Virus alerts


Internet Explorer BHO Trojan

Transmits stolen data via ICMP packets

By Marius Oiaga, Technology News Editor

9th of August 2006, 10:06 GMT



Websense Security Labs has announced in a press release that it has received and analyzed a new Trojan that implements innovative techniques to camouflage its actions. When the keylogger generates traffic containing the information it has recorded and stolen from a compromised machine, it disguises the data as Internet Control Message Protocol (ICMP) packets. Normally this protocol is reserved for error and control messages, router-generated unavailability notifications and echo requests from ping utilities.

"Websense Security Labs has received a sample of a new phishing Trojan that delivers stolen information back to the attacker via ICMP packets. Upon infection of a victim's computer, the Trojan will install itself as an Internet Explorer Browser Helper Object (BHO). The BHO then waits for the user to post personal information to a monitored website. As this information is entered by the user, it is captured by the BHO and sent back to the attacker. The method of network transport used by the attacker makes this Trojan unique. Typically, keyloggers of this type will send the stolen information back to the attacker via email or HTTP POST, which can appear suspicious. Instead, this Trojan encodes the data with a simple XOR algorithm before placing it into the data section of an ICMP ping packet," explained the company.

The ICMP packets containing the captured, encoded sensitive data can slip past administrators and egress filters, because the packets masquerade as legitimate traffic.

"In our example, we infected a workstation and entered account information into the SSL website of Deutsche Bank. The Trojan BHO captured the information and sent a ping to a malicious remote server. Below you can view the encoded contents of the ICMP data section as well as the actual contents after they were manually decoded," stated Websense.
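For defenders, the practical consequence is that echo requests should be checked against what ping tools normally send. The sketch below is an added example, not code from Websense or Softpedia: it classifies raw ICMP messages by comparing the data section with two common default ping payloads. The baseline patterns, the function names and the single-byte XOR key used to build the constructed sample are assumptions.

```python
import struct

WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # default Windows ping data

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(payload: bytes, icmp_type: int = 8) -> bytes:
    """Build an ICMP message in memory; used only to make the samples."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, 1, 1) + payload

def is_baseline_payload(payload: bytes) -> bool:
    """True for data sections that common ping tools send by default."""
    if payload == WINDOWS_PING:
        return True
    # iputils-style ping: a timestamp, then bytes that each increase by one
    tail = payload[16:]
    return len(tail) >= 8 and all(
        (b - a) & 0xFF == 1 for a, b in zip(tail, tail[1:]))

def classify(icmp: bytes) -> str:
    """Classify a raw ICMP message (IP header already stripped)."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return "malformed"
    if icmp[0] != 8:  # only echo requests are inspected here
        return "not-echo-request"
    return "baseline" if is_baseline_payload(icmp[8:]) else "suspicious"

# Constructed samples, not captured traffic.
SAMPLES = {
    "windows ping": build_icmp(WINDOWS_PING),
    "linux-style ping": build_icmp(bytes(16) + bytes(range(0x10, 0x38))),
    # Assumed single-byte XOR key over a made-up form submission
    "xor-encoded data": build_icmp(
        bytes(b ^ 0x5A for b in b"user=constructed&pin=0000")),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(f"{name:18} {classify(packet)}")
```

In production the same comparison is usually expressed as an IDS rule or an egress policy that restricts which hosts may send echo requests at all; the allowlist of baseline payloads has to match the ping implementations actually present on the network.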



© Copyright 2001-2008 Softpedia