BHODemon Banking scam. Online banking compromised

From: Jason (jcsousa_at_gmail.com)
Date: 06/30/04


Date: 30 Jun 2004 11:29:35 -0700

For those who have had problems with online banking using BHO Demon
under IE: it is suspected that this program is used to log your
account number and password before they are encrypted. Read this
information from SANS.

http://isc.incidents.org/

Handlers Diary June 29th 2004
Updated June 29th 2004 23:33 UTC (Handler: John Bambenek)
BHO scanning tool and New Scam Targets Bank Customers
------------------------------------------
Browser Helper Objects (BHO) scanning tool
------------------------------------------

BHODemon is a free tool that will list all Browser Helper Objects that
are installed on a Windows system by scanning the registry and give
you the ability to disable them. This will also list "good" BHOs as
well, but nevertheless is a useful tool in detecting and disabling
malicious software.

It is available at: http://www.definitivesolutions.com/bhodemon.htm

--------------------------------
New scam targets bank customers
--------------------------------

On June 24th, a visitor to the SANS Internet Storm Center reported
that his company was "...in the middle of a very disturbing ... issue
regarding the adware/spyware/IE exploit genre..." He requested help
analyzing an "encrypted or compressed" file that had been downloaded
to a machine at their site. Tom Liston, one of our volunteer handlers,
spent the weekend analyzing this issue. His findings are summarized
here.

The victim of the attack found that a file called "img1big.gif" had
been loaded onto their machine. Because of the account restrictions on
the person running the machine, it had failed to install properly,
which was why it had come to their attention. It is this file that
they forwarded to the SANS Internet Storm Center for analysis.

The file is not a graphic file at all. It is actually a 27648 byte
Win32 executable that has been compressed using the Open Source
executable compressor UPX. This file decompresses to an 81920 byte
file which contains two Win32 executables bound together. The first
portion of the file (and what actually runs if the file extension is
changed and the program is launched) is a "file dropper" Trojan,
designed to install any executable concatenated to its body. The
second half of the file consists of a Win32 DLL that is installed by
the file dropper under Windows XP as a randomly named .dll file under
C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper
Object" (BHO) under Internet Explorer.
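The two file properties the analysis above rests on (a ".gif" whose bytes begin with an MZ header rather than a GIF signature, and a PE whose section table carries UPX's section names) can be checked mechanically. The following is an added Python triage example, not code from the ISC diary, from Tom Liston's write-up or from BHODemon; the PE bytes it tests against are constructed in the block, not the real img1big.gif.

```python
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}   # section names the UPX packer writes
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png", "bmp"}

def pe_section_names(data):
    """Section names from a PE image, or [] if the bytes are not a well-formed PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return []
    coff = e_lfanew + 4                       # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]
        if len(raw) < 8:
            break                             # truncated table: stop rather than guess
        names.append(raw.rstrip(b"\0"))
    return names

def triage(filename, data):
    """Content-versus-extension and packer checks for a downloaded file."""
    ext = filename.lower().rsplit(".", 1)[-1]
    is_pe = data[:2] == b"MZ"
    sections = pe_section_names(data)
    upx = any(n in UPX_SECTIONS for n in sections)
    findings = []
    if ext == "gif" and data[:6] not in GIF_SIGNATURES:
        findings.append("extension .gif but no GIF signature")
    if is_pe and ext in IMAGE_EXTS:
        findings.append("Win32 executable (MZ header) disguised as an image")
    if upx:
        findings.append("UPX section names present: packed executable")
    return {"is_pe": is_pe, "sections": sections, "upx_packed": upx, "findings": findings}

def build_sample_pe(section_names):
    """Build a minimal PE-shaped byte string for testing (constructed, not real malware)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature right after DOS header
    opt = b"\0" * 224                          # PE32 optional header; contents irrelevant here
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, len(opt), 0x2102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + table
```

Section names are a quick packer indicator only: a sample repacked with a renamed or modified UPX build keeps the MZ/PE structure but not the UPX0/UPX1 names, so the extension-versus-content mismatch is the more durable signal.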

A "Browser Helper Object" is a DLL that allows developers to customize
and control Internet Explorer. When IE 4.x and higher starts, it reads
the registry to locate installed BHOs and then loads them into the
memory space for IE. Created BHOs then have access to all the events
and properties of that browsing session. This particular BHO watches
for HTTPS (secure) access to URLs of several dozen banking and
financial sites in multiple countries.
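The registry lookup described above (IE enumerates the CLSIDs under the Browser Helper Objects key and resolves each through its InprocServer32 entry) is also what a defender can walk to spot the indicator the diary gives: a randomly named DLL under System32. This is an added Python example, not BHODemon's code or anything from the diary; it parses a constructed .reg export embedded in the block, and the allowlist of vetted DLL names is an assumption the reviewer would fill in.

```python
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
KNOWN_BHO_DLLS = {"vendorbho.dll"}  # constructed allowlist of DLLs already vetted (assumption)

# Constructed .reg export, not a dump from the infected machine: one vetted BHO and one
# registered from a randomly named DLL under System32, the pattern the diary describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1B2C3D4-0000-0000-0000-000000000001}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1B2C3D4-0000-0000-0000-000000000002}]
[HKEY_CLASSES_ROOT\CLSID\{A1B2C3D4-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\VendorToolbar\\vendorbho.dll"
[HKEY_CLASSES_ROOT\CLSID\{A1B2C3D4-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\System32\\qzkxwvtp.dll"
"""

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def enumerate_bhos(reg):
    """Resolve every registered BHO CLSID to its DLL, the lookup IE performs at start-up."""
    result = {}
    for key in reg:
        if key.startswith(BHO_KEY + "\\"):
            clsid = key[len(BHO_KEY) + 1:]
            server = reg.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32", {})
            result[clsid] = server.get("(default)")   # None if the CLSID has no server
    return result

def flag_bho(dll_path):
    """Reasons a BHO deserves a closer look; an empty list means nothing notable."""
    if dll_path is None:
        return ["CLSID has no InprocServer32 entry; registration is broken or hidden"]
    low = dll_path.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if name not in KNOWN_BHO_DLLS:
        reasons.append("unvetted DLL" + (" under System32" if "\\system32\\" in low else ""))
    if re.fullmatch(r"[b-df-hj-np-tv-z]{6,}\.dll", name):   # consonant-only stem, no real word
        reasons.append("random-looking file name")
    return reasons
```

The name heuristic is deliberately crude; on a live system the same walk over HKLM plus HKCR, followed by a hash or signature check of each resolved DLL, is what a tool like BHODemon lets you act on.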

When an outbound HTTPS connection is made to such a URL, the BHO then
grabs any outbound POST/GET data from within IE before it is encrypted
by SSL. When it captures data, it creates an outbound HTTP connection
to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data
to the script found at that location.

A complete write-up of Tom's findings is available online at
http://isc.sans.org/presentations/banking_malware.pdf

Please direct any questions about this issue to the Storm Center using
our online contact form at http://isc.sans.org/contact.php

---------------------------
Yesterday's Mailbag on ADSs
---------------------------

A member of the GCWN board has written an honors paper for his
certification on ADSs. The paper is located at
http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.pdf

{Posted by Marcus H. Sachs, SANS Internet Storm Center Director}
----------------------------------------------------------------
Handler on Duty: John Bambenek, jbamb-at-pentex-net.com

Interested in meeting handlers in person? Discuss this diary over a
beer? Visit us at SANSFIRE, the Internet Storm Center Conferences.
Monterey, CA, July 6-11th. @Night talks picked by the ISC and the best
security training you can get.

http://isc.incidents.org/