New Microsoft IE Malware
SANS ^ | 6-29-2004 | John Bambenek

Posted on 06/29/2004 2:07:10 PM PDT by zeugma

Handler's Diary June 29th 2004

Updated June 29th 2004 18:17 UTC

BHO scanning tool and New Scam Targets Bank Customers

------------------------------------------
Browser Helper Objects (BHO) scanning tool
------------------------------------------

BHODemon is a free tool that will list all Browser Helper Objects that are installed on a Windows system by scanning the registry and give you the ability to disable them. This will also list "good" BHOs as well, but nevertheless is a useful tool in detecting and disabling malicious software.

It is available at: http://www.definitivesolutions.com/bhodemon.htm

-------------------------------
New scam targets bank customers
-------------------------------

On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.

The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.

The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the open source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under Windows XP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer.
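The triage the handlers describe (the name says .gif, the bytes say Win32 executable, the section names betray the UPX packer) can be reproduced offline. The Python below is an added example written for this page, not code from the SANS diary or from Tom Liston's write-up; the sample it inspects is a constructed minimal PE stub with UPX-style section names, not the real img1big.gif.

```python
import struct

# Constructed sample for this example: a tiny PE stub with UPX-style section
# names. It is NOT the img1big.gif sample from the SANS report.
def build_fake_pe(section_names=(b"UPX0", b"UPX1", b".rsrc")):
    e_lfanew = 0x40                       # PE header follows the 64-byte DOS header
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x010F)
    optional = bytes(0xE0)                # zeroed optional header, size as declared above
    sections = b"".join(n.ljust(8, b"\x00") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + optional + sections


def triage(data):
    """Classify a blob by its magic bytes and, for PE files, list section names
    and note the UPX section-name signature."""
    result = {"magic": None, "is_pe": False, "sections": [], "upx_packed": False}
    if data[:6] in (b"GIF87a", b"GIF89a"):
        result["magic"] = "gif"
        return result
    if len(data) < 0x40 or data[:2] != b"MZ":
        result["magic"] = "unknown"
        return result
    result["magic"] = "mz"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return result                     # MZ stub without a PE header (e.g. plain DOS)
    result["is_pe"] = True
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size      # section table follows the optional header
    for i in range(nsections):
        off = table + i * 40
        if off + 8 > len(data):
            break                         # truncated file: stop rather than read past the end
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        result["sections"].append(name)
    result["upx_packed"] = any(s.startswith("UPX") for s in result["sections"])
    return result


def extension_mismatch(filename, data):
    """True when the extension claims an image but the bytes are a PE executable."""
    return filename.lower().endswith((".gif", ".jpg", ".png")) and triage(data)["is_pe"]


if __name__ == "__main__":
    blob = build_fake_pe()
    print(triage(blob))
    print("mismatch:", extension_mismatch("img1big.gif", blob))
```

The UPX check keys on section names only; a packer that renames its sections would evade it, so treat it as a hint for the analyst, not proof of packing.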

A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHOs and then loads them into the memory space for IE. Loaded BHOs then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.
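As an added illustration (not code from the SANS diary or from BHODemon), the script below does by hand what the text says IE does at startup and what BHODemon automates: it walks the Browser Helper Objects registry key, resolves each CLSID to its InProcServer32 DLL, and applies two heuristics taken from the dropper behaviour described above (a DLL with no description registered directly from System32, and a random-looking file name). It parses a registry export in .reg text form so it runs offline on any platform; the CLSIDs, vendor name and DLL names in the sample are constructed, and the heuristics are this example's assumptions, not rules from the write-up.

```python
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed .reg export: one plausible vendor BHO and one that looks like the
# randomly named System32 DLL described in the SANS report. Nothing here is real.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Example Vendor Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32]
@="C:\\Program Files\\Example Vendor\\ievhelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InProcServer32]
@="C:\\WINDOWS\\System32\\qzhrtk.dll"
"ThreadingModel"="Apartment"
'''


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            # .reg files double backslashes and escape quotes inside string values
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = value
    return keys


def list_bhos(keys):
    """Resolve every CLSID registered under the BHO key to its DLL path and description."""
    bhos = []
    for path in keys:
        if not path.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        m = CLSID_RE.search(path)
        if not m:
            continue
        clsid = m.group(0)
        server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32", {})
        desc = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid, {}).get("@", "")
        bhos.append({"clsid": clsid, "dll": server.get("@", ""), "description": desc})
    return bhos


def suspicious(bho):
    """Heuristics assumed for this example: flag a nameless DLL served straight from
    System32 (where the dropper puts its payload) and a vowel-free, random-looking name."""
    reasons = []
    dll = bho["dll"].lower()
    if "\\windows\\system32\\" in dll and not bho["description"]:
        reasons.append("undescribed DLL registered directly from System32")
    base = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if base and not any(c in "aeiou" for c in base):   # crude random-name check
        reasons.append("random-looking file name")
    return reasons


if __name__ == "__main__":
    for bho in list_bhos(parse_reg(SAMPLE_REG)):
        print(bho["clsid"], bho["dll"], suspicious(bho) or "ok")
```

On a live Windows box the same walk can be done against the registry directly (BHODemon does exactly this), but parsing an export lets an analyst review a suspect machine's BHO list from a clean workstation. The heuristics are deliberately conservative and will miss malware that registers a friendly description or installs under Program Files; they only catch the pattern this report describes.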

When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.
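Because the BHO sends what it captured over plain HTTP right after the victim's HTTPS session, an outbound proxy log shows the pattern the text describes. The Python below is an added example, not part of the SANS diary: it flags POSTs to the collection URL named above and, more generally, any cleartext POST a client sends within a few seconds of opening an HTTPS connection to a watch-listed financial host. The log format, client addresses, host names and the ten-second window are constructed for the example; only the refestltd.com URL comes from the report.

```python
from datetime import datetime, timedelta

# Constructed proxy log in a simplified "timestamp client method url" format.
# Hosts and addresses are invented; the yes.pl URL is the one named in the report.
SAMPLE_LOG = """\
2004-06-24T09:00:01 10.1.2.3 CONNECT onlinebanking.example-bank.test:443
2004-06-24T09:00:03 10.1.2.3 POST http://www.refestltd.com/cgi-bin/yes.pl
2004-06-24T09:05:00 10.1.2.9 GET http://news.example.test/index.html
2004-06-24T09:06:10 10.1.2.9 CONNECT secure.example-bank.test:443
2004-06-24T09:06:12 10.1.2.9 POST http://203.0.113.7/collect.php
2004-06-24T09:20:00 10.1.2.3 POST http://forum.example.test/reply
"""

# Assumed watchlist of financial hosts a defender maintains (constructed names).
FINANCIAL_HOSTS = {"onlinebanking.example-bank.test", "secure.example-bank.test"}
# Collection URL from the SANS report.
KNOWN_DROP_URLS = {"http://www.refestltd.com/cgi-bin/yes.pl"}
WINDOW = timedelta(seconds=10)          # assumed: how soon after HTTPS a cleartext POST is suspect


def parse_line(line):
    """Split one constructed log line into (datetime, client, method, url)."""
    ts, client, method, url = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, method, url


def detect(log_text):
    """Return (client, url, reason) for each suspicious cleartext POST.

    Rule A: any POST to a known collection URL.
    Rule B: a cleartext HTTP POST from a client that opened an HTTPS (CONNECT)
            session to a financial host within the last WINDOW seconds."""
    alerts, last_bank = [], {}          # last_bank: client -> (time, host) of latest bank CONNECT
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = parse_line(line)
        if method == "CONNECT":
            host = url.rsplit(":", 1)[0]
            if host in FINANCIAL_HOSTS:
                last_bank[client] = (ts, host)
            continue
        if method == "POST" and url.startswith("http://"):
            if url in KNOWN_DROP_URLS:
                alerts.append((client, url, "POST to known credential-collection URL"))
            elif client in last_bank and ts - last_bank[client][0] <= WINDOW:
                when, host = last_bank[client]
                alerts.append((client, url,
                               "cleartext POST %ds after HTTPS to %s" % ((ts - when).seconds, host)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Rule B is the durable one: the collection URL in a report goes stale as soon as the operators move it, whereas "bank session, then an immediate plaintext POST somewhere else" describes the technique itself. Expect some benign noise from sites that mix HTTP and HTTPS, which is why the window is kept short.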

A complete write-up of Tom's findings is available online at http://isc.sans.org/presentations/banking_malware.pdf

Please direct any questions about this issue to the Storm Center using our online contact form at http://isc.sans.org/contact.php

{Posted by Marcus H. Sachs, SANS Internet Storm Center Director}
----------------------------------------------------------------
Handler on Duty: John Bambenek, jbamb-at-pentex-net.com



TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Miscellaneous
KEYWORDS: explorer; malware; microsoft; virus; worm
Yet another reason not to use "internet explorer".

I stole the following from someone. Can't remember who. Thanks to whoever you are!

FREE PC PROTECTION:
(Not an exhaustive list. Your results may vary. Void where prohibited. For entertainment purposes only. No wagering, please. Whattayawantfernuthin'.)
(Thanks, but "Buy a Mac" doesn't qualify as "FREE PC protection")


1 posted on 06/29/2004 2:07:11 PM PDT by zeugma
[ Post Reply | Private Reply | View Replies]

To: sauropod

read later


2 posted on 06/29/2004 2:12:37 PM PDT by sauropod (Which would you prefer? "Mr. Gorbachev, tear down this wall" or "I did not have sex with that woman?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma

Just read this on CNET. Very serious, although if you keep up with the MS patches you will be OK. These pop-ups are the one you see on Drudge all the time that emulates a Windows Pop-up window and says you have computer problems.

I suggest you install all MS patches ASAP.


3 posted on 06/29/2004 2:15:31 PM PDT by devane617
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma

thank you!


4 posted on 06/29/2004 2:29:06 PM PDT by RoseD (Oklahoma)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma
Yet another reason not to use "internet explorer".

Not so sure about that this time.

From CNET second to last paragraph.

While the latest program is installed on Windows computers using a known vulnerability, the helper file hack exploits a feature, not a flaw, and could work with most major browsers, Sachs said.

5 posted on 06/29/2004 2:39:02 PM PDT by Musket
[ Post Reply | Private Reply | To 1 | View Replies]

To: Musket
"While the latest program is installed on Windows computers using a known vulnerability, the helper file hack exploits a feature, not a flaw, and could work with most major browsers, Sachs said."

When they have a working exploit in the wild which works against Mozilla 1.7, please let me know so I can get the update which will actually be available in a timely fashion. Remember that guy who was tracking unfixed IE vulnerabilities? He had some that had sat for like two years without a working fix.
6 posted on 06/29/2004 2:48:11 PM PDT by NJ_gent
[ Post Reply | Private Reply | To 5 | View Replies]

To: Musket

Thankfully, I don't have any cash, thus I-net money transactions are irrelevant at least at this time.

But with ZoneAlarm, Norton, and the Win firewall up (and all patches to-date installed,) GRC gives me good marks and there are no bugs on this box.

Find wood, knock hard and often...


7 posted on 06/29/2004 2:50:01 PM PDT by ninenot (Minister of Membership, TomasTorquemadaGentlemen'sClub)
[ Post Reply | Private Reply | To 5 | View Replies]

To: devane617
although if you keep up with the MS patches you will be OK.

Ever try running MS's Windows update? That piece of crap looks for ways not to run on your machine. XP, anyways, and MS's help is of no help at all.

I get better info from sites not affiliated with MS.

8 posted on 06/29/2004 2:50:10 PM PDT by Calvin Locke
[ Post Reply | Private Reply | To 3 | View Replies]

To: ninenot
I do my banking on an old Mac but I know someday I'll have to switch to Windows so I'm trying to run as secure as possible.

I've got pretty much the same setup going--check Windows Updates regularly, auto update the Norton Antivirus, run Spybot Search and Destroy regularly, run Ad-Aware regularly, running Zone Alarm always, and have NAT at the Linksys router. And now using Mozilla Firefox browser. I too get high marks from GRC. But that's an awful lot of stuff to keep up with. Are normal people actually doing all of this stuff? I kinda doubt it.

9 posted on 06/29/2004 3:11:28 PM PDT by Musket
[ Post Reply | Private Reply | To 7 | View Replies]

To: devane617; rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; ...
I suggest you install all MS patches ASAP.

..While I suggest a better alternative, due to this CERT advisory.

10 posted on 06/29/2004 3:18:31 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 3 | View Replies]

To: zeugma

These people should be shot in the street and left for the rats to pick their bones.


11 posted on 06/29/2004 3:27:07 PM PDT by IronJack
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma
Amen to using Mozilla as an alternative to IE. The spyware that shows up on my machine has dropped almost to zero since I made the switch.

Avoid online game sites--when others use my computer to play games is when I get spyware. At all costs DO NOT download Kazza. My daughter did this and I spent nearly 8 hours removing nearly 500 pieces of spyware and malware from her less than one month old computer.

12 posted on 06/29/2004 3:27:26 PM PDT by The Great RJ
[ Post Reply | Private Reply | To 1 | View Replies]

To: The Great RJ

I just started using firefox. When I run a browser check it says that my browser is Netscape and the license is Mozilla/firefox. Does this mean that I need to update my Netscape and Firefox? Sorry, just a little confused how the two interrelate.


13 posted on 06/29/2004 3:38:51 PM PDT by mlbford2 (Sorry for spelling errors, I'm a product of a state university)
[ Post Reply | Private Reply | To 12 | View Replies]

To: The Great RJ

An alternative is Kaza Lite. It doesn't load the spyware nor the popups and it has a "speed up" feature to download from several people at a time. Works great and no headaches.


14 posted on 06/29/2004 3:45:47 PM PDT by Smartaleck
[ Post Reply | Private Reply | To 12 | View Replies]

To: Musket
While the latest program is installed on Windows computers using a known vulnerability, the helper file hack exploits a feature, not a flaw, and could work with most major browsers, Sachs said.

So, are you saying that the real fix is to install Linux and Mozilla? I would agree that this would be a much better solution to staying with microsoft windows.

15 posted on 06/29/2004 3:45:51 PM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: IronJack
These people should be shot in the street and left for the rats to pick their bones.

Tell us what you really think IronJack. I'd have to agree, but personally, would like to see fire somehow thrown into the mix. I can't think of a worse way to die.

16 posted on 06/29/2004 3:48:34 PM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: zeugma; Musket
So, are you saying that the real fix is to install Linux and Mozilla? I would agree that this would be a much better solution to staying with microsoft windows.

That's where I'm headed... Firefox already on both home machines, and 3 MandrakeLinux CD's that I burned yesterday sit before me waiting to be installed.

I wasted days trying to get rid of a new hijacker and I'm tired of doing Microsoft's cleanups for them.

BTW, here's the best forum I found so far:

SWI Forums

...and irony of ironies, I found it via a porn site that hates this garbage as much as I do.

17 posted on 06/29/2004 3:55:59 PM PDT by backhoe (-30-)
[ Post Reply | Private Reply | To 15 | View Replies]

To: zeugma

Well sure, Linux or Mac would be the safest way to go, but I'm going to school for networking and it's pretty much all Windows - with a little bit of Linux. I've got Mandrake on the other half of this XP machine and I'd love to use it all the time but I have to get real cozy with Windows and all the crap that comes with it. That's the way of the real world.: (


18 posted on 06/29/2004 4:08:49 PM PDT by Musket
[ Post Reply | Private Reply | To 15 | View Replies]

To: Calvin Locke

Ever try running MS's Windows update? That piece of crap looks for ways not to run on your machine.

====

I hear ya! That's when the start of my recent problems began, on my last update that didn't finish (XP Pro). Either that, or as someone suggested here earlier, going to a linked photo may be a big problem. Don't know, haven't figured out my problem yet, even after trying to use the IE troubleshooter. I can't connect for more than 3-4 pages, then IE quits "can't find server". Even Netscape (my preference) is affected.

I tried all steps here also at http://support.microsoft.com/default.aspx?scid=kb;en-us;314067&Product=winxp

No avail, think I'll have to call the local weenie to help me out pretty soon, lol.

So, how do you update XP? (Please answer private, so's to be sure I see it.)

PS, in case anyone wonders, I have to log on to my employer's server to get here.


19 posted on 06/29/2004 4:26:45 PM PDT by JLO
[ Post Reply | Private Reply | To 8 | View Replies]

indexing bump


20 posted on 06/29/2004 4:29:01 PM PDT by meadsjn
[ Post Reply | Private Reply | To 1 | View Replies]

To: JLO
I'm still pretty green on Windows, but I think if my Windows Update failed and caused problems, the first thing I would try would be to go back a few days or so and do a System Restore.

Anybody else have a suggestion?

21 posted on 06/29/2004 4:45:06 PM PDT by Musket
[ Post Reply | Private Reply | To 19 | View Replies]

To: Musket

I've had all the necessary checks/balances in place and always update everything. I still got recent problems. Haven't figured them out yet (see post of mine just a few minutes ago for particulars.) So, I do think people are aware and doing updates, etc. but, something new is always around to bite us in the A$$, seems to me.


22 posted on 06/29/2004 4:46:22 PM PDT by JLO
[ Post Reply | Private Reply | To 9 | View Replies]

To: Musket

new firefox user bump for later...


23 posted on 06/29/2004 4:49:25 PM PDT by Ulysses ("Most of us go through life thinking we're Superman. Superman goes through life being Clark Kent!")
[ Post Reply | Private Reply | To 21 | View Replies]

To: Musket
I wish I had suggestions. I rebuilt my system weekend before last and when problems cropped up less than a week later I attempted a series of restores, which did not "take", and the OS did not allow an "undo" of the restore.

Windows XP.
I now have a 30-pound doorstop.

24 posted on 06/29/2004 4:53:46 PM PDT by Publius6961 (I don't do diplomacy either.)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Publius6961

"I now have a 30-pound doorstop."

Ouch! Have you tried pulling the drive, jumpering as slave, and using a working machine to examine the drive & files? You might be able to get some of your data back.

A self-booting Linux CD like Knoppix can sometime help, too:

http://www.freerepublic.com/focus/f-news/1024002/posts
Knoppix Linux penetrates Windows security. I used it to rescue/recover from Windows crash


25 posted on 06/29/2004 5:09:35 PM PDT by backhoe
[ Post Reply | Private Reply | To 24 | View Replies]

To: Musket

Hey thanks, but that was the first thing I did. And have tried numerous times, using different dates, for several months past. It really seems like TCP/IP connectivity doesn't respond to that fix. Thanks for the response though!


26 posted on 06/29/2004 5:29:43 PM PDT by JLO
[ Post Reply | Private Reply | To 21 | View Replies]

To: Publius6961

Hey FRiend, let me know if you get a fix, will ya, by Freepmail? I've got a similar doorstop with XP Pro, LOL!


27 posted on 06/29/2004 5:40:41 PM PDT by JLO
[ Post Reply | Private Reply | To 24 | View Replies]

To: ShadowAce

Firefox user bump.

I love my XP box for things like games and Windows apps, but Firefox and Thunderbird are a nice layer of protection.

Plus, I don't know what I ever did without tab browsing.

I am building a Fedora v2 laptop for general browsing and email at home.


28 posted on 06/29/2004 6:10:38 PM PDT by CyberCowboy777 (Veritas vos liberabit)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Musket
yep

bottom line is many apps are still reliant on windows and most businesses still run windows environments.

I look forward to the day when Microsoft has to build a more secure product because of market forces, but the current state of affairs with MS is proof positive that Linux has but a very small place in the PC world.

BTW - What are you taking specifically? A DNET program of some sort?

29 posted on 06/29/2004 6:22:12 PM PDT by CyberCowboy777 (Veritas vos liberabit)
[ Post Reply | Private Reply | To 18 | View Replies]

To: JLO

You're on the right track, it is a connectivity issue.

What kind of connection do you use? dial-up?


30 posted on 06/29/2004 6:26:13 PM PDT by CyberCowboy777 (Veritas vos liberabit)
[ Post Reply | Private Reply | To 26 | View Replies]

To: zeugma
A complete write-up of Tom's findings is available online at http://isc.sans.org/presentations/banking_malware.pdf

Am I the only one for whom half of this PDF file (wherever he's quoting code) is a bunch of unreadable gunk?

31 posted on 06/29/2004 6:28:15 PM PDT by Dont Mention the War (we use the "ml maximize" command in Stata to obtain estimates of each aj , bj, and cm.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Musket
Are normal people actually doing all of this stuff? I kinda doubt it.

Some people don't change the oil in their cars, nor keep enough air in their tires. Some people don't paint the exterior wood on their houses.

Some people don't wash their hands before eating.

Some people spend a lot to REPLACE stuff that's in an early grave, too.

32 posted on 06/29/2004 7:09:29 PM PDT by ninenot (Minister of Membership, TomasTorquemadaGentlemen'sClub)
[ Post Reply | Private Reply | To 9 | View Replies]

To: zeugma

bump


33 posted on 06/29/2004 7:15:07 PM PDT by VOA
[ Post Reply | Private Reply | To 1 | View Replies]

To: CyberCowboy777

I also use Thunderbird and Firefox.


34 posted on 06/29/2004 7:15:42 PM PDT by rintense (Screw justice. I want revenge.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: rintense

new user to the mozilla browser also. then i installed firefox and thunderbird. this was last week i had been having nothing but trouble with spyware on my machine. after closing IE for the last time i can report that i have been bug free!!! i have kinda made my mozilla my fave although i do like firefox and thunderbird ,so iam keeping them all. great products!


35 posted on 06/29/2004 7:40:02 PM PDT by suzyq5558 (Slicks braclet is a secret mood ring when its red he's fondly remembering the KSNAP of the thong)
[ Post Reply | Private Reply | To 34 | View Replies]

To: CyberCowboy777
BTW - What are you taking specifically? A DNET program of some sort?

An 18 month course called "Network Security Systems" at a trade school here in Chicago. I'm about halfway through.

36 posted on 06/29/2004 9:45:55 PM PDT by Musket
[ Post Reply | Private Reply | To 29 | View Replies]

To: zeugma

BTTT


37 posted on 06/29/2004 9:50:04 PM PDT by Fiddlstix (This Tagline for sale. (Presented by TagLines R US))
[ Post Reply | Private Reply | To 1 | View Replies]

To: Musket
Anybody else have a suggestion?

I can't say this enough to anybody who'll listen. Image your machine(s).. Don't care what you use - Ghost, Drive Image, etc. You may need to purchase a CD burner or a second HD, but it's well worth it. I re-image at least once a week. Takes all of 20 minutes and !voila!, I've got a clean install - all apps, settings, etc - just the way I left 'em.

38 posted on 06/29/2004 10:00:38 PM PDT by TomServo ("I'm so upset that I'll binge on a Saltine.")
[ Post Reply | Private Reply | To 21 | View Replies]

To: Musket
Well, I feel your pain. I've found that even here in the real world outside of school, that there are ways to avoid microsoft operating systems for the most part.

I'm in the process of looking for a new job myself at the moment, because the MS zealots are incrementally making my life more difficult day by day.

If it were up to me, companies that put critical infrastructure on microsoft operating systems would be held criminally liable for their actions. :-)

39 posted on 06/29/2004 10:18:55 PM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 18 | View Replies]

To: TomServo
Image your machine(s)

Excellent advice.

40 posted on 06/29/2004 10:32:44 PM PDT by Musket
[ Post Reply | Private Reply | To 38 | View Replies]

To: zeugma
MS zealots

I've got a couple in my class. I call 'em MS coolaid drinkers. They're so pigheaded. They won't even TALK about something else - let alone consider it an Operating System. I asked one of 'em the other day what he would do if his boss told him to install a Linux server. He said he would quit his job. Something wrong with those people.

Sure it's possible to avoid MS products and my hats off to you if you've found a way to do it.

41 posted on 06/29/2004 10:48:42 PM PDT by Musket
[ Post Reply | Private Reply | To 39 | View Replies]

To: backhoe

I was firing up Suse Linux 9.1 Professional when My Motherboard crapped out, so that machine is sitting on the patio workbench while I think about what to do.

Installed in less than an hour complete with browser.....
I was impressed....

Got to figure out how to get Firefox installed on when the machine is running again!



It was going to be my main machine, AMD64 with a gig of fast memory, but it has just given me headaches .


42 posted on 06/30/2004 11:51:44 AM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 17 | View Replies]

To: ShadowAce
Firefox is working Great!!!!!

I like the ability to choose whether to open a new window or open a new Tab, helps give some organization when you have dozens of documents open!!!! A

And downloads going ....etc!
43 posted on 06/30/2004 12:05:53 PM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 10 | View Replies]

To: backhoe; ShadowAce

Oh that is a great website.... we were talking about that the other day on a thread Shadowace started.

Got several of us to try Firefox..


44 posted on 06/30/2004 12:09:13 PM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Ernest_at_the_Beach
I was firing up Suse Linux 9.1 Professional when My Motherboard crapped out...

Must be "bad computer Karma" month- the Mobo on my backup PC died about 3 weeks ago- power supply zapped it.

Oddly enough, I tried SUSE's 9.1 home version, but the bleeding thing wouldn't log on to the internet, or let me log in to the system at startup ( naturally, being the one who set it up, I was administrator ) so I finally RMA'd it back to them. Ironically, their LiveCD that boots off the CD worked fine, so I suspect a defective disc.

Anyway, I am a-setting here looking at those CD's I burned and wondering "how badly do I want to learn yet another OS?"

45 posted on 06/30/2004 1:03:22 PM PDT by backhoe
[ Post Reply | Private Reply | To 42 | View Replies]

To: Ernest_at_the_Beach
I like the ability to choose whether to open a new window or open a new Tab

Let me ask you a dumb question- how do you do that? I've been using the old Netscape control-n to pop up another browser when I need it.

46 posted on 06/30/2004 1:12:40 PM PDT by backhoe
[ Post Reply | Private Reply | To 43 | View Replies]

To: backhoe

Well with Firefox, on the bookmarks, work your way thru the folders to the entry that you would normally just click on with the left button, use the right mouse button instead and you will get a list of options, my system shows nine such....
for me...the top three say open, open in new window, open in new tab.... so I normally use one of the two latter ones, so I would keep each new thread in its own window, and cut and paste , reply activity for that thread in that window but on a new tab.

Now when I want to close out the thread and my activity, the other tabs, just click on the big red X in the upper right corner and respond to the question box that firefox throws up asking if you want to close the window and all associated tabs......pretty neat.

I have looked at other browsers and I don't recognize that they have the capability quite like this.


47 posted on 06/30/2004 2:21:41 PM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 46 | View Replies]

To: backhoe
Anyway, I am a-setting here looking at those CD's I burned and wondering "how badly do I want to learn yet another OS?"

RIGHTO!!!!!!

But you are some ways there, if you can run knoppix...

I am not a total novice since I had some training on AIX before I left Big Blue, but it didn't stick very well.

48 posted on 06/30/2004 2:25:51 PM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 45 | View Replies]

To: Ernest_at_the_Beach
Well with Firefox, on the bookmarks, work your way thru the folders to the entry that you would normally just click on with the left button, use the right mouse button instead and you will get a list of options, my system shows nine such.... for me...the top three say open, open in new window, open in new tab....

Appreciate it... as I slap my head and go "Duh!"

I keep forgetting that "advanced Windows" is right-click. There are days I miss the command line where you tell the damned thing what it's supposed to do. Of course, this is from a guy who was content with DOS 3.3 until around 1998...

49 posted on 06/30/2004 3:00:33 PM PDT by backhoe
[ Post Reply | Private Reply | To 47 | View Replies]

To: backhoe

Just go around clicking the right mouse button, all kinds of interesting options show up,.... works with the Free Republic,
post, search, my comments,....etc.


50 posted on 06/30/2004 3:08:06 PM PDT by Ernest_at_the_Beach (.)
[ Post Reply | Private Reply | To 49 | View Replies]

