PaulDotCom mailing list archives

Any Advice Trojan.BHO

From: johan at johans.dk (Johan Peder Møller)
Date: Fri, 24 Apr 2009 22:37:56 +0200

Hi Shaun

It's very difficult to defend against this type of attack. But at some point
they have accepted to install the BHO. So user awareness is crucial for
defense. It also helps to lock down the environment.

It is possible in cases where ICMP is used to spot the data leaving the
network using IDS/IPS. Normaly ICMP packets contains specific data, even if
the trojan encrypts the data, it will be possible to spot data not
conforming to the std pings. Be warned that not all trojans of this kind
uses ICMP, but they also use SSL and other protocols, and it can be
difficult to spot the attempt to exfiltrate data from the network.

rgds
Johan

On Fri, Apr 24, 2009 at 8:37 PM, Shaun Curry <shauncurry1 at gmail.com> wrote:

Hello again everyone:

I have a client that recent was hacked.  We learned of this when an email
notification was sent from the bank stating that a "bill pay" had been sent,
but the client didn't setup any bill pay.  The money has been refunded and
the bank is contacting the FBI to prosecute.  I have learned that they were
infected by trojan.bho which as I understand is a browser helper object that
looks for SSL traffic and then keylogs user names and passwords.  Once an
SSL session is detected a ping is sent to the attacker alerting them that
SSL is being used and the somehow it sends the keylogger info via ICMP. We
have removed the BHO and they have reset all passwords.

I am curious if there is anything else I can do to prevent this attack from
happening again?  I installed and instructed the user to use Firefox and not
IE and updated all windows updates along with the antivirus.  They are using
Symantec Corporate Edition v. 10.  Is there a better antivirus to use?  They
have a PIX for a firewall....  and thats about all I can think of right
now...

Any ideas?

thanx
-Shaun

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090424/7dbeed38/attachment.htm

Current thread:

Any Advice Trojan.BHO Shaun Curry (Apr 24)
- Any Advice Trojan.BHO Kennith Asher (Apr 24)
- Any Advice Trojan.BHO Mad Marv (Apr 24)
  - Any Advice Trojan.BHO Brian H (Apr 24)
- Any Advice Trojan.BHO Johan Peder Møller (Apr 24)
- Any Advice Trojan.BHO johnemiller at gmail.com (Apr 24)