Enterprise Software

Download.Ject can cause Internet Explorer to expose secure transactions

A feature in Internet Explorer can allow attackers to hijack secure financial transactions from unsuspecting users.

If security is a major concern for your organization, check out TechRepublic's IT Security Survival Guide. This book and CD provide the information you need to keep your organization's IT systems safe from contemporary network threats and to protect systems and data.

New attacks that have surfaced attempt to compromise Microsoft Internet Explorer in order to steal financial account usernames and passwords. Attackers are exploiting unpatched flaws in IE to steal vital information via a keystroke logger.

Details

A series of threats that began with Download.Ject, but didn't stop with that malware, are plaguing users of online financial sites. The attacks are intended to steal user account access information through the use of a keystroke logger. The logger will completely bypass the "locked" security designation for which users have long been trained to watch.

Electricnews.net has reported that at least 50 financial institutions' sites have been affected by these attacks. When information has been recorded on the infected computer, the data is transmitted to a server located in Eastern Europe (initial reports placed it in Estonia).

These attacks come from third-party pop-up adware servers that plant a keystroke logger on systems when users visit any of the affected financial sites using Internet Explorer. Pop-up blockers initially appear to provide protection against this attack, as does the use of a Web browser other than IE.

At the root of this threat is something that most users (and some administrators) have never heard of—BHOs (Browser Helper Objects). These are just DLL browser extensions that can be downloaded and installed in the background without the end user's knowledge.

Some BHOs are entirely benign, such as the W3C-approved P3P privacy protection utility, which is already installed on 17,000+ Web sites (including Microsoft, IBM, and AT&T). BHOs are intended to let developers modify and control the way a browser works, which is fine as long as you know it's being installed and approve its use. Unfortunately, a BHO can perform almost any action without passing information to the user and is therefore a goldmine for malware writers, if they can just get the executable into a user's computer.

The recent attack, analyzed by the Internet Storm Center, involved a fake graphics file, img1big.gif, which resolves into two Win32 executables, one of which will be a randomly named (xxxx.dll) BHO in the directory c:\Windows\System32\.

This BHO will watch for secure (HTTPS) access to a list of specific financial-related URLs, including Citibank.com, Barclays.co.uk, and others. When the HTTPS connection initiates, the BHO captures keystrokes before they are encrypted by SSL and immediately transmits the file to www.refestltd.com/cgi-bin/yes.pl. Registration information for vesadvertising.com (which is linked to this attack) is bogus. A 10-page analysis of this new threat is available here.

Of course, business users typically should not be accessing their bank accounts at work, and few corporate accounting departments are routinely logging on to secure banking sites. The major importance of this series of BHO attacks for administrators is that businesses must be aware that their secure Web sites may be similarly compromised and could potentially disclose customer data, and that other attacks of a similar nature are likely.

For example, capturing a client's logon information might let malware creators spoof the client's identity and order vast quantities of supplies or whatever you sell, redirecting delivery to their chosen location and billing it to your hapless client. Simple steps such as locking down delivery addresses so shipments can't be redirected might help in some instances.


A new Internet Explorer?

Sources have reported that Microsoft has now decided to completely rewrite Internet Explorer, but this could take up to a year.


Applicability

All versions of Internet Explorer, beginning with IE 4.x, are vulnerable to this specific series of attacks. Any browser that permits BHOs or similar extensions can be vulnerable. The initial attacks have all targeted the popular Internet Explorer, but there doesn't appear to be any reason why similar attacks couldn't be launched against minor browsers such as Mozilla or Opera.

Risk level—critical

Microsoft eventually upgraded the threat level to critical after some prodding from online security forums.

Mitigating factors

Pop-up ad blockers are becoming standard on many business systems, and these appear to prevent the initial attack by blocking the spyware keystroke logger from being downloaded in the background.

Using Netscape, Safari, Opera, or Mozilla browsers instead of Internet Explorer seems to provide complete protection against the initial attacks. However, the existence of extensions that can be installed in systems running those browsers means they may also become targets of similar phishing attacks.

Fix

Microsoft has recommended a set of configuration changes to Windows in order to help mitigate Download.Ject attacks. There is no patch available for the software itself, with the significant exception that systems with Windows XP Service Pack 2 Release Candidate 2 (probably the final version before XP SP2 ships) are protected.

Anyone can acquire the same protection without taking the risk of applying a beta version of SP2; simply make the same security setting changes that will automatically be created by XP SP2. This is the usual practice of disabling Active scripting and ActiveX controls in the Internet Zone (see CERT/CC Malicious Web Scripts FAQ) and securing the Local Machine Zone (see Microsoft Knowledge Base Article 833633).

For this security threat, there won't really be a "patch" in the normal sense of the term, because the major vulnerability in this case is in the ability to download BHOs in the background, which is a software feature rather than a vulnerability in the code.

Final word

Before anti-Microsoft fanatics pounce on this issue in the discussion to this article, I feel it's only fair to point out once again that many security experts (including myself) feel that the alternative browsers are clearly safer than IE, but that's mostly because they have so few users and are, therefore, not as big of a target.

Not making yourself a target is a great way to avoid trouble, but complacency can become a real danger in this situation. Simply switching to an alternative browser won't free you from risks. Other browsers must also be maintained, patched, and properly configured. As SANS Internet Storm Center discussions point out, Mozilla and other browsers also contain BHOs or other extensions that might make them vulnerable to similar attacks.


Also watch for…

The new draft of NIST Special Publication 800-68, "Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist," aims to help government IT experts secure Windows XP, but it's also completely applicable to corporate network administrators managing Windows XP. Besides general suggestions about installation, patching, and backup policies, the Zip file also contains templates and information about securing Microsoft Office applications, firewalls, Web browsers , and spyware detection/removal.

Wading through the 149-page PDF file, I note that this is a very comprehensive set of guidelines that includes specific advice for securing Microsoft Office 2003, OpenOffice, IE 6, Navigator, Firefox, Outlook, Eudora, Mozilla, Thunderbird, ZoneAlarm, BlackICE, Norton and Sygate personal firewalls, Ad-Aware, Spybot, as well as Symantec, McAfee, and Sophos AV software. Appendix B even includes information on Windows XP SP2 RC2, and when the comment period is over in August, the final version will probably cover the final code for XP SP2.

A lot of users will want to skip over the first 50 or so pages and go directly to Section 5.1 to get a look at the Windows XP security templates. These templates go well beyond those that ship with XP and are based on recommendations by Microsoft, the U.S. Defense Intelligence Security Agency, and the U.S. National Security Agency.


Editor's Picks

Free Newsletters, In your Inbox