Posted on 06/29/2004 2:07:10 PM PDT by zeugma
------------------------------------------
Browser Helper Objects (BHO) scanning tool
------------------------------------------
BHODemon is a free tool that will list all Browser Helper Objects that are installed on a Windows system by scanning the registry and give you the ability to disable them. This will also list "good" BHOs as well, but nevertheless is a useful tool in detecting and disabling malicious software.
It is available at: http://www.definitivesolutions.com/bhodemon.htm
-------------------------------
New scam targets bank customers
-------------------------------
On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.
The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.
The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under Windows XP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer.
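The first triage step the handlers describe, noticing that a ".gif" is really a packed Win32 executable, can be automated with a few header checks. The following is an added example (not code from the ISC write-up or from the tool it mentions): it compares the file extension against the content's magic bytes, walks the PE section table, and reports whether the section names are the ones UPX writes by default (UPX0, UPX1). The sample PE is constructed in memory so the script runs offline; the section-name test is a heuristic, since a repacker can rename sections.

```python
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
IMAGE_FILE_DLL = 0x2000       # COFF Characteristics bit set on DLL images
PE32_MAGIC = 0x10B
EXPECTED_BY_EXT = {"gif": "gif", "exe": "pe", "dll": "pe"}


def parse_pe(data: bytes):
    """Return machine, DLL flag and section names of a PE image, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    section_table = coff + 20 + opt_size   # 20-byte COFF header precedes the optional header
    names = []
    for i in range(nsections):
        raw = data[section_table + i * 40: section_table + i * 40 + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "is_dll": bool(characteristics & IMAGE_FILE_DLL), "sections": names}


def classify(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    pe = None
    if data[:6] in GIF_MAGICS:
        actual = "gif"
    else:
        pe = parse_pe(data)
        actual = "pe" if pe else "unknown"
    expected = EXPECTED_BY_EXT.get(ext)
    sections = pe["sections"] if pe else []
    return {
        "extension": ext,
        "actual": actual,
        "extension_mismatch": expected is not None and expected != actual,
        "is_dll": bool(pe and pe["is_dll"]),
        "sections": sections,
        "upx_packed": any(s.startswith("UPX") for s in sections),  # heuristic
    }


def build_sample_pe(section_names, is_dll: bool) -> bytes:
    """Constructed minimal PE32 header (no code) for offline testing."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    opt_size = 224
    characteristics = 0x2102 if is_dll else 0x0102  # EXECUTABLE_IMAGE | 32BIT_MACHINE (| DLL)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, characteristics)
    optional = struct.pack("<H", PE32_MAGIC) + b"\0" * (opt_size - 2)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    fake_gif = build_sample_pe(["UPX0", "UPX1", ".rsrc"], is_dll=False)
    print(classify("img1big.gif", fake_gif))
    print(classify("logo.gif", b"GIF89a" + b"\0" * 32))
```

On a real sample you would read the bytes from disk and, when `upx_packed` is reported, unpack with `upx -d` before looking at strings or imports, as the handlers did.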
A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHOs and then loads them into the memory space for IE. Created BHOs then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.
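The registry walk that IE performs at start-up (and that BHODemon reproduces) is straightforward to do yourself. The following is an added example, not code from the ISC write-up or from BHODemon: it parses a registry export (`reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` plus an export of `HKCR\CLSID`) so it runs offline, lists every registered BHO, resolves each CLSID to the DLL that IE would load via its `InprocServer32` key, and flags entries that have no friendly name or whose DLL sits directly in System32, the drop location described above. The sample export and its CLSIDs are constructed placeholders, and the flags are triage hints, not verdicts.

```python
from pathlib import PureWindowsPath

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\System32")

# Constructed sample export (not from a real machine); the CLSIDs are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
@="Example PDF Link Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Example PDF Link Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example\\Reader\\ExampleIEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\System32\\qzxwvrk.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key (lower-cased): {value name: string value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry key names are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name] = value
    return keys


def inventory_bhos(keys: dict) -> list:
    """List BHO registrations the way IE resolves them: CLSID -> InprocServer32 DLL."""
    prefix = BHO_KEY.lower() + "\\"
    entries = []
    for key, values in keys.items():
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if "\\" in clsid:                          # only direct children are registrations
            continue
        clsid_key = f"{CLSID_KEY.lower()}\\{clsid}"
        name = values.get("(default)") or keys.get(clsid_key, {}).get("(default)")
        dll = keys.get(clsid_key + "\\inprocserver32", {}).get("(default)")
        flags = []
        if not name:
            flags.append("no friendly name")
        if dll is None:
            flags.append("no InprocServer32 (orphaned or hidden registration)")
        elif PureWindowsPath(dll).parent == SYSTEM32:   # pathlib compares case-insensitively
            flags.append("DLL sits directly in System32 (common drop location; verify publisher)")
        entries.append({"clsid": clsid.upper(), "name": name, "dll": dll, "flags": flags})
    return sorted(entries, key=lambda e: e["clsid"])


if __name__ == "__main__":
    for e in inventory_bhos(parse_reg(SAMPLE_REG)):
        print(e["clsid"], e["name"] or "<unnamed>", e["dll"], "; ".join(e["flags"]))
```

Disabling an entry the way BHODemon does amounts to removing or renaming its CLSID subkey under the `Browser Helper Objects` key; keeping the inventory output from a known-clean baseline makes later diffs immediate.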
When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.
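Because the BHO reads the form data inside IE before SSL is applied and then ships it out over plain HTTP, the network side of this attack has a recognizable shape: an HTTPS session to a financial site followed, within seconds, by a clear-text POST from the same client to an unrelated host. The following is an added detection example (not from the ISC write-up) that runs that rule over constructed proxy-log lines; the financial-site watchlist is a placeholder, and the exfiltration host named in the write-up is used as a known-bad indicator.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines (not real traffic): timestamp client method host:port path
SAMPLE_LOG = """\
2004-06-24T10:15:01 10.0.0.7 CONNECT online.examplebank.test:443 -
2004-06-24T10:15:04 10.0.0.7 POST www.refestltd.com:80 /cgi-bin/yes.pl
2004-06-24T10:20:30 10.0.0.9 CONNECT mail.example.test:443 -
2004-06-24T10:20:33 10.0.0.9 GET www.example.test:80 /index.html
2004-06-24T10:31:00 10.0.0.7 CONNECT online.examplebank.test:443 -
2004-06-24T10:45:00 10.0.0.7 POST forum.example.test:80 /post.php
"""

FINANCIAL_HOSTS = {"online.examplebank.test"}   # placeholder watchlist of banking hostnames
EXFIL_HOSTS = {"www.refestltd.com"}             # drop-point host from the ISC write-up
WINDOW = timedelta(seconds=30)                  # how closely the POST must follow the bank session


def parse_log(text: str) -> list:
    """Turn each log line into (timestamp, client, method, host, port, path)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, hostport, path = line.split()
        host, _, port = hostport.rpartition(":")
        events.append((datetime.fromisoformat(ts), client, method, host, int(port), path))
    return events


def find_post_ssl_leaks(events: list) -> list:
    """Flag clear-text POSTs that look like captured banking form data leaving the host."""
    alerts = []
    last_bank = {}   # client -> time of its most recent HTTPS CONNECT to a watchlisted bank
    for ts, client, method, host, port, path in sorted(events):
        if method == "CONNECT" and host in FINANCIAL_HOSTS:
            last_bank[client] = ts
        elif method == "POST" and port == 80:
            reasons = []
            if host in EXFIL_HOSTS:
                reasons.append("known exfiltration host")
            if client in last_bank and ts - last_bank[client] <= WINDOW:
                reasons.append("clear-text POST within window of banking HTTPS session")
            if reasons:
                alerts.append({"time": ts, "client": client, "host": host, "path": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_post_ssl_leaks(parse_log(SAMPLE_LOG)):
        print(a["time"], a["client"], a["host"], a["path"], "; ".join(a["reasons"]))
```

The timing rule alone will fire on benign sites that post to a second domain right after a login, so in practice it is a lead for analysts rather than a block rule; the known-host match is the high-confidence part.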
A complete write-up of Tom's findings is available online at http://isc.sans.org/presentations/banking_malware.pdf
Please direct any questions about this issue to the Storm Center using our online contact form at http://isc.sans.org/contact.php
{Posted by Marcus H. Sachs, SANS Internet Storm Center Director}
----------------------------------------------------------------
Handler on Duty: John Bambenek, jbamb-at-pentex-net.com
I stole the following from someone. Can't remember who. Thanks to whoever you are!
FREE PC PROTECTION:
(Not an exhaustive list. Your results may vary. Void where prohibited. For entertainment purposes only. No wagering, please. Whattayawantfernuthin'.)
(Thanks, but "Buy a Mac" doesn't qualify as "FREE PC protection")
read later
Just read this on CNET. Very serious, although if you keep up with the MS patches you will be OK. These pop-ups are the one you see on Drudge all the time that emulates a Windows Pop-up window and says you have computer problems.
I suggest you install all MS patches ASAP.
thank you!
Not so sure about that this time.
From CNET second to last paragraph.
While the latest program is installed on Windows computers using a known vulnerability, the helper file hack exploits a feature, not a flaw, and could work with most major browsers, Sachs said.
Thankfully, I don't have any cash, thus I-net money transactions are irrelevant at least at this time.
But with ZoneAlarm, Norton, and the Win firewall up (and all patches to date installed), GRC gives me good marks and there are no bugs on this box.
Find wood, knock hard and often...
Ever try running MS's Windows update? That piece of crap looks for ways not to run on your machine. XP, anyways, and MS's help is of no help at all.
I get better info from sites not affiliated with MS.
I've got pretty much the same setup going--check Windows Updates regularly, auto update the Norton Antivirus, run Spybot Search and Destroy regularly, run Ad-Aware regularly, running Zone Alarm always, and have NAT at the Linksys router. And now using Mozilla Firefox browser. I too get high marks from GRC. But that's an awful lot of stuff to keep up with. Are normal people actually doing all of this stuff? I kinda doubt it.
...While I suggest a better alternative, due to this CERT advisory.
These people should be shot in the street and left for the rats to pick their bones.
Avoid online game sites--when others use my computer to play games is when I get spyware. At all costs DO NOT download Kazaa. My daughter did this and I spent nearly 8 hours removing nearly 500 pieces of spyware and malware from her less than one month old computer.
I just started using Firefox. When I run a browser check it says that my browser is Netscape and the license is Mozilla/Firefox. Does this mean that I need to update my Netscape and Firefox? Sorry, just a little confused how the two interrelate.
An alternative is Kazaa Lite. It doesn't load the spyware nor the popups and it has a "speed up" feature to download from several people at a time. Works great and no headaches.
So, are you saying that the real fix is to install Linux and Mozilla? I would agree that this would be a much better solution to staying with microsoft windows.
Tell us what you really think IronJack. I'd have to agree, but personally, would like to see fire somehow thrown into the mix. I can't think of a worse way to die.
That's where I'm headed... Firefox already on both home machines, and 3 MandrakeLinux CD's that I burned yesterday sit before me waiting to be installed.
I wasted days trying to get rid of a new hijacker and I'm tired of doing Microsoft's cleanups for them.
BTW, here's the best forum I found so far:
...and irony of ironies, I found it via a porn site that hates this garbage as much as I do.
Well sure, Linux or Mac would be the safest way to go, but I'm going to school for networking and it's pretty much all Windows - with a little bit of Linux. I've got Mandrake on the other half of this XP machine and I'd love to use it all the time but I have to get real cozy with Windows and all the crap that comes with it. That's the way of the real world. :(
Ever try running MS's Windows update? That piece of crap looks for ways not to run on your machine.
====
I hear ya! That's when my recent problems began, on my last update that didn't finish (XP Pro). Either that, or as someone suggested here earlier, going to a linked photo may be a big problem. Don't know, haven't figured out my problem yet, even after trying to use the IE troubleshooter. I can't connect for more than 3-4 pages, then IE quits "can't find server". Even Netscape (my preference) is affected.
I tried all steps here also at http://support.microsoft.com/default.aspx?scid=kb;en-us;314067&Product=winxp
No avail, think I'll have to call the local weenie to help me out pretty soon, lol.
So, how do you update XP? (Please answer private, so's to be sure I see it.)
PS, in case anyone wonders, I have to log on to my employer's server to get here.
indexing bump