|
|
|
Pop-Up Program Snatches Banking Passwords
By: Dennis Fisher
2004-06-29
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
The attack uses an old vulnerability in Internet Explorer to drop a Trojan horse on vulnerable machines, where the program then captures financial information, encrypts the data and returns it to attackers.Customers who use a number of the top online banking sites are at risk of falling prey to a new Web-based attack that snatches user IDs and passwords for these sites.
Among the sites targeted by the attack are some owned by Citibank, Deutsche Bank and Barclays Bank.
The attack is rather complex and appears to use a known flaw in Internet Explorer (IE) to drop a Trojan horse program on vulnerable machines. The Trojan is delivered through a malicious pop-up ad that loads a file called "img1big.gif" onto the machine. The file is in fact a compressed Win32 executable that contains the Trojan and a DLL.
The DLL is installed on the PC as a BHO (Browser Helper Object), a type of DLL that normally is used to let developers control IE in certain circumstances.
When IE runs on a machine infected with the malicious BHO, the file monitors IEs activities for any HTTPS sessions with URLs that have any of a large number of banking-related strings in them.
 Click here to read about malicious code that has been affecting some Windows machines.
Once IE establishes an outgoing HTTPS connection—which is secured using SSL encryption—to one of these URLs, the BHO collects all of the outbound POST or GET data before it is encrypted, according to an analysis of the attack done by researchers at The SANS Institutes Internet Storm Center. The attack affects IE 4.x and later.
For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
The BHO then starts a separate session that encrypts the captured data and sends it to a script running on a remote Web server. The stolen information will often include users user IDs and passwords, which are often the first things entered after starting a secure session with an online banking site.
"I believe that this particular type of malware represents a huge threat to the online financial industry," wrote researcher Tom Liston, who did the analysis of the attack for SANS. "As the proliferation of ad/spyware shows, installing executable software on users machines is far too easy. The approach of using the BHO makes this method of stealing identity information all the more insidious."
Linux & Open Source Editor Steven Vaughan-Nichols says using IE is too big of a risk these days. Click here for his column.
The ISC staff first got word of the new attack from a user who found the malicious file on one of his companys machines. The file had not installed and run correctly on the PC because the user had some restrictions on his account.
Liston spent a couple of days analyzing the attack and discovered that it takes advantage of an old vulnerability that lies in the way IE handles CHM (compiled HTML help) files.
Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.
Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page
|
|
�������xV#9(XAӆiy�\�Sx�0]T}W:-٤3s2Ӏ~[%3�Iy%ٻU`�
"B�zCgg폒D.�}hcr�g�%3I�<7o���a0iTE[��oHFN�Z�@p�~-sl7r�����zG;#|�&rw
A:|AL���dB$hhGoT�S_FܨW��`&`1Z!qF٤XC/G5t�Cܢ�%yHCuѺ�8!IQ�w,sX'ay#�$L �g*�76m,uT%h��Oш1"|xwoe�;WPQ~�jX�Mߵ!�Xq�4��"�X'/�[v�b�B�#"F��τwG�H<匝8Gd`j䈤�Z [
;dTZ����CcPp,ǃT*�TkQ3#}jZO|ݖ|#Xult̀Q���3Eu��&q#!$fR�8�=/�y�y�]@vl(r�_7@7ƞ3dY pQԒ(8ac�&�}�
��@�Rt[dQ#�ʲ>,��he�w��a5\>jR/VK�tP߉*�����:�eڳG�2-�ݝh[B(�ݫu�?
?t�h;XCr���M9둫[yptq ��is,oɷD_"0QYT4D>��Pcb�j�jw{W`%rM7JzQ߹�ᖃAQSVT]ju#-bv=ӧ0�F_8rrn�N�sKiw[:9?iΐ}3�fPUM�~ 3h2ؕΊgxo�_:nNo_9nW.9ܐIəyN�t8��ڟl3Hk*�lo!qj{ d�Pp8LwZ| w�?vNz[d�@���dx"˧S��0o-Yn]H.)łލT,>JAfa��si����R2!r*� 2@/��a7V ���YK��o`��2� S��K3;�n�ZK=0�[#RFp&�\� Д��a��g8gMa�b&DJH7�jJi_K
XRʅ�U��>hI"A[f�}O��%ތ��EUsŹ>Dwެ.�Uմ[�%�ށ㣳VuJםn�?]�LqHXx7Y`A�-E`\\�77�j 6�wOV)CR^ʁ�@8ʍ�0�2B��m�]ԇtϬY0`���;}J[)�icv"5�}t>ljAG��:ڴb�\@7&&�h`C=҉�&MЀϰQ{�ڭ�Rg�v�/>��R���sJ}�D�5�h��-D�C0I3c)м`y��`27_�#]-�H��ˋ�F0���P�}�� �2/?C��' >)d��X.Gs
6GT[MK��x�G3�R�|+sZ(�w^`S��y"
9 E�EK�y3@� $h������ ���99�
�łI~ޑ�vZ.%r��P.o=!ԑtጝZ.?Kh3aGe�-n^
$�d6g2IMi'0V-&D7r"e�.G wKᅖ&ZlY*)uM;S& 4LX̱��xfZC҄%�Lla`0Ґ()�s��{����!n;At�랒9:�\�f3,�35g{00�q}cY �k9tݴyJ�ͩiÂqb���9_Aa"І�L˄|&�6=gktX uu�K�tıa|�d:Nk'pn7?x@L\n�GpIN3_iy9g~9厬m4�@>|�zS.z:
%�r%�
5kb�$T`CfL
�DL)^HIRЙj!@�9z٧l�)�3-ʭ$֒e]'�/ 7�ry_[�օV�P}�@x�� dlK���k�+t(:��АT
um��ùbX�G��J�GGb&^fѢA҆}T}F�,�|sö���oU�wӟ�LYZ�sX)Z5R{5>k掭,0!.(2n( 蟇�,�lVCax=�Zz'�As,t]OD�\|; `�ӣ(a!��w1
N)�>Aװ�Dؚ�ZS�{gm1J�hx#e\�8��,[b)0{s�gбSabia=k-�;US]HQ6nZ- �V��a>Ӝh2�F��ÑiHuߴ�IFʫeu�&-KJY)jLycl
�ԑq,�Yr�i�L*gXM�>QȺ='QOK-KӞ�@�#�@:"��gѠV�c�D8r__(
cG�˿^uw3zac�`+zpg�I��оhʰe�h8`Zzq�$kD(�O m{H�%Tb9�l�s
�Kq3`9S"象mB|�@�+'&'l�E;8�*6Xi�l=�["c�3۽>�"k0υ$
L3� ӦRV*"5 V ��qM×8nH�o3ߪ郦wtP)3fMDVжU0��H�.qLspIe!��We7UEcO�R�zQrZ#7:�ju[}$�JsO�$NoTRXUJB�Q�C:E��/ZCv���ش�/<6W��[��4w�K�3[}R/CSf<^xŗ�%�K��G@lXC�=;Yj��sVb(�I�'cg?f'
tDG�uRTR==G4}3݀�qXwy*a3�̇'S�$�Ri%�m\?'D.�k���S@JڣZ'G�ɒ\�'
*�Z<]QO3A��J� �j�\d?��C҇ps{(,QXk 11�^�֏ZM���(0�h_�pǭ;DU]uv�'@�O�]IKys>�:W=yپtw|0q;nNkw� �3o{Q�~Vv�w\j\+-0M��Iֿ�IN`·S}|w�a\[d�L\��{N]q�́Ľy nK7�mv:'8�-o�d~�!Ѱq\
8͛+%IsïE%%:עփ u;�R�9!hǫ<'�Mxy)q��o2�)g~H��6�}�ik:�Z_KuÙ��N/|%��\kI\5v8Aϐa6�F}m7�kΊ#S�ºU�XȬE`CPH|PZ:? (J]�@�$X�)��XAU:ݽh~du�؋N'" m ���
,Щ
c~�HF�rI'zRG�>eIə�/PIS�):�}Qrwۿ£n_4}+ y.}y>}4~WK0fAd*WVr[k'?>!��/���.4t㿜Y$�a�0xc�|i�AZ|l��9�R;DZ3pu*N�x�S!O�0;Fp�b�")%�&M(�I[`de
ݒ:p<5�RJ锐']�C8�z>RB'T5˓$/IYO)Eqjhd�꒐~�~SLNbC]F+Ro�{ݼڜ4<1ަmƙWxvImc%j�;Ζˬ�F��̗4.נ�zE8��V�#�vx~�t`}QגZ4ҫoeW!9�
?�9G�s`�e5�>¸*传��J�t+AUbםm�3m�D�95u�v�;2Q
=�d�F�P+��_YL.t0�>_mGoYM2��T1��>^Y��]s>�ͥ}vi8����PV#w9k9,9T�1t�U`_Dr1NyH,ʼnCg6v1CN;#͋^4>A
�̯�>w���I�t^��_�vhߋ|T意G�
9�+3rs+nn�"&3�
Cwnoœ/%/vؽ¾"�8�-��0�Nt,4P$�U
Z�/�U�$]ue%�]F�vZxA2�M�#}Ӻ��Jf�z�Ӽ4hAhf�l�3�O7�~c�c�~P/
�{~#Ϥa�
]ek�
�w}�[,geKW%r/J\�-"Pn'(Z^8�|ӫ��g�@�@�{�.~�
Fu�U��mO={n1G6@0F}�Բ؍y{9~��2� Of�x�f�3\A��P`G
�ƔI�+�y#ĠH)ܛc4rEs ��_56+�Z;a6r*|^"�Zyfa ��~1 ߈;6bE�#Ƴt_-Sz�pf:y� T�S M�k!1�%&'̼VxL �����Oƥ8G/J86[b4-^/t0a8C~y+lF!Y9sPZ��Lt4�3��;dk^,Mr
0�5y�7��ڒk=0&�O2�R~59ԗшtjڰ{N"Cr|J-U�9{_1mR)(xٱ!#
mo�q]�o^�k>R���`@ AA��~tQTJBI쫤
Rq9,(TTLk.U� S!�xs3e�P� z):x
�eHqfl,Ä$�L i�R�p�X1Tr�h[�XWNR�b��}wJ4%Sb؞�G[WY~ dph�eRRUI%oe|^�ԦGeO$`��3>̗4RU��Dl}9Xj���0U�F �z�X~)z5"GO؞]ҦR|uԝOu@`8c4ϭM��nZ�Ϲ}Z*kr
aÜ��� �fT�+'G{���7eҫa��LM}-Bz�osNPJ5k`�6 a�6A��gW RH�$W_+/3uO��^nn(*}�n�hG���<:H8RX`ȋ,)FI�p̱�"|�j LZ�=ޗdʫE���gIޥth�_��0~�uY8GKx]��]
{tώ,��T$`�Mݔ�_pz`3�iqpO&3ҵ5C?��ݒ�ZMh��Hmܒ�1iy���f�ۭou|�ggR�uB#8VkFxd_$�|Z.X_̴1\H-Gvt�6
�Ǹ-x�Уp0G]CN�/$\(F�
i��{~>pL3)�хm{m
�D{-��}�8�t֕.��� �>p�fJQ^p�'Lװ B³���AHD@c;Z�ᔗ$$spJ�r{m�+J\Xq&@""u;Ka-5?J( �Ւj�tCC����}&<@'l�P�6#@;D��Yd�kK�W_}z$;z=X�髹uETt\j�.UQ+k8.�!}r9'X7=*VwhuS~u=,�J6:_�R_1֧��C�3f�~隩'd�T$}H��PB$=�SkCy}M)uͱݱ%~֓JeP��^*,(|�k�`�!ulqb#Bp(jz�ʷ6{lI[h
�DՏ�aԇ
Σ*�>+}pQ.]��Q�
aUĻCX/�2`fǎry$uwwww7�ބJj�&qȚa�ݒÎر�E�k� @bzӖ HCȧ �W6sEH~mσ5]7>y��|�az@��oDgf1��K�!|{�yߣnoףMK~y�.0�}�`]9�.N�0_?ܪB� _8aع=:ZO8aG6g_2�u{Ys'�FSh���r�`�W���"�?ڰx]{̄&K%FZlkJ?Vްa2t"6�y\�kgh~hO]?Tlh:}ܛ
Ѫ/Y�*P3Z ΜR_v@iۀb:X:(sd2�&�iӀb咠=�_H�X
X��3�l2Y'=�G˫�]ErNZ~~GܳׄVY\F_Q'-xh
K:quK8�Do-<�_�]yҿM���wmMj�Q(K=6[ݽ?0��X�dtyi]$5�M+h:��ߤ�m_m� B<+
Ԉ+?x�"ZvmYS.eX -]XpSg(z(�c�~u�P2{� ��5ѕV$����gS&y<* ,g�#R
�nVp���.�t�� |�Mw�YGG槟�^K{�»��W��l�Cʗy�0�X�'D�Ct��cb�%1Y#z��0h�ce\�51�g[��1nw6'��F���`�8Wھ�`܀/"*ZWqi4Y:�7F�+� {�>QiH�p':[IclVP}_ntg/
:äID)FB\fS
d��fa����u&M�ϟ��⒉O~�RJa'zhN]�t;��NI00OXo�d\(�
$�bB4��*nH m>�Hy[�v��tPQ�]kF9-0z���r~�Y&�^��waDB(lsh�F^HA��w7@eu~�r,z�?D�}�8[GDr��쵣䀲�e,PAbb�F�yA y!�F�;�Kb+I7Q�$Iß:(-ćV��AX��oDUj�9��"�'"�KI�H�*]A|�~8�,
41=���^T_Z6`;T���\sj4�1E!�>�r���c%5|FS*�jE<=G/ {uZxyL<^_AF���3
i���"�r\I{ �G]#1%r��M�x4�O�|Y.w?�ǿ)fF<�+@�O^L8d;�bB=��ں�q� yK-y�-�J4s�5�'6�X}W�yr�jLx�XE�8a��ݱx'r%=�y �@k�lM/5
���)3$[]Z �9x`8�;4��lz�VV৮�Zn���#MO�;ZӔV+`{�d��%�e/nᩎ�AXri遅I��\�qg:Rg�~V**tϚqq;�
kHLpGz2J\d9_K>HP.$6�_wo&>�4
d0�l��˖C_`̷�nᮥ��}�,�Sц�])<1;�xo/e5&�I{u
�>dўә�E!��vl"m]%IwTwof|HIF>#Ծ7=F��gT\sn?H\�Oʒ�L�i��YqՄl�.04%n�'��蜜n>M'>�E.5L�^J k_߈C*�q�q{Zp7TQ��bMh%!MF(hd�t15x��#^�SH�)/� L5&�H!4�w3\��P�|�\C�v�p+XyjJ~N'ȚXO/8AnIiq�Ő> �&=^�z�C�0.��EeRW�;�FOw_
�6f^F'ZQ1IG�>}>x�g#b2z�ވ�x7�#i=~kW7�el�Nh$�NKm15AH]�E#
`�H(��m+C}AZV颇� �O>n}c� 'l�I�EeE.�dW���
-=Iāgšu/lɧ>1cP��r9G;Ѻ檫�(E<ƈn_eÀ�3�{�nIED#Thb��GB#&/7.nrj&[%�&9a� k(ExH�ogRX̘_RSJ9L MꚂ}�!2,���j9qE^(OaYhVԿ�X��0M蕴B��^���4r##vGC>T)>FO|�LBz،\{�ݾ1B�9ܐ&9iHq}kwqs��_QBss}պi_X�a/慾DQ);K�5U�š�\�Q_]dqx�ixID_0=4��u8qgQ]rzo})ക�'π>g�y��>;:ooڧ�_;�?ϴ2�v�vsGv3?A��"�%G1>ˌ_�,@�^�}.3s %e�^�^f'UF>Bnjs?�##�/3a|2
*C~`2Ư�w2d�N~�kQ�&nFnF{��>�ׇ����3�1~�{mF�$)c�f5qv%s_��gK�"~�)+�PWg��*
g�:�Zeu�+?3_�u3��VF&oir]!,.5P��Zk+/Y[Sݴ�qմ -��{}h}0�*"y%6(�(nP%]}MJ�4tk 7b[y�BYQI{R}tE�̏I>t�pմ] &JRo-cENi��kr(%sdIOc_96�b�a)c0?4(^P�xZ@&j\eѣf(+�@J'��5 |
�XV+q3��lcm|i>k�Һj^[,ўM�EACe�GӠS7�Us
!Qa}H�"7�<�RώsG%PK7�=o�7\d
�;c8j_�
�$
sg�RҴZjZVr�v俓�$2��q2t���fDdU��[��Ur
0�X����^*(d@#غ7
{%�}C�j��=q͐G�a���1Vo(�B�&\C�Hc�ztlK!BΫX��ڼx�`XT���
ގe�@|�L�ov�(u`�2b'uqTlr@.g3/�p?jc2iR�
�_^Ėٵv"2Yhp䃿
гq��� ?n
3D�ԛɣ�o
4@{4�Xlڔ@*wL#�[�o�t^]F.u7����\șP=}��\xx �˺Uwj�:՞/{f�w:aKƈ��DM�KIn�s//gɱz.yCOz r(u{Ċ�0mx0�/R^�!��N�6�/$
/tA0#{��!f;Lx ��Ɨ ?r$��x(8�"�"H�"s�{F�|%ԄZ�sJ\dB2L�'K��FcϱiB�/�`7̈ {+,2Dն:k2=jQwh}tפX3���ÃM�"m,�h�PWO`�z��ƣ�,h�:BQF&�V�v,='�ID/j���˦UMfP�{j9.KPRJ��V�r.
?�ѭfwU��eV� D$l㷖�_C ����Xh=$N�>�:[S1U9ւ�_6gз�/[MzKV9�S&M��¶m��)Hqi
ХyHzH,�Ǻ�7�AQ^�|D�,;�kl`v����0N'6}Nu+H' �"O �j;;3m6�TeK.QYCm+#8��N�}y?ۢ�uK�ӟpm�.�gwH�VC|�خ;��q^g�t#>Ƌ�rd{Ko�>fkJ:!A]��9-_��!0^�p,\f dzl�g��(Fђ[0���?Fuo�Y �%6x-[� '"���<��Zic,�KEp*e;1KLP`3ӈv"lZx2t�ȱȎ�b}�j6/�͜'ԋO0xeӕhWq;�X?Y 瑎m-)+$~Il=fe{,-W�r 1e~8Ş�i#x|��@ ]ۊnðSC+�K�ea$Viv�d>�^)ZF�,c<��[)�q~6`�<Щ0D\aս�)E=b�농\��Ѩ�pS�VD'����s-��y-"�yX�@cb3JڙBα�ya1 ���+��o=Љe6��G�{0^m,eLW�YX&�7đV�//O (;FÎI,G`aȖW�~9'жX�3�3}"@a)5BLN7;~ӣ�f<3%hB�6AmAb�?�ڱLca$Ӣq9q93E~6c]=8H�Vlw;��jW6Ȁ/|>[z0�H�Yptγ�H~!<,/�Zpɩ2?�})If}+S?�|c^4??vޘ#�{P�A)|ݫC�&�`]e,Eu`���//N༿u�Z,�r�=i0�!�b}E%@5Xk�yy3�v!?6@�A�TA?�4\BK�3��S2�)NN|�cC�ij2y(`w>Kl�UEQ;,9x7�JV �jJ}gdZ@�Dp'j�0Z?Y>�te*|ތ<| J$A�T�ާcD*;晬>5-_b�Z
u[`
Vđ��Mh)_unZ{rӹ ����Ə�J}�*� *kěp�+�O>WsNz�`l;$\c_�=ɴ�`f
HT=l�"�ŧ+fŻ
0�K:9X���e4hn;0�B��M�$���
�,~�Q8=�?H�l� Of.rY)DK6�{:E�/?7��_/ B`��\vQs�bvp௰2L|5@۳zyk�"W-[\8.@B�~�%B �1xU3Y[P8�_O�%n/hY�lYX`CMa�m_%��L#�x;wF#V%�W��RF��[�. y�OP)jͻM
F�rB�⭥8f Ω@�e.*Y��#�^,wcxYsK�6�MR&ilBe�3'�,xY.D]�qF�_�"yVw4Hm}翿59ny;˃��6*I�O�%�p�o&�<�MR���§�Vlʤ{�B$�G��x;wKJʫt.�
_.6&.G!��|uք�4T�ɜ�jk;ߐJw�Y.s|�����xV�M�zy�bHFT{�T�qՊUr�ޕpX+DjF�Lfp:v8m�Mja.uD!N,ǧ��Lc숡�xq T&ޡkK.�qeO|CV��
ǀ-}}hp
�:W=yپt(h1t%4y\0W=m:�J|"��r+qmw"sѹ9L;U�'|:��(ӹ9mA0�OXi} �j?&z�?
5X$l4G~ *<%xR��ZE&i d,!
p3�!ɁR�1nh��0+.C|}܆mJÁBo?�VnD'!&�-�mS��էr"3u�%VM��N#�?�͆[l?EG�WXx�/xh�XYx�=��
|
Network Security & Hardware 
