Power User: Web security gets even

John McCormick

It's bad when almost every e-mail user gets bombarded by a virus, as happened last month courtesy of previously unexploited search engine vulnerabilities.

It's worse when malware arrives via features intentionally built into software. Microsoft Word macros come to mind, as do cookies. Most people have never even heard of an attack vector that malware developers are now using to plant everything from pop-up adware to keystroke loggers.

I'm referring to BHOs, or browser helper objects. Much like Java and ActiveX, they were designed to enhance the Web experience but now are being turned against users.

A BHO is a relatively tiny program that loads and runs when you start Internet Explorer. It might be benign, even necessary. For example, some people proposed that the P3P, Platform for Privacy Preferences, be delivered as a BHO.

A BHO can perform the same actions as other programs, including but not limited to copying, altering or transmitting files. So, how do you discover which BHOs are legitimately on your system: utilities you didn't realize you were agreeing to have, or that you just don't recall?

Even more important, how do you discover secretly planted BHOs? Your browser doesn't warn when they are being installed, and few people have time to snoop through the Microsoft Windows Registry every few hours.

Enter BHOdemon, a free utility downloadable from www.definitivesolutions.com. It gets at least partial endorsement from the Internet Storm Center operated by SANS Institute of Bethesda, Md.

The tiny BHOdemon scans your registry and lists all the BHOs it finds. It also continues to monitor attempts to install new BHOs, and you can see their sources. Because BHOs, like cookies, are essential to proper operation of some Web sites, the utility automatically marks many known BHOs as benign, leaving you to check any unknown code or simply delete it if not associated with a site you trust.
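As an added example (not from the column and not BHOdemon's own code), here is a PowerShell script that does the same registry sweep by hand: it walks the Browser Helper Objects key that Internet Explorer reads (plus its 32-bit view on 64-bit Windows), resolves each CLSID to the DLL it loads, and reports that DLL's Authenticode signer, so an unsigned or unfamiliar entry stands out. The registry paths are the standard ones; the function and property names are my own.

```powershell
# Added example: enumerate registered Browser Helper Objects and show what each one loads.
# Assumes a 64-bit Windows host; on 32-bit Windows the Wow6432Node keys simply do not exist
# and are skipped.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid = $entry.PSChildName   # the {GUID} that IE will instantiate at startup

            # The BHO key only holds the CLSID; the COM registration tells us which DLL it maps to.
            $clsidKey = @(
                "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
                "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid"
            ) | Where-Object { Test-Path $_ } | Select-Object -First 1

            $name = $null; $dll = $null
            if ($clsidKey) {
                $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
                $srv  = Join-Path $clsidKey 'InprocServer32'
                if (Test-Path $srv) { $dll = (Get-ItemProperty -Path $srv).'(default)' }
            }

            # Server paths often contain %ProgramFiles% etc.; expand before touching the file.
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }

            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $path
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned or file missing)' }
                SigStatus = if ($sig) { $sig.Status } else { 'NoFile' }
                Hive      = $key
            }
        }
    }
}

# Anything with no CLSID registration, no file on disk, or an untrusted signature deserves a look.
Get-RegisteredBho | Sort-Object SigStatus | Format-Table -AutoSize
```

Run it from an elevated prompt so every key under HKLM is readable, and compare the output against a known-good baseline rather than judging entries by name alone.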

Although I do a lot of security consulting work, I don't often cover security topics in this column. However, in the wake of revelations that some government servers are being used for spam attacks [GCN, July 26, Page 30], I want to bring up a serious new development in the practice of phishing: trolling for personal information about online bank accounts, credit cards and so on.

Phishers send e-mail represented as from legitimate organizations, asking you to 'confirm' personal data such as passwords. More sophisticated attacks direct you to click on a link to a phisher site designed exactly like a legitimate site.

Now, thanks to a serious class of vulnerability known as cross-site scripting, or XSS, attackers are injecting their own Java code directly into victim sites. That's not the same as spoofing a legitimate site to ask for confidential information. The hacked site operates normally as far as users can tell, and the injected code isn't apparent to the site manager.

The problem, of course, is that unknown to the users and the legitimate site, the Java code is sharing users' sensitive information with the cracker.

John McCormick is a free-lance writer and computer consultant. E-mail him at powerusr@yahoo.com.
