Free Republic
New Microsoft IE Malware
SANS ^ | 6-29-2004 | John Bambenek

Posted on 06/29/2004 2:07:10 PM PDT by zeugma

Handler's Diary June 29th 2004

Updated June 29th 2004 18:17 UTC

BHO scanning tool and New Scam Targets Bank Customers

------------------------------------------
Browser Helper Objects (BHO) scanning tool
------------------------------------------

BHODemon is a free tool that will list all Browser Helper Objects that are installed on a Windows system by scanning the registry and give you the ability to disable them. This will also list "good" BHOs as well, but nevertheless is a useful tool in detecting and disabling malicious software.

It is available at: http://www.definitivesolutions.com/bhodemon.htm

-------------------------------
New scam targets bank customers
-------------------------------

On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.

The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.

The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the open source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under Windows XP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer.

A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHOs and then loads them into the memory space of IE. Loaded BHOs then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.

When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.
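The diary describes BHOs as DLLs that IE locates through the registry, and BHODemon as a tool that lists them. As an added example (not SANS's or BHODemon's code), here is a Python audit of a `reg export` dump of the BHO registration key together with the CLSID server entries: it resolves each registered CLSID to its DLL and flags a randomly named DLL under System32, the pattern the dropper above uses. The registry paths are the standard ones; the sample dump and the random-name heuristic are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
INPROC_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.I)

# Constructed sample of a `reg export` dump (not a real capture): one CLSID maps to a
# randomly named DLL in System32, one to a vendor DLL, one has no InprocServer32 at all.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66666666-7777-8888-9999-000000000000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\System32\\kxqzvtbn.dll"
[HKEY_CLASSES_ROOT\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"""
def parse_reg_export(text):
    """Return (registered BHO CLSIDs, {CLSID: DLL path}) from a .reg dump."""
    registered, inproc, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(BHO_KEY.lower() + "\\"):
                registered.append(CLSID_RE.search(key).group(0).upper())
            current = m.group(1).upper() if (m := INPROC_RE.match(key)) else None
        elif current and line.startswith('@="') and line.endswith('"'):
            inproc[current] = line[3:-1].replace("\\\\", "\\")  # un-escape .reg backslashes
    return registered, inproc

def looks_random(stem):
    """Heuristic (an assumption, not from the diary): few vowels or many digits."""
    s = stem.lower()
    return len(s) >= 6 and (sum(c in "aeiou" for c in s) <= 1 or sum(c.isdigit() for c in s) >= 3)

def verdict_for(dll):
    """unresolved: registered but no server; suspicious: random name under System32."""
    if dll is None:
        return "unresolved"
    p = PureWindowsPath(dll)
    in_system32 = "system32" in [part.lower() for part in p.parts[:-1]]
    return "suspicious" if in_system32 and looks_random(p.stem) else "ok"

def audit_bhos(text):
    """One report entry per registered BHO, in registry order."""
    registered, inproc = parse_reg_export(text)
    return [{"clsid": c, "dll": inproc.get(c), "verdict": verdict_for(inproc.get(c))}
            for c in registered]
```

On a live system the same dump is produced with `reg export` of the two keys; an "unresolved" entry means a BHO is registered without a visible server and deserves a look just as much as a flagged one.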

A complete write-up of Tom's findings is available online at http://isc.sans.org/presentations/banking_malware.pdf

Please direct any questions about this issue to the Storm Center using our online contact form at http://isc.sans.org/contact.php

{Posted by Marcus H. Sachs, SANS Internet Storm Center Director}
----------------------------------------------------------------
Handler on Duty: John Bambenek, jbamb-at-pentex-net.com



To: zeugma
MS zealots

I've got a couple in my class. I call 'em MS Kool-Aid drinkers. They're so pigheaded. They won't even TALK about something else, let alone consider it an operating system. I asked one of 'em the other day what he would do if his boss told him to install a Linux server. He said he would quit his job. Something wrong with those people.

Sure it's possible to avoid MS products and my hats off to you if you've found a way to do it.

41 posted on 06/29/2004 10:48:42 PM PDT by Musket
[ Post Reply | Private Reply | To 39 | View Replies]

To: backhoe

I was firing up Suse Linux 9.1 Professional when my motherboard crapped out, so that machine is sitting on the patio workbench while I think about what to do.

Installed in less than an hour complete with browser.....
I was impressed....

Got to figure out how to get Firefox installed on it once the machine is running again!



It was going to be my main machine, AMD64 with a gig of fast memory, but it has just given me headaches.


42 posted on 06/30/2004 11:51:44 AM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 17 | View Replies]

To: ShadowAce
Firefox is working Great!!!!!

I like the ability to choose whether to open a new window or open a new tab; it helps give some organization when you have dozens of documents open!!!!

And downloads going ....etc!
43 posted on 06/30/2004 12:05:53 PM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 10 | View Replies]

To: backhoe; ShadowAce

Oh that is a great website.... we were talking about that the other day on a thread Shadowace started.

Got several of us to try Firefox..


44 posted on 06/30/2004 12:09:13 PM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Ernest_at_the_Beach
I was firing up Suse Linux 9.1 Professional when My Motherboard crapped out...

Must be "bad computer Karma" month- the Mobo on my backup PC died about 3 weeks ago- power supply zapped it.

Oddly enough, I tried SUSE's 9.1 home version, but the bleeding thing wouldn't log on to the internet, or let me log in to the system at startup ( naturally, being the one who set it up, I was administrator ) so I finally RMA'd it back to them. Ironically, their LiveCD that boots off the CD worked fine, so I suspect a defective disc.

Anyway, I am a-setting here looking at those CD's I burned and wondering "how badly do I want to learn yet another OS?"

45 posted on 06/30/2004 1:03:22 PM PDT by backhoe
[ Post Reply | Private Reply | To 42 | View Replies]

To: Ernest_at_the_Beach
I like the ability to choose whether to open a new window or open a new Tab

Let me ask you a dumb question- how do you do that? I've been using the old Netscape control-n to pop up another browser when I need it.

46 posted on 06/30/2004 1:12:40 PM PDT by backhoe
[ Post Reply | Private Reply | To 43 | View Replies]

To: backhoe

Well, with Firefox, on the bookmarks, work your way thru the folders to the entry that you would normally just click on with the left button. Use the right mouse button instead and you will get a list of options; my system shows nine such....
For me, the top three say open, open in new window, open in new tab.... so I normally use one of the two latter ones, so I would keep each new thread in its own window, and cut and paste, reply activity for that thread in that window but on a new tab.

Now when I want to close out the thread and my activity, the other tabs, just click on the big red X in the upper right corner and respond to the question box that Firefox throws up asking if you want to close the window and all associated tabs......pretty neat.

I have looked at other browsers and I don't recognize that they have the capability quite like this.


47 posted on 06/30/2004 2:21:41 PM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 46 | View Replies]

To: backhoe
Anyway, I am a-setting here looking at those CD's I burned and wondering "how badly do I want to learn yet another OS?"

RIGHTO!!!!!!

But you are some ways there, if you can run knoppix...

I am not a total novice since I had some training on AIX before I left Big Blue, but it didn't stick very well.

48 posted on 06/30/2004 2:25:51 PM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 45 | View Replies]

To: Ernest_at_the_Beach
Well with Firefox, on the bookmarks, work your way thru the folders to the entry that you would normally just click on with the left button, use the right mouse button instead and you will get a list of options, my system shows nine such.... for me...the top three say open, open in new window, open in new tab....

Appreciate it... as I slap my head and go "Duh!"

I keep forgetting that "advanced Windows" is right-click. There are days I miss the command line where you tell the damned thing what it's supposed to do. Of course, this is from a guy who was content with DOS 3.3 until around 1998...

49 posted on 06/30/2004 3:00:33 PM PDT by backhoe
[ Post Reply | Private Reply | To 47 | View Replies]

To: backhoe

Just go around clicking the right mouse button, all kinds of interesting options show up,.... works with the Free Republic,
post, search, my comments,....etc.


50 posted on 06/30/2004 3:08:06 PM PDT by Ernest_at_the_Beach (.)
[ Post Reply | Private Reply | To 49 | View Replies]

To: Ernest_at_the_Beach

Son of a Gun! I just tried that- amazing. Maybe losing the command line wasn't much of a loss.


51 posted on 06/30/2004 4:01:20 PM PDT by backhoe
[ Post Reply | Private Reply | To 50 | View Replies]

To: CyberCowboy777

Yes, a dial-up. I called my ISP - no help there. Their suggestion was to reinstall Windows XP. Do you think that would do it? I don't have the disk, but the shop where I bought could come and reinstall. I just don't know if that would do it; and I haven't called them yet, due to some folks there knowing less than me, lol. Thanks for your response.


52 posted on 06/30/2004 4:07:26 PM PDT by JLO
[ Post Reply | Private Reply | To 30 | View Replies]

To: JLO

Try this first:

http://www.spychecker.com/program/winsockxpfix.html

Use the backup option to be safe when you run it.


53 posted on 06/30/2004 4:14:46 PM PDT by CyberCowboy777 (Veritas vos liberabit)
[ Post Reply | Private Reply | To 52 | View Replies]

To: Musket
Cool. I just finished 9 months in the CNNA portion of a DNET program at the local Community College.

What curriculum are you using?
54 posted on 06/30/2004 4:23:46 PM PDT by CyberCowboy777 (Veritas vos liberabit)
[ Post Reply | Private Reply | To 36 | View Replies]

To: CyberCowboy777

Hey! This worked for awhile - at least I was able to navigate for 1/2 hour or so, instead of just 3-4 pages. But, alas, got the dreaded error - can't find server.

And, I should also tell you that when I downloaded the latest XP update, it destroyed ZoneAlarm. I've screen printed everything I've done recently, just don't think the local yokels could figure out the sequence of events or how to fix.

Just in case you haven't experienced the print screen key with Windows, check this out. It's called PrintKey 2000, by Alfred Bollinger - and I'd be lost without it. http://www.geocities/gigaman

Thanks for your help. I didn't ever check spychecker before, as I thought I was safe. I'm downloading ZoneAlarm again now as we speak, since its disappearance.

Thanks again for your response.


55 posted on 06/30/2004 5:34:42 PM PDT by JLO
[ Post Reply | Private Reply | To 53 | View Replies]

To: JLO
With Zone Alarms being hosed up I would get it really, completely uninstalled or reinstalled.

When you get Zone Alarms reinstalled and test it out, let me know what you run into.
56 posted on 06/30/2004 7:06:01 PM PDT by CyberCowboy777 (Veritas vos liberabit)
[ Post Reply | Private Reply | To 55 | View Replies]

To: Ernest_at_the_Beach; backhoe

Better yet. Forget the mouse: Ctrl-N for new window, Ctrl-T for new tab. I hate using the mouse..


57 posted on 06/30/2004 7:13:04 PM PDT by TomServo ("I'm so upset that I'll binge on a Saltine.")
[ Post Reply | Private Reply | To 47 | View Replies]

To: CyberCowboy777; JLO
I am dropping this on several threads as we all do battle with the spyware and malware that gets on our machines as we browse the World Wide Web.

A tutorial on software needed and how to use it in a step by step approach to dealing with spyware

Removing Spyware

58 posted on 06/30/2004 8:48:41 PM PDT by Ernest_at_the_Beach (.)
[ Post Reply | Private Reply | To 53 | View Replies]

To: ninenot

I have routers, norton, etc but the writers of malware keep coming up with new ways to attack.

As this article demonstrates, you really should go to the tutorial link I posted at #58.

Tracking cookies are another whole issue, am using Karen's Cookie Viewer for seeing what has been accumulated and removing some of the cookies.

I just switched from Norton to VCOM's System Suite for Trend's antivirus and a firewall much like Zone Alarm, guards both incoming and outgoing!


59 posted on 06/30/2004 9:03:54 PM PDT by Ernest_at_the_Beach (.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: All
There is a whole industry out there building ad banners, popup ads, etc

See this one

Get the traffic you need,
get customers to come to your web-site!!!!

60 posted on 06/30/2004 9:18:26 PM PDT by Ernest_at_the_Beach (.)
[ Post Reply | Private Reply | To 59 | View Replies]
