Posted on 06/30/2004 5:37:14 AM PDT by Happy2BMe
A malicious program that installs itself through a pop-up can read keystrokes and steal passwords when victims visit any of nearly 50 targeted banking sites, security researchers warned on Tuesday.
The targeted sites include major financial institutions, such as Citibank, Barclays Bank and Deutsche Bank, researcher Marcus Sachs said Tuesday.
"If (the program) recognizes that you are on one of those sites, it does keystroke logging," said Sachs, director of the Internet Storm Center, a site that monitors network threats. Financial sites protect log-in data with the SSL encryption built into the browser, but the Trojan horse captures the information before the browser encrypts it. "The browser does not encrypt data between your keyboard and computer. It's encrypting it (when it goes) out onto the Web."
Sachs said the Trojan horse was first discovered on the computer of "an employee at a major dot-com." The victim apparently picked up the program from a malicious pop-up ad that used a flaw in Internet Explorer's helper server to install itself on the user's PC. In this case, because of the computer's security settings, the installation failed. Microsoft said IE users should raise the security settings to high until the company issues a patch.
Two other IE flaws, which Microsoft has yet to fix, were used recently in two other hacking schemes, one last week that turned some Web sites into points of digital infection, and another, earlier in the month, that installed a toolbar on victims' computers that triggered pop-ups. This most recent Trojan horse differs from the attack software used in last week's Web site compromises but could be paired with that technique to spread spyware.
Researchers at the Internet Storm Center studied the Trojan horse file, called "img1big.gif," which was provided by the dot-com. Working through the weekend, the security experts reverse-engineered the program and discovered that it targeted a long list of banks and attempted to steal the account information of those institutions' customers.
The program points to a recent trend in computer viruses and remote-access Trojan horse, or RAT, programs: Attackers are increasingly after money. In April, security experts warned that 'bot networks'--large networks of zombified home PCs--are a greater threat than high-profile worms such as Sasser and MSBlast, because they could be used to steal financial information or to send untraceable spam.
"In the past, the most common way to collect financial information was through fraud like the Nigerian e-mail scam," said Oliver Friedrichs, senior manager in antivirus company Symantec's security response center. Friedrichs said that in the past few months, Symantec analysts have studied threats similar to the current Trojan horse.
Because it carries a .gif file extension, the Trojan horse appears to be a graphic in a compressed format commonly found on the Internet. In reality, it is two programs: a "file dropper" that installs the keystroke logger on the victim's computer, and a browser helper file that surreptitiously captures usernames and passwords.
The first file attempts to run itself by using an old Internet Explorer flaw, and the second file uses a feature of most major browsers, known as helper files, to intercept data, Sachs said.
"Before data goes through your browser, it can be processed by a helper file," he said. "What makes this one really clever is that (it takes) advantage of the ability in all browsers to use helper files and defeat the encryption."
Once the Trojan horse captures financial information, it encrypts the data by using a program hosted on an Internet server and sends the data back to the attackers, who appear to be in South America, Sachs said.
Security experts have stressed the vulnerability of Microsoft's Internet Explorer recently, following public warnings of vulnerabilities in the browser that could enable attackers to install malicious programs. Those flaws have not yet been fixed by Microsoft.
An attack that had used a vulnerability to turn some Web sites into points of digital infection was nipped in the bud Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code. Compromised Web sites are still attempting to infect Web surfers' PCs by referring them to the server in Russia, but that computer can no longer be reached.
While the latest program is installed on Windows computers using a known vulnerability, the helper file hack exploits a feature, not a flaw, and could work with most major browsers, Sachs said.
"Sometimes, there's not much difference between a feature and a flaw," he said.
Internet Explorer is the most vulnerable browser, by far.
It seems this is particularly true if you're using a Microsoft product.
Keep your anti-virus software up to date and install Ad-aware and Spybot and run them regularly. And don't download files from a source you don't trust.
No, they do not have the same flaw.
Also, some very good info & links regarding malware in general:
One question:
...Internet Explorer's helper server...
What's that? Possibly a mirror site that is used to get IE?
In a greater sense - It amazes me that the whole infrastructure still works. I am constantly engaged in best management practices. I have maintained a pretty safe environment (patches, updates, complex passwords, cookie management, etc). I find it hard to believe that most folks take the time that is needed to (help) ensure secure systems. So - again, I am amazed that it hasn't yet come to a grinding halt.
Thanks for the article.
It's 10 PM - do you know where your POP-UPS are?
Pop-ups are those things you put in your toaster in the morning.
#2 son was going to install Mowzilla on my computer over last weekend, but he didn't do it. Gotta get after him!
One flaw lets an attacker run a program on a victim's machine, while the other enables malicious code to "cross zones," or run with privileges higher than normal. Together, the two issues allow for the creation of a Web site that, when visited by victims, can upload and install programs to the victim's computer, according to two analyses of the security holes.
The possibility that a group or company has apparently used the vulnerabilities as a way to sneak unwanted advertising software, or adware, onto a user's computer could be grounds for criminal charges, said Stephen Toulouse, security program manager for Microsoft.
"We consider that any use of an exploit to run a program is a criminal use," he said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so."
Microsoft learned of the issue when a security researcher posted an analysis of the problem to the Full Disclosure security mailing list Monday. The software giant has already contacted the FBI and is in the "early stages" of building the case, Toulouse said. The company is considering creating a patch quickly and releasing it as soon as possible, rather than waiting for its usual monthly update.
The flaws are apparently being used to install the I-Lookup search bar, an adware toolbar that is added to IE's other toolbars. The adware changes the Internet Explorer home page, connects to one of six advertising sites and frequently displays pop-ups--mainly pornographic ads, according to an adware advisory on antivirus company Symantec's Web site.
On Tuesday, security information group Secunia released an advisory about the problem, rating the two flaws "extremely critical."
"Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0," the group wrote. "It has been reported that the preliminary SP2 (a major security update being developed by Microsoft) prevents exploitation by denying access."
The flaws could let any attacker with a Web site send an e-mail message or an instant message with a link that, when clicked on by an Internet Explorer user, would cause a program to run on that victim's computer.
The original analysis was written by a Dutch student researcher, Jelmer Kuperus, who found that the programming needed to take advantage of at least one of the flaws required sophisticated knowledge of the Windows operating system.
"While sophisticated, it's so easy to use, anyone with basic computer science can set up such a page, now that the code is out there in the open," Kuperus wrote in an e-mail interview with CNET News.com. "It's just a matter of changing two or three (Internet addresses) and uploading another" executable file.
Kuperus, who used an e-mail account based in the Netherlands, wrote in a Monday e-mail that he had been tipped off to the adware Trojan horse by an unnamed individual.
"Being rather skeptical, I carelessly clicked on the link only to witness how it automatically installed adware on my PC!" he wrote.
The Internet address from which the adware Trojan horse was downloaded resolves to I-Lookup.com, a search engine registered in Costa Rica that antivirus firms Symantec and PestPatrol have linked to aggressive advertising software. Two of the top three searches on the site relate to removing such programs, according to I-Lookup.com's own statistics.
A domain name search shows i-Lookup.com's parent company to be Aztec Marketing, but Pest Patrol links the site with iClicks Internet. E-mails sent to both companies for comment were not immediately answered.
Kuperus believes that i-Lookup.com's parent company may not be directly responsible for the adware-installing Trojan horse program, but that it could be rewarding the creator through an affiliate program.
"It does pass along a referrer code when downloading," he said. "Whomever created this probably is getting money for every install, so if the folks at (i-Lookup.com) would be willing, they would be able to track down the perpetrators."
Microsoft's Toulouse said Internet Explorer users could harden the software against such attacks by following instructions on the company's site. Other browsers available on Windows, such as Opera and Mozilla, do not contain the flaws.
That's not what the article says, " and the second file uses a feature of most major browsers, known as helper files, to intercept data, Sachs said.
For IE users, Microsoft offers this:
In January, Paul Haigh downloaded Google's toolbar to dispel annoying pop-up ads. By March, they were back.
Google's pop-up blocker, included as part of the Web search engine's popular browser plug-in, "worked fantastically well for about two months, blocking everything," said Haigh, a photographer from the United Kingdom. "Then the odd pop-up started to appear, mainly on highly ad-displaying sites based in the United States."
"I know they are on the increase because they are annoying me again," he said, adding that he's received three this week.
Pop-up purveyors are finding ways around popular new filters that aim to stomp them out, the latest sign of an Internet arms race over one of the most effective and controversial Web advertising formats around.
Google, America Online, Yahoo, EarthLink, Microsoft and a slew of niche software developers have begun offering consumers easy-to-install, free blocking software. As much as 30 percent of the Internet population uses a pop-up guard, according to estimates from ad technology companies. That number is set to soar when Microsoft releases an update to its Windows XP operating system later this summer that is expected to include a pop-up blocker for its Internet Explorer Web browser, which serves about nine in 10 people who surf the Web.
Because IE so thoroughly dominates the browser market, ad executives and Internet watchers believe the changes could finally burst the bubble for pop-ups.
But marketers intent on preserving and extending the lucrative format have already developed workarounds that are duping existing blockers, setting the stage for a major battle for control over consumer PC screens.
"Relatively quickly (IE) will displace all other pop-up blockers, then people will try to figure out how to get around that," said Richard Smith, a privacy and security expert.
At stake is the future of a form of online advertising that many ad executives say is among the highest performers for Internet marketers--despite severe negative reactions from a majority of Web users.
Research shows the ads have only become more prevalent since the rise of pop-up guards. In the last two years, the number of pop-ups and pop-unders delivered to Web users has more than tripled. (Pop-ups appear over a Web page, while pop-unders appear behind one, but otherwise they function the same way.) They made up 6.4 percent of all online ads in April of this year, compared with 1.8 percent in the same period of 2002, according to data from researcher Nielsen NetRatings.
Publishers willingly allow pop-ups or pop-unders because they command higher prices, and they're in high demand by advertisers. Ad executives say they can cost advertisers about $10 per thousand sent for top-rated sites. That compares with between $2 and $3 per thousand for a static banner ad that appears on the same popular site.
The Web sites that sold or disseminated the most pop-up ads in the month of April include CNN.com, ESPN.com, Excite.com, Weather.com, and The New York Times.
Click rates, or the number of times people click on an ad, could explain the growth of pop-up ads. Marketers say between 2 percent and 5 percent of the people who receive them will respond with a click. That compares with less than 0.35 percent for the most widely used ad on the Net today, static banners, according to an ad server report from DoubleClick.
"Pop-unders still yield the best performance," said John Enghauser, business development manager for TrafficMarketplace, an ad network and one of the biggest distributors of pop-ups. He said that his company does not do any workarounds to deliver the ads.
Blocking software typically suppresses the new window. It watches for the JavaScript call that opens one, window.open(), in the scripts embedded in a Web page's HTML (Hypertext Markup Language). That call is what summons a third-party ad server to deliver the pop-up or pop-under.
Deflating pop-up blockers
Some new pop-up techniques simply avoid that command, thus subverting blockers that rely on suppressing it. For example, some advertisers are sending pop-ups through a "user initiated command" triggered when people mouse over an object on the page, according to ad executives familiar with the technique.
"It initiates a JavaScript command, and it gets around pop-up blockers that don't block user initiated commands like Google and Yahoo," said Adam Tuttle, director of Adserver sales for Fastclick, another ad network. Adserver does not use the technique, he said, because it does not behoove the company to send an ad to someone wishing to avoid it.
Mainstream advertising networks and distributors are reluctant to discuss what steps, if any, they are taking to circumvent pop-up blockers, although some admit that they've developed new methods to serve such ads. In addition, some advertisers are busy developing intrusive formats that mimic pop-ups in their ability to grab attention, but that don't surrender control over when and how they're displayed to consumers' Web browsers.
Publishers have taken to spawning in-page ads in lieu of pop-ups, called "overlays" or "floater ads." Like a sheet of paper laid on top of another, the ad floats over the middle of a Web page to catch people's attention before they read the requested content. Visitors typically can't manipulate the ads the way they can a pop-up or pop-under, by minimizing the window or clicking the exit button. Floating ads remain on the page until they disappear on their own, or until the visitor leaves the page.
Pop-up blockers like Google's or Yahoo's don't prevent these ads from appearing because no new window is ever opened: the ad is built with dynamic HTML, script that positions a layer over the page's own content, and blockers watch for window-opening calls, not for changes to the page layout.
Sites including Netscape and MSN Money use overlay advertisements in lieu of pop-ups.
Many ad-delivery companies are now using technology to detect whether or not a computer or visitor has installed a pop-up blocker. If one is detected, it will deliver a floating ad to the page instead. Burst Media, for example, is one company that is experimenting with the overlays.
"Instead of a pop, they float over the page," said Jarvis Coffin, CEO of Burst Media, which represents ad sales for about 2,000 sites.
Undertone Networks, one of the largest distributors of pop-under ads, with customers including Yahoo Personals, HBO and Orbitz, uses pop-up blocking detection technology from Zedo, an ad delivery company based in San Francisco.
Yahoo spokeswoman Stephanie Iwamasa said that because the ads are delivered differently, the company doesn't necessarily consider them pop-ups and therefore doesn't block them. However, she said, Yahoo is always evaluating new technologies to help improve consumers' experience on the Web.
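An added example, not code from the CNET article or from any real blocker or ad network: a small Node.js model of the decision a 2004-era pop-up blocker made when a page called window.open(), and of the two workarounds described above, firing the open from a "user initiated" mouseover and probing for the blocker so an in-page overlay can be served instead. The browser, the event names, the policies and the URLs are all constructed for the demonstration.

```javascript
// Added example (not code from the CNET article or from any real blocker):
// a Node.js model of the decision a 2004-era pop-up blocker made when a
// page called window.open(), and of the two workarounds the article
// describes: firing the open from a "user initiated" mouseover, and
// detecting the blocker so an in-page overlay can be served instead.
// The browser, the events and the URLs are all constructed for the demo.

// Which DOM events each blocker policy accepts as a genuine user gesture.
// null means "no blocker installed": every open() succeeds.
const POLICIES = {
  none: null,
  // Lax (the gap the mouseover trick used): anything the user's input
  // fires counts, so merely moving the mouse over an ad slot qualifies.
  lax: new Set(['click', 'keypress', 'mouseover', 'mousemove']),
  // Strict: only deliberate activation counts, which is what later
  // browser-integrated blockers settled on.
  strict: new Set(['click', 'keypress']),
};

function makeBrowser(policyName) {
  const trusted = POLICIES[policyName];
  let currentEvent = null; // the event whose handler is executing right now
  const log = [];

  // The blocker's hook: stands in for a wrapped window.open().
  function open(url) {
    const gesture =
      currentEvent !== null && trusted !== null && trusted.has(currentEvent);
    const decision = trusted === null || gesture ? 'opened' : 'blocked';
    log.push({ url, event: currentEvent, decision });
    return decision;
  }

  // Run a handler "inside" a DOM event, as the event loop would. Anything
  // the handler does synchronously is attributed to that event; anything
  // deferred (a timer, or script run from onload) is not.
  function dispatch(type, handler) {
    currentEvent = type;
    try {
      return handler();
    } finally {
      currentEvent = null;
    }
  }

  return { open, dispatch, log };
}

// The four ways an ad script might spawn a window, as seen by one policy.
function runScenarios(policyName) {
  const b = makeBrowser(policyName);
  return {
    // 1. Classic pop-under fired from the page's onload handler.
    onload: b.dispatch('load', () => b.open('http://ads.example/under')),
    // 2. The workaround: open from a mouseover handler on any element.
    mouseover: b.dispatch('mouseover', () => b.open('http://ads.example/hover')),
    // 3. A real click on a link, which every blocker is meant to allow.
    click: b.dispatch('click', () => b.open('http://ads.example/click')),
    // 4. An open that has lost its gesture, e.g. from a setTimeout callback.
    deferred: b.open('http://ads.example/late'),
  };
}

// Blocker detection as the article describes ad servers doing it: probe
// with an open() at load time; if it is blocked, serve a DHTML overlay
// that lives inside the page and never reaches the hook at all.
function chooseAdFormat(browser) {
  const probe = browser.dispatch('load', () => browser.open('about:blank'));
  return probe === 'opened' ? 'popup' : 'overlay';
}

for (const policy of Object.keys(POLICIES)) {
  console.log(policy, runScenarios(policy), '->', chooseAdFormat(makeBrowser(policy)));
}
```

Under the lax policy the onload and deferred opens are blocked while the mouseover open goes through, which is exactly the hole the "user initiated command" trick exploited; under the strict policy only the click survives. Either way the probe at load time is blocked, so the ad server switches to an overlay, and the blocker never sees a window to suppress.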
Pop-ups came into fashion during the dot-com bust, when publishers were desperate for ad dollars and sought to please marketers with more attention-grabbing means to reach consumers. But Web surfers came to loathe them, and publishers such as the Web site for The New York Times moved to regulate how often people receive them.
Downloadable software to block the ads also has become ubiquitous; major Internet service providers, software companies like Panicware, and even Amazon.com offer tools to staunch them.
Yet it remains to be seen whether they will die out now that the overall Internet advertising industry has rebounded. Last week, the trade group Interactive Advertising Bureau reported a record quarter of sales for the industry, the highest since it began tracking the sector in 1996. Sales for the first three months of 2004 were $2.3 billion, up from $1.6 billion in the year-ago period.
Jason Krebs, head of online ad sales for The New York Times' Web site, said that the online newspaper continues to sell pop-unders as one of many options because they're effective for advertisers. He added that he has no problem with blocking technologies from Google and others.
"You cannot stop technologies. What we do is we adapt to the changing technologies (and advertising environment) and continue to operate the business successfully," Krebs said.
It doesn't matter. IE has flaws that allow programs to be installed without your knowledge.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.