
SANS ISC InfoSec Handlers Diary Blog



BHO, Browsers and related / Port 3705 / ISCAlert Portuguese version

Published: 2004-06-30
Last Updated: 2004-06-30 22:19:12 UTC
by Pedro Bueno (Version: 1)

Today a user sent a question about BHOs
(Browser 'Helper' Objects) and browsers other than IE. Tom
Liston, one of our ISC Handlers, answered:
"...this could be an issue for any of the major browsers.
While BHOs *are* specific to IE, Mozilla-based variants
have "extensions", and all other browsers have a means to
extend their functionality.

The issue under IE is that BHOs can be silently installed
and there is no good way within IE to see what BHOs are on
your machine.

But *any* trojaned extension to *any* browser's
functionality could do the same thing that this malware
does. It then becomes a question of how difficult it is to
get it installed on the target machine..."

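Since IE itself gives no view of installed BHOs, the check a practitioner runs is against the registry. The following is an added example, not code from the diary: it enumerates the BHOs recorded in a regedit (.reg) export, so it also works on an export pulled from a machine under investigation. The key paths are the real registration points (BHOs register as CLSID subkeys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, and the DLL each one loads is the default value of HKCR\CLSID\{clsid}\InProcServer32); the .reg content, CLSIDs, names and DLL paths embedded below are constructed sample data.

```python
"""Enumerate the BHOs registered in a regedit (.reg) export.

Added example, not code from the ISC diary. The two key paths are the real
BHO registration points; SAMPLE_REG below is constructed sample data.
"""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed sample export: one named BHO with a vendor DLL and one
# anonymous CLSID pointing at a DLL in system32 (all names invented).
# Real regedit exports are UTF-16 text; decode them before parsing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66666666-7777-8888-9999-000000000000}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Vendor Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{66666666-7777-8888-9999-000000000000}\InProcServer32]
@="C:\\WINDOWS\\system32\\sample_unknown.dll"
"ThreadingModel"="Apartment"
"""

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _decode_value(raw):
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:/binary data is left undecoded


def parse_reg(text):
    """Return {key_path: {value_name: value}}; '@' is the key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode_value(m.group(2))
    return keys


def enumerate_bhos(keys):
    """List every CLSID registered as a BHO with its display name and DLL."""
    index = {k.lower(): v for k, v in keys.items()}   # registry paths are case-insensitive
    prefix = BHO_KEY.lower() + "\\"
    found = []
    for key in keys:
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if "\\" in clsid:          # a deeper subkey, not a registration
            continue
        base = f"{CLSID_KEY.lower()}\\{clsid.lower()}"
        name = index.get(base, {}).get("@")
        dll = index.get(base + "\\inprocserver32", {}).get("@")
        found.append({"clsid": clsid, "name": name, "dll": dll})
    return found


def triage(bhos):
    """Heuristic, not a verdict: BHOs with no registered name deserve a second look."""
    return [b for b in bhos if not b["name"]]


if __name__ == "__main__":
    for b in enumerate_bhos(parse_reg(SAMPLE_REG)):
        print(f'{b["clsid"]}  {b["name"] or "(no name)"}  {b["dll"]}')
```

On a live machine the same two lookups can be done directly with the winreg module; the .reg form is shown because it needs no access to the box. An unnamed CLSID is only a hint; the DLL it points at is what has to be examined.
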
Still on the IE issues, we received a report about "a new
exploit targeting users of Internet Explorer". According to
the user, the trojan tries to overwrite the telnet.exe
executable. The file was submitted and we found that it is
already detected by AV as the win32/TrojanDownloader.Harnig.Q
trojan.

Another report asks whether Macs are exposed to the online
banking threat from yesterday's diary. As far as we know,
the binary will only run on Windows.

Banking Spyware Snort Sigs

About yesterday's diary "New scam targets bank customers", Matt
Jonkman just pointed us to the Snort signatures for the
Banking Spyware that are posted at bleedingsnort.com:

#Thanks James Ashton

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yesadvertising Banking Spyware RETRIEVE"; uricontent:"/img1big.gif"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; sid:2000336; rev:1;)

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yesadvertising Banking Spyware INFORMATION SUBMIT"; uricontent:"/cgi-bin/yes.pl"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; sid:2000337; rev:1;)

Reference:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/MALWARE_Yesadvertising_Banking_Spyware
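To show what these two signatures actually test, here is an added example (not from the diary or from bleedingsnort.com) that parses the rules above and applies them to a handful of constructed HTTP requests. The $HOME_NET value (10.0.0.0/8) and the request records are assumptions made for illustration. It is a simplified stand-in for Snort: uricontent is matched against the raw request URI rather than Snort's normalised HTTP URI buffer, and only the "->" direction is implemented. Options are kept in order because nocase modifies the uricontent that precedes it.

```python
"""Apply the two Bleeding Snort banking-spyware signatures to HTTP requests.

Added example, not code from the diary or from bleedingsnort.com. The rule
text is the diary's; $HOME_NET and the requests are assumed/constructed.
"""
import ipaddress
import re

HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed value of $HOME_NET

RULES = [
    'alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yesadvertising '
    'Banking Spyware RETRIEVE"; uricontent:"/img1big.gif"; nocase; '
    'reference:url,isc.sans.org/presentations/banking_malware.pdf; '
    'sid:2000336; rev:1;)',
    'alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yesadvertising '
    'Banking Spyware INFORMATION SUBMIT"; uricontent:"/cgi-bin/yes.pl"; '
    'nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; '
    'sid:2000337; rev:1;)',
]

# Constructed requests: source/destination, ports and the request URI.
SAMPLE_REQUESTS = [
    {"src": "10.1.2.3", "sport": 3422, "dst": "192.0.2.10", "dport": 80, "uri": "/img1big.gif"},
    {"src": "10.1.2.3", "sport": 3423, "dst": "192.0.2.10", "dport": 80, "uri": "/cgi-bin/YES.PL"},
    {"src": "10.1.2.3", "sport": 3424, "dst": "192.0.2.10", "dport": 8080, "uri": "/img1big.gif"},
    {"src": "198.51.100.7", "sport": 51000, "dst": "10.1.2.3", "dport": 80, "uri": "/img1big.gif"},
    {"src": "10.1.2.3", "sport": 3425, "dst": "192.0.2.10", "dport": 80, "uri": "/index.html"},
]

_HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split a rule into its header fields and an ordered option list."""
    m = _HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []          # order matters: nocase modifies the preceding uricontent
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if ":" in opt:
            key, value = opt.split(":", 1)
            options.append((key.strip(), value.strip().strip('"')))
        else:
            options.append((opt, None))
    opts = dict(options)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": options, "sid": int(opts["sid"]), "msg": opts["msg"]}


def _uri_patterns(options):
    """Return (needle, nocase) pairs for every uricontent option."""
    pats = []
    for key, value in options:
        if key == "uricontent":
            pats.append([value, False])
        elif key == "nocase" and pats:
            pats[-1][1] = True
    return [tuple(p) for p in pats]


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(ip) in net


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, req):
    """True when the request satisfies the header and every uricontent (-> only)."""
    if rule["proto"] != "tcp":
        return False
    if not (_addr_matches(rule["src"], req["src"]) and _port_matches(rule["sport"], req["sport"])):
        return False
    if not (_addr_matches(rule["dst"], req["dst"]) and _port_matches(rule["dport"], req["dport"])):
        return False
    for needle, nocase in _uri_patterns(rule["options"]):
        hay = req["uri"]
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def scan(requests, rules=RULES):
    """Return (sid, msg, uri) for every request that triggers a rule."""
    parsed = [parse_rule(r) for r in rules]
    return [(rule["sid"], rule["msg"], req["uri"])
            for req in requests for rule in parsed if rule_matches(rule, req)]


if __name__ == "__main__":
    for sid, msg, uri in scan(SAMPLE_REQUESTS):
        print(f"sid {sid}: {msg} <- {uri}")
```

Running it prints two alerts, one per signature. The third and fourth requests show the two silent cases to expect from these rules: a matching URI sent to a port other than 80 (for example through a proxy) and a matching URI whose source lies outside $HOME_NET both produce nothing, so the port and network variables have to fit the environment the sensor watches.
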



Port 3705

If you have had enough of the IE/BHO stuff, here is
something different. We observed an interesting graph for
port 3705, but don't have much information about this
port. If you have more info, please let us know.

Portuguese ISCAlert

Are you in a Portuguese-speaking country?
Download the Portuguese version of ISCAlert now:
http://www.labreatechnologies.com/ISCAlert_Portuguese.zip


------------------------------------------------------------

Handler on Duty: Pedro Bueno (bueno_AT_ieee.org)