The threat of Browser Helper Objects

TechRepublic
A series of threats that began with Download.Ject, but did not stop with that malware, is plaguing users of online financial sites. The attacks are intended to steal user account access information through the use of a keystroke logger. Because the logger captures keystrokes before they reach the browser's SSL layer, it completely bypasses the “locked” security designation that users have long been trained to watch for.

As earlier reported by ZDNet Australia, at least 50 financial institutions’ sites have been affected by these attacks -- including all major banks in Australia. When information has been recorded on the infected computer, the data is transmitted to a server located in Eastern Europe (initial reports placed it in Estonia).

These attacks come from third-party pop-up adware servers that plant a keystroke logger on systems when users visit any of the affected financial sites using Internet Explorer. Pop-up blockers initially appear to provide protection against this attack, as does the use of a Web browser other than IE.

At the root of this threat is something that most users (and some administrators) have never heard of -- BHOs (Browser Helper Objects). These are just DLL browser extensions that can be downloaded and installed in the background without the end user's knowledge.

Some BHOs are entirely benign, such as the W3C-approved P3P privacy protection utility, which is already installed on 17,000+ Web sites (including Microsoft, IBM, and AT&T). BHOs are intended to let developers modify and control the way a browser works, which is fine as long as you know one is being installed and approve its use. Unfortunately, a BHO can perform almost any action without passing information to the user and is therefore a goldmine for malware writers, if they can just get the executable onto a user’s computer.

The recent attack, analysed by the Internet Storm Center, involved a fake graphics file, img1big.gif, which unpacks into two Win32 executables, one of which is a randomly named BHO (xxxx.dll) placed in the directory c:\Windows\System32\.

This BHO will watch for secure (HTTPS) access to a list of specific financial-related URLs, including those for Citibank, ANZ, National, St George, Barclays and others. When the HTTPS connection initiates, the BHO captures keystrokes before they are encrypted by SSL and immediately transmits the file to www.refestltd.com/cgi-bin/yes.pl. Registration information for vesadvertising.com (which is linked to this attack) is bogus. A 10-page analysis of this new threat is available here.
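The traits described above (a randomly named DLL in System32, registered as a BHO, with no identifiable publisher) can be checked for across a Windows fleet. The script below is an added example written for this article, not code from the Internet Storm Center analysis or from Microsoft; it assumes the standard registry locations where IE lists BHOs and where CLSIDs map to their DLLs, and it only reads the registry and file signatures.

```powershell
# Added example (not from the article): inventory the Browser Helper Objects
# registered for Internet Explorer and flag the traits the article describes
# (a DLL in System32 with a short random-looking name, no valid signature).
# Run in an elevated PowerShell session on a Windows host; read-only.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoDllPath {
    param([string]$Clsid)
    # Each BHO subkey is a CLSID; the DLL path is the default value of
    # CLSID\{...}\InprocServer32 (checked in both the native and WOW64 views).
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

$report = foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid = $sub.PSChildName
        $dll   = Get-BhoDllPath -Clsid $clsid
        $sig   = if ($dll -and (Test-Path $dll)) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        $name  = if ($dll) { [IO.Path]::GetFileNameWithoutExtension($dll) } else { '' }
        $flags = @()
        if (-not $dll)                                   { $flags += 'no-inprocserver32' }
        elseif ($dll -like "$env:SystemRoot\System32\*") { $flags += 'in-system32' }
        if ($name -match '^[a-z0-9]{3,6}$')              { $flags += 'short-random-name' }
        if ($sig -and $sig.Status -ne 'Valid')           { $flags += "sig:$($sig.Status)" }
        [pscustomobject]@{
            CLSID     = $clsid
            Dll       = $dll
            Publisher = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Flags     = ($flags -join ',')
        }
    }
}
# Entries with several flags rise to the top; flags are leads for review, not verdicts,
# since legitimate vendors also ship short-named or unsigned BHOs.
$report | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Export the table with `Export-Csv` and diff it against a known-good baseline from a clean build to spot a BHO that appeared without a sanctioned install.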

Of course, business users typically should not be accessing their bank accounts at work, and few corporate accounting departments are routinely logging on to secure banking sites. The major importance of this series of BHO attacks for administrators is that businesses must be aware that their secure Web sites may be similarly compromised and could potentially disclose customer data, and that other attacks of a similar nature are likely.

For example, capturing a client’s logon information might let malware creators spoof the client's identity and order vast quantities of supplies or whatever you sell, redirecting delivery to their chosen location and billing it to your hapless client. Simple steps such as locking down delivery addresses so shipments can’t be redirected might help in some instances.

Applicability
All versions of Internet Explorer, beginning with IE 4.x, are vulnerable to this specific series of attacks. Any browser that permits BHOs or similar extensions can be vulnerable. The initial attacks have all targeted the popular Internet Explorer, but there doesn’t appear to be any reason why similar attacks couldn’t be launched against minor browsers such as Mozilla or Opera.

Risk level -- critical
Microsoft eventually upgraded the threat level to critical after some prodding from online security forums.

Mitigating factors
Pop-up ad blockers are becoming standard on many business systems, and these appear to prevent the initial attack by blocking the spyware keystroke logger from being downloaded in the background.

Using Netscape, Safari, Opera, or Mozilla browsers instead of Internet Explorer seems to provide complete protection against the initial attacks. However, the existence of extensions that can be installed in systems running those browsers means they may also become targets of similar phishing attacks.

Microsoft has recommended a set of configuration changes to Windows in order to help mitigate Download.Ject attacks. There is no patch available for the software itself, with the significant exception that systems with Windows XP Service Pack 2 Release Candidate 2 (probably the final version before XP SP2 ships) are protected.

Anyone can acquire the same protection without taking the risk of applying a beta version of SP2; simply make the same security setting changes that will automatically be created by XP SP2. This is the usual practice of disabling Active scripting and ActiveX controls in the Internet Zone (see CERT/CC Malicious Web Scripts FAQ) and securing the Local Machine Zone (see Microsoft Knowledge Base Article 833633).

For this security threat, there won't really be a “patch” in the normal sense of the term, because the major vulnerability in this case is in the ability to download BHOs in the background, which is a software feature rather than a vulnerability in the code.

Before anti-Microsoft fanatics pounce on this issue in the discussion to this article, I feel it's only fair to point out once again that many security experts (including myself) feel that the alternative browsers are clearly safer than IE, but that’s mostly because they have so few users and are, therefore, not as big a target.

Not making yourself a target is a great way to avoid trouble, but complacency can become a real danger in this situation. Simply switching to an alternative browser won't free you from risks. Other browsers must also be maintained, patched, and properly configured. As SANS Internet Storm Center discussions point out, Mozilla and other browsers also contain BHOs or other extensions that might make them vulnerable to similar attacks.


©2004 TechRepublic, Inc.


Talkback 2 comments

  1. Anonymous -- 23/09/04

    Ya know this wouldn't be an issue in the first place if only Microsoft removed the damn ActiveX, then you will find that 90% of all problems would disappear. I have had that damn program disabled for more than 3 years, ever since an article came out about how dangerous this little script can be, causing havoc on one's system. This is an ongoing issue that goes back to the IE4 days; wake up and smell the roses. If ya want all that floating graphics and extras, then take it on the cheek and stop whinging.

    P.S. Do a Google on the insecure ActiveX predating IE4 and ya'll see a list of them.

  2. Anonymous -- 01/01/05

    Just use a Mac! Simple.
