New IE Malware Captures Passwords Ahead Of SSL

Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'."

Coming events

[Carnildo]

Cue the "Gee I'm glad I use FireFox on Linux" posts.

Wow....

[FatSean]

I'm simply stunned...where I work security is #1 and availability is #2. Judging by their output...it must be very different working at MS.

Re:Coming events

[Anonymous Coward]

Gee I'm glad I use FireFox on Linux.

And this...

[DaHat]

Is why I transmit all of my passwords in plain text... not very secure, but a lot less obvious then all of these complicated 'security' or 'encryption' methods.

HA!

[Anonymous Coward]

This is why I do all my online banking using Gopher.

I love IE

[Admiral Llama]

This isn't Malware, this is advertising for Apple. THIS is why I buy Macintoshes.

Because...

[Draconix]

What's a browser? Is that like Internet Explorer? But why do I need another one when I already have Internet Explorer? Don't I have to use Internet Explorer to connect to the internet?

New Genre

[the_mad_poster]

You know you really have something going for you when a single application in your product line helps defines it own genre of exploits:

...the adware/spyware/IE exploit genre...

Re:Coming events

[foidulus]

Nah, I'll stick to lynx running on my gamecube, the only way to surf!

Open Source compressor used:

[geeber]

From the article:

It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX.

Cue the FUD saying "look I told you Open Source was inherently less secure!"

Re:I'm suprised

[NanoGator]

"Why would you fsck with SSL..."

Because there are no files to check, just packets?

Re:Can someone explain...

[DaHat]

less chance your inheritance is going to disappear from her bank account.

Or if there is currently little or no inheritance... have her use IE in the hopes that some how her bank account will get extra funds due to the exploit thus creating or increasing your possible inheritance.

"New IE Malware"

[sulli]

(Score: -1, Redundant)

Man, I'm so sick of this...

[NeoGeo64]

When will us Linux users finally get to experience all of these exploits and viruses? It looks like Windows users have all the fun. :-)

My Related Prayer

[Anonymous Coward]

I'm not a religious person... but I will now attempt to pray...

God, it's me, Anonymous Coward, I beg you, have the l33t hax0rs of the world unite to develop exploits and hacks against Linux and Firefox so that open source zealots can no longer scream about how secure their software is. Any competent person or deity (ie you) knows that there are potential exploits in both, but most have not been found because most do not look as hard as is done with Windows.

If you do this for me... I promise to sell my soul to your minions in Redmond and banish any Linux or Open Source related product from my home from now until eternity.

Amen

Re:Because...

[I confirm I'm not a]

Don't I have to use Internet Explorer to connect to the internet?

Whoa! Hold right up there, coyboy! You're telling me there's a difference?

(Sure it's not necessary but...just in case..."proud Firefox user since 0.6!")

Re:Because...

[cbovasso]

Wait... Isn't AOL the internet?
Now Im confused.

Sad... because its true

[HighOrbit]

Unfortunatly this describes 90% of people out there. The only way I can think of to overcome that kind of pervasive ignorace is a public service campaign like the anti-drug campaigns.

[joke]
"This is your computer.. this is your computer on Internet Explorer"
-or-
"Friends don't let Friends use Internet Explorer"
-or-
"Just say No to Internet Explorer"
[/joke]

Seriously, there needs to be a TV campaign or even public service banners on high traffic sites like google or CNN.

A good thing this only affects IE users...

[lightspawn]

After last week's CERT advisory, there should only be a handful of them left.

Re:Coming events

[Anonymous Coward]

I'd agree with you, except my banks aren't supporting standards, and don't work with standards-compliant browsers. I see a conspiracy.

Re:Can someone explain...

[Pantheraleo2k3]

a) Threaten to never support her computer again
b) Hide the IE shortcuts
c) Change the IE homepage to say, in big letters, "YOU'RE NOT SUPPOSED TO BE USING THIS NOW GET OUT AND START FIREFOX"
d) If you have Zonealarm on her computer, set it so IE has no Internet access
e) Use IE's Content Advisor to block all Web sites
f) I could go on and on

Re:Coming events

[karniv0re]

You just wait, mister, until enough people start using Lynx. Then they'll start coding malware for Lynx. Just think! Pop-ups, Homepage changing... You might even get browser-hijacked to porn sights!

Re:Open Source compressor used:

[Anonymous Coward]

UPX is written in portable endian-neutral C++

<MS shill>

...thus indicating the importance of switching to .Net and disassociating yourself from the terrorist-supporting C++ language.

</MS shill>

Re:Man, I'm so sick of this...

[. visplek .]

Hey man, it's open source! Make your own vulnerabilities! Join the development team! Linux can not be taken seriously if there aren't at least 2,000 worms or security holes available. I myself am working on KRURAG. (KDE Random User Root Acces Granting)

Re:Why is a gif file getting run as an EXE?!?

[Anonymous Coward]

Does another exploit change the .gif name to .exe or attempt to unzip the .gif file? If not, why does IE allow .gif's to be installed?!

Clearly this is a programming error. IE only allows destructive executables to be installed without permission, rather than harmless image files. Rest assured that the programmers who let this "feature" slip through will be dealt with.

Re:So..

[NanoGator]

" The question should be, "What fancy-ass special feature does Firefox NOT have."

That question inhibits Firefox's widespread adoption.

Re:In other news...

[Anonymous Coward]

Gates says MS is getting faster fixing security holes.

I have verified this. Microsoft technical support now tells me to reboot my machine instantly, rather than asking what the problem is first.

Re:Coming events

[FuzzyBad-Mofo]

Fortunately, this problem is fixed in Mozilla Moondog. (actually .9.1 with Firesomething installed for fun)

Re:Because...

[Iron Chef Unix]

You laugh, but just yesterday my girlfriend's roommate told me that she didn't like all the pop-ups with IE, so she just uses AOL. She actually uses AOL, and they have a broadband connection! I asked her why, and she said, "that's what I have always used." So, not only does she use AOL solely for the browser, but she pays for it. Argh!

Not only that, I suspect from the huge amount of pop-ups that she gets, that she has some major spyware, etc on her computer.

I told her she should probably fix that and install a new browser/pop-up blocker. Her response:

"When can you do that for me?"...

Re:So..

[Feyr]

what about the "too fuckin cumbersome to install a plugin on" line ? because it sure fits firefox nicely

Doesn't effect me...

[buddhahat]

My passwords are just little black dots when I type them.

Re:Coming events

[MarkGriz]

Better yet... they should do their online banking on their own time.

Re:Coming events

[sentientbeing]

Gee im glad im continously overdrawn and therefore have no money whatsover in my bank account...

the last time i asked for money at the bank they knocked me back.

"Fine!" I said, im taking my minus 1500 elsewhere...."

Re:Coming events

[freakmn]

I'm glad I use AOL on Windows ME!

If I actually did, I think I would puke...

Re:Coming events

[Phexro]

True, but they are testing with "Mozilla 5."

Since Mozilla just hit 1.7, this webpage must have fallen backwards in time through a freak wormhole.

If you look in the comments, it also mentions something about IE developers being "the first up against the wall when the revolution came."

Problem solved!

[Whatthehellever]

We'll just add the following Javascript into websites:

var userAgent = navigator.userAgent;
var MSIEIndex = userAgent.indexOf("MSIE");
if (userAgent.indexOf("Win") != -1 &&
userAgent.indexOf("MSIE") != -1 &&
userAgent.substring((MSIEIndex + 5),(MSIEIndex + 8)) >= 5.5)
window.location.replace("IE_BAD.htm"); //

and let those still using IE suffer.

My apologies

[Flower]

Log in, get, get, get owned. MS IE is a joke on your backbone. Log in, get, get, get owned. MS IE is a joke on your backbone. MS IE is a joke.

I really must stop watching Comedy Central.

Re:Coming events

[cynic10508]

You just wait, mister, until enough people start using Lynx. Then they'll start coding malware for Lynx. Just think! Pop-ups, Homepage changing... You might even get browser-hijacked to porn sights!

Mmm... ASCII porn...

Re:Because it isn't so clear cut

[GTRacer]

So-o-o-o... These people are clubbing grocery clerks and movie ushers with a piece of fencepost they keep in the company garage?

California is one weird place!

GTRacer
- Needs a new fence

Re:Coming events

[blair1q]

$ telnet www.slashdot.org 80

it's the only way to fly

Re:Complain, Complain, Complain!!!

[Just Some Guy]

oftware that has a negligible sercurity record.

I do not think it means what you think it means. OpenBSD has a negligible security record. Apache has a negligible security record. IE's security record is about as gligible as it can get without torch-bearing masses tearing down Microsoft's doors in search of the Developers! Developers! Developers!

Re:Coming events

[mangu]

Oh, now I know where the ASCII-art goatse came from!

Re:Coming events

[DarkHelmet]

Port 80? Amateur! Try it on 443 :)

Re:Coming events

[zsau]

Have you not heard of the exploit in Firefox that causes the launch of Internet Explorer? If you, like me, run a Linuxbox, you won't have a problem with it because no matter how hard it tries, there's simply no IE to launch. Once IE is launched, the system is just as vulnerable as if IE was used in the first place!

I read about the exploit here on Slashdot a few days ago, so obviously it's reliable. It doesn't use Javascript so disabling that won't help. IIRC, the code that causes it is something along the lines of:

<b>This page is designed for Internet Explorer, and will not work on other browsers. Please use Internet Explorer.</b>

There is no known fix for this exploit! (Other than removing Windows from your system.)

Re:Quit the handwringing and DO SOMETHING!

[Anonymous Coward]

they are right up the street from me

i can handle it in a few minutes