Pop-up program reads keystrokes, steals passwords-Stay away from Online Banking??

[mrbowler]

[Only registered and activated users can see links. Either login above or Register Now]

A malicious program that installs itself through a pop-up can read keystrokes and steal passwords when victims visit any of nearly 50 targeted banking sites, security researchers warned on Tuesday.

The targeted sites include major financial institutions, such as Citibank, Barclays Bank and Deutsche Bank, researcher Marcus Sachs said Tuesday.

"If (the program) recognizes that you are on one of those sites, it does keystroke logging," said Sachs, director of the Internet Storm Center, a site that monitors network threats. Even though all financial sites use encryption built into the browser to protect log-in data, the Trojan horse program can capture the information before it gets encrypted by the browser software. "The browser does not encrypt data between your keyboard and computer. It's encrypting it (when it goes) out onto the Web."

Sachs said the Trojan horse was first discovered on the computer of "an employee at a major dot-com." The victim apparently picked up the program from a malicious pop-up ad that used a flaw in Internet Explorer's helper server to install itself on the user's PC. In this case, because of the computer's security settings, the installation failed. Microsoft said IE users should raise the security settings to high until the company issues a patch.

Two other IE flaws, which Microsoft has yet to fix, were used recently in two other hacking schemes, one last week that turned some Web sites into points of digital infection, and another, earlier in the month, that installed a toolbar on victims' computers that triggered pop-ups. This most recent Trojan horse differs from the attack software used in last week's Web site compromises but could be paired with that technique to spread spyware.

Researchers at the Internet Storm Center studied the Trojan horse file, called "img1big.gif," which was provided by the dot-com. Working through the weekend, the security experts reverse-engineered the program and discovered that it targeted a long list of banks and attempted to steal the account information of those institutions' customers.

The program points to a recent trend in computer viruses and remote-access Trojan horse, or RAT, programs: Attackers are increasingly after money. In April, security experts warned that 'bot networks'--large networks of zombified home PCs--are a greater threat than high-profile worms such as Sasser and MSBlast, because they could be used to steal financial information or to send untraceable spam.

"In the past, the most common way to collect financial information was through fraud like the Nigerian e-mail scam," said Oliver Friedrichs, senior manager in antivirus company Symantec's security response center. Friedrichs said that in the past few months, Symantec analysts have studied threats similar to the current Trojan horse.

Because it carries a .gif file extension, the Trojan horse appears to be a graphic in a compressed format commonly found on the Internet. In reality, it's two programs: a browser helper file that surreptitiously captures usernames and passwords; and a "file dropper" that installs the keyword logger on the victim's computer.

The first file attempts to run itself by using an old Internet Explorer flaw, and the second file uses a feature of most major browsers, known as helper files, to intercept data, Sachs said.

"Before data goes through your browser, it can be processed by a helper file," he said. "What makes this one really clever is that (it takes) advantage of the ability in all browsers to use helper files and defeat the encryption."

Once the Trojan horse captures financial information, it encrypts the data by using a program hosted on an Internet server and sends the data back to the attackers, who appear to be in South America, Sachs said.

Security experts have stressed the vulnerability of Microsoft's Internet Explorer recently, following public warnings of vulnerabilities in the browser that could enable attackers to install malicious programs. Those flaws have not yet been fixed by Microsoft.

An attack that had used a vulnerability to turn some Web sites into points of digital infection was nipped in the bud Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code. Compromised Web sites are still attempting to infect Web surfers' PCs by referring them to the server in Russia, but that computer can no longer be reached.

While the latest program is installed on Windows computers using a known vulnerability, the helper file hack exploits a feature, not a flaw, and could work with most major browsers, Sachs said.

"Sometimes, there's not much difference between a feature and a flaw," he said.

[dolphin9600]

Hope this isn't a stupid question and I am computer illiterate, lol, but how to I raise the security to high on my computer? I have windows xp.
Thanks!

Quote:

Originally Posted by mrbowler

[Only registered and activated users can see links. Either login above or Register Now]

A malicious program that installs itself through a pop-up can read keystrokes and steal passwords when victims visit any of nearly 50 targeted banking sites, security researchers warned on Tuesday.

The targeted sites include major financial institutions, such as Citibank, Barclays Bank and Deutsche Bank, researcher Marcus Sachs said Tuesday.

"If (the program) recognizes that you are on one of those sites, it does keystroke logging," said Sachs, director of the Internet Storm Center, a site that monitors network threats. Even though all financial sites use encryption built into the browser to protect log-in data, the Trojan horse program can capture the information before it gets encrypted by the browser software. "The browser does not encrypt data between your keyboard and computer. It's encrypting it (when it goes) out onto the Web."

Sachs said the Trojan horse was first discovered on the computer of "an employee at a major dot-com." The victim apparently picked up the program from a malicious pop-up ad that used a flaw in Internet Explorer's helper server to install itself on the user's PC. In this case, because of the computer's security settings, the installation failed. Microsoft said IE users should raise the security settings to high until the company issues a patch.

Two other IE flaws, which Microsoft has yet to fix, were used recently in two other hacking schemes, one last week that turned some Web sites into points of digital infection, and another, earlier in the month, that installed a toolbar on victims' computers that triggered pop-ups. This most recent Trojan horse differs from the attack software used in last week's Web site compromises but could be paired with that technique to spread spyware.

Researchers at the Internet Storm Center studied the Trojan horse file, called "img1big.gif," which was provided by the dot-com. Working through the weekend, the security experts reverse-engineered the program and discovered that it targeted a long list of banks and attempted to steal the account information of those institutions' customers.

The program points to a recent trend in computer viruses and remote-access Trojan horse, or RAT, programs: Attackers are increasingly after money. In April, security experts warned that 'bot networks'--large networks of zombified home PCs--are a greater threat than high-profile worms such as Sasser and MSBlast, because they could be used to steal financial information or to send untraceable spam.

"In the past, the most common way to collect financial information was through fraud like the Nigerian e-mail scam," said Oliver Friedrichs, senior manager in antivirus company Symantec's security response center. Friedrichs said that in the past few months, Symantec analysts have studied threats similar to the current Trojan horse.

Because it carries a .gif file extension, the Trojan horse appears to be a graphic in a compressed format commonly found on the Internet. In reality, it's two programs: a browser helper file that surreptitiously captures usernames and passwords; and a "file dropper" that installs the keyword logger on the victim's computer.

The first file attempts to run itself by using an old Internet Explorer flaw, and the second file uses a feature of most major browsers, known as helper files, to intercept data, Sachs said.

"Before data goes through your browser, it can be processed by a helper file," he said. "What makes this one really clever is that (it takes) advantage of the ability in all browsers to use helper files and defeat the encryption."

Once the Trojan horse captures financial information, it encrypts the data by using a program hosted on an Internet server and sends the data back to the attackers, who appear to be in South America, Sachs said.

Security experts have stressed the vulnerability of Microsoft's Internet Explorer recently, following public warnings of vulnerabilities in the browser that could enable attackers to install malicious programs. Those flaws have not yet been fixed by Microsoft.

An attack that had used a vulnerability to turn some Web sites into points of digital infection was nipped in the bud Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code. Compromised Web sites are still attempting to infect Web surfers' PCs by referring them to the server in Russia, but that computer can no longer be reached.

While the latest program is installed on Windows computers using a known vulnerability, the helper file hack exploits a feature, not a flaw, and could work with most major browsers, Sachs said.

"Sometimes, there's not much difference between a feature and a flaw," he said.

[mayfly]

make sure you are going to microsoft and keeping up on your updates!

[dolphin9600]

I updated a critical update earlier this morning...thanks!

[mrbowler]

Not sure what Browser you are using: But Microsoft had this article

[Only registered and activated users can see links. Either login above or Register Now]

Be sure to read those links on the bottom of page

[dolphin9600]

Thanks mrbowler, that is what I was looking for! You guys are a great help!
Thanks again!
Katie

[mrbowler]

Microsoft Releases Security Update

[Only registered and activated users can see links. Either login above or Register Now]

NEW YORK - Microsoft Corp. issued an interim security update Friday to protect users of its nearly ubiquitous Internet Explorer browsers from a new technique for spreading viruses.


The update does not entirely fix the flaw that makes the spread possible, but it changes settings in Windows operating systems to disable hackers' ability to deliver malicious code with it.


The security measure came in response to last week's discovery of a computer virus designed to steal valuable information like passwords. Though its outbreak was mild, security experts said the technique for spreading it was novel and could be used to send spam or launch broad attacks to cripple the Internet.


Hackers had converted hundreds and possibly thousands of Web sites into virus transmitters by first hiding malicious code using a vulnerability with Microsoft's software for operating Web sites. A fix for it had been issued in April but was not universally applied.


Two other flaws in Microsoft products allowed hackers to direct Internet Explorer browsers to automatically run the virus when visiting an infected site.


Though one of those flaws remains unfixed, Friday's setting changes thwart any attack by prohibiting a Web application from writing files — such as the virus code — onto users' computers.


The U.S. Computer Emergency Readiness Team urged computer users to install the update, saying it would greatly increase protection. But the advisory warned other types of attack remain possible.


Stephen Toulouse, a security program manager at Microsoft, said the company still was working on a comprehensive patch to fix vulnerabilities with Internet Explorer, but the settings change should protect users from the immediate threat.


The software update covers Windows XP (news - web sites), Windows Server 2003 and Windows 2000 (news - web sites), and Microsoft was working on ones for older systems.


The update will also be included with a major Windows XP upgrade, called Service Pack 2, later this summer. Toulouse said the Service Pack will include additional protections.


After installing Friday's update, users should be able to lower their security settings from the "high" one initially recommended as a stopgap, he said.


Russ Cooper, a senior researcher at TruSecure Corp., welcomed Friday's update, but said it should have come sooner than a week.


"It would have taken a couple of hours to put it together as a package, and (the testing) process can take a day or two," Cooper said.


But Toulouse said that given the broad user base for Windows and Internet Explorer, even a problem affecting less than 1 percent of users potentially hurts millions of customers.


He said the settings could potentially affect legitimate applications used internally by Web developers and corporate networks, and special instructions were available to address those cases.


The update will be automatically installed if computers are set to receive it. It is also available at [Only registered and activated users can see links. Either login above or Register Now].