Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.

#1
06-30-2004, 02:49 AM
bigdave (Banned)
Another Bad IE Exploit

Here's another one!

--------------------------------
New scam targets bank customers
--------------------------------

On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.

The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.

The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under WindowsXP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer.

A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHOs and then loads them into the memory space for IE. Created BHOs then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.

When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.

A complete write-up of Tom's findings is available online at http://isc.sans.org/presentations/banking_malware.pdf

Please direct any questions about this issue to the Storm Center using our online contact form at http://isc.sans.org/contact.php


Might want to think about using an alternative....

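Two of the facts in the ISC write-up are things a defender can check mechanically: a file whose extension says "gif" but whose first bytes are a Win32 PE header, and a PE whose section table carries UPX's default section names. The following Python script is an added example written for this thread, not code from the SANS handlers or from the original poster. It builds a constructed, header-only PE (build_fake_pe) as a stand-in for the real img1big.gif, so it runs offline; the image magic table, the flag strings and the function names are my own choices.

```python
import os
import struct

# Leading bytes ("magic numbers") for a few image types. A file served with one
# of these extensions should start with the matching bytes.
IMAGE_MAGICS = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def pe_section_names(data):
    """Return the section names of a Win32 PE image, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of the "PE\0\0" signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader
    # at +20; the section table starts right after the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]        # 40-byte entries, 8-byte name first
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(filename, data):
    """Findings for one file: extension/content mismatch, PE image, UPX packer signature."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    expected = IMAGE_MAGICS.get(ext)
    if expected and not data.startswith(expected):
        findings.append("extension %s does not match content" % ext)
    sections = pe_section_names(data)
    if sections:
        findings.append("Win32 PE executable")
        # UPX names its sections UPX0/UPX1 by default. Packers can rename sections,
        # so the absence of the name proves nothing; its presence is a strong hint.
        if any(name.startswith("UPX") for name in sections):
            findings.append("UPX-packed")
    return findings


def build_fake_pe(section_names):
    """Constructed sample (not the real file): a header-only PE with the given section names."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew points just past the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + coff + table


if __name__ == "__main__":
    fake = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print("img1big.gif:", triage("img1big.gif", fake))
    print("photo.gif:", triage("photo.gif", b"GIF89a" + b"\0" * 16))
```

Run it as-is to see the constructed sample flagged on all three counts; to triage a real download, read the file into bytes and pass it to triage with its served name. The extension check catches the masquerade regardless of packer, which is why it comes first.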
#2
06-30-2004, 05:17 AM
Brangwyn (Vortech Inc. Customer; Location: New Zealand (Wellington))
Quote:
Might want to think about using an alternative....
Might want to keep thinking ....
Phishing-style exploits in Firefox: http://www.securityfocus.com/bid/10532; another half dozen Mozilla-related issues are listed there too.

I've given up caring about browser exploits to be honest, I use the browser that I find works the best for me (though check for updates often).

Last edited by Brangwyn : 06-30-2004 at 05:23 AM.
#3
06-30-2004, 12:29 PM
bigdave (Banned)
I love the word Obfuscation !
#4
06-30-2004, 02:37 PM
awen (Vortech Inc. Customer)
Yep, I tried FireFox .9 for a few days, but had too many problems so I am back to IE... exploits or not, it works for me. Besides, for every fix, they will find another hole.

The only truly secure browser is one that lacks all functionality. So then what's the point?
__________________
/|\
It's all fun and games until someone loses a database!
#5
06-30-2004, 02:44 PM
keidsjedo (Vortech Inc. Customer)
Quote:
The only truly secure browser is one that lacks all functionality. So then what's the point?
Well, frankly, I think lynx is quite functional.
#6
06-30-2004, 06:47 PM
Silverbug (Vortech Inc. Customer; Location: AK, New Zealand)
Quote:
The first portion of the file (and what actually runs if the file extension is changed and the program is launched)
How would the file be renamed? I mean, would the user have to do it, or can it be done some other way?
__________________
Paul Foley
Sniper Systems Ltd


Last edited by Silverbug : 06-30-2004 at 07:39 PM.
#7
06-30-2004, 07:18 PM
dpyers (Vortech Inc. Customer)
Quote:
Originally Posted by bigdave
I love the word Obfuscation !

My screen saver advises me to "Eschew Obfuscation"
#8
07-01-2004, 03:26 AM
dwhite (Vortech Inc. Customer)
How did the file get onto their computer in the first place? If it was cached from simply viewing a web page, then it's a very definite concern if it is able to be executed. Sounds like this one is crippled though until someone or something comes along and changes the extension. That of course would require another executable. Anyone downloading executables by email or any method without verifying its origin and trust relationship should be executed IMO.

And there is a nifty little program I've used for a long time and that I can vouch for called BHO Cop. It shows you what is running as a BHO and allows you to disable individual ones and see some other info such as path info and registry value.
__________________
Regards,

Dan W.

Sign over a SysAdmin's desk: "Just because you are paranoid, doesn't mean they are not out to get you!!"

Last edited by dwhite : 07-01-2004 at 03:37 AM.
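The ISC write-up says IE finds its BHOs by reading the registry at startup, and the BHO Cop tool mentioned above does the same lookup to show each BHO's path and registry value. The following Python script is an added example written for this thread (not BHO Cop, not ISC code, not the poster's) that does that inventory offline from a .reg export: it lists every CLSID registered under the Browser Helper Objects key, resolves each one to its server DLL through CLSID\{...}\InprocServer32, and flags two things worth a second look given the report: a DLL living directly in the Windows system directory, and a file name with no vowels (a crude stand-in for "randomly named"). The registry paths are the real ones; SAMPLE_REG, the CLSIDs, the DLL names and the flag wording are constructed for the example.

```python
import ntpath
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed sample export, not from any real machine: one BHO served from
# Program Files and one served from System32 under a random-looking name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\iehelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\System32\\qzxvkw.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; quoted strings are unescaped."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')    # "@" is the key's default value
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = re.sub(r"\\(.)", r"\1", value[1:-1])   # .reg doubles backslashes, escapes quotes
            keys[current][name] = value
    return keys


def looks_random(stem):
    """Crude heuristic: five or more letters with no vowel at all."""
    return len(stem) >= 5 and stem.isalpha() and not re.search(r"[aeiou]", stem, re.I)


def bho_inventory(keys):
    """List registered BHOs with their server DLL and review flags."""
    lower = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_KEY.lower() + "\\"
    rows = []
    for key in keys:
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):].split("\\")[0]
        server = None
        # HKCR is a merged view; some exports carry the class under HKLM\SOFTWARE\Classes instead.
        for root in (r"HKEY_CLASSES_ROOT\CLSID", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"):
            values = lower.get((root + "\\" + clsid + "\\InprocServer32").lower())
            if values is not None:
                server = values.get("@")
                break
        flags = []
        if server is None:
            flags.append("no InprocServer32 (dangling registration)")
        else:
            directory, base = ntpath.split(server)            # ntpath: Windows paths on any host OS
            if directory.lower().endswith("\\system32"):
                flags.append("DLL in Windows system directory")
            if looks_random(ntpath.splitext(base)[0]):
                flags.append("random-looking file name")
        rows.append({"clsid": clsid, "dll": server, "flags": flags})
    return rows


if __name__ == "__main__":
    for row in bho_inventory(parse_reg(SAMPLE_REG)):
        print(row["clsid"], row["dll"], ", ".join(row["flags"]) or "-")
```

On a real XP machine the input would come from two exports, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` and `reg export HKCR\CLSID clsid.reg`, concatenated and passed to parse_reg. The flags are a triage aid, not a verdict: legitimate BHOs can live in System32, and the report's DLL could just as well have drawn a pronounceable name.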