Last Updated: 2007-03-24 01:16:18 UTC
by John Bambenek (Version: 1)
Basically, what this malware did was insert itself between Internet Explorer and the socket used to send data. It then stole the data before it was encrypted and sent it off to your happy local Russian hacker. While (I believe) this is the first really slick attempt to steal SSL-protected data by inserting a listener that takes the data pre-encryption, the technique is not new. In fact, I wrote about this same tactic almost two and a half years ago.
Encryption is meaningless if one of the endpoints of the communication is compromised. If you tunnel your transaction over SSL to a vendor who happily takes your data and sells it, the SSL won't help you. The same holds true for home PCs, which by any definition of security are completely untrustworthy. There are plenty of techniques to grab data before it is encrypted. The Neanderthal way is to use a keylogger. Now there are other techniques in use.
Until we find a way to make consumer PCs secure, or better yet, find a way for private financial data to be transmitted through a PC without the untrusted PC being able to compromise it, no electronic financial transaction will be secure. If the home PC isn't secure, all the encryption in the world won't help.
UPDATE: ISC Reader Nick suggests "Man at the Endpoint" as a name for this kind of attack.
John Bambenek / bambenek (at) gmail.com
University of Illinois at Urbana-Champaign