Pop-Up Program Snatches Banking Passwords

The attack uses an old vulnerability in Internet Explorer to drop a Trojan horse on vulnerable machines, where the program then captures financial information, encrypts the data and returns it to attackers.

Customers who use a number of the top online banking sites are at risk of falling prey to a new Web-based attack that snatches user IDs and passwords for these sites.

Among the sites targeted by the attack are some owned by Citibank, Deutsche Bank and Barclays Bank.

The attack is rather complex and appears to use a known flaw in Internet Explorer (IE) to drop a Trojan horse program on vulnerable machines. The Trojan is delivered through a malicious pop-up ad that loads a file called "img1big.gif" onto the machine. The file is in fact a compressed Win32 executable that contains the Trojan and a DLL.

The DLL is installed on the PC as a BHO (Browser Helper Object), a type of DLL that normally is used to let developers control IE in certain circumstances.

When IE runs on a machine infected with the malicious BHO, the file monitors IEs activities for any HTTPS sessions with URLs that have any of a large number of banking-related strings in them.

/zimages/4/28571.gifClick here to read about malicious code that has been affecting some Windows machines.

Once IE establishes an outgoing HTTPS connection—which is secured using SSL encryption—to one of these URLs, the BHO collects all of the outbound POST or GET data before it is encrypted, according to an analysis of the attack done by researchers at The SANS Institutes Internet Storm Center. The attack affects IE 4.x and later.

/zimages/4/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

The BHO then starts a separate session that encrypts the captured data and sends it to a script running on a remote Web server. The stolen information will often include users user IDs and passwords, which are often the first things entered after starting a secure session with an online banking site.

"I believe that this particular type of malware represents a huge threat to the online financial industry," wrote researcher Tom Liston, who did the analysis of the attack for SANS. "As the proliferation of ad/spyware shows, installing executable software on users machines is far too easy. The approach of using the BHO makes this method of stealing identity information all the more insidious."

/zimages/4/28571.gifLinux & Open Source Editor Steven Vaughan-Nichols says using IE is too big of a risk these days. Click here for his column.

The ISC staff first got word of the new attack from a user who found the malicious file on one of his companys machines. The file had not installed and run correctly on the PC because the user had some restrictions on his account.

Liston spent a couple of days analyzing the attack and discovered that it takes advantage of an old vulnerability that lies in the way IE handles CHM (compiled HTML help) files.

/zimages/4/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.


Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page