New IE Malware Captures Passwords Ahead Of SSL 986

Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'"

  • by Theatetus ( 521747 ) * on Tuesday June 29, 2004 @03:54PM (#9563710) Journal
    When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.

    Intrigued, I went to those scumware vendors [refestld.com] and saw that they are, in fact, dishing out scumware. So, in the interests of justice:

    whois refestltd.com
    Domain name: reflestltd.com

    Registrant: Jay Seaton (6PPPG) jay@tremjade.com
    United States
    (913)6814254

    Not that I condone using that information for any nefarious purposes...
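The comment above describes the two observable halves of the BHO's behaviour: an HTTPS connection to a watched bank site, then a plaintext HTTP POST of the captured form data to a collector script. The following is an added detection sketch (not code from the post or from SANS) that correlates those two events in constructed proxy log lines; the bank watch list, the log format and the collector host are all assumptions made for this example.

```python
"""Added example: flag a plaintext POST to an unrelated host that follows an
HTTPS connection to a watched bank site from the same client within seconds.

The proxy log format used here (timestamp, client, method, target) is
constructed for this example and is not any real proxy's format.
"""
from datetime import datetime, timedelta
import re

# Assumed watch list of banking hosts; a real deployment would load its own.
BANK_DOMAINS = {"bank.example", "online.bank.example"}
WINDOW = timedelta(seconds=5)   # how soon after the CONNECT the POST must appear

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+)$"
)


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def host_of(target):
    """CONNECT targets are host:port; other methods carry a full URL."""
    if "://" in target:
        return target.split("/")[2].split(":")[0]
    return target.split(":")[0]


def find_exfil(lines):
    """Return (client, host, time) for each suspicious plaintext POST."""
    last_bank = {}   # client -> timestamp of its most recent bank CONNECT
    alerts = []
    for rec in filter(None, map(parse, lines)):
        host = host_of(rec["target"])
        if rec["method"] == "CONNECT" and host in BANK_DOMAINS:
            last_bank[rec["client"]] = rec["ts"]
            continue
        if (rec["method"] == "POST"
                and rec["target"].startswith("http://")      # plaintext, not TLS
                and host not in BANK_DOMAINS                  # to an unrelated host
                and rec["client"] in last_bank
                and rec["ts"] - last_bank[rec["client"]] <= WINDOW):
            alerts.append((rec["client"], host, rec["ts"].isoformat()))
    return alerts


# Constructed sample log: the first client shows the pattern, the second does not.
SAMPLE_LOG = """\
2004-06-29T15:54:01 10.1.2.3 GET http://news.example/index.html
2004-06-29T15:54:10 10.1.2.3 CONNECT online.bank.example:443
2004-06-29T15:54:12 10.1.2.3 POST http://collector.example/cgi-bin/yes.pl
2004-06-29T15:55:40 10.1.2.4 CONNECT online.bank.example:443
2004-06-29T15:56:30 10.1.2.4 POST http://forum.example/reply
"""

if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOG.splitlines()):
        print("possible pre-SSL capture exfiltration:", alert)
```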

  • Interesting (Score:2, Interesting)

    by xCepheus ( 687775 ) <dntn31.yahoo@com> on Tuesday June 29, 2004 @03:57PM (#9563743) Homepage
    I wonder why the author of the code chose to only look for a certain number of SSL-enabled URLs. Why not just write the code to look for any URL or redirection that's prefaced by "https://"?

    Just another good reason to switch to Firefox.
  • by Billy the Mountain ( 225541 ) on Tuesday June 29, 2004 @04:01PM (#9563809) Journal
    I read this article in the Houston Chronicle this morning: Flaws may mean it's time to drop Microsoft browser [chron.com]. It's beginning to look like there's a ton of exploitable stuff in IE.

    BTM
  • by vanza ( 125693 ) on Tuesday June 29, 2004 @04:04PM (#9563847)
    Not to discuss IE, but what about banks using different password entry schemes?

    In Brazil there seems to be a new regulation saying that users of ATM and online banking shouldn't type the password in a numeric pad anymore.

    Instead, you get 5 buttons on the touch screen (or a small Java applet, or a Javascript thing in the case of the bank where I have an account) with combinations of two numbers. It looks like "press this if the next number is 3 or 8".

    The thing is, the combination changes every time you enter your password. The first button that was "3 or 8" before will be something like "4 or 7" next time. And the combinations change too, not only the position of the buttons.

    So it becomes more difficult for spyware to monitor keypresses / mouse clicks, or things like this [utexas.edu] to work for the scammer. (Ironic or not, the ATM in the pictures at the UT website is from a Brazilian bank).

    I haven't seen anything like that in any US bank; it's always a number pad where you type your password, or a text field to type the password online.
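The keypad scheme described in this post, as an added example that is not any bank's code: each session the server shuffles the digits into five two-digit buttons, the user presses the button containing each PIN digit, and the server verifies against the layout it issued. The PIN value and the layout handling are assumptions for illustration.

```python
"""Added example: two-digits-per-button PIN entry with a per-session layout.

An observer who records one session's clicks (and even sees the layout) is left
with 2**len(pin) candidate PINs, and replaying those clicks against the next
session's fresh layout fails unless the new layout happens to agree.
"""
import secrets
from itertools import product


def new_layout():
    """Shuffle 0-9 with a CSPRNG and pair adjacent digits into five buttons."""
    digits = list("0123456789")
    for i in range(len(digits) - 1, 0, -1):          # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return [tuple(digits[k:k + 2]) for k in range(0, 10, 2)]


def buttons_for(layout, pin):
    """What an honest user presses: the index of the button holding each digit."""
    return [next(i for i, button in enumerate(layout) if d in button) for d in pin]


def verify(layout, pin, presses):
    """Server-side check: every pressed button must contain the matching PIN digit."""
    return len(presses) == len(pin) and all(
        0 <= p < len(layout) and d in layout[p] for d, p in zip(pin, presses))


def candidates(layout, presses):
    """Every PIN consistent with one observed click sequence on a known layout."""
    return ["".join(c) for c in product(*(layout[p] for p in presses))]


if __name__ == "__main__":
    pin = "4711"                                   # constructed sample PIN
    layout_a = new_layout()
    presses = buttons_for(layout_a, pin)
    print("layout:", layout_a, "presses:", presses)
    print("accepted:", verify(layout_a, pin, presses))
    print("PINs consistent with this observation:", len(candidates(layout_a, presses)))
    layout_b = new_layout()                        # next session, fresh layout
    print("replay of old clicks accepted:", verify(layout_b, pin, presses))
```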
  • Patched in 48 hours (Score:4, Interesting)

    by ikekrull ( 59661 ) on Tuesday June 29, 2004 @04:05PM (#9563855) Homepage
    Come on Bill, let's see you put your money (it's not like you don't have enough of that) where your mouth is.

    Your 48 hours starts now.

  • by Zarhan ( 415465 ) on Tuesday June 29, 2004 @04:07PM (#9563882)
    ...I don't know about banks in the US, but at least my (Finnish) bank gives me a username, password and (most important of all) a list of one-time passwords. When I log in, the only things I can see before it requests a one-time password are the balance on the account, EURIBOR interest rates and the few stocks I've chosen to observe (i.e., a master summary page). If I try to access anything, such as transaction records (not to mention transfers), I have to type in the one-time password. They mail me a new sheet when I'm starting to run out of one-timers.

    If I don't want to use one-time passwords, I can choose to use a smartcard reader and a PIN number (which remains constant). I'm not sure if that would be vulnerable. Anyway, this follows the "something you have, something you know" security model: I know the username/password and have either the smartcard or the one-time list.

    Do the US banks only use username/password pair?
  • by Mz6 ( 741941 ) * on Tuesday June 29, 2004 @04:11PM (#9563937) Journal
    ... you are preaching to the choir here? I mean, there are at least a few Mozilla/Firefox/Thunderbird stories on here a week! We all know what it is! Rather than preach your comments about switching here, instead, preach to your parents and friends that still might use IE. Send them news stories for them to read. Unfortunately, it takes a real experience for them to have a change of heart. Don't let that happen!
  • Re:Coming events (Score:3, Interesting)

    by Carnildo ( 712617 ) on Tuesday June 29, 2004 @04:11PM (#9563940) Homepage Journal
    Gee, I'm glad I use Firefox on Linux. And why the hell shouldn't I be? In addition to actually supporting standards (CSS anyone?), my decision is constantly reaffirmed by exploits such as these. Do you have a problem with that?

    No, except that I prefer Opera on Linux, and that's just a quibble. I was predicting the future.

    (Probably should have predicted the "-1 Troll" mod, too)
  • Certainly! (Score:2, Interesting)

    by mindaktiviti ( 630001 ) on Tuesday June 29, 2004 @04:11PM (#9563944)
    The reason why people still use IE - EVEN when an alternative is shown - is because it's familiar, and because: - "my favourite websites don't work!" - "It's slow!" - "What is this crap." Coming from people like my sister. I even tried the IE icon trick but she insisted that I put IE back on. However, articles like this - where your bank password will be stolen if you use IE - well here we go, this is something that I could convince my mom with, as well as my sister.
  • by the_skywise ( 189793 ) on Tuesday June 29, 2004 @04:17PM (#9564012)
    "The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis."

    Does another exploit change the .gif name to .exe or attempt to unzip the .gif file? If not, why does IE allow .gif's to be installed?!
  • Bah! If the average user doesn't need all these extensions, explain the popularity of all of the various toolbars, extensions, and pop-up blockers for IE. When I'm trying to proselytize, I don't explain that Opera has mouse gestures and tabbed browsing; that interests me, but not them. I explain that it has native, intelligent pop-up blocking. That gets people interested.

    IE is not just woefully inadequate for power users. It's woefully inadequate for anyone who wants a reasonable (not to mention decent!) Internet experience.

    It's only "good enough" as long as people don't know about alternatives. Then they immediately start downloading extensions to IE -- extensions that you and I know come standard with a real modern browser.

  • by Paladine97 ( 467512 ) on Tuesday June 29, 2004 @04:21PM (#9564072) Homepage
    I wrote a BHO to help me leech pr0n. You know those websites that have a big table of thumbnails and each thumbnail is a link to the real picture? Well I wrote a BHO which would enumerate all links that pointed to pictures and then download them. It was smart and inserted the Referer tag so that it would download correctly. It's a sweet BHO if you ask me.
  • by cmowire ( 254489 ) on Tuesday June 29, 2004 @04:27PM (#9564154) Homepage
    There's a bunch of stuff going on.

    First, Microsoft can't keep up with every possible exploit, so they don't even try. This is why they have yet to tackle viruses and trojans. Heck most of the virus companies aren't doing trojans, either.

    Second, most of the fine-grained ability to really solve these sorts of problems is beyond your average user. If they had a switch to turn off BHOs, people would turn them off and then wonder why the WhizBangSuperBHO application they just downloaded doesn't work and wouldn't think to make the connection. Plus, there's no real concept of a proper sandbox, nor is there much ability to do it properly, if the default install gives everybody root.

    Third, a page or internal site that uses ActiveX, BHOs, and other Microsoft-only technologies is a page or internal site that doesn't work under Opera or Mozilla. So by disabling such things, they risk turning back the clock towards standards that they've been enticing web designers with.

    Fourth, spyware folks *cough*gator*cough* have a tendency to sue their foes. Which is probably without basis, but still could cause Microsoft to have weird injunctions if they got too active about it.

    The problem, and the advantage for the rest of the market, is that all of this hurts Microsoft, if they do anything, or if they don't.
  • by sTalking_Goat ( 670565 ) on Tuesday June 29, 2004 @04:30PM (#9564180) Homepage
    I did this to my Mom's computer. Deleted all the shortcuts to IE except for the one on the desktop, which I put just below the Firefox shortcut and then pointed to firefox.exe. I said hey Mom, use Firefox (knowing she'd use IE anyway, which wasn't a problem since it would start Firefox). Three months later I'm there for a visit and she's using IE and getting stuck in pop-up hell.

    Apparently her ISP software linked directly to Iexplorer.exe and when it asked her to make it default she clicked yes.

    Not her fault but still makes you want to slam your head against the monitor screen.

  • secure (Score:5, Interesting)

    by SQLz ( 564901 ) on Tuesday June 29, 2004 @04:32PM (#9564198) Homepage Journal
    That's funny considering I can't use my bank's Internet system; it says it requires IE for security purposes.
  • by Anonymous Coward on Tuesday June 29, 2004 @04:34PM (#9564226)
    Acting like a raging zealot isn't going to get people to switch.

    No but raging zealots hijack airplanes and crash them to make a point...

    Hmmm, actually maybe raging zealots hijack browsers to crash them to make a point. Maybe these exploits are the "advertisements" created by some radical proponents of Firefox. Sure seems to have hit the media just the same.
  • by Lacutis ( 100342 ) on Tuesday June 29, 2004 @04:34PM (#9564236) Homepage
    You don't have to use the enhanced features of Firefox in order to benefit from it.

    Did you even read the article? It features yet another exploit that IE is vulnerable to that Firefox isn't. Even if you never use the tabbed browsing, the extensions, or the plug in support, you are benefitting from simply USING it.

    As far as the looks are concerned, I am pretty sure there are themes available to make Firefox look like IE or pretty close to it.
  • Re:Coming events (Score:4, Interesting)

    by Anonymous Coward on Tuesday June 29, 2004 @04:37PM (#9564282)
    I'd agree with you, except my banks aren't supporting standards, and don't work with standards-compliant browsers.

    Mine does. Switch to a different bank. Market forces will take care of the rest.
  • by Pantheraleo2k3 ( 673123 ) <jonathan.jekir@gmail.com> on Tuesday June 29, 2004 @04:39PM (#9564304)
    The nice thing about Moz/Firefox is that it doesn't put those features in your face, like Opera. Fiddle with the IE shortcuts so they point to FF. I think there is an IE theme for FF as well.

    And sometimes, the threat of revoking your "Family service plan" will be enough to get them to shape up. That and what one of the parents said about saying that IE let in malware that let people steal your money.

    Remember: when in doubt, go for the greet jugular.
  • by Infonaut ( 96956 ) <infonaut@gmail.com> on Tuesday June 29, 2004 @04:40PM (#9564314) Homepage Journal
    According to this article [crime-research.org], in the proposed 2005 budget, "The Department of Homeland Security's National Cyber Security Division, which distributed information about the Blaster worm and SoBig virus, would receive $80 million."

    "The Justice Department's spending on cybercrime would leap from the $157 million allocated by Congress for the 2003 fiscal year to $265 million. The agency's Internet Crimes Against Children program, which investigates child pornography and "enticement" cases, would receive a $2 million increase, to reach $14.5 million."

    Even if the Justice Department "only" had $157M in 2003, you'd think there would be a bit more to show for it. But this is the US government we're talking about. There are doubtless a good number of motivated and competent people in the US government who are diligently working to combat cybercrime.

    The problem is that US government agencies are notoriously slow to adapt to change. Having worked in one before, I can attest to how frustrating it can be to try and get even simple, obvious tasks completed when groupthink prevails. It must be incredibly frustrating for the folks working in those departments who are trying to go after cybercriminals.

  • Re:Oh, PUH-LEEZE (Score:2, Interesting)

    by Dr. Trevorkian ( 131507 ) <inbox@trevorbramble . c om> on Tuesday June 29, 2004 @04:40PM (#9564315) Homepage
    "Oooh switch to firefox" is the most ignorant and misguided response to this. Does soccer mom really care about a firefox? Nope.

    The good news is, she doesn't care about an Internet Explorer either.

    I spent some extra time while replacing my mother's aging and cruft-hobbled Win98SE install (with XP, for the record) to install and configure both Firefox and Thunderbird alongside IE and OE. The fox and the bird are default, but I wanted to make sure that if she found them unacceptable for any reason, her known devices were still there and up for the task.

    She was nervous about having to suddenly rely on unfamiliar programs to do her thing but as long as they did the same things as IE+OE she was up for it. I made sure to import her "favorites" and contacts and picked out a theme for Firething with her and introduced her to tabbed browsing briefly. I showed her how to check her mail and where to change things for either program. After that all I could do was walk away and hope for the best.

    A few days later I got an email from her thanking me again for my help and commenting on how much speedier everything was. I checked the user agent: Mozilla Thunderbird 0.7. =^)
  • Firefox IE Skin (Score:2, Interesting)

    by ffejie ( 779512 ) on Tuesday June 29, 2004 @04:40PM (#9564318)
    Is there a skin that acts exactly like IE? I'm looking to swap my family computers over and would like an IE interface. I've tried education to the family and it just hasn't worked really well. Tabs? What do they care? Adblocking? Who's got the time? They're just ads. Every feature I introduce doesn't really sell them. So basically, they would like to stick with Internet Explorer. However, clearly, I can't let them with all this crap flying around these days. That being said, I just want a way to make Firefox look like IE so I can do a swap. Anyone?
  • InterWeb BAD!!!!!!! (Score:2, Interesting)

    by Anonymous Coward on Tuesday June 29, 2004 @04:42PM (#9564341)
    Okay folks, now is the time to DEMAND your online banking providers to switch to a one-time pad system for passwords.

    Many banks in the EU have already done this. Why are banks like BANK OF AMERICA and others still using simple passwords?
  • by TheLetterPsy ( 792255 ) on Tuesday June 29, 2004 @04:44PM (#9564367)
    Unfortunately, people have their (usually unjustified) reasons.

    Take, for example, my Mom. A month or so before coming home from school, I mentioned that I planned on building a new computer for myself over the summer. She told me that she was just about fed up with our home PC because it was so slow and working so poorly and crashing. I told her definitely not to go do anything silly like buy a new one, just yet.

    So when I get home, she has since cleaned up a lot of stuff (she's fairly tech-savvy as far as Aunt Tillie-types go) and the computer is running OK. I immediately installed Firefox on the computer, and told her, my brother and sister to all start using it instead of IE.

    I left a week later for my summer job (6 hr drive, first time I go back is this weekend). As soon as the IIS compromise issue came out, I e-mailed my Mom and made sure she was using Firefox because she had told me over the phone that she had a lot of spyware/malware problems. Of course she wasn't using Firefox. I asked her why the hell not and she says, "I'm old and don't want to have to take the time to learn something new" (she is co-owner of a financial consulting firm). So I explain to her how it's not anything new. A browser is a browser, you've got the back button, the forward button, hell, you can even import favorites. So whatever. That was a few days ago.

    I called her last night to make sure she started using Firefox, and of course, she wasn't again. I asked her why and this is exactly what she said, "I may be superstitious or something, but ever since Mozilla was installed, that's when we started getting all the nasty stuff on the computer." Well I didn't want to be rude and point out what problems she was having before I got home from school, so I let it go when she promised I could show her how great Firefox is when I go home this weekend.

    I only hope she's not using IE to check her bank statements, etc.

    Some people are so set in their ways, like my uncle, for example, who refuses to wear a seatbelt. I feel like switching browsers is the same situation. If anyone has any recommendations on how to convince people that are utterly unconvinceable to switch to Firefox, please let me know.
  • by Anonymous Coward on Tuesday June 29, 2004 @04:49PM (#9564433)
    What worries me is I don't know yet how secure Firefox is. Has anyone even tried to write an exploit for it? It's not even at version 1 yet.

    The same argument applies to IE vs other Browsers as it does to Windows vs Linux. The people writing these exploits are targeting the largest audience for the most success.

    And yes, IE definitely has many serious security design flaws, and Firefox has been designed with those in mind, but that doesn't mean that Firefox is necessarily free of any security holes.
  • Re:Coming events (Score:1, Interesting)

    by Anonymous Coward on Tuesday June 29, 2004 @04:50PM (#9564442)
    Interestingly, both Firefox 0.9 and IE 6.0 function equally well (or poorly) on this page.

    So, what was the point?

  • Re:Coming events (Score:4, Interesting)

    by Too Much Noise ( 755847 ) on Tuesday June 29, 2004 @04:51PM (#9564465) Journal
    erm ... this [w3.org] says the html is not valid 4.01. Also, the w3c css validator complains rather heavily on it. So much for standard support ^_^
  • by Ironica ( 124657 ) <pixel@bo o n d o c k.org> on Tuesday June 29, 2004 @04:52PM (#9564473) Journal
    For the non-power user IE *IS* preferable.

    The non-power user is most vulnerable to the security flaws IE is famous for. They are less likely to notice if something is downloaded to them without consent, and less likely to be able to fix it if it is.

    I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.

    There's two things I tell/show people about Mozilla when I install it (waiting for 1.0 to start giving out Firefox):

    - Look, tabbed browsing. [perform Google search on something they find interesting. Middle-click on a lot of links.] Shiny!

    - Look, no pop-ups. This is the big winner.

    Oh, yeah, it's more secure, yadda yadda... but those are the two functions that the average person is going to find most beneficial. They may not pick up tabbed browsing, but they sure will appreciate built-in by-default popup blocking.

    It may take some persistence. Every time they call you for help, walk them through like they're using Mozilla. If they're not using Mozilla, tell them to use it instead.

    IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.

    My mom called me last week, when my phone battery was almost dead. Thankfully, it was a short conversation, because it went like this:

    "I heard that there's this new web exploit that MS doesn't have a patch for, but it's ok if you update your antivirus. So if I just update Norton I'll be fine?"

    "Are you using IE?"

    "No."

    "Go ahead and update Norton anyway, but you can only get the virus if you're using IE. Keep using Mozilla and you'll be fine."

    [bee-oop, bee-oop, bee-oop, phone goes dead]

    The last few months of retraining her to think of Mozilla as her default browser have paid off. Yay!

    For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.

    You could say the same about IE. Most of the security flaws come from having built-in functionality that is only useful in some very esoteric intranet environments, and has no business on the public web. The whole "Trusted Sites," "Internet Zone," etc. thing is WAY more complicated than it should be, and defaults to settings that aren't safe, so you do have to go in there and change things if you want a somewhat secure browsing experience.

    In Mozilla, the preferences are very clearly organized, with only a few things on any one screen. Makes it far easier for me to walk someone through changing something, and easier for the novice to find it themselves. The explanations are a lot more useful, too.

    To go with the car analogy, using IE is like using the company fleet's Ford Taurus with no right-hand wing mirror or air bags, because it's closer at hand than your Honda Civic Hybrid. In my opinion, anyway.
  • by rburgess3 ( 682428 ) <(moc.oohay) (ta) (3ssegrubr)> on Tuesday June 29, 2004 @04:54PM (#9564514)
    Quoth SimianOverlord:
    "Anyway I just wanted to say most users don't need Firefox despite what you might read."

    I beg to differ. [slashdot.org]

    People need to use something that isn't going to expose them needlessly* to the seamy underside of the internet.

    You say it's needed one time in a million, and I think it's much, much more often, but even so, how many millions of people use the internet each day? What percentage of people use IE to do so? I'd hazard a guess at upwards of 90%. So, even pulling a lowball figure out of my... errmm... gluteus maximus... of 6 million people on the internet on any given day, that means that 6 people every day get hit by an IE exploit. It's not fair to them and it's not fair of you to say that they shouldn't be using a '4x4' to go shopping for groceries.

    If I were in the analogy bending department, I'd be exhorting everyone to use a Land Rover (Firefox or other Moz clone) because the internet is a freakin' jungle and anything less will get you stuck and in loads of trouble eventually.

    * I say needlessly because MS is well known for:
    A) Ignoring security flaws until they're good and ready to do something about it and...
    B) Lazy, insecure programming practices in the first place.
  • What the?!?!?! (Score:1, Interesting)

    by Anonymous Coward on Tuesday June 29, 2004 @04:58PM (#9564571)
    What the hell!?!? Microsoft promised me that Windows was more secure than Linux!?!?

    -=-=-=-

    And yes, a bug in Explorer counts as a bug in Windows; after all, they're the ones that were so insistent on building the web browser directly into the OS.
  • by Anonymous Coward on Tuesday June 29, 2004 @04:58PM (#9564575)
    You forgot chasing the wrong guy for spreading anthrax......
  • by scribblej ( 195445 ) on Tuesday June 29, 2004 @05:01PM (#9564619)
    One more tip after that:

    Go to your Internet Explorer settings, set it to use a proxy, set the proxy to 10.0.0.1

    I have yet to encounter another program that reads its browser settings from IE, but I have many programs that will pop up IE to load shit I don't want, and this makes it so IE can't talk to anything.

    Firefox continues to browse just fine.

  • problematic idea (Score:4, Interesting)

    by lordcorusa ( 591938 ) on Tuesday June 29, 2004 @05:01PM (#9564620)
    While this naively may seem like a good idea, it has enormous potential to blow up in your face.

    By installing software on a computer-illiterate person's computer, you are implicitly taking *personal* responsibility for that computer, whether you want to or not. From that moment forward, that person will insist that you provide free technical support for them whenever they need it. Refuse this, and you will cast a bad light on open source. (ie: That Mozilla thing broke my Internet and no one will help me!) From experience, Murphy's law will go into effect, and any and every thing will go wrong.

    Be wary whenever you offer to help someone with their computer. I have been so burnt out from helping so many people over the years that I refuse to help anyone, even family members, or even talk to them about computers.

    Like it or not, open source cannot forever rely on legions of selfless geeks helping everyone. It's just not infinitely scalable. "Mainstream" open source projects like Mozilla, OpenOffice, etc need to 1) proactively focus on usability by recruiting (by paying if necessary) human-computer interface experts and focusing all development on usability and 2) form political relationships with as many computer manufacturers, banks, and any other organizations we can to get our stuff in front of mainstream users. There is already some movement on these fronts, but it needs to be at least an order of magnitude greater.
  • by Anonymous Coward on Tuesday June 29, 2004 @05:02PM (#9564625)
    I have recently deployed Mozilla at my work to replace IE on the users' desktops. Now I am going back and changing that to Firefox.
    Why you ask?
    The answer is simple enough:
    I work as IT for an insurance company. Now, you might think that the insurance industry is part of the bleeding-edge of the IT world, but you might be surprised.
    98 percent of all the agencies that we work with have zombified computers running IE and Outlook that constantly spam and virus message us all day long because we are in their address books.

    When I made the switch, some people resisted. These people needed time to figure out that the stop sign had changed to a stop light.
    Others (including the VP) were excited to try this new, more secure piece of software. He was coming into my office every couple of minutes to tell me how much he loved it.

    He is about as much of a newbie as you can get.
    He has used IE 100 percent of the time that he has used computers, and he instantly picked up and loved mozilla.

    Hope for the future?
    -Nickrooster
  • by Infonaut ( 96956 ) <infonaut@gmail.com> on Tuesday June 29, 2004 @05:10PM (#9564707) Homepage Journal
    Now looking at the BHO I am wondering why you think using FireFox on Linux is safer than IE? Someone else could just as easily (Anything is possible, so don't say it can't be done) program a plug-in for FireFox/Mozilla that does the same as BHO and people can just as easily download this plug-in and experience the same issues on FireFox/Mozilla as any Windows user using IE.

    Someone could just as easily program a plug-in for Mozilla/Firefox/whatever that does the same thing as BHO? Do you also think that all operating systems are equally secure inherently? Is it just as easy to program in Python as it is to program in Pascal? Microsoft has a long history of creating application environments that offer extensibility through plug-ins that are inherently prone to security exploits. This makes it easier to create exploits for their products.

    IE is the target because a high percentage of people use it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.

    Like back in the day, when Netscape ruled the browser market? Yep, there were a lot of adware/spyware/trojan-ware apps back then.

    Maybe you should be happy that IE is used by so many.

    Actually, no. I think most people would be a lot happier not to have to deal with such a crappy browser that is always introducing security problems, isn't standards-compliant, and doesn't have any of the most recent "must have" features that so many other browsers share. It would be easier for web developers, users, and security managers if IE weren't such a piece of crap.

  • Firefox Too? (Score:4, Interesting)

    by RichiP ( 18379 ) on Tuesday June 29, 2004 @05:11PM (#9564717) Homepage
    Isn't Firefox with its plugins system also susceptible to malware? How secure is the area in which plugins can play? It would be interesting if someone would take up the challenge of writing a similar piece of software as a plugin for Firefox and see if they can insinuate it in the Plugins repository.

    It's not that I wish such a thing on people, but I'd like to know how secure the repositories are and what kind of damage we're looking at if it isn't.
  • by WARM3CH ( 662028 ) on Tuesday June 29, 2004 @05:12PM (#9564729)
    Here in Switzerland, the online banking system is the same, with a "scratch-list" or a list of one-time passwords that are used one by one for each access to the online banking service. Recently, UBS and some other banks have an even better solution. Instead of a paper list that somebody may secretly take a copy of, they give the customers some type of smartcard and a special small calculator-like device to read it. Each time you access the bank's website to do some banking transactions, you enter your user and password, then a number is displayed on the screen. You enter this number in the card-reader holding the smartcard you have, and it returns back a hash value that you enter in the webpage. Now, each user has a unique smartcard and the number that the webpage generates is random, so there is practically no way to predict the needed hash value to access the banking record unless you can physically access the smartcard. And needless to say the smartcard itself has a user-selectable password that can be changed using the card-reader to protect it against theft. This way, even a bank employee can't steal your password and/or scratch-list!
  • by FedeTXF ( 456407 ) on Tuesday June 29, 2004 @05:12PM (#9564736)
    I sent a mail to all the company when last Friday's attack hit the media. I told people to be careful with IE and if they wanted a browser that didn't have that problem, download Firefox (provided a link).

    The company's CTO mailed me back and told me:
    "Even though we give users admin rights in the [w2k and XP based workstation] machines, you cannot install software without first checking with the IT department. This is more important when we are talking about basic OS components, especially for those doing web development, because it could lead to different rendering results."

    My answer was: "I never told them to install anything in the office PC, I assume some might have a PC at home."

    What I like is the part where he thinks a browser is a basic OS component.
  • by BumpyCarrot ( 775949 ) on Tuesday June 29, 2004 @05:17PM (#9564773)
    Tear everything down and start again. If you can get someone to properly document your kernel, so that your own employees will have a chance of understanding it, go that deep.

    Go as far as you need to actually secure your OS and supporting suite. People aren't going to put up with this crap forever.

    Windows had the potential to be a good system when you originally bought DOS, until you started piling "functionality" onto it.
  • by Angry Prick ( 743094 ) on Tuesday June 29, 2004 @05:34PM (#9564931)
    With IE security holes and exploits being announced almost daily, it might make you wonder why people would continue to use a piece of crap like IE. I wondered the same thing until recently when I had the following conversation with a friend, who is not exactly "computer savvy".

    Friend: [asks me a bunch of questions about IE and Outlook Express]
    Me: "I really don't know. I never use those programs"
    Friend: "Oh. [looking very surprised] I thought you *HAD* to use them."

  • Re:SF article (Score:1, Interesting)

    by Anonymous Coward on Tuesday June 29, 2004 @05:46PM (#9565074)
    Hasn't Gates been "that way" for a long time?

    I remember him saying, when Windows NT was still vapourware, that "NT will be so easy to use, all point 'n click, that you will be able to hire sysadmins off the street"!

    He still, even now, doesn't get it!
  • Re:Firefox Too? (Score:3, Interesting)

    by jesser ( 77961 ) on Tuesday June 29, 2004 @05:59PM (#9565228) Homepage Journal
    Firefox extensions can do anything the browser can do, so a malware executable could probably install a Firefox extension and do the same thing as this site. But a malware executable could instead modify the browser itself or install a keylogger, so it doesn't make sense to call Firefox's extension system "insecure". The only security hole (if any) is the one that allowed the malware executable to run in the first place.

    It would be nice if operating systems could protect applications from each other. Then we could discuss whether BHOs or Firefox extensions are secure. Are there any operating systems that do that?
  • by bryhhh ( 317224 ) on Tuesday June 29, 2004 @06:01PM (#9565247)
    Maybe the problem is with another part of your system? I only wonder this because I've been using Firefox as my primary browser since the day 0.1 was announced on Slashdot. I've never seen it lock up once, and I have Slashdot set as my homepage.

    I regularly use it on different platforms, and have deployed it to a network of over 500 Windows computers, and never had a single problem reported.

    I've probably seen firefox crash less than five times in this time. Not bad for a 0.x release really.
  • Re:Coming events (Score:5, Interesting)

    by AstroDrabb ( 534369 ) * on Tuesday June 29, 2004 @06:17PM (#9565417)
    No offence, but I think that is a poor attitude. One opinion can make a difference, though there are no guarantees. For example, about 1 year ago, I was having problems with online banking for my bank. The site sucked and said you need/should use IE. I keep a long list of links to IE/Windows holes, exploits etc. I wrote up a very good technical email with links to all the problems with IE. I basically asked my bank why they would force me to use the most insecure web browser to do transactions that are so important to me and their business. Not too long after that, the site now works great in Mozilla/Firefox. Now I don't know if those changes were because of me, or because other users complained, or the bank IT dept figured it out on their own, but the changes happened. I also put in the email that I would take my money to a competitor that does have a standards-compliant site.

    And if your bank does not change. Then you change. Take your money to a different bank. It may be a little bit of a pain to have to do that, but that is the only power we have left as consumers, so exercise it.

  • Re:Coming events (Score:4, Interesting)

    by Lispy ( 136512 ) on Tuesday June 29, 2004 @06:27PM (#9565505) Homepage
    My bank changed it too. I called phone support and after a week or so I was suddenly able to surf to the page with mozilla. Half a year later they relaunched their page and got rid of the Java crap they have been using before. Actually, when I called lately and they told me about another update I asked again and they replied "Of course we will support Mozilla, we wouldn't be so stupid to annoy many of our customers!" It seems that their IT is at least aware that there are other browsers out there.

    FYI: It was this [dresdner-bank.de] German bank.
  • by Artful Codger ( 245847 ) on Tuesday June 29, 2004 @06:50PM (#9565765)
    One problem with your little scenario.

    The "rabbits" are consumers! They pay to buy and sell stuff, pay to read about other rabbits, pay to view pictures of young shaved rabbits, pay to manage their carrot hoard online, all on the websites we're paid to build.

    If there's fewer rabbits, we get paid less.

    If rabbits tell other rabbits that one particular "field" (the internet) is full of foxes, they'll stay away, and the rabbits will move off to somebody else's field (like maybe a "secure" proprietary network owned by a big corporation).

    Let me make my point another way - instead of the web, let's consider a shopping mall that has pickpockets. By your Darwinian model, we should just sit back, let the shoppers get pickpocketed, and hope that only paranoid shoppers with tight pants will shop in our mall...?

  • Re:Coming events (Score:3, Interesting)

    by milkman_matt ( 593465 ) on Tuesday June 29, 2004 @07:10PM (#9565908)
    Gee I'm glad I use FireFox on Linux.

    Gee I'm glad I use FireFox and Safari on Linux, OS X, and windows.

    Reading this prompted me to push harder on my moving all of my friends and family over to FireFox. I've already converted my parents and neighbors.

    This story though, got me thinking.. the other day my neighbor complained about his new system being slow after his g/f came to visit for a couple weeks and used Kazaa to download some stuff... I knew immediately to install and run Ad-Aware, found over 800 issues and deleted them all. What's this have to do with anything? Well, what's to say that this won't become the next widespread Kazaa malware?

    Everyone I know has had SOME malware installed on their system without their knowledge, usually it's the same few programs, too. If this becomes one of those programs, then there's a lot of people at serious risk.

    I'm pretty sure my parents aren't using IE anymore, but they do bank online, and I'm going to make sure to delete every shortcut to IE they have easy access to on their system to ensure that they are not at risk for this.

    Also, I know a few people who really honestly like IE and dislike Firefox... I don't see why; I'd think that from the layman's view they'd be identical.. Either way, I'll be pushing them to migrate as well.

    Or do all browsers have this behavior?
  • by BCW2 ( 168187 ) on Tuesday June 29, 2004 @07:13PM (#9565944) Journal
    If this is another case of sloppy programming by M$, everyone that loses money can sue. A class action suit for negligence, starting price 10 Billion. We will of course demand actual reimbursement of damages besides that fine, and we are always willing to negotiate.......UP.

    Break the bank, problem solved.
  • Re:Coming events (Score:5, Interesting)

    by omglolbah ( 731566 ) on Tuesday June 29, 2004 @07:20PM (#9566006)
    Or, get a *real* ebanking system...

    I live in Norway and most net-banks here use both your "birth-number" *and* a "securitycard" to generate a key.

    The key generated by the securitycard is never the same, and you need a 4-digit PIN code to even get it to generate a code. You type in the first 6 digits and hit "log in", and on the screen you get the last 2 digits; if these match the ones on your "securitycard" you can be reasonably sure that you are really talking with your bank.

    Sniffing the password etc. won't help you one bit, since it will only be active for a few minutes. After that, you need a new number to log in.

    Steal the card? I would just call my bank and they would issue a new one, and put the other on the "watch list"; if someone tries to log on with it: oops, their IP is logged and you have a trail for the police ;)

    Another great thing about this way of doing it is that you can access your netbank anywhere and within a few minutes, any information logged by a keycatcher is invalid.
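    WARM3CH's smartcard challenge-response login earlier in the thread and omglolbah's security-card scheme above (type the first six digits, the bank shows the last two) both defeat a BHO that copies the login form before SSL: what it captures is a value that is only good once, and only for a few minutes. The following is an added Python simulation of that exchange, not code from either bank or from anyone in the thread. The HMAC-SHA256 code derivation, the two-minute validity window, the 8-digit code split 6/2 and all names and secrets are assumptions for illustration; real cards use vendor algorithms.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


def card_response(secret: bytes, challenge: str) -> str:
    """8-digit code derived from the card secret and the bank's challenge.
    Assumption: stand-in for the vendor algorithm (HMAC-SHA256, truncated)."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class SmartcardReader:
    """Stand-in for the smartcard plus its calculator-like reader."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin

    def respond(self, pin: str, challenge: str) -> str:
        # The card computes nothing without its PIN, so a stolen card alone is useless.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return card_response(self._secret, challenge)


class BankServer:
    CHALLENGE_TTL = 120  # seconds a challenge stays valid (constructed value)

    def __init__(self):
        self._customers = {}  # user -> (password, card secret shared at enrolment)
        self._pending = {}    # user -> (challenge, issued_at)
        self._used = set()    # (user, challenge) pairs already consumed

    def enrol(self, user: str, password: str, secret: bytes) -> None:
        self._customers[user] = (password, secret)

    def begin_login(self, user: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Step 1: check the static password, then issue a fresh random challenge."""
        record = self._customers.get(user)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return None
        challenge = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (challenge, time.time() if now is None else now)
        return challenge

    def finish_login(self, user: str, typed_prefix: str, now: Optional[float] = None) -> Optional[str]:
        """Step 2: accept the first six digits once, for the live challenge only.
        On success return the last two digits so the customer can check it is really the bank."""
        now = time.time() if now is None else now
        pending = self._pending.get(user)
        if pending is None:
            return None
        challenge, issued = pending
        if now - issued > self.CHALLENGE_TTL or (user, challenge) in self._used:
            return None
        expected = card_response(self._customers[user][1], challenge)
        if not hmac.compare_digest(expected[:6].encode(), typed_prefix.encode()):
            return None
        self._used.add((user, challenge))
        del self._pending[user]
        return expected[6:]


def demo() -> dict:
    """Legitimate login, then a replay of everything a pre-SSL form grabber could have copied."""
    secret = secrets.token_bytes(32)  # constructed: provisioned on the card at enrolment
    bank = BankServer()
    bank.enrol("alice", "correct horse", secret)
    card = SmartcardReader(secret, "1234")

    challenge = bank.begin_login("alice", "correct horse")
    code = card.respond("1234", challenge)        # 8 digits shown on the reader
    proof = bank.finish_login("alice", code[:6])  # customer types the first six
    legit = proof == code[6:]                     # customer compares the last two

    # Attacker replays the captured password and typed digits: new challenge, stale code.
    bank.begin_login("alice", "correct horse")
    replay = bank.finish_login("alice", code[:6])

    # Attacker holding the card but not the PIN gets nothing from it.
    try:
        card.respond("0000", challenge)
        pin_required = False
    except PermissionError:
        pin_required = True

    return {"legit": legit, "replay_accepted": replay is not None, "pin_required": pin_required}


if __name__ == "__main__":
    print(demo())
```

    The point for the malware in the article: the BHO still sees the password and the six digits in the clear, but the six digits are bound to a random challenge the server will never issue again, and the two digits coming back let the customer notice a site that does not hold the card secret.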

  • by bumbobway ( 111020 ) on Tuesday June 29, 2004 @07:32PM (#9566108)
    For those of you who don't take the time to read the analysis of the trojan, here's what is said:


    The HTML here attempts to exploit a known flaw in Internet Explorer to load and execute a .chm file. At the same time, it appears to have executed a script on www.mymaydayinc.com called photos.php. At this point, the packet captures provided by the victim end, but it is possible to make some intelligent guesses as to what happened next.

    The victim of the attack found a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis. The file "img1big.gif" is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. (Hypothesis: the .chm exploit, shown above, is likely used to rename and execute this file.)


    So basically, it allows a CHM file (Compiled Help, used in your standard help files) to auto-install a DLL, which in turn registers itself as a Browser Helper Object (BHO). BHOs are typically used for things like browser toolbars (like the one Google provides).

    Microsoft should not allow auto-execution of any file type. It should be an easy fix to IE though.
  • they are afraid (Score:2, Interesting)

    by zogger ( 617870 ) on Tuesday June 29, 2004 @08:20PM (#9566447) Homepage Journal
    Really, most of those people who won't switch are just plain afraid to do it. They get their machines broken and stuffed with malware while doing nothing wrong! No matter what they did last week to make it better, this week there's something else that will break their machines. They barely can run what they have now, so they get scared to start from scratch with a brand new learning (and potential expense in their minds) experience. These things -das komputarz- are sold all over as "easy to use", All you are supposed to have to know is click here, fill in the blank, click again, get online, open browser, go surfing. Really, see the ads for computers all over. NEVER do they claim it's hard and you will need to jump through hoops daily. People know that kindergarteners 'can use computers' now, so in their minds any normal adult can just get one, turn it on and use it.

    So, they do that, they buy one, get online, 15 minutes later they get borked. They surf for a week, they got 293 weirdo scripts, cookies, warez, whatevers crawling all over their machines and the thing barely moves. They haul it to the local shop where the helpful windows computer expert trusted computar guy charges them 50$ to run a few cheap programs against it, it gets cleaned up. They drop another 50$ on an antivirus program at his recommendations. Next week it's broken again, back to the shop. 50$ to fix it, another 50$ to get a "firewall". Back home. Next week they get borked again, then they say "FxxK IT! Enough!" they won't care after that point, and no way do they want to start fresh all over with something new that is pushed the same exact way they got borked in the first place, with the recommendation of "go ahead, drive it, it's easy, a kid can do it, it's the same as you had before, just different".

    Uh huh, that's gonna make them want to switch. Yep. Sure it is.

    That's my theory anyway

    There's little to no long term money in making windows or explorer secure or functional. What would they sell from then on if they actually released a product like that? They'd sell it ONCE, that's it. You wouldn't have a need to upgrade. You wouldn't need mr. fixit and even more expensive mr. consultant. And now MICROSOFT is going to sell antivir because their crap is so lame and PEOPLE WILL BUY IT!

    There's a cubic metric boatload of megatons of money in making MSOS and browser (and server and email client and etc) *almost* secure and *almost* functional, for microsoft themselves down to the thousands of helpful windows/computer experts at the local whitebox stores and in the consulting yellow pages.
  • Re:Coming events (Score:3, Interesting)

    by DissidentHere ( 750394 ) on Tuesday June 29, 2004 @08:48PM (#9566618) Homepage Journal
    A relevant side comment; banks are generally very concerned about security, online and in general. This is because it is a liability for them. I work in the banking industry in fraud detection and prevention, and it's big business. In the US at least, the consumer is only liable for the first $50 in a case of check card fraud; credit card companies are liable for the whole thing. I've had my work slow to a crawl because a bank's IT dept blocked _all_ attachments during a worm outbreak; I've FedExed CDs with 2 10K files because no one knew when attachments would be allowed again.

    Speaking up really could make a difference, especially if you can get in touch with a techie. He/she can then go to the PHB with some ammo that consumers demand compatibility with more secure browsers such as Mozilla/Safari/Opera etc. (He/she already demanded this compatibility, but you know PHBs).

    I'd not be the least bit surprised if the banking industry became a major driver in getting users to switch away from IE. Online fraud losses are creeping up on more traditional fraud s.a. check fraud. Add in the liability if consumer data gets out on the net and banks may begin to _only_ support non-IE browsers. Maybe not today, maybe not tomorrow, but someday, an IE hole is going to blow so big banks won't want their customers on it because of the liability concern. At least this is what the IT and loss prevention people would prefer.

    --
    IE isn't a feature, it's a bug
  • Re:Coming events (Score:4, Interesting)

    by plover ( 150551 ) * on Tuesday June 29, 2004 @08:54PM (#9566658) Homepage Journal
    A keykatcher [yahoo.com](tm) is a piece of hardware that the bad guy (or your employer) sticks between your keyboard and your PC.

    Knoppix, Linux, DOS, OS/2 -- the OS doesn't matter. The keykatcher is a hardware dongle-like thing that looks like an elongated keyboard plug. And all it does is keep the last 65K of keystrokes you've typed.

    You can download it to a floppy without removing it from the PC (if you're running Windows) or you can remove it, download it to a different PC and replace it later. Or, you can remove it, download it to a different PC, and then place it on the next guy's keyboard.

    So, the truly paranoid person now has to cut-n-paste bits of their password with the mouse, and hope the bad guys haven't installed Back Orifice.

  • by Anonymous Coward on Tuesday June 29, 2004 @09:53PM (#9567037)
    I'm typing away in a form,
    the website had a meta refresh to install software,
    the prompt pops up just as i'm hitting enter and BAM, i got fucked
  • by darf ( 182630 ) * on Tuesday June 29, 2004 @11:44PM (#9567741)
    I am one of the folks that submitted this to SANS. I actually looked at the file prior to my teammate sending it and the initial report. The .gif file was really an executable file without the .exe extension. The file had an executable's header and link information strings referring to DLL load points at the end of the file. The middle of the file was compressed binary cruft. The attack vector used the CHM vulnerability to launch.

    Another interesting thing we've noticed lately is how many attacks are now using multiple vectors. After dealing with this issue and a bunch of related ones we have come across I have to say that the entire banner ad system is corrupt and infected.

    I never thought anything I had a hand in would show up on ./. My life is complete...
  • registry permissions (Score:2, Interesting)

    by tabby ( 592506 ) on Wednesday June 30, 2004 @01:32AM (#9568304) Homepage
    "When IE 4.x and higher starts, it reads the registry to locate installed BHO's and then loads them into the memory space for IE."

    So if I write-protect this section of the registry so no user can write to it, then IE will never load the BHOs? I'm starting to think that read-only for the entire "\Software\Microsoft\Internet Explorer" might be a good idea.

    FYI: I work at an internet gaming cafe, I don't think I've ever seen so much spyware :(
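    On tabby's question of where IE finds BHOs: they are registered by CLSID under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, and the DLL for each CLSID is named under HKEY_CLASSES_ROOT\CLSID\{clsid}\InprocServer32, so an inventory of those two keys tells you what IE will load at start-up. The following is an added Python example, not code from the thread or from SANS, that parses a constructed `reg export`-style dump of those keys and flags registrations a defender would want to look at: unnamed entries, DLLs living outside Program Files or Windows, and CLSIDs with no server DLL. All CLSIDs, names and paths in the sample are made up.

```python
from typing import Dict, List, Optional

# Constructed sample in .reg export format; CLSIDs, names and paths are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]
@="Vendor Toolbar Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-1111-2222-3333-444444444444}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCCCCCCC-1111-2222-3333-444444444444}]
@="Search Assistant"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\Vendor\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\helper.dll"
"ThreadingModel"="Apartment"
"""

BHO_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"
# Heuristic only: legitimate toolbars normally install under one of these.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")


def _unescape(value: str) -> str:
    """Undo the two escapes .reg files use inside string data."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections with "name"="data" / @="data" lines into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line[0] in ('"', "@"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def inventory_bhos(reg_text: str) -> List[dict]:
    """List every BHO registration and the DLL IE would load for it, with review flags."""
    keys = parse_reg(reg_text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        clsid = path.rsplit("\\", 1)[1]
        server = by_lower.get(f"hkey_classes_root\\clsid\\{clsid}\\inprocserver32".lower(), {})
        dll = server.get("(Default)")
        name = values.get("(Default)", "")
        flags = []
        if dll is None:
            flags.append("no InprocServer32 (dangling registration)")
        elif not dll.lower().startswith(TRUSTED_DIRS):
            flags.append("DLL outside Program Files/Windows")
        if not name:
            flags.append("unnamed BHO")
        findings.append({"clsid": clsid, "name": name, "dll": dll, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in inventory_bhos(SAMPLE_REG):
        print(f["clsid"], f["name"] or "<no name>", f["dll"], f["flags"])
```

    On the write-protection idea: a deny-write ACL on the BHO key stops an installer that runs as a restricted user, which matches the SANS observation that account restrictions made this sample fail to install, but code already running with administrative rights can change the ACL back, so treat it as a hurdle rather than a guarantee.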
  • by callipygian-showsyst ( 631222 ) on Wednesday June 30, 2004 @10:41AM (#9570836) Homepage
    I'm a big Microsoft fan! I think C# (seriously) and the .NET environment are the best programming environment around today.

    I used to write off all these Microsoft problems as "well, they have 95% of the market, so that's why they get targeted for these things."

    But this latest problem made me reconsider! I switched to Firefox (and Thunderbird!) yesterday, and don't miss IE and Outlook one bit.

    Thanks, /., for encouraging me!
