BHO FAQ, Survival Time, and auth/ident activity
Update (July 2nd 4 pm, JU)
We are just following a thread on a public discussion group
that indicates that the Windows configuration patch released
today may not be sufficient. More later.
Update (July 2nd 10 am, JU)
Microsoft may release a patch/configuration change for the recent
Internet Explorer update. Please check Microsoft Update. This
fix is already available via the Microsoft Download Center.
http://www.microsoft.com/presspass/press/2004/jul04/07-02configchange.asp
Update: brief .org outage
Several sources reported an outage of the .org name servers earlier
this evening (around 9pm EST, 1am UTC). The issue appears to be
resolved now. No further information is available at this time.
(JU)
BHO FAQ
There have been many questions coming in about Browser Helper Objects.
Firstly, we would like to reiterate that BHOs are not all necessarily bad. "BHOs are a valid and useful feature to allow third party software to extend the browser. In cases we have observed, the problem is not the fact that the browser provides for BHOs, but the fact that it was possible to download and install the BHO without the user's knowledge. Actual bugs in MSIE can be used to download and install the BHOs without user consent." (Johannes Ullrich)
Q: Are BHOs detectable by AV scanners?
A: "Browser Helper Objects can be detected by AV scanners, if the AV scanner's signature file includes a signature for the particular BHO. Given that some of these BHOs are distributed to only a small group of victims, it is possible that your particular AV software will not detect it. A better choice is to periodically review your BHOs using the BHO-Daemon tool (available at http://www.definitivesolutions.com). Windows XP SP2, which should be released soon, will include such a tool." (JH) Also, the BHO investigated in Tom Liston's recent report was given to AV vendors prior to the report's release. Currently it is being called "Trojan.Spy.Small.AA", "PWS.Banker.C.Trojan", "PWS-WebMoney.gen", and "bankhook.a".
Q: Is IE the only browser at risk?
A: "While 'BHO' is a concept unique to IE, other browsers provide similar mechanisms to allow third party software to be integrated into the browser. At this point, we have only observed BHOs written specifically for MSIE." (JH)
"Mozilla based variants have "extensions", and all other browsers have a means to extend their functionality.
The issue under IE is that BHOs can be silently installed and there is no good way within IE to see what BHOs are on your machine." (Tom Liston)
Q: Is XP the only target?
A: Reports indicate that XP is the only target of the recent example, but BHOs are supported on earlier versions of Windows (see Donald Smith's RegEdits below).
Handler Donald Smith has provided some handy registry locations:
On win98 there is a registration key for BHOs:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
On Windows XP there is a key that can be used to disable them:
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\Browse\USEHBO
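Since the diary's point is that IE gives you no good way to see which BHOs are registered, an inventory of the key Donald Smith names is the practical check. The script below is an added example, not the diary's or the handlers' code: on Windows it enumerates the "Browser Helper Objects" key with winreg and resolves each CLSID to its friendly name and DLL through HKEY_CLASSES_ROOT\CLSID; elsewhere it parses the text that `reg query ... /s` prints for that key, so the parser can be exercised offline. The `reg query` sample and its CLSIDs are constructed placeholders, and the DLL path an analyst then reviews (unsigned, recently written, in a temp directory) is the thing to look at.

```python
"""Inventory Browser Helper Objects registered under the key cited in the diary.

Added example (not the diary's own code). Live enumeration needs Windows;
the parser works on the output of:
    reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
"""
import re
import sys

BHO_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample of `reg query ... /s` output; the CLSIDs are placeholders.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}
    (Default)    REG_SZ    Example Toolbar
    NoExplorer    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
"""


def parse_reg_query(text):
    """Return {clsid: {value_name: data}} for every BHO subkey in `reg query /s` output.

    Subkeys with no values (the second CLSID above) are still reported: a bare
    CLSID with no friendly name is exactly the kind of entry worth resolving.
    """
    bhos = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            m = CLSID_RE.search(line)
            if m and BHO_KEY.lower() in line.lower():
                current = m.group(0)
                bhos[current] = {}
            else:
                current = None
        elif current is not None and line.startswith(" "):
            # reg query separates name, type and data by runs of spaces
            parts = re.split(r"\s{2,}", line.strip())
            if len(parts) >= 2:
                bhos[current][parts[0]] = parts[-1] if len(parts) >= 3 else ""
    return bhos


def list_bhos_live():
    """Windows only: enumerate BHO CLSIDs and resolve each via HKCR\CLSID\{clsid}."""
    import winreg  # only present on Windows
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY) as key:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(key, i)
            except OSError:
                break  # no more subkeys
            i += 1
            info = {}
            try:
                with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid) as ck:
                    info["name"] = winreg.QueryValue(ck, None)
                    info["dll"] = winreg.QueryValue(ck, "InprocServer32")
            except OSError:
                info["name"] = info["dll"] = "<unresolved CLSID>"
            found[clsid] = info
    return found


if __name__ == "__main__":
    if sys.platform == "win32":
        for clsid, info in list_bhos_live().items():
            print(clsid, info.get("name"), info.get("dll"))
    else:
        for clsid, values in parse_reg_query(SAMPLE_REG_QUERY).items():
            print(clsid, values)
```

An unresolved CLSID, or one whose InprocServer32 points at a DLL you cannot account for, is the entry to pull for analysis; the XP key the diary mentions can then be used to disable third-party extensions while you investigate.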
Survival Time
Dshield.org is now tracking a number known as "Survival Time." It is the computed "average time between firewall hits as reported by [their] submitters, for an average target." There was some debate on the handlers list over whether this calculated time was too short. I set up a little experiment with a sensor on a cable modem provider and found that after 15 minutes Mydoom and Bagle had probed the IP, and Sasser had hit at 20 minutes.
AUTH/IDENT Probes
The sensor also picked up quite a few probes to TCP/113, the auth/ident service port. There is a rise in scanning sources reported on Dshield, and a few reports have come in to the handler's list. I was able to capture the traffic and it was in the form of "1026 , 25", where the first number was a 4-digit number while the 25 was fixed. A quick read of RFC1413 indicates that these are ident requests from a server in response to a connection from my sensor's IP (source port being the 4-digit number) to their port 25 (SMTP). Since my sensor didn't send out any connections, it appears that these SMTP connections are spoofed.
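The reasoning above generalises into a small detection: an RFC 1413 request reads "<port on the queried host> , <port on the querying host>", so for "1026 , 25" the querying mail server is asking who on our side owns port 1026 for a connection to its port 25. If the sensor never opened that connection, the request is backscatter from a session made with our address spoofed. The script below is an added example, not the diary's code: it parses captured ident requests, checks each against a table of connections the sensor itself initiated, and tallies the backscatter by the remote port so the "all port 25" pattern stands out. The log format, addresses, and outbound table are constructed samples.

```python
"""Classify inbound auth/ident (TCP/113) requests as legitimate or backscatter.

Added example, not the diary's own code. Per RFC 1413 a request is
"<port-on-server> , <port-on-client>", where the "server" is the host being
asked (our sensor) and the "client" is the host sending the query. A request
that does not correspond to a connection we actually opened means somebody
else connected to the querying host using our address as the source.
"""
import re
from collections import Counter

# "<our port> , <their port>"; RFC 1413 allows whitespace around the comma
IDENT_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed sensor log format: "<timestamp> <src> -> <dst>:113 \"<payload>\""
LOG_RE = re.compile(r'^(\S+ \S+) (\S+) -> (\S+):113 "(.*)"$')

# Constructed sample capture (documentation addresses, RFC 5737).
SAMPLE_LOG = """\
2004-07-02 10:15:01 203.0.113.7 -> 192.0.2.10:113 "1026 , 25"
2004-07-02 10:15:04 203.0.113.9 -> 192.0.2.10:113 "1031 , 25"
2004-07-02 10:16:11 198.51.100.4 -> 192.0.2.10:113 "1040 , 6667"
2004-07-02 10:16:12 198.51.100.4 -> 192.0.2.10:113 "hello"
"""

# Constructed: connections the sensor really initiated, as
# (remote_ip, remote_port, local_port). A real sensor would keep this from
# its own connection tracking or netflow.
OUTBOUND = {("198.51.100.4", 6667, 1040)}


def parse_ident_request(payload):
    """Return (our_port, their_port) or None if the payload is not a valid request."""
    m = IDENT_RE.match(payload)
    if not m:
        return None
    our_port, their_port = int(m.group(1)), int(m.group(2))
    if not (1 <= our_port <= 65535 and 1 <= their_port <= 65535):
        return None  # RFC 1413 port range; 0 is never a real connection
    return our_port, their_port


def classify(log_text, outbound):
    """Label every captured ident request: legitimate, backscatter or malformed."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        timestamp, src, _dst, payload = m.groups()
        req = parse_ident_request(payload)
        if req is None:
            results.append({"time": timestamp, "src": src, "our_port": None,
                            "their_port": None, "verdict": "malformed"})
            continue
        our_port, their_port = req
        # The query is only legitimate if we opened local:our_port -> src:their_port
        verdict = "legitimate" if (src, their_port, our_port) in outbound else "backscatter"
        results.append({"time": timestamp, "src": src, "our_port": our_port,
                        "their_port": their_port, "verdict": verdict})
    return results


def summarize_by_remote_port(results):
    """Count backscatter per remote port: a spike on 25 means spoofed SMTP sessions."""
    return dict(Counter(r["their_port"] for r in results if r["verdict"] == "backscatter"))


if __name__ == "__main__":
    rows = classify(SAMPLE_LOG, OUTBOUND)
    for r in rows:
        print(r)
    print("backscatter by remote port:", summarize_by_remote_port(rows))
```

The querying hosts are not the attackers here; they are mail servers doing what RFC 1413 describes, so the useful output is the list of remote hosts whose port 25 someone reached while impersonating your address, not a block list.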
------------
Kevin Liston