SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-07-01


BHO FAQ, Survival Time, and auth/ident activity

Published: 2004-07-01
Last Updated: 2004-07-02 20:56:42 UTC
by Kevin Liston (Version: 1)
Update (July 2nd 4 pm, JU)

We are just following a thread on a public discussion group
that indicates that the Windows configuration patch released
today may not be sufficient. More later.

Update (July 2nd 10 am, JU)

Microsoft may release a patch/configuration change for the recent
Internet Explorer update. Please check Microsoft Update. This
fix is already available via the Microsoft Download Center.

http://www.microsoft.com/presspass/press/2004/jul04/07-02configchange.asp

Update: brief .org outage

Several sources reported an outage of the .org name servers earlier
this evening (around 9pm EST, 1am UTC). The issue appears to be
resolved now. No further information is available at this time.

(JU)

BHO FAQ

There have been many questions coming in about Browser Helper Objects.
Firstly, we would like to reiterate that BHOs are not all necessarily bad. "BHOs are a valid and useful feature to allow third party software to extend the browser. In cases we have observed, the problem is not the fact that the browser provides for BHOs, but the fact that it was possible to download and install the BHO without the user's knowledge. Actual bugs in MSIE can be used to download and install the BHOs without user consent." (Johannes Ullrich)

Q: Are BHOs detectable by AV scanners?

A: "Browser Helper Objects can be detected by AV scanners, if the AV scanner's signature file includes a signature for the particular BHO. Given that some of these BHOs are distributed to only a small group of victims, it is possible that your particular AV software will not detect it. A better choice is to periodically review your BHOs using the BHO-Daemon tool (available at http://www.definitivesolutions.com). Windows XP SP2, which should be released soon, will include such a tool." (JH) Also, the BHO investigated in Tom Liston's recent report was given to AV vendors prior to the report's release. Currently it is being called "Trojan.Spy.Small.AA", "PWS.Banker.C.Trojan", "PWS-WebMoney.gen", and "bankhook.a".

Q: Is IE the only browser at risk?

A: "While 'BHO' is a concept unique to IE, other browsers provide similar mechanisms to allow third party software to be integrated into the browser. At this point, we have only observed BHOs written specifically for MSIE." (JH)

"Mozilla based variants have "extensions", and all other browsers have a means to extend their functionality.

The issue under IE is that BHOs can be silently installed and there is no good way within IE to see what BHOs are on your machine." (Tom Liston)

Q: Is XP the only target?

A: Reports indicate that XP is the only target of the recent example, but BHOs are supported on earlier versions of Windows (see Donald Smith's registry keys below).

Handler Donald Smith has provided some handy registry locations:

On Win98 there is a registration key for BHOs:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects

On Windows XP there is a key that can be used to disable them:

My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\Browse\USEHBO

Survival Time

Dshield.org is now tracking a number known as "Survival Time." It is the computed "average time between firewall hits as reported by [their] submitters, for an average target." There was some debate on the handlers list on whether this calculated time was too short. I set up a little experiment with a sensor on a cable modem provider and found that after 15 minutes MyDoom and Bagle had probed the IP, and Sasser had hit at 20 minutes.

AUTH/IDENT Probes

The sensor also picked up quite a few probes to TCP/113, the auth/ident service port. There is a rise in scanning sources reported on Dshield, and a few reports have come in to the handlers' list. I was able to capture the traffic and it was in the form of "1026 , 25", where the first number was a 4-digit number while the 25 was fixed. A quick read of RFC1413 indicates that these are ident requests from a server in response to a connection from my sensor's IP (source port being the 4-digit number) to their port 25 (SMTP). Since my sensor didn't send out any connections, it appears that these SMTP connections are spoofed.
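To make the reasoning above concrete, here is an added Python example (not from the diary) that parses RFC 1413 request lines as they arrive on TCP/113 and labels each one as expected or unsolicited by checking it against the connections the sensor actually opened; the capture lines and addresses are constructed, and the sensor's outbound connection table is assumed to be available as a set of triples.

```python
import re
from collections import Counter

# RFC 1413 request line: "<port-on-server> , <port-on-client>". The "server" is
# the host being queried (our sensor); the "client" is the host asking (the
# remote SMTP server in the diary). Whitespace around the comma is optional.
IDENT_REQUEST = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

def parse_ident_request(line):
    """Return (local_port, remote_port) for a well-formed request, else None."""
    m = IDENT_REQUEST.match(line)
    if not m:
        return None
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return None  # RFC 1413 only allows ports 1..65535
    return local_port, remote_port

def classify_probes(captured, outbound_connections):
    """Label each (remote_ip, request_line) seen on TCP/113.
    outbound_connections holds (local_port, remote_ip, remote_port) triples the
    sensor really opened (assumed taken from its connection table). A request with
    no matching triple means the remote host saw a SYN carrying our address that
    we never sent, i.e. backscatter from a spoofed connection.
    """
    labelled = []
    for remote_ip, line in captured:
        parsed = parse_ident_request(line)
        if parsed is None:
            labelled.append((remote_ip, line, "malformed"))
            continue
        local_port, remote_port = parsed
        known = (local_port, remote_ip, remote_port) in outbound_connections
        labelled.append((remote_ip, line, "expected" if known else "unsolicited"))
    return labelled

def backscatter_summary(labelled):
    """Unsolicited requests per remote service port: one dominant port (25 in the
    diary) behind many differing local ports is the spoofed-SMTP shape."""
    return Counter(parse_ident_request(line)[1]
                   for _, line, label in labelled if label == "unsolicited")

# Constructed sample capture using documentation addresses, not real observations.
SAMPLE_CAPTURE = [
    ("192.0.2.10", "1026 , 25"),      # SMTP server asking who owns our port 1026
    ("198.51.100.7", "1031 , 25"),
    ("203.0.113.44", "4125,25"),
    ("203.0.113.44", "1040 , 6667"),  # matches a session the sensor really opened
    ("192.0.2.10", "0 , 25"),         # port 0 is invalid under RFC 1413
]
KNOWN_OUTBOUND = {(1040, "203.0.113.44", 6667)}  # the sensor's only real connection
```

Running `backscatter_summary(classify_probes(SAMPLE_CAPTURE, KNOWN_OUTBOUND))` on the sample yields three unsolicited requests, all naming remote port 25, which is the pattern the diary describes.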

------------

Kevin Liston