Posted on 06/29/2004 2:07:10 PM PDT by zeugma
------------------------------------------
Browser Helper Objects (BHO) scanning tool
------------------------------------------
BHODemon is a free tool that will list all Browser Helper Objects that are installed on a Windows system by scanning the registry and give you the ability to disable them. This will list "good" BHOs as well, but nevertheless is a useful tool in detecting and disabling malicious software.
It is available at: http://www.definitivesolutions.com/bhodemon.htm
-------------------------------
New scam targets bank customers
-------------------------------
On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.
The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.
The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under WindowsXP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer.
A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHOs and then loads them into the memory space for IE. Created BHOs then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.
When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.
A complete write-up of Tom's findings is available online at http://isc.sans.org/presentations/banking_malware.pdf
Please direct any questions about this issue to the Storm Center using our online contact form at http://isc.sans.org/contact.php
{Posted by Marcus H. Sachs, SANS Internet Storm Center Director}
----------------------------------------------------------------
Handler on Duty: John Bambenek, jbamb-at-pentex-net.com
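As an added illustration (not code from the SANS write-up, and not BHODemon's own code), the script below does the registry walk the diary describes on the defender's side: it parses a `reg export` of the BHO key, resolves each CLSID to its InprocServer32 DLL, and flags any DLL sitting directly in System32, the drop location reported above. The sample export, its CLSIDs, names and paths are constructed.

```python
# Constructed sample of a "reg export" of the BHO registration keys; the
# CLSIDs, names and paths are hypothetical, not taken from the write-up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Acme PDF Helper"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Acme\\pdfhelper.dll"
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\System32\\qwxzpl.dll"
"""

BHO_KEY_MARK = "\\Explorer\\Browser Helper Objects\\{"
SYSTEM32_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: string}} (REG_SZ only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # .reg doubles backslashes inside strings; collapse them.
                keys[current][name] = value[1:-1].replace("\\\\", "\\")
    return keys

def list_bhos(keys):
    """Resolve each BHO CLSID to its name and DLL; flag DLLs dropped in System32."""
    found = []
    for path in keys:
        if BHO_KEY_MARK not in path:
            continue
        clsid = path.rsplit("\\", 1)[1]
        clsid_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid
        name = keys.get(clsid_key, {}).get("(default)", "")
        dll = keys.get(clsid_key + "\\InprocServer32", {}).get("(default)", "")
        # The write-up's DLL was a randomly named file directly in System32.
        found.append({"clsid": clsid, "name": name, "dll": dll,
                      "suspicious": dll.lower().startswith(SYSTEM32_DIRS)})
    return found

if __name__ == "__main__":
    for bho in list_bhos(parse_reg(SAMPLE_REG)):
        print("SUSPECT" if bho["suspicious"] else "ok     ", bho["clsid"], bho["name"] or "(no name)", bho["dll"])
```

On a live system the same two keys are exported with `reg export` of the Browser Helper Objects key and of HKCR\CLSID; the System32 check is a triage heuristic, so flagged entries still need a look at the file itself.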
They had dropped a cookie on my system,
Karen's package shows you the website address.
_________________________________________________________________
It's Free and informative. Thank you for your interest in our ad management and Web analytics solutions. Please enter your contact information below, and a representative will contact you within one business day to schedule your free online software demo. *Required fields are bold.
------------------------------------------------------
From here: This phrase "Web site Analytics" must include the cookie dropping exercise. To see how often you come back.
_________________________________________________________________________
Welcome to selectmetrics.
selectmetrics started life as MeasureCast in 1999, the first company to provide Internet broadcasters and advertisers with innovative technology for streaming audience measurement. Our industry leading technology provides accurate, timely, third party reports on audience size and demographics - information essential to making educated media placement and analysis. In November, 2002, we licensed our streaming measurement technology to Arbitron, creating Arbitron's Internet Broadcast Service, making it the sole standard in internet streaming broadcast measurement. Now under the name selectmetrics, we are continuing development of innovative Internet audience measurement technologies. Our partners and investors include Nielsen Media Research, Nielsen//NetRatings, TransCosmos JP, and CoMotion VC.
Thanks Tom- I despise the $%!& mouse... use trackballs here.
Highlight a block from a webpage, and right-click... the source code, already highlighted to copy & paste, pops up. Like "view partial source" in IE, but easier.
Yah, I am using the heck out of that.
_____________________________________________________
Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. BHODemon is free, runs in the "tray" area, and works on Windows 95 or later operating systems (in other words, Windows 95, Windows 98, Windows 98SE, Windows ME, Windows NT4, Windows 2000, and Windows XP).
ZA now reinstalled. And I do a daily AVG virus update and run. Nothing shows up as tainted. But...I gotta read this whole thread now current; on first skim, it looks like there's a fix in the works.
Thanks as always.
Hey, TomServo, old buddy, old pal (LOL -not really, as I don't think we've talked before) - just a FRiendly greeting, ok?
I've asked my local computer 'experts' about ghosting. They couldn't tell me what is required, and how to do it. Or they WOULDN'T, just so they were the only ones around here up north in the boonies of MN who could do it for others, and not explain how to do it.
I have a CD burner, I guess. Never used it. Don't know how to. Read instructions awhile back. Didn't care then. Instructions??????????? Where in the world would I have put THOSE --- LOL.
Hey, thanks a bunch! I will for sure try that!
My Zone Alarm is getting bombarded with pings from some DNS addresses named server1-killer-pimp.com and reversetheplanet.com.
Has anyone else seen this on their ZA logs?
Wow, hey! That seemed to work! I've been connected locally for a few hours now.
Can't thank YOU enough!!!!! Ernest_at_the_Beach
So what did you do?
Hey, kinda funny - I didn't actually DO anything different than before. But - for some reason, or other - after clicking your link - and reading, is all, I swear...I now can connect locally long-time.
You must have magic, long-range fingers, LOL!
Sorry! I forgot to say! I had to reinstall ZoneAlarm.
Maybe Zonealarm had a problem.
Yes, guess so. Whatever problem I had wiped it out, I think. Or fixed it, or something.
Reinstalling it, seemed to work. And I can't thank you enough with your help, and saving me from the locals.
THANKS Ernest_at_the_Beach!!!
After determining if it's compatible, simply go out and buy it online. You can start Here. Make sure you buy a version compatible with your OS.
After purchasing it read the manual before proceeding any further. You can wreck your current software installation if you're not careful.
LOL - "You can wreck your current software installation if you're not careful"
Well, now you done scared me.
I sure appreciate your links, and all, but I'm afraid. Thanks TomServo, I'll check them out. :-)
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.