New Trojan Steals Banking Information
The carrier of the threat, "img1big.gif," poses as an image file, according to the Storm Center in Bethesda, Md. The file is not an image at all but a file-dropper Trojan composed of a pair of Win32 executable programs compressed together with the open-source executable compressor UPX.
The Trojan installs a Browser Helper Object (BHO) in Internet Explorer version 4.x and higher. One of the two executables performs the initial install; the other installs the BHO. Once the BHO is loaded, it watches for secure connections to the URLs of several dozen banking and financial sites around the globe and "grabs any outbound POST/GET data from within IE before it is encrypted by SSL," according to Storm Center handler John Bambenek.
The outbound data--including user names and passwords--is sent over an HTTP connection created by the Trojan to the address http://www.refestltd.com/cgi-bin/yes.pl.
The center recommends free software called BHODemon from Definitive Solutions to help administrators identify BHOs installed on Windows systems.
BHODemon is a free tool that lists all Browser Helper Objects installed on a Windows system by scanning the registry, and it gives users the ability to disable them, Bambenek said.
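The registry walk BHODemon performs can be reproduced by hand on a Windows host. The script below is an added example written for this article; it is not BHODemon's code and not from the Storm Center. It enumerates the CLSIDs registered under the Browser Helper Objects key (both the native and the WOW6432Node hive), resolves each to its in-process DLL, checks the DLL's Authenticode status, and flags anything not on a locally maintained allowlist. The allowlist path and the vendor name in it are placeholders you would replace with the BHOs you actually expect on your systems.

```powershell
# Added example, not code from the article or from BHODemon.
# Enumerate Internet Explorer Browser Helper Objects from the registry and
# flag any whose DLL is not on a locally maintained allowlist.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Placeholder allowlist (assumption): populate with DLL paths you know to be legitimate.
$allowedDlls = @(
    'C:\Program Files\ExampleVendor\example_bho.dll'
)

function Get-BrowserHelperObject {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $key) {
            $clsid = $clsidKey.PSChildName
            $name  = $null
            $dll   = $null

            # The BHO key only lists a CLSID; the DLL that implements it lives
            # under HKCR\CLSID\<clsid>\InprocServer32 (default value).
            $clsidRoot = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $serverKey = "$clsidRoot\InprocServer32"
            if (Test-Path $clsidRoot) {
                $name = (Get-ItemProperty -Path $clsidRoot -ErrorAction SilentlyContinue).'(default)'
            }
            if (Test-Path $serverKey) {
                $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            }

            # Expand %SystemRoot%-style variables so the path can be checked on disk.
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

            # A missing or unsigned DLL is worth a second look; a valid signature
            # from a known publisher is the normal case for legitimate BHOs.
            $signature = $null
            if ($dll -and (Test-Path $dll)) {
                $signature = (Get-AuthenticodeSignature -FilePath $dll).Status
            }

            [PSCustomObject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                Signature = $signature
                Allowed   = [bool]($dll -and ($allowedDlls -contains $dll))
            }
        }
    }
}

$bhos = Get-BrowserHelperObject
$bhos | Format-Table -AutoSize

# Report everything that is not explicitly allowed so it can be reviewed.
$bhos | Where-Object { -not $_.Allowed } | ForEach-Object {
    Write-Warning "Unrecognised BHO $($_.CLSID) ($($_.Name)) loads '$($_.Dll)'; signature: $($_.Signature)"
}
```

Run it from an elevated PowerShell session so both hives and the DLLs' on-disk copies are readable. An entry reported as not allowed is only a prompt for review, not proof of compromise; the useful signals are a DLL outside Program Files or the Windows directory, an unsigned or invalid signature, or a CLSID whose name is blank. Once a suspect BHO is confirmed, deleting its CLSID subkey under the Browser Helper Objects key stops IE from loading it, which is the same mechanism BHODemon uses to disable an entry.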
Center director Marcus Sachs also warned this week that high-end multiplayer network gaming activities and new forms of PC user deception known as cognitive hacking present a growing danger to Internet security.
Sachs said that while firewalls and updated AV tools and patches provide adequate security against malicious code that could enter during a gaming session, it's the gamers themselves who could be tempted to disable firewalls and system resources in order to improve gaming performance.
Interactive gaming across a company network may strike most as a major policy no-no, but it happens in many smaller firms and some larger ones, typically after the close of the business day.
David Pattillo, a former producer at Metropolitan DVD, a Manhattan-based DVD company which mastered DVDs for films such as Traffic, said after-hours multiplayer gaming was common among Metropolitan's employees.
Tom Derosier, co-owner of the CPU Guys, Hanson, Mass., said he's seen instances where viruses were allowed to enter a network after employees disabled firewalls in order to give themselves a competitive edge in downloading the real-time playing fields shared by other contestants in the game.
"Most game makers are good about locking the game down so when the computer game loads it authenticates to make sure the right amount of data is there for each player, so everyone is playing in the same 'real time.' But if you want a one up, you can shut down as many resources as you can on the PC, and you're that much more ahead," Derosier said.
Earlier this month, Microsoft issued updates for Windows XP and Server 2003 that addressed vulnerabilities in an operating system component called IDirectPlay4, used during multiplayer network games. The vulnerability could lead to denial-of-service attacks, according to Microsoft security bulletin MS04-016.