broken site, but what can you do? Their standard response is "95% of people use IE, so that's what we support", completely ignoring the line of thought that if they wrote in a portable, standards compliant way, they wouldn't have to think about these issues, and their customers would be much happier. But there we are -- stuck.
Your exclamation points are appreciated, but until the banks & other IE-only sites realize the errors of their ways, you're just berating the victims of the larger crime here.
DO NOT LEAVE IT IS NOT REAL
I think this will change when non-IE browsers start ruling a larger percentage in the server logs and too many customer complain.
... and decide there's no need to support anything else.
1. Web sites check the user-agent header, refuse access to anybody not claiming to be MSIE.
2. Users of advanced browsers change their user-agent strings to claim to be MSIE.
3. Webmasters check logs, see most all hits come from MSIE...
4.
As I understood it, it doesn't; basically the gif file is actually an exe exploiting the joys of hidden file extensions. Thus, its name would properly be img1big.gif.exe.
To get around the "teaching others to use a new browser", I just loaded Firefox, added a luna skin to make it look like IE, and then used firesomething to change the name to "internet explorer". They barely know the difference!
But for those that are unfortunately enough to have to help those that insist on IE, for whatever reason, a program called BHODemon might help you. It lets windows users see what BHO's are loaded at any particular time, so I would assume that this malware would show up here as well. Its a quick way that someone can find out just what is running in the background.
http://www.definitivesolutions.com/bhodemon.htm
BHODemon 1.0
Thats funny considering I can't use my bank's Internet system it says it requires IE for security purposes.
- go to http://www.mozilla.org/products/firefox
- download the windows installer
- run aforementioned installer
- Realise that installer automatically imports IE favourites
- Select the Internet Explorer icon, press "Del" key
- When asked if you are sure,say yes (with extreme prejudice)
it's really that simple, for added effect you could try replacing the firefox icon with the explorer one (right click|properties|change icon|browse to iexplore.exe|select the icon from the ones that come up), that's what I did as I was used to clicking on a blue e. After a while I weaned myself off.I am NaN
There's a good explanation of BHO and how malware authors tend to exploit it here.
Maybe this is the kick of the pants that M$ will get now that financial institutions are targetted with a n exploit from a badly-design browser model.
Which is nice.
Wearing pants should always be optional.
Unfortunately, people have their (usually unjustified) reasons.
Take, for example, my Mom. A month or so before coming home from school, I mentioned that I planned on building a new computer for myself over the summer. She told me that she was just about fed up with our home PC because it was so slow and working so poorly and crashing. I told her definitely not to go do anything silly like buy a new one, just yet.
So when I get home, she has since cleaned up a lot of stuff (she's fairly tech-savvy as far as Aunt Tillie-types go) and the computer is running OK. I immediately installed Firefox on the computer, and told her, my brother and sister to all start using it instead of IE.
I left a week later for my summer job (6 hr drive, first time I go back is this weekend). As soon as the IIS compromise issue came out, I e-mailed my Mom and made sure she was using Firefox because she had told me over the phone that she had a lot of spyware/malware problems. Of course she wasn't using Firefox. I asked her why the hell not and she says, "I'm old and don't want to have to take the time to learn something new" (she is co-owner of a financial consulting firm). So I explain to her how it's not anything new. A browser is a browser, you've got the back button, the forward button, hell, you can even import favorites. So whatever. That was a few days ago.
I called her last night to make sure she started using Firefox, and of course, she wasn't again. I asked her why and this is exactly what she said, "I may be superstitious or something, but ever since Mozilla was installed, that's when we started getting all the nasty stuff on the computer." Well I didn't want to be rude and point out what problems she was having before I got home from school, so I let it go when she promised I could show her how great Firefox is when I go home this weekend.
I only hope she's not using IE to check her bank statements, etc.
Some people are so set in their ways, like my uncle, for example, who refuses to wear a seatbelt. I feel like switching browsers is the same situation. If anyone has any recommendations on how to convince people that are utterly unconvinceable to switch to Firefox, please let me know.
According to the linked article, this BHO phones the mothership located at:
http://www.refestltd.com/cgi-bin/yes.pl
www.refestltd.com is 66.226.64.11; the ARIN pull is below.
I'm on the phone right now with Matt of Abacus America to get the website taken down.
I am saddened to think that I'm the first one that's bothered to go to the trouble...
OrgName: Abacus America Inc.
OrgID: ABAC
Address: 5276 Eastgate Mall
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US
NetRange: 66.226.64.0 - 66.226.95.255
CIDR: 66.226.64.0/19
NetName: ABAC2002A
NetHandle: NET-66-226-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ABAC.COM
NameServer: NS2.ABAC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-31
Updated: 2003-03-27
TechHandle: AD384-ORG-ARIN
TechName: A Net DNS Administrator
TechPhone: +1-858-410-6900
TechEmail: dns@aplus.net
OrgTechHandle: ANETS-ARIN
OrgTechName: A Net Support
OrgTechPhone: +1-858-410-6900
OrgTechEmail: support@aplus.net
# ARIN WHOIS database, last updated 2004-06-28 22:17
# Enter ? for additional hints on searching ARIN's WHOIS database.
So there's a list of 50-or-so banking sites that the malware picks up. Where's the list? How can I know if I need to call home and tell the wife to NOT use online banking until I get home or not? Also, what's the quick way to tell if I have the malware or not? Does it drop a dll, exe or something somewhere? I *hate* things like this where it's reported that "you might be infected" -- tell me what clues I can look for to know. Tell me which (if any?) IE fixes subvert this. Tell me which A/V vendors have patches to prevent it (if any). Aargh.
report said they used the CHM exploit.
2 3' CODEBASE='mstasks.exe'
Here is what I dug up on that (as related to another incident):
A file named chm.chm, which is a compiled-HTML help file, is downloaded. This file is 143,918 bytes in length. The chm.chm contains two files, launch.htm (93 bytes) and mstasks.exe( 160,768 bytes).
The file launch.htm, which contains the following code, runs mstasks.exe.
OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-1111111111
So I am guessing the exe in the chm file renames the gif and runs it?
For example, I used to work for Cablevision's Optimumonline service. I would sit in meetings and go on and on about how we should support, even lightly suggest our customers use Mozilla. One of the biggest avoidable call drivers in our Call Centers was people complaining of pop-ups. Another large driver was Spam. Mozilla is a great tool for handling both of those problems.
The Higher Ups weren't interested in my ramblings. They would point out that we support IE, Netscape, Outlook Express and Outlook. They eventually came around and offered support of Safari but on a very limited basis (not that it needs anything more).
The biggest problem that most ISPs face is uneducated consumers. Their machines get hijacked and in turn Spam the World, which causes other users to complain and blame the company. These machines also eat up Network resources, again causing other users to complain and blame the service. Don't forget the users that click on EVRERY pop-up that comes their way, thereby infesting their machine with spy-ware to the point that even opening IE is near impossible. Again, this is blamed on the service.
Granted the Mozilla fam aren't really out of the "beta" fase, but I see less Firefox, and Mozilla fixes then there are for IE. Being that Netscape and Mozilla are half-siblings (in a sense) why not support it? It's not like the support staff needs to be re-trained.
People don't care what browser they use, they want one that is intuitive, free, and functional to their needs. I think the Mozilla branch does that. With firefox 9.1 out today, why are people still using IE? Better yet, why aren't ISPs telling people NOT to use IE? It would save them a fortune and a company not looking to save a fortune..... should be investigated!
I boycott signatures
While this naively may seem like a good idea, it has enormous potential to blow up in your face.
By installing software on a computer-illiterate person's computer, you are implicitly taking *personal* responsibility for that computer, whether you want to or not. From that moment forward, that person will insist that you provide free technical support for them whenever you need it. Refuse this, and you will cast a bad light on open source. (ie: That Mozilla thing broke my Internet and no one will help me!) From experience, Murphy's law will go into effect, and any and every thing will go wrong.
Be wary whenever you offer to help someone with their computer. I have been so burnt out from helping so many people over the years that I refuse to help anyone, even family members, or even talk to them about computers.
Like it or not, open source cannot forever rely on legions of selfless geeks helping everyone. It's just not infinitely scalable. "Mainstream" open source projects like Mozilla, OpenOffice, etc need to 1) proactively focus on usability by recruiting (by paying if necessary) human-computer interface experts and focusing all development on usability and 2) forming political relationships with as many computer manufacturers, banks, and any other organizations we can to get our stuff in front of mainstream users. There is already some movement on these fronts, but it needs to be at least an order of magnitude greater.
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
I am tired of trying to propose solutions to the problems brought about with the large numbers of ignorant users using MS software. I'm also tired of trying to fix problems that these users repeatedly cause. Government and law enforcement doesn't seem to care, so I'll propose this solution:
In nature, when a population gets too large there's a die-off. Usually this die-off is caused by disease or starvation. The better adapted creatures survive and live on.
We can use the fox and rabbit scenario here.
The malware writers are the foxes and the ignorant users are the rabbits. In our case the foxes don't eat the rabbits, but instead hijack the rabbits' computers for fraud, spam, pop-ups, etc. Foxes die by giving up and moving on to more lucrative off-line crimes.
The rabbits don't eat anything but are increasing in numbers by simply hooking up machines to the Internet. Rabbits die by cancelling their AOL accounts and stop using the Internet.
Right now there are a ton of rabbits (and more every day) and the fox population is exploding.
If we just sit back and let natural selection take its course, the ignorant rabbits will become sufficiently frustrated with their Internet experience and give up. The foxes will concentrate even harder on the remaining rabbits (who will be better adapted to counter the foxes' attacks) or start writing malware for the rest of the rabbits or face a massive die-off as well.
Those that are able to adapt do so by either keeping their machines properly patched or learn to use alternative browsers (or operating systems). These rabbits will then have a better Internet in the end because we will have a better class of users and software.
There's plenty of educational material out there for ignorant users to read. Practically every day there's something in the newspaper about how to protect oneself from these attacks.
The Zombies and SpamBots will make life a hell for the rest of us, but that's a short-term problem in this model. That should fix itself after the die-off itself.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
Someone could just as easily program a plug-in for Mozilla/Firefox/whatever that does the same thing as BHO? Do you also think that all operating systems are equally secure inherently? Is it just as easy to program in Python as it is to program in Pascal? Microsoft has a long history of creating application environments that offer extensibility through plug-ins that are inherently prone to security exploits. This makes it easier to create exploits for their products.
IE is the target because a high per cent of people uses it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.
Like back in the day, when Netscape ruled the browser market? Yep, there were a lot of adware/spyware/trojan-ware apps back then.
Maybe you should be happy that IE is used by so many.
Actually, no. I think most people would be a lot happier not to have to deal with such a crappy browser that is always introducing security problems, isn't standards-compliant, and doesn't have any of the most recent "must have" features that so many other browsers share. It would be easier for web developers, users, and security managers if IE weren't such a piece of crap.
Read the EFF's Fair Use FAQ
Isn't Firefox with its plugins system also susceptible to malware? How secure is the area in which plugins can play? It would be interesting if someone would take up the challenge of writing a similar piece of software as a plugin for Firefox and see if they can insinuate it in the Plugins repository.
It's not that I wish such a thing on people, but I'd like to know how secure the repositories are and what kind of damage we're looking at if it isn't.
I really must stop watching Comedy Central.
I don't want knowledge. I want certainty. - Law, David Bowie
Okay, this idiot must want to get caught. To you aspiring virus/trojan writers out there: DO NOT have your virus/trojan send information to a web site. Send it to a newsgroup. Geez. Encrypt it if you must, but don't send it somewhere where you can be tracked. Send it somewhere where you can get it anonymously. Man, moron hackers out there. It's like that idiot Slashdot reported on yesterday who got caught on the extortion deal when he told them who to make the check out to.
penalize them for failure to reveal risk.
As of 7:11 PM Eastern Time (1.5 hours after my phone call), the site is now offline.
For those of you who don't take the time to read the analysis of the trojan, here's what is said:
.chm file. At the same time, it appears to have executed a script on .chm exploit, shown above is likely used to rename and execute this
The HTML here attempts to exploit a known flaw in Internet Explorer to load and
execute a
www.mymaydayinc.com called photos.php. At this point, the packet captures provided
by the victim end, but it is possible to make some intelligent guesses as to what happened
next.
The victim of the attack found a file called "img1big.gif" had been loaded onto their
machine. Because of the account restrictions on the person running the machine, it had
failed to install properly, which was why it had come to their attention. It is this file that
they forwarded to the SANS Internet Storm Center for analysis.
The file "img1big.gif" is not a graphic file at all. It is actually a 27648 byte Win32
executable that has been compressed using the Open Source executable compressor UPX.
(Hypothesis: the
file.)
So basically, it allows a CHM file (Compiled Help, used in your standard help files) to auto-install a DLL, which in turn regisers itself as a Browser Helper Object (BHO). BHO's are typically used for things like Browser Toolbars (like the one Google provides).
Microsoft should not allow auto-execution of any file type. It should be an easy fix to IE though.
I am one of the folks that submitted this to SANS. I actually looked at the file prior to my teammate sending it and the initial report. The .gif file was really an executable file without the .exe extension. The file had an executable's header and link information strings referring to DLL load points at the end of the file. The middle of the file was compressed binary cruft. The attack vector used the CHM vulnerability to launch.
./. My life is complete...
Another interesting thing we've noticed lately is how many attacks are now using multiple vectors. After dealing with this issue and a bunch of related ones we have come across I have to say that the entire banner ad system is corrupt and infected.
I never thought anything I had a hand in would show up on