Cybercriminals: Always one step ahead

Written by Fran Foo, Contributor
Commentary: In June 2003, the financial sector was jolted by a worm called Bugbear.b, which preyed on more than 1,300 banks around the world. Australia's big four -- ANZ, Commonwealth, National and Westpac -- were part of the hit list.

Bugbear.b was a multi-faceted mass-mailing worm. It could log keystrokes, plant backdoors and had the ability to disable anti-virus programs. The worm exploited a year-old flaw in Microsoft's Internet Explorer browser.

One year later, nothing much has changed. Malicious code writers continue to prey on Internet Explorer's lingering vulnerabilities to create weapons of mass deceit ... so news of a Trojan that steals personal banking data came as no surprise.

The malicious software targeted leading financial institutions worldwide and the discovery was made by Tom Liston of the Internet Storm Center, a site that monitors network threats.

By exploiting flaws in Internet Explorer, the malicious program is downloaded unbeknownst to the user. It then installs itself as a browser helper object (BHO) and becomes part of Internet Explorer, Liston said.

A BHO is a dynamic link library (DLL) that allows software developers to customise Internet Explorer. "When IE 4.x and higher starts, it reads the registry to locate installed BHOs and then loads them into the memory space for IE. Created BHOs then have access to all the events and properties of that browsing session," he added.

This particular BHO watches for HTTPS access to domain names containing 50 financial-related strings including Australia's Citibank, St George Bank, Bendigo Bank, HSBC, Suncorp Metway, as well as the four banks on Bugbear's radar.

When a user logs onto any one of those Web sites, the BHO captures the user identification and password. Because the BHO runs inside the browser, it sees the credentials before the browser encrypts them for the HTTPS session; the Trojan then encrypts the stolen data itself, to bypass intrusion detection software, and sends it to the alleged crackers. Did I mention this problem was unique to Internet Explorer?

To tell if a system has been compromised, Liston recommends Definitive Solutions' BHODemon -- a free scanning tool that detects all BHOs installed on a Windows machine.
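Liston's description above spells out where to look: IE enumerates the Browser Helper Objects key in the registry at start-up and loads each listed CLSID's DLL. The following PowerShell script is an added example, not code from the article, from Liston or from BHODemon. It reads the same registry locations IE consults (the standard HKLM "Browser Helper Objects" key, plus its Wow6432Node counterpart for 32-bit IE on 64-bit Windows), resolves each CLSID to its InprocServer32 DLL path, and flags entries whose DLL is missing, unsigned, or loaded from outside the Program Files and Windows directories. The registry paths and the "suspect" heuristics are the example's own assumptions about what a defender would want to review first, not rules from the page.

```powershell
# Added example: enumerate Browser Helper Objects the way IE locates them at start-up.
# Assumed registry locations (standard BHO registration keys on Windows):
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
#   HKLM\SOFTWARE\Wow6432Node\...\Browser Helper Objects   (32-bit IE on 64-bit Windows)
# Each subkey name is a CLSID; the DLL path lives under HKCR\CLSID\{clsid}\InprocServer32.

function Get-BrowserHelperObject {
    [CmdletBinding()]
    param()

    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @(
        'Registry::HKEY_CLASSES_ROOT\CLSID',
        'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    )

    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid   = $key.PSChildName
            $dllPath = $null
            $name    = $null

            # Resolve the CLSID to its registered in-process server (the DLL IE will load).
            foreach ($clsidRoot in $clsidRoots) {
                $inproc = Join-Path $clsidRoot "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $dllPath = (Get-ItemProperty -Path $inproc).'(default)'
                    $name    = (Get-ItemProperty -Path (Join-Path $clsidRoot $clsid)).'(default)'
                    break
                }
            }

            # Expand %SystemRoot%-style variables before checking the file on disk.
            $expanded = if ($dllPath) { [Environment]::ExpandEnvironmentVariables($dllPath) } else { $null }
            $exists   = $expanded -and (Test-Path -LiteralPath $expanded)
            $sig      = if ($exists) { Get-AuthenticodeSignature -FilePath $expanded } else { $null }

            [PSCustomObject]@{
                CLSID       = $clsid
                Name        = $name
                DllPath     = $expanded
                FileExists  = [bool]$exists
                SignatureOK = if ($sig) { $sig.Status -eq 'Valid' } else { $false }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                RegistryKey = $key.Name
            }
        }
    }
}

# List every registered BHO, then single out the ones worth reviewing first:
# unsigned DLLs, DLLs whose file is missing, and DLLs living outside Program Files / Windows.
$all = Get-BrowserHelperObject
$all | Format-Table CLSID, Name, DllPath, SignatureOK -AutoSize

$suspect = $all | Where-Object {
    -not $_.SignatureOK -or -not $_.FileExists -or
    ($_.DllPath -and $_.DllPath -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\')
}
if ($suspect) {
    Write-Host 'BHOs needing review:' -ForegroundColor Yellow
    $suspect | Format-List CLSID, Name, DllPath, FileExists, SignatureOK, Signer, RegistryKey
}
```

Run it from an elevated PowerShell prompt so that HKLM and the CLSID hive are fully readable. A legitimate BHO (a toolbar, an Office or Acrobat helper) normally appears as a signed DLL under Program Files; an entry with no friendly name, an unsigned DLL in a user-writable directory, or a path that no longer exists is what a responder compares against the machine's known software before deciding whether to remove the registry key.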

Since the security threat was made public, more than 65,000 copies of BHODemon have been downloaded, company spokesperson Larry Leonard told ZDNet Australia.

BHODemon is a useful product but it plays a small part in the overall security landscape. Liston said the new Trojan represents a huge threat to the online financial industry. "As the proliferation of ad/spyware shows, installing executable software on user's machines is far too easy.

"The approach of using a BHO makes this method of stealing identity information all the more insidious," he said.

Today, more than 60 percent of Australian Internet users access online financial services regularly. This far outweighs transactions conducted at bank branches.

The affected banks and other commercial concerns must immediately assess the root cause of these security problems before they further erode consumer confidence in online banking. Historical evidence points to one recurring problem ... perhaps it's time to explore other options?
