Posted on 06/29/2004 2:07:10 PM PDT by zeugma
------------------------------------------
Browser Helper Objects (BHO) scanning tool
------------------------------------------
BHODemon is a free tool that will list all Browser Helper Objects that are installed on a Windows system by scanning the registry and give you the ability to disable them. This will also list "good" BHOs as well, but nevertheless is a useful tool in detecting and disabling malicious software.
It is available at: http://www.definitivesolutions.com/bhodemon.htm
-------------------------------
New scam targets bank customers
-------------------------------
On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.
The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.
The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under Windows XP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer.
A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHOs and then loads them into the memory space for IE. Created BHOs then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.
When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.
A complete write-up of Tom's findings is available online at http://isc.sans.org/presentations/banking_malware.pdf
Please direct any questions about this issue to the Storm Center using our online contact form at http://isc.sans.org/contact.php
{Posted by Marcus H. Sachs, SANS Internet Storm Center Director}
----------------------------------------------------------------
Handler on Duty: John Bambenek, jbamb-at-pentex-net.com
Anybody else have a suggestion?
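The registry scan that BHODemon performs, and the BHO load path the diary describes (IE reads the Browser Helper Objects key, resolves each CLSID to a DLL and loads it), as an added example that is not part of the original post or of BHODemon: it parses a constructed `reg export` of those keys, resolves each BHO to its DLL, and flags nameless DLLs dropped into System32 for triage. The CLSIDs, names and paths in the sample are made up.

```python
from typing import Dict, List

# Constructed sample in "reg export" format (not a real dump): one vendor BHO with a
# registered friendly name, and one nameless DLL sitting in System32 as the diary describes.
# All CLSIDs, names and paths are made up for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-0000-0000-000000000002}]
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Example Vendor Toolbar Helper"
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\evhelper.dll"
[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\System32\\qxzrtmpa.dll"
"""
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

def parse_reg_export(text: str) -> Dict[str, str]:
    """Map each key path (lower-cased; registry keys are case-insensitive) to its default value."""
    defaults: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            defaults.setdefault(current, "")
        elif current and line.startswith('@="') and line.endswith('"'):
            # reg export doubles backslashes inside string values
            defaults[current] = line[3:-1].replace("\\\\", "\\")
    return defaults

def list_bhos(text: str) -> List[dict]:
    """Enumerate registered BHOs and resolve each CLSID to its friendly name and DLL path."""
    defaults = parse_reg_export(text)
    prefix = BHO_KEY.lower() + "\\{"
    found = []
    for key in defaults:
        if not key.startswith(prefix):
            continue
        clsid = key.rsplit("\\", 1)[1].upper()
        name = defaults.get(f"{CLSID_KEY}\\{clsid}".lower(), "")
        dll = defaults.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32".lower(), "")
        # Triage heuristic only: a BHO with no registered name whose DLL sits in System32
        # matches the drop pattern in the diary and deserves a closer look (hash, signature).
        suspicious = not name and "\\system32\\" in dll.lower()
        found.append({"clsid": clsid, "name": name, "dll": dll, "suspicious": suspicious})
    return found
```

On a live system the same two keys can be exported with `reg export` and fed to `list_bhos`; the flag is a starting point for review, not a verdict.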
I've had all the necessary checks/balances in place and always update everything. I still got recent problems. Haven't figured them out yet (see post of mine just a few minutes ago for particulars.) So, I do think people are aware and doing updates, etc. but, something new is always around to bite us in the A$$, seems to me.
new firefox user bump for later...
Windows XP.
I now have a 30-pound doorstop.
"I now have a 30-pound doorstop."
Ouch! Have you tried pulling the drive, jumpering as slave, and using a working machine to examine the drive & files? You might be able to get some of your data back.
A self-booting Linux CD like Knoppix can sometimes help, too:
http://www.freerepublic.com/focus/f-news/1024002/posts
Knoppix Linux penetrates Windows security. I used it to rescue/recover from Windows crash
Hey thanks, but that was the first thing I did. And have tried numerous times, using different dates, for several months past. It really seems like TCP/IP connectivity doesn't respond to that fix. Thanks for the response though!
Hey FRiend, let me know if you get a fix, will ya, by Freepmail? I've got a similar doorstop with XP Pro, LOL!
Firefox user bump.
I love my XP box for things like games and Windows apps, but Firefox and Thunderbird are a nice layer of protection.
Plus, I don't know what I ever did without tab browsing.
I am building a Fedora v2 laptop for general browsing and email at home.
BTW - What are you taking specifically? A DNET program of some sort?
You're on the right track; it is a connectivity issue.
What kind of connection do you use? dial-up?
Am I the only one for whom half of this PDF file (wherever he's quoting code) is a bunch of unreadable gunk?
Some people don't change the oil in their cars, nor keep enough air in their tires. Some people don't paint the exterior wood on their houses.
Some people don't wash their hands before eating.
Some people spend a lot to REPLACE stuff that's in an early grave, too.
bump
I also use Thunderbird and Firefox.
New user to the Mozilla browser also. Then I installed Firefox and Thunderbird. This was last week; I had been having nothing but trouble with spyware on my machine. After closing IE for the last time I can report that I have been bug free!!! I have kinda made my Mozilla my fave, although I do like Firefox and Thunderbird, so I am keeping them all. Great products!
An 18 month course called "Network Security Systems" at a trade school here in Chicago. I'm about halfway through.
BTTT
I can't say this enough to anybody who'll listen. Image your machine(s). Don't care what you use - Ghost, Drive Image, etc. You may need to purchase a CD burner or a second HD, but it's well worth it. I re-image at least once a week. Takes all of 20 minutes and !voila!, I've got a clean install - all apps, settings, etc - just the way I left 'em.
I'm in the process of looking for a new job myself at the moment, because the MS zealots are incrementally making my life more difficult day by day.
If it were up to me, companies that put critical infrastructure on microsoft operating systems would be held criminally liable for their actions. :-)
Excellent advice.