
New attacks that have surfaced attempt to compromise Microsoft Internet
Explorer in order to steal financial account usernames and passwords. Attackers are exploiting unpatched flaws in IE to steal vital
information via a keystroke logger.


A series of threats that began with Download.Ject, but didn’t stop with that malware, are plaguing users
of online financial sites. The attacks are intended to steal user account
access information through the use of a keystroke logger. The logger will
completely bypass the “locked” security designation for which users have long
been trained to watch.

Electricnews.net has reported that at least 50 financial
institutions’ sites have been affected by these attacks. When information has
been recorded on the infected computer, the data is transmitted to a server
located in Eastern Europe (initial reports placed it in Estonia).

These attacks come from third-party pop-up adware servers
that plant a keystroke logger on systems when users visit any of the affected
financial sites using Internet Explorer. Pop-up blockers initially appear to
provide protection against this attack, as does the use of a Web browser other
than IE.

At the root of this threat is something that most users (and
some administrators) have never heard of—BHOs (Browser Helper Objects). These
are just DLL browser extensions that can be downloaded and installed in the
background without the end user’s knowledge.

Some BHOs are entirely benign, such as the W3C-approved P3P privacy protection utility, which is already installed on
17,000+ Web sites (including Microsoft, IBM, and AT&T). BHOs are intended
to let developers modify and control the way a browser works, which is fine as
long as you know it’s being installed and approve its use. Unfortunately, a BHO
can perform almost any action without passing information to the user and is
therefore a goldmine for malware writers, if they can just get the executable
into a user’s computer.

The recent attack, analyzed by the Internet Storm Center, involved a fake
graphics file, img1big.gif, which resolves into two Win32 executables, one of
which will be a randomly named (xxxx.dll) BHO in the directory
c:\Windows\System32\.

This BHO will watch for secure (HTTPS) access to a list of
specific financial-related URLs, including Citibank.com, Barclays.co.uk, and
others. When the HTTPS connection initiates, the BHO captures keystrokes before
they are encrypted by SSL and immediately transmits the file to www.refestltd.com/cgi-bin/yes.pl.
Registration information for vesadvertising.com (which is linked to this
attack) is bogus. A 10-page analysis of this new threat is available here.
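Because a BHO has to be registered with Internet Explorer before the browser will load it, the registry is where a defender can see what is installed, whatever the user was or was not told. The script below is an added example written today in PowerShell; it is not code from the article or from the Internet Storm Center analysis. It walks the standard BHO registration key, resolves each CLSID to the DLL path recorded under InprocServer32, and flags the traits the article's sample shared: an unsigned DLL, dropped directly into System32, with a short random-looking name. The key paths and the signature check are standard Windows facilities; the flagging heuristics are assumptions of this example, not rules from the article.

```powershell
# Added example (not the article's or the Internet Storm Center's code): list every BHO
# registered for Internet Explorer on this machine, resolve its CLSID to the DLL that gets
# loaded, and flag the traits the article's sample had (unsigned, in System32, short random name).
# Assumes the standard BHO registration key and the usual CLSID -> InprocServer32 resolution.

$bhoKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)
$system32 = Join-Path $env:SystemRoot 'System32'

function Resolve-BhoDll {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $server = "$root\$Clsid\InprocServer32"
        if (Test-Path $server) {
            $raw = (Get-ItemProperty -Path $server).'(default)'
            if ($raw) {
                # Registered paths may be quoted and may use %SystemRoot%-style variables
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid   = $entry.PSChildName
            $dll     = Resolve-BhoDll -Clsid $clsid
            $reasons = @()
            $signer  = 'n/a'

            if (-not $dll) {
                $reasons += 'CLSID does not resolve to a DLL'
            } elseif (-not (Test-Path -LiteralPath $dll)) {
                $reasons += 'registered DLL is missing on disk'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -ne 'Valid') {
                    $reasons += "not validly signed ($($sig.Status))"
                } else {
                    $signer = $sig.SignerCertificate.Subject
                }
                # Heuristics modelled on the article's sample: an xxxx.dll dropped into System32
                $dir  = Split-Path -Path $dll -Parent
                $name = Split-Path -Path $dll -Leaf
                if ($dir -ieq $system32) { $reasons += 'lives directly in System32' }
                if ($name -match '^[a-z0-9]{4}\.dll$') { $reasons += 'four-character random-looking name' }
            }

            [PSCustomObject]@{
                CLSID   = $clsid
                DLL     = $dll
                Signer  = $signer
                Suspect = ($reasons.Count -gt 0)
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Usage: run in an elevated session for a complete view; review every Suspect=True row
# (signer, path, file version) before unregistering or deleting anything.
Get-RegisteredBho | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize
```

A legitimately signed BHO can still be unwanted, and an unsigned one can be harmless, so the Suspect column is a triage aid rather than a verdict; the value of running this on a schedule is that a newly appearing CLSID stands out against the previous inventory.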

Of course, business users typically should not be accessing
their bank accounts at work, and few corporate accounting departments are
routinely logging on to secure banking sites. The major importance of this
series of BHO attacks for administrators is that businesses must be aware that
their secure Web sites may be similarly compromised and could potentially
disclose customer data, and that other attacks of a similar nature are likely.

For example, capturing a client’s logon information might
let malware creators spoof the client’s identity and order vast quantities of
supplies or whatever you sell, redirecting delivery to their chosen location
and billing it to your hapless client. Simple steps such as locking down
delivery addresses so shipments can’t be redirected might help in some

A new Internet Explorer?

Sources have reported that Microsoft has now decided to
completely rewrite Internet Explorer, but this could take up to a year.


All versions of Internet Explorer, beginning with IE 4.x,
are vulnerable to this specific series of attacks. Any browser that permits BHOs
or similar extensions can be vulnerable. The initial attacks have all targeted the
popular Internet Explorer, but there doesn’t appear to be any reason why
similar attacks couldn’t be launched against minor browsers such as Mozilla or Opera.

Risk level—critical

Microsoft eventually upgraded the threat level to critical
after some prodding from online security forums.

Mitigating factors

Pop-up ad blockers are becoming standard on many business
systems, and these appear to prevent the initial attack by blocking the
spyware keystroke logger from being downloaded in the

Using Netscape, Safari, Opera, or Mozilla browsers instead
of Internet Explorer seems to provide complete protection against the initial
attacks. However, the existence of extensions that can be installed in systems
running those browsers means they may also become targets of similar phishing


Microsoft has recommended a set of configuration changes to Windows in order to help mitigate
Download.Ject attacks. There is no patch available for the software itself,
with the significant exception that systems with Windows XP Service Pack 2
Release Candidate 2 (probably the final version before XP SP2 ships) are

Anyone can acquire the same protection without taking the
risk of applying a beta version of SP2; simply make the same security setting
changes that will automatically be created by XP SP2. This is the usual
practice of disabling Active scripting and ActiveX controls in the Internet
Zone (see CERT/CC Malicious Web Scripts FAQ) and securing the Local
Machine Zone (see Microsoft Knowledge Base Article 833633).
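The two settings the paragraph names live in the Internet Explorer zone keys in the registry: value name 1400 is Active scripting and value name 1200 is Run ActiveX controls and plug-ins, each holding 0 (Enable), 1 (Prompt) or 3 (Disable). Zone 3 is the Internet Zone and zone 0 is the Local Machine Zone that KB 833633 hardens. The script below is an added example written in PowerShell today, not Microsoft's code or the article's; it audits both values in both zones for the current user and the machine, and can write the Disable setting for the current user. It assumes the two value names carry the same meaning in zone 0 as in zone 3.

```powershell
# Added example (not Microsoft's KB or the article's code): audit, and optionally apply, the two
# Internet Explorer zone settings the article describes: Active scripting (value name 1400) and
# Run ActiveX controls and plug-ins (value name 1200). Data 0 = Enable, 1 = Prompt, 3 = Disable.
# Zone 3 is the Internet Zone; zone 0 is the Local Machine Zone covered by KB 833633.
# Assumption: the same two value names mean the same thing in zone 0 as in zone 3.

$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}
$zones   = [ordered]@{ '3' = 'Internet'; '0' = 'Local Machine' }
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneKey {
    param([string]$Hive, [string]$Zone)
    "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
}

function Get-ZoneAudit {
    # Reports both hives: a machine (HKLM) value overrides the user's when the
    # Security_HKLM_only policy is in force, so both are worth seeing.
    foreach ($zone in $zones.Keys) {
        foreach ($hive in 'HKCU', 'HKLM') {
            $key = Get-ZoneKey -Hive $hive -Zone $zone
            foreach ($action in $actions.Keys) {
                $data = $null
                if (Test-Path $key) {
                    $data = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
                }
                if ($null -eq $data) {
                    $state = 'not set'
                } elseif ($meaning.ContainsKey([int]$data)) {
                    $state = $meaning[[int]$data]
                } else {
                    $state = "unknown ($data)"
                }
                [PSCustomObject]@{
                    Zone     = "$zone ($($zones[$zone]))"
                    Hive     = $hive
                    Setting  = $actions[$action]
                    Data     = $data
                    State    = $state
                    Hardened = ($data -eq 3)
                }
            }
        }
    }
}

function Set-ZoneHardening {
    # Writes Disable (3) for both actions into the current user's Internet and Local Machine zones.
    param([switch]$Apply)
    foreach ($zone in $zones.Keys) {
        $key = Get-ZoneKey -Hive 'HKCU' -Zone $zone
        if ($Apply -and -not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $actions.Keys) {
            if ($Apply) {
                Set-ItemProperty -Path $key -Name $action -Value 3 -Type DWord
            } else {
                Write-Host "would set $key\$action = 3 (Disable) for '$($actions[$action])'"
            }
        }
    }
}

Get-ZoneAudit | Format-Table -AutoSize
Set-ZoneHardening            # dry run; add -Apply to write the values
```

On a managed network the same two values belong in Group Policy rather than in a per-user script, which also keeps users from turning them back on; the audit function is still useful there, because it shows what the machine actually holds after policy has applied. Disabling Active scripting in the Internet Zone breaks many sites, so the usual companion step is adding the sites the business depends on to the Trusted Sites zone.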

For this security threat, there won’t really be a “patch” in
the normal sense of the term, because the major vulnerability in this case is
in the ability to download BHOs in the background, which is a software feature
rather than a vulnerability in the code.

Final word

Before anti-Microsoft fanatics pounce on this issue in the
discussion to this article, I feel it’s only fair to point out once again that
many security experts (including myself) feel that the alternative browsers are
clearly safer than IE, but that’s mostly because they have so few users and
are, therefore, not as big a target.

Not making yourself a target is a great way to avoid
trouble, but complacency can become a real danger in this situation. Simply
switching to an alternative browser won’t free you from risks. Other browsers
must also be maintained, patched, and properly configured. As SANS Internet
Storm Center discussions point out, Mozilla and other browsers also contain
BHOs or other extensions that might make them vulnerable to similar attacks.

Also watch for…

The new draft of NIST Special Publication 800-68, “Guidance for Securing
Microsoft Windows XP Systems for IT Professionals: A NIST Security
Configuration Checklist,” aims to help government IT experts secure Windows XP,
but it’s also completely applicable to corporate network administrators
managing Windows XP. Besides general suggestions about installation, patching,
and backup policies, the Zip also contains templates and information about
securing Microsoft Office applications, firewalls, Web browsers, and spyware
detection/removal.

Wading through the 149-page PDF file, I note that this is a
very comprehensive set of guidelines that includes specific advice for securing
Microsoft Office 2003, OpenOffice, IE 6, Navigator, Firefox, Outlook, Eudora,
Mozilla, Thunderbird, ZoneAlarm, BlackICE, Norton and Sygate personal
firewalls, Ad-Aware, Spybot, as well as Symantec, McAfee, and Sophos AV
software. Appendix B even includes information on Windows XP SP2 RC2, and when
the comment period is over in August, the final version will probably cover the
final code for XP SP2.

A lot of users will want to skip over the first 50 or so
pages and go directly to Section 5.1 to get a look at the Windows XP security
templates. These templates go well beyond those that ship with XP and are based
on recommendations by Microsoft, the U.S. Defense Intelligence Security Agency,
and the U.S. National Security Agency.