Slashdot Mirror


New IE Malware Captures Passwords Ahead Of SSL

Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Helper Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'"

39 of 986 comments

  1. Coming events by Carnildo · · Score: 5, Funny

    Cue the "Gee I'm glad I use FireFox on Linux" posts.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    1. Re:Coming events by Anonymous Coward · · Score: 5, Funny

      Gee I'm glad I use FireFox on Linux.

    2. Re:Coming events by Anonymous Coward · · Score: 5, Insightful

      Gee I'm glad I use FireFox on Linux!
      Except when I'm at work...

      I've got no choice at the office. So should I just stop doing online banking at work because the computers happen to use the most popular operating system and browser in the world?

      It does seem surprising that this hasn't been done before.

    3. Re:Coming events by oGMo · · Score: 5, Insightful
      Cue the "Gee I'm glad I use FireFox on Linux" posts.

      Gee, I'm glad I use Firefox on Linux. And why the hell shouldn't I be? In addition to actually supporting standards (CSS anyone?), my decision is constantly reaffirmed by exploits such as these. Do you have a problem with that? (Actually I use Mozilla, but close enough.)

      --

      Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

    4. Re:Coming events by IsaacW · · Score: 5, Insightful
      So should I just stop doing online banking at work because the computers happen to use the most popular operating system and browser in the world?
      Nope, you should just be smart about your office desktop's security settings and perhaps even use the browser-help-object (BHO) listing tool noted in the linked article: http://www.definitivesolutions.com/bhodemon.htm. I just checked my desktop, and it wasn't infected; so I'll still do banking online and continue to be wary of security issues.
    5. Re:Coming events by karniv0re · · Score: 5, Funny

      You just wait, mister, until enough people start using Lynx. Then they'll start coding malware for Lynx. Just think! Pop-ups, homepage changing... You might even get browser-hijacked to porn sites!

    6. Re:Coming events by Ironica · · Score: 5, Insightful

      Yeah, but the only site still forcing me to use IE is my local bank...

      1) Complain, if you haven't already... some web commerce site (can't remember which, but it was a big one) had a bug where it didn't recognize Mozilla as a sufficiently high version of Netscape. I feedbacked it, they responded with a NON-CANNED thank you within 24 hours, and it was fixed by the time I used the site again three days later.

      2) Have you tried fooling the site by sending different authentication? Mozilla can just *tell* the site it's IE. Unless they're doing something very stupid like using ActiveX, that may work just fine. (If they are using ActiveX, switch banks. Seriously.)

      --
      Don't you wish your girlfriend was a geek like me?
    7. Re:Coming events by dirvish · · Score: 5, Insightful

      What does Linux have to do with it? I use FireFox on Windows and I am still not vulnerable to this.

    8. Re:Coming events by msoftsucks · · Score: 5, Informative

      No need. You can run Firefox from removable media. Just get yourself a USB memory stick or USB micro drive, and follow the installation instructions.

      Do this for a few power users, and within a very short time, the IE-only requirement goes away pretty fast.

      --
      Quit playing Monopoly with Bill.
      Linux - of the people, by the people, and for the people.
    9. Re:Coming events by sentientbeing · · Score: 5, Funny


      Gee, I'm glad I'm continuously overdrawn and therefore have no money whatsoever in my bank account...

      The last time I asked for money at the bank they knocked me back.

      "Fine!" I said, "I'm taking my minus 1500 elsewhere...."

      --

      ------
      beware he who would deny you access to information, for in his mind he dreams himself your master
    10. Re:Coming events by freakmn · · Score: 5, Funny

      I'm glad I use AOL on Windows ME!

      If I actually did, I think I would puke...

      --
      warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
    11. Re:Coming events by 955301 · · Score: 5, Insightful

      You're a fool for using your office computer to do online banking. Haven't you ever heard of a keycatcher?

      Keep in mind, you cannot trust a computer which you cannot restrict physical access to. Period.

      No personal stuff on the office computer. Not because the company want it that way, but because you do, whether you know it or not.

      --
      You are checking your backups, aren't you?
    12. Re:Coming events by AstroDrabb · · Score: 5, Interesting
      No offence, but I think that is a poor attitude. One opinion can make a difference, though there are no guarantees. For example, about 1 year ago, I was having problems with online banking for my bank. The site sucked and said you need/should use IE. I keep a long list of links to IE/Windows holes, exploits etc. I wrote up a very good technical email with links to all the problems with IE. I basically asked my bank why they would force me to use the most insecure web browser to do transactions that are so important to me and their business. Not too long after that the site now works great in Mozilla/Firefox. Now I don't know if those changes were because of me or because other users complained or the bank IT dept figured it out on their own, but the changes happened. I also put in the email that I would take my money to a competitor that does have a standards-compliant site.

      And if your bank does not change. Then you change. Take your money to a different bank. It may be a little bit of a pain to have to do that, but that is the only power we have left as consumers, so exercise it.

      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
    13. Re:Coming events by omglolbah · · Score: 5, Interesting

      Or, get a *real* ebanking system...

      I live in Norway and most net-banks here use both your "birth-number" *and* a "securitycard" to generate a key.

      The key generated by the securitycard is never the same, and you need a 4 digit pin-code to even get it to generate a code. You type in the first 6 digits and hit "log in" and on the screen you get the last 2 digits; if these match with the ones on your "securitycard" you can be reasonably sure that you are really talking with your bank.

      Sniffing the password etc won't help you one bit, since it will only be active for a few minutes. After that, you need a new number to log in.

      Steal the card? I would just call my bank and they would issue a new one, and put the other on the "watch list". If someone tries to log on with it: oops, their IP is logged and you have a trail for the police ;)

      Another great thing about this way of doing it is that you can access your netbank anywhere and within a few minutes, any information logged by a keycatcher is invalid.
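Added here as a toy model of the card-plus-PIN login described in the post above; it is an example written for this page, not code from any bank or from the poster. It assumes the card and the bank share a per-card secret, that codes are HMAC-SHA256 over a three-minute window counter and eight digits long, and that the customer types the first six digits while the bank echoes the last two. The birth-number, PIN and secret are constructed sample values.

```powershell
# Toy model of a time-windowed card code with a 2-digit echo from the bank (constructed example).
# Assumptions: shared per-card secret, HMAC-SHA256 over a 180-second window counter, 8-digit codes.

function Get-WindowCounter {
    param([datetime]$Now, [int]$WindowSeconds = 180)
    $epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    [long][math]::Floor(($Now.ToUniversalTime() - $epoch).TotalSeconds / $WindowSeconds)
}

function Get-WindowCode {
    # Same derivation on the card and at the bank; the bank never needs the PIN.
    param([byte[]]$Secret, [long]$Counter)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Secret)
    try {
        $bytes = [BitConverter]::GetBytes($Counter)
        if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }   # fixed big-endian encoding
        $mac = $hmac.ComputeHash($bytes)
    } finally { $hmac.Dispose() }
    # Reduce the first 4 MAC bytes to an 8-digit decimal string, leading zeros kept.
    '{0:D8}' -f ([long]([BitConverter]::ToUInt32($mac, 0)) % 100000000)
}

function New-SecurityCard {
    # Constructed demo card: a random secret plus a PIN that the card checks locally.
    param([string]$Pin)
    $secret = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secret)
    [pscustomobject]@{ Secret = $secret; Pin = $Pin }
}

function Get-CardCode {
    # What the card displays: nothing without the right PIN, otherwise the code for this window.
    param($Card, [string]$Pin, [datetime]$Now)
    if ($Pin -ne $Card.Pin) { return $null }
    Get-WindowCode -Secret $Card.Secret -Counter (Get-WindowCounter -Now $Now)
}

function Invoke-BankLogin {
    # Bank side: look up the card secret by birth-number, recompute the code for the current
    # window, compare the 6 typed digits, and on success echo the last 2 for the customer to check.
    param([hashtable]$CardSecrets, [string]$BirthNumber, [string]$TypedDigits, [datetime]$Now)
    if (-not $CardSecrets.ContainsKey($BirthNumber)) { return $null }
    $expected = Get-WindowCode -Secret $CardSecrets[$BirthNumber] -Counter (Get-WindowCounter -Now $Now)
    if ($TypedDigits -ne $expected.Substring(0, 6)) { return $null }   # wrong, stale or replayed code
    return $expected.Substring(6, 2)
}

# --- walk-through with constructed data ---
$card = New-SecurityCard -Pin '4711'
$bank = @{ '01019012345' = $card.Secret }    # birth-number -> card secret (constructed)
$t0   = Get-Date

$shown = Get-CardCode -Card $card -Pin '4711' -Now $t0   # customer reads 8 digits off the card
$echo  = Invoke-BankLogin -CardSecrets $bank -BirthNumber '01019012345' -TypedDigits $shown.Substring(0, 6) -Now $t0
"Bank echoed '$echo'; card shows '$($shown.Substring(6, 2))' -> " +
    $(if ($echo -eq $shown.Substring(6, 2)) { 'bank is genuine' } else { 'MISMATCH, do not continue' })

# A keylogger or BHO that captured the 6 typed digits replays them ten minutes later: the window has moved on.
$replay = Invoke-BankLogin -CardSecrets $bank -BirthNumber '01019012345' -TypedDigits $shown.Substring(0, 6) -Now $t0.AddMinutes(10)
"Replay after 10 minutes: " + $(if ($null -eq $replay) { 'rejected' } else { 'accepted (!)' })
```

The two-digit echo is what gives the customer evidence that the far end holds the card secret; a site that merely captured the six typed digits cannot produce it. Real deployments accept a neighbouring window to absorb clock drift and count failed attempts per card, both left out here to keep the model small.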

  2. I'm surprised by cbrocious · · Score: 5, Insightful

    that this hasn't happened earlier. Why would you fsck with SSL when you can bypass it completely?

    --
    Disconnect and self-destruct, one bullet at a time.
  3. And this... by DaHat · · Score: 5, Funny

    Is why I transmit all of my passwords in plain text... not very secure, but a lot less obvious than all of these complicated 'security' or 'encryption' methods.

  4. SF article by savagedome · · Score: 5, Informative

    SF has an article regarding this.
    Gates Defends Microsoft Patch Efforts

  5. Re:Can someone explain... by gr33nlantern · · Score: 5, Insightful

    Well, personally, I agree with you. Internet Explorer is far inferior to a lot of the other browsers out there. The thing is that it's bundled with Windows, and most people out there quite frankly aren't very computer literate, and more than 1/2 I would bet don't even know other web browsers exist. True, no? Any comments to that?

  6. usually a good idea by dtfinch · · Score: 5, Informative

    To uncheck the "enable third party browser extensions" box in your Internet Explorer properties, if you must use Internet Explorer. This fixes most of the Internet Explorer problems that people ever experience and blame on Microsoft.

    There is the slight problem that malware can silently re-enable it when it runs, but I doubt many do.

    1. Re:usually a good idea by duslow · · Score: 5, Insightful

      What people blame Microsoft for is leaving that option on by default. Most users wouldn't even know what that means much less have the sense to uncheck it.

  7. HA! by Anonymous Coward · · Score: 5, Funny

    This is why I do all my online banking using Gopher.

  8. Because... by Draconix · · Score: 5, Funny

    What's a browser? Is that like Internet Explorer? But why do I need another one when I already have Internet Explorer? Don't I have to use Internet Explorer to connect to the internet?

    --
    By reading this you acknowledge that you have read it.
  9. Re:Can someone explain... by The+Fanta+Menace · · Score: 5, Insightful

    Primarily cos they just use the first thing that is in front of their face.

    One small step towards fixing this is to be involved as much as possible with all new computer installations.

    Your mum is getting a new computer? Go in there and set it up for her. Put Mozilla and Firefox on the desktop, show her how to use them, and remove all the IE icons. She won't know any better and you can rest easy knowing there's less chance your inheritance is going to disappear from her bank account.

    --
    -- Even if a god did exist, why the fsck should I worship it?
  10. Because it isn't so clear cut by SimianOverlord · · Score: 5, Insightful


    For the non-power user IE *IS* preferable. I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.

    IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.

    I don't blame most users for using IE. For them it is "good enough". I see a lot of snobbishness on this site, and maybe some of it is fair enough. I also see a lot of silly arguments with extrapolation from a small sample set ("My sister uses Mozilla all the time now!") to big conclusions. As a scientist, I know enough not to make those errors. Anyway, I just wanted to say most users don't need Firefox despite what you might read. I guess this is pretty obvious; it accounts for a fraction of 1% of browser usage after all.

    For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.

    --
    Meine Schwester ist sehr, sehr reizvoll - Nietzsche
    1. Re:Because it isn't so clear cut by saintp · · Score: 5, Interesting
      Bah! If the average user doesn't need all these extensions, explain the popularity of all of the various toolbars, extensions, and pop-up blockers for IE. When I'm trying to proselytize, I don't explain that Opera has mouse gestures and tabbed browsing; that interests me, but not them. I explain that it has native, intelligent pop-up blocking. That gets people interested.

      IE is not just woefully inadequate for power users. It's woefully inadequate for anyone who wants a reasonable (not to mention decent!) Internet experience.

      It's only "good enough" as long as people don't know about alternatives. Then they immediately start downloading extensions to IE -- extensions that you and I know come standard with a real modern browser.

  11. Can someone refer me to a useful BHO? by curtisk · · Score: 5, Insightful
    Anytime I hear of BHOs it's always malware/spyware/adware... so when is it used for good? Seriously....

    Stuff like the google search bar? Does that count?

    --

    Sehr geehrter Toilettenbenutzer!

  12. The fellow in the article... by tcopeland · · Score: 5, Informative

    ....who figured out how it worked (i.e., Browser Handler Object, HTTP POST of stolen account info to a site) is Tom Liston of Hackbusters. He's been sorting through this kind of thing for a while...

  13. What, exactly, is the FBI doing about this? by ryanwright · · Score: 5, Insightful

    Everyone here is likely to blame Microsoft. I'm turning my wrath against the intelligence organizations of various countries. For far too long this BS - malware, viruses, fraud sent via spam - has been mostly ignored. It seems nobody is going to jail for the Paypal scams because Paypal isn't a "real bank". Now they're targeting real banks.

    I, for one, am sick of it. Where is our FBI and what are they doing about this? If these were criminals setting up videocameras to record pin numbers at ATMs, you can bet there would be a huge effort to track them down. Well, this is worse than that.

    --
    -Ryan, with the unoriginal sig
  14. Man, I'm so sick of this... by NeoGeo64 · · Score: 5, Funny

    When will we Linux users finally get to experience all of these exploits and viruses? It looks like Windows users have all the fun. :-)

  15. Re:If this won't get people to switch, what will? by NanoGator · · Score: 5, Insightful

    "For crying out loud, people! How hard is it to download Firefox and switch? Especially with the new settings import wizard?"

    For crying out loud, people! Nobody even knows what Firefox is!

    Quit acting like everybody's a retard and start putting money into a Firefox ad campaign or something. Acting like a raging zealot isn't going to get people to switch.

    --
    "Derp de derp."
  16. Re:Can someone explain... by DjMd · · Score: 5, Insightful

    That's when you point her IE shortcut at Firefox...
    I mean, come on... Just tell her it is the new IE.

    --
    DJMD - The fourth man - Planetary
  17. Funny CIAC issued a warning in 2002 by that1guy · · Score: 5, Informative

    Funny, CIAC issued a warning about BHOs in early 2002: Link to warning

  18. Find a new bank by GrouchoMarx · · Score: 5, Insightful

    And if you're dumb enough to use a bank that works only with the big neon "Hack Me" sign that is IE, you get what you deserve. Find a bank that works with Mozilla or Konqueror and use those for banking instead.

    Oh yes, and be sure to tell your old bank WHY you're closing your account with them. "You're only supporting Internet Explorer as a browser, so I'm not supporting you as a bank."

    Not like they'll notice on personal accounts, but maybe if a business or three moves their accounts, they'll sit up and take notice.

    --

    --GrouchoMarx
    Card-carrying member of the EFF, FSF, and ACLU. Are you?

  19. Re:So.. by Durandal64 · · Score: 5, Insightful

    The one that asks the user if he wants to install it?

  20. Quit the handwringing and DO SOMETHING! by alexburke · · Score: 5, Insightful

    According to the linked article, this BHO phones the mothership located at:

    http://www.refestltd.com/cgi-bin/yes.pl

    www.refestltd.com is 66.226.64.11; the ARIN pull is below.

    I'm on the phone right now with Matt of Abacus America to get the website taken down.

    I am saddened to think that I'm the first one that's bothered to go to the trouble...

    OrgName: Abacus America Inc.
    OrgID: ABAC
    Address: 5276 Eastgate Mall
    City: San Diego
    StateProv: CA
    PostalCode: 92121
    Country: US

    NetRange: 66.226.64.0 - 66.226.95.255
    CIDR: 66.226.64.0/19
    NetName: ABAC2002A
    NetHandle: NET-66-226-64-0-1
    Parent: NET-66-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.ABAC.COM
    NameServer: NS2.ABAC.COM
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2002-01-31
    Updated: 2003-03-27

    TechHandle: AD384-ORG-ARIN
    TechName: A Net DNS Administrator
    TechPhone: +1-858-410-6900
    TechEmail: dns@aplus.net

    OrgTechHandle: ANETS-ARIN
    OrgTechName: A Net Support
    OrgTechPhone: +1-858-410-6900
    OrgTechEmail: support@aplus.net

    # ARIN WHOIS database, last updated 2004-06-28 22:17
    # Enter ? for additional hints on searching ARIN's WHOIS database.

  21. Why people use IE by funkdid · · Score: 5, Insightful
    Odder still is that many ISPs won't support Mozilla/Firefox etc.

    For example, I used to work for Cablevision's Optimumonline service. I would sit in meetings and go on and on about how we should support, even lightly suggest our customers use Mozilla. One of the biggest avoidable call drivers in our Call Centers was people complaining of pop-ups. Another large driver was Spam. Mozilla is a great tool for handling both of those problems.

    The Higher Ups weren't interested in my ramblings. They would point out that we support IE, Netscape, Outlook Express and Outlook. They eventually came around and offered support of Safari but on a very limited basis (not that it needs anything more).

    The biggest problem that most ISPs face is uneducated consumers. Their machines get hijacked and in turn spam the world, which causes other users to complain and blame the company. These machines also eat up network resources, again causing other users to complain and blame the service. Don't forget the users that click on EVERY pop-up that comes their way, thereby infesting their machine with spyware to the point that even opening IE is near impossible. Again, this is blamed on the service.

    Granted, the Mozilla family isn't really out of the "beta" phase, but I see fewer Firefox and Mozilla fixes than there are for IE. Being that Netscape and Mozilla are half-siblings (in a sense), why not support it? It's not like the support staff needs to be re-trained.

    People don't care what browser they use, they want one that is intuitive, free, and functional to their needs. I think the Mozilla branch does that. With Firefox 9.1 out today, why are people still using IE? Better yet, why aren't ISPs telling people NOT to use IE? It would save them a fortune and a company not looking to save a fortune..... should be investigated!

    --

    I boycott signatures

  22. Re:So.. by Hank+Reardon · · Score: 5, Informative

    There is no feature in Firefox that would prevent the writing of the application.

    There is, however, a feature that would prevent the installation of the application. From my experiences so far with Mozilla's various incarnations, you can't silently install plugins.

    I can puzzle out a way for this to run under Mozilla, but it's a lot more complicated than under IE. IE uses the global (HKEY_LOCAL_MACHINE) and user (HKEY_CURRENT_USER) registry keys to keep track of plugins. As far as I've been able to find, Mozilla uses a separate registry per profile to keep plugins and customizations working; probably due to an offshoot of cross-platform compatibility.

    The tools for installing the IE exploits are already in place: just convince IE to run some code via a buffer overflow or somesuch, have the code run "regsvr32 myfunexploit" and the exploit is installed into HKLM as a browser helper object. With Mozilla, you'd have to do a bit more work: find a buffer overflow exploit to execute remote code, have your code figure out where the profile directory for the user is located, run through that directory looking for a Mozilla installation, parse out the Mozilla registry, install your exploit code and (probably) wait for the user to restart Mozilla before it's loaded.

    As the article noted, you need a third party application to easily list and modify BHO plugins. Under Firefox, at least, it's a single click to see what plugins you have running.

    This could, in theory, be done with Mozilla-and-friends, but most of the features in the browser, simple plugin viewing and a separate registry, make it, if not unlikely to happen, at least more easily noticed by the end user.

    --
    There's so little difference between politics and jihad lately...
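Added here as an example, not code from the article, from the linked BhoDemon tool, or from any poster: a Windows PowerShell script that does the check dtfinch's post (uncheck "enable third party browser extensions") and the post above (BHOs registered under HKLM, loaded at IE startup) both describe. It enumerates the BHO CLSIDs IE will load, resolves each to its in-process DLL and Authenticode status, and reads the registry value behind the third-party-extensions checkbox. The registry locations are the standard IE ones; the Wow6432Node and Get-AuthenticodeSignature parts assume a modern 64-bit Windows, which is an assumption beyond the 2004 thread.

```powershell
# Inventory of registered Browser Helper Objects plus the state of IE's third-party extension switch.
# Run in an elevated Windows PowerShell prompt. Registry paths are the standard IE locations (assumed present).

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BrowserHelperObject {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid  = $key.PSChildName
            $name   = $null
            $server = $null
            # Resolve the CLSID to the in-process COM server (the DLL IE loads into its own process).
            foreach ($cls in @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
                               "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid")) {
                if (-not (Test-Path -Path $cls)) { continue }
                $name   = (Get-ItemProperty -Path $cls -ErrorAction SilentlyContinue).'(default)'
                $ipPath = "$cls\InProcServer32"
                if (Test-Path -Path $ipPath) {
                    $server = (Get-ItemProperty -Path $ipPath -ErrorAction SilentlyContinue).'(default)'
                }
                break
            }
            $dll    = if ($server) { [Environment]::ExpandEnvironmentVariables($server) } else { $null }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                DllExists = $exists
                # Signature status of the DLL; a vendor-signed file is the usual case for a legitimate BHO.
                Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
                Source    = $root
            }
        }
    }
}

function Get-ThirdPartyExtensionSetting {
    # "Enable Browser Extensions" backs the Advanced-tab checkbox; 'yes' (or no value at all) means BHOs load.
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $item = Get-ItemProperty -Path $main -Name 'Enable Browser Extensions' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'yes (value absent, IE default)' }
    return $item.'Enable Browser Extensions'
}

"Third-party browser extensions: $(Get-ThirdPartyExtensionSetting)"
Get-BrowserHelperObject | Format-Table CLSID, Name, Dll, DllExists, Signature -AutoSize
```

Rows with no Name, a DLL under a temp or user-profile directory, or a Signature other than Valid are the ones to look at first. Because the checkbox value is itself just a registry string that code running as the user can rewrite, the enumeration rather than the setting is the check worth repeating; a scheduled run that diffs today's list against yesterday's catches a newly registered BHO regardless of how the switch is set.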
  23. OK, I'll take the bait by Infonaut · · Score: 5, Interesting
    Now looking at the BHO I am wondering why you think using FireFox on Linux is safer than IE? Someone else could just as easily (Anything is possible, so don't say it can't be done) program a plug-in for FireFox/Mozilla that does the same as BHO and people can just as easily download this plug-in and experience the same issues on FireFox/Mozilla as any Windows user using IE.

    Someone could just as easily program a plug-in for Mozilla/Firefox/whatever that does the same thing as BHO? Do you also think that all operating systems are equally secure inherently? Is it just as easy to program in Python as it is to program in Pascal? Microsoft has a long history of creating application environments that offer extensibility through plug-ins that are inherently prone to security exploits. This makes it easier to create exploits for their products.

    IE is the target because a high percentage of people use it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.

    Like back in the day, when Netscape ruled the browser market? Yep, there were a lot of adware/spyware/trojan-ware apps back then.

    Maybe you should be happy that IE is used by so many.

    Actually, no. I think most people would be a lot happier not to have to deal with such a crappy browser that is always introducing security problems, isn't standards-compliant, and doesn't have any of the most recent "must have" features that so many other browsers share. It would be easier for web developers, users, and security managers if IE weren't such a piece of crap.

    --
    Read the EFF's Fair Use FAQ
  24. w00t by alexburke · · Score: 5, Informative

    As of 7:11 PM Eastern Time (1.5 hours after my phone call), the site is now offline.