New IE Malware Captures Passwords Ahead Of SSL 986
Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'."
SF article (Score:5, Informative)
Gates Defends Microsoft Patch Efforts [securityfocus.com]
spybot S&D (Score:3, Informative)
usually a good idea (Score:5, Informative)
There is the slight problem that malware can silently reenable it when they run, but I doubt many do.
grr.. typo above (Score:3, Informative)
That query is for "refestldt.com" and I stupidly typed "reflestldt.com" after "domain name". The whois info is accurate, just not what I typed there.
The fellow in the article... (Score:5, Informative)
Let's not be hasty... (Score:2, Informative)
Re:Can someone explain... (Score:1, Informative)
It's probably fake: Blue Valley High (Score:4, Informative)
In other words, it's almost certainly a bogus phone number attached to bogus domain-registration info.
Re:Can someone explain... (Score:5, Informative)
I think this will change when non-IE browsers start ruling a larger percentage in the server logs and too many customer complain. I always take the time to send a nice e-mail to websites that are broke with Mozilla.
Companies need know that they are limiting their customer base and are losing sales.
Just yesterday I was signing up for a dedicated server at a vendor and their webpage was not working correctly, I brought up IE and worked fine. Ticked - I left and signed up with the competition (servermatrix).
Funny CIAC issued a warning in 2002 (Score:5, Informative)
Re:Can someone refer me to a useful BHO? (Score:4, Informative)
It's used for adobe acrobats PDF plug in for IE. I turn all of them off on my computer using BHO Demon [definitivesolutions.com]
Re:What, exactly, is the FBI doing about this? (Score:3, Informative)
Re:Can someone explain... (Score:2, Informative)
I tried the same and it worked over here - you might also add a good fancy theme to mozilla/firefox to make it more attractive.
No (Score:3, Informative)
No, I just meant the whois query was for the correct domain but when I was typing the response here I accidentally added an "l". That info is the whois query for refestltd.com.
Re:If this won't get people to switch, what will? (Score:4, Informative)
That sounds nice and all, but if your bank's site only works in IE -- as is true for many banks both large & small -- then the customer doesn't really have a choice in the matter.
I know people that are perfectly happy to use Mozilla 90% of the time, but when they have to log in to Fleet [fleet.com] (or whatever other bank site), they must use IE there.
Yes, the problem here is the bank's broken site, but what can you do? Their standard response is "95% of people use IE, so that's what we support", completely ignoring the line of thought that if they wrote in a portable, standards compliant way, they wouldn't have to think about these issues, and their customers would be much happier. But there we are -- stuck.
Your exclamation points are appreciated, but until the banks & other IE-only sites realize the errors of their ways, you're just berating the victims of the larger crime here.
Re:Why is a gif file getting run as an EXE?!? (Score:4, Informative)
Another happy firefox user... (Score:3, Informative)
But for those that are unfortunately enough to have to help those that insist on IE, for whatever reason, a program called BHODemon might help you. It lets windows users see what BHO's are loaded at any particular time, so I would assume that this malware would show up here as well. Its a quick way that someone can find out just what is running in the background.
http://www.definitivesolutions.com/bhodemon.htm
BHODemon 1.0
How to switch to firefox on windows... (Score:4, Informative)
- go to http://www.mozilla.org/products/firefox [mozilla.org]
- download the windows installer
- run aforementioned installer
- Realise that installer automatically imports IE favourites
- Select the Internet Explorer icon, press "Del" key
- When asked if you are sure,say yes (with extreme prejudice)
it's really that simple, for added effect you could try replacing the firefox icon with the explorer one (right click|properties|change icon|browse to iexplore.exe|select the icon from the ones that come up), that's what I did as I was used to clicking on a blue e. After a while I weaned myself off.Re:So.. (Score:1, Informative)
In order to make their products easy to use and in order for people to want to use 'em Microsoft makes 'em as intuitive and as filled with features as possible. But -- the more code you add, the more likely bugs are going to exist. (ActiveX comes to mind.)
Re:Can someone explain... (Score:2, Informative)
BHOs and you (Score:4, Informative)
Maybe this is the kick of the pants that M$ will get now that financial institutions are targetted with a n exploit from a badly-design browser model.
Which is nice.
Re:I love IE (Score:4, Informative)
Uh, no. An Apple Mac couldn't run the executable, it uses a different family of CPU. Even if it could, IE's browser share on Mac OS X is very low.
Disclosure? (Score:3, Informative)
Re:Coming events (Score:5, Informative)
Do this for a few power users, and within a very short time, the IE-only requirement goes away pretty fast.
Written by Anti-Spyware Site? (Score:2, Informative)
Re:Wouldn't hurt me too much (Score:4, Informative)
The list is a credit-card shaped piece of plastic that has a bunch of numbers on both sides. Goes easily in wallet. Doesn't matter if it gets stolen because you still need the username/password pair and you can get a new list by calling your bank.
And like I said, you can still use the smartcard version (so you'll skip the typing of one-time-password entirely).
Re:So.. (Score:5, Informative)
There is no feature in Firefox that would prevent the writing of the application.
There is, however, a feature that would prevent the installation of the application. From my experiences so far with Mozilla's various incarnations, you can't silently install plugins.
I can puzzle out a way for this to run under Mozila, but it's a lot more complicated than under IE. IE uses the global (HKEY_LOCAL_MACHINE) and user (HKEY_CURRENT_USER) registry keys to keep track of plugins. As far as I've been able to find, Mozilla uses a separate registry per profile to keep plugins and customizations working; probably due to an offshoot of cross-platform compatibility.
The tools for installing the IE exploits are already in place: just convince IE to run some code via a buffer overflow or somesuch, have the code run "regsvr32 myfunexploit" and the exploit is installed into HKLM as a browser helper object. With Mozilla, you'd have to do a bit more work: find a buffer overflow exploit to execute remote code, have your code figure out where the profile directory for the user is located, run through that directory looking for a Mozilla installation, parse out the Mozilla registry, install your exploit code and (probably) wait for the user to restart Mozilla before it's loaded.
As the article noted, you need a third party application to easily list and modify BHO plugins. Under Firefox, at least, it's a single click to see what plugins you have running.
This could, in theory, be done with Mozilla-and-friends, but most of the features in the browser, simple plugin viewing and a separate registry, make it, if not unlikely to happen, at least more easily noticed by the end user.
Re:Can someone refer me to a useful BHO? (Score:5, Informative)
I will upload the project tonight for your downloading pleasures. And yes, of course it's GPL! Well actually it doesn't really have any licenses yet, so it will probably end up being GPL or BSD.
Re:Coming events (Score:5, Informative)
It's not anything like IE's bugginess and incomplete support. You don't see freak bugs like IE's margin-doubling [positioniseverything.net]. IE also lacks support for
And the fact is, no browser supports all of CSS2. Mozilla (Gecko) has much better support than most browsers, and they are constantly improving it's rendering. Compare that with the stagnation of IE's development over the last several years.
Re:Coming events (Score:3, Informative)
So yes, if you have uptodate virus definitions, a firewall, patched machine and use a real browser, you're unlikely to be infected. Still, there're other problems, and often the most voiced are the *nixers, which was what the poster was referring to.
Stupid hacker.... (Score:5, Informative)
Re:So.. (Score:1, Informative)
Re:Can someone explain... (Score:2, Informative)
Re:Coming events (Score:2, Informative)
too late:
http://www.chris.com/ascii/art/html/nakedladies.h
Re:Well, it's not that simple (Score:1, Informative)
This is a
Don't you see a number of design problems with this approach? Don't you have to wonder whether Microsoft actually wants trojans and spyware when you see this? And if they do want trojans and spyware, what kinds of holes do you think they will design into
Re:Can someone refer me to a useful BHO? (Score:3, Informative)
And, of course, Firefox is by far the better porn browser with extensions such as magpie [mozdev.org]. See pornzilla [squarefree.com] for more details.
Re:Can someone explain... (Score:3, Informative)
MS = Serious about security my ass... (Score:2, Informative)
something as simple as the OS prompting for an account password (ala just about any flavor of *nix comes to mind), would do wonders for windows pathetic security...i looked around all the new features that are said to be included with win xp sp2...this wasn't among them....
why is it that the second that i have logged in, anyone could sit down and my system and if i happen to not have a password on the screen saver or have the system set to automatically log me out after x minutes of activity, ANYONE could install ANYTHING on my system...and just extend that a brief moment to any perpetrator online installing malware and any other executable trojan to turn a windows box into a spam zombie....
i just don't buy that MS is serious about security...this is a pretty easy solution that shouldn't take months of ripping apart the OS for implementation....
i don't get it...?
PS - i'm not trolling, i'm serious...this seems like a pretty simplistic fix that wouldn't take a rocket scientist to figure out...
- bliSS
w00t (Score:5, Informative)
Use IE if you must... (Score:2, Informative)
http://www.pcmag.com/article2/0,4149,270,00.asp
HTH
Re:"people who really like IE, I don't see why" (Score:2, Informative)
1. On Win (which I must still use sometimes), ffox is the slowest of the 3 (especially re-draw), even though I'm always on the latest release.
Well, not having used Firefox, I don't know. But I find it hard to believe anything could be slower than IE in my experiance. 40+ seconds(on dial up true) to load a page that takes 11 seconds in Opera. Pathetic.
2. I can't get the other browsers to do the simplest, stupidest things I can do in IE, e.g.: drag/drop shortcuts between address-bar & folders, or File=>Send=>Shortcut To Desktop, or drag a link from a page to the address-bar (a sure-fire "use the same window, dammit"). I dunno, maybe I just didn't RTFM.
I can't grok why anyone in their right mind would want to do this, but I believe you can just go add to bookmarks that is at the top of the list inside a submenu in the bookmark list. Can't send a shortcut to the desktop... you can copy the address... again, I can't see any real reason to do this. It's pretty easy in Opera to open a link wherever you want, either as a button/click or rightclick option, but you can also drag a link from a page to the address bar.
3. I make genuinely productive use of toolbars (e.g. Google) unavailable on other browsers.
Again, in opera it comes default with a search option box for google, amazon, alltheweb, etc... You can add your own. Opera comes with pop-up blocking. I can't comment on other bars as I don't use them, nor have any idea which others you use but did not mention.
I don't grok the excitement of tabbed windows. I much prefer being able to position pages independently in separate windows. And if one of those windows crashes or hangs, I don't lose the others (or their back-traces).
You are very lucky, every time IE crashed for me, it took all it's windows with it, and the task bar(system tray stuff) - even in XP pro.
Opera has MDI, which is more than tabbed windows, you can arrange as desired inside Opera - much less task bar clutter. Ever tried the Continue from last time? Right back where you were - even after a crash, and keeps history (what you mean by back traces I think).
As for security, I do quite well with the combo of common sense, frequennt AV updates, SpyBot, AdAware, WebWasher, and very aggressive/paranoid firewall settings. (I love Agnitum Outpost, which lets me control cookies, ActiveX, JavaScript, etc. -- each *separately* -- on a per-domain basis.)
Well, I use AV, spybot etc, but since I stopped using Kazaa, and have been using Opera, guess what? I haven't found any spyware with SpyBor or AdAware (I don't use webwasher as it costs $$, and as I'm not getting infected I don't see the point of wasting money). Good firewall settings are a good idea, and I commend you. However I don't have to use my firewall to keep my browser in line just by using Opera. Much easier. Although, I do also recommend Proxomitron. Great ad control.
Europe is largely unaffected... (Score:3, Informative)
the TANs come one a one-time-pad kind of sheet and you can use each number once before they become invalid. Therefore, if somebody is scanning my TANs (along with other things), they can do exactly nothing with it.
The sheet of TANs is generated on some bank server and sent to me via postal mail.
Admittedly, i wouldn't want anyone browsing my bank account. But the damage they can do with that is limited (changing passwords and so on requires a TAN too).
Re:Coming events (Score:2, Informative)
I had a hell of a time removing the CWS thing and used spy-bot [spy-bot.net], Ad-Aware [lavasoftusa.com] and CWShredder [spywareinfo.com] all to no avail. I wrote my own BHO remover [olderchurch.net] which will delete the Browser Helper Objects, but remeber that you shouldn't have any browsers or explorers open when using this program! And restart your computer after deleting any BHO's.