The latest phishing attack, analyzed by the SANS Institute, builds upon existing IE exploits to install software that records keystrokes on the machines of unsuspecting Internet users. The keylogger is coded as a Browser Helper Object (BHO), an add-on technology introduced by Microsoft to allow programmers to customize Internet Explorer. Browser helpers are DLL components that load with Internet Explorer and share the browser's access and permissions. "In short, a BHO works as a spy we send to infiltrate the browser's land," Microsoft writes in its description.
That's proven to be just the ticket for hackers, who have coded some of the most innovative and insidious uses of BHO technology, initially in the form of spyware and browser hijackers. Keylogging trojans can now be added to the growing list of BHO malware.
The close integration with Internet Explorer allows browser helpers to go undetected by many antivirus programs. Microsoft acknowledges that "specialized software and deep technical knowledge" are needed to find and remove many brower add-ons. Symantec classifies BHOs as an expanded threat not covered by Norton AntiVirus. BHODemon is a free program specifically designed to detect and remove BHOs, which can be challenging to uninstall. Just this week, the popular CWShredder BHO removal tool was discontinued, with its author saying the malware was morphing too quickly for him to keep up.
Microsoft's upcoming Windows XP Service Pack 2 includes an add-on management tool for Internet Explorer that promises to improve the BHO mess. The tool "shows the presence of some add-ons that were previously not shown and could be very difficult to detect." SP2 is due sometime in the third quarter, which begins this week.
The use of a BHO is one of several new wrinkles found in the latest phishing malware, which starts life as a compressed program disguised as a .gif file, which is then renamed and unpacked with an existing exploit utilizing pop-up windows. It ultimately installs its keylogger trojan, which scans for https sessions connecting to URLs of popular banks (including Citibank, WestPac, Barcklays and HSBC) and then intercepts outbound data from IE before it is encrypted using the Secure Sockets Layer (SSL) protocol.