[vox] Yet another reason to avoid Internet Explorer

Bill Kendrick nbs at sonic.net
Tue Jun 29 14:34:53 PDT 2004


New scam targets bank customers
http://isc.incidents.org/diary.php?date=2004-06-29

  The victim of the attack found that a file called "img1big.gif" had
  been loaded onto their machine. Because of the account restrictions on
  the person running the machine, it had failed to install properly,
  which was why it had come to their attention.
  ...

  The second half of the file consists of a Win32 DLL that is
  installed by the file dropper under WindowsXP as a randomly named .dll
  file under C:\WINDOWS\System32\. This DLL is installed as a "Browser
  Helper Object" (BHO) under Internet Explorer.

  A "Browser Helper Object" is a DLL that allows developers to customize
  and control Internet Explorer. When IE 4.x and higher starts, it reads
  the registry to locate installed BHOs and then loads them into the
  memory space for IE. Created BHOs then have access to all the events
  and properties of that browsing session.


Here comes the important part:

  This particular BHO watches for HTTPS (secure) access to URLs of
  several dozen banking and financial sites in multiple countries.

  When an outbound HTTPS connection is made to such a URL, the BHO
  then grabs any outbound POST/GET data from within IE before it is
  encrypted by SSL. When it captures data, it creates an outbound HTTP
  connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the
  captured data to the script found at that location.


So there you have it.  IE simply hands off your banking info to this wacky
'BHO' DLL, which then passes it off to the Bad Guys.

Nice. :^P

In related news, Firefox 0.9.1 was recently released:

  http://www.mozilla.org/products/firefox/


-bill!
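Added example, not part of the original post or the ISC diary: the diary says IE finds BHOs by reading the registry, and that this one was a randomly named DLL under C:\WINDOWS\System32\. The script below walks those registry keys, resolves each BHO's CLSID to the DLL it loads, and reports whether the file is Authenticode-signed and whether it lives under System32, so an administrator can spot an entry that does not belong. It assumes a Windows host with PowerShell and read access to HKLM and HKCR; the Wow6432Node key (for 32-bit IE on 64-bit Windows) is an assumption about where else BHOs can be registered.

```powershell
# Enumerate Browser Helper Objects registered for Internet Explorer and
# show which DLL each one loads. Defender-side check only.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Assumed location for 32-bit IE on 64-bit Windows.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName   # each subkey is a {CLSID}
            # The CLSID maps to its DLL via HKCR\CLSID\{CLSID}\InprocServer32 (default value).
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
            }
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            # A BHO whose DLL is unsigned, missing, or dropped into System32 under an
            # unfamiliar name deserves a closer look.
            $sig = if ($path -and (Test-Path $path)) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $path
                Signature  = $sig
                InSystem32 = [bool]($path -and ($path -like "$env:SystemRoot\System32\*"))
            }
        }
    }
}

Get-RegisteredBho | Sort-Object Signature | Format-Table -AutoSize
```

Entries showing NotSigned or FileMissing, or an unfamiliar DLL name under System32, are the ones to investigate; the CLSID can then be removed from the Browser Helper Objects key to stop IE loading it.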

