Pop-Up Program Snatches Banking Passwords
Among the sites targeted by the attack are some owned by Citibank, Deutsche Bank and Barclays Bank.
The attack is rather complex and appears to use a known flaw in Internet Explorer (IE) to drop a Trojan horse program on vulnerable machines. The Trojan is delivered through a malicious pop-up ad that loads a file called "img1big.gif" onto the machine. The file is in fact a compressed Win32 executable that contains the Trojan and a DLL.
The DLL is installed on the PC as a BHO (Browser Helper Object), a type of DLL that normally is used to let developers control IE in certain circumstances.
When IE runs on a machine infected with the malicious BHO, the file monitors IEs activities for any HTTPS sessions with URLs that have any of a large number of banking-related strings in them.
Once IE establishes an outgoing HTTPS connectionwhich is secured using SSL encryptionto one of these URLs, the BHO collects all of the outbound POST or GET data before it is encrypted, according to an analysis of the attack done by researchers at The SANS Institutes Internet Storm Center. The attack affects IE 4.x and later.
The BHO then starts a separate session that encrypts the captured data and sends it to a script running on a remote Web server. The stolen information will often include users user IDs and passwords, which are often the first things entered after starting a secure session with an online banking site.
"I believe that this particular type of malware represents a huge threat to the online financial industry," wrote researcher Tom Liston, who did the analysis of the attack for SANS. "As the proliferation of ad/spyware shows, installing executable software on users machines is far too easy. The approach of using the BHO makes this method of stealing identity information all the more insidious."
The ISC staff first got word of the new attack from a user who found the malicious file on one of his companys machines. The file had not installed and run correctly on the PC because the user had some restrictions on his account.
Liston spent a couple of days analyzing the attack and discovered that it takes advantage of an old vulnerability that lies in the way IE handles CHM (compiled HTML help) files.