Posted on: Wednesday, June 30, 2004

Web virus able to steal bank account information

Advertiser News Services

Computer security experts warned yesterday of another new threat targeting Internet Explorer browser users: a virus that can steal the password and account information of people who bank online.

It is the second such discovery in a week.

The federal government's cyberdefense experts, along with other computer gurus, are urging users to consider a switch away from Internet Explorer.

Users can pick up the latest bug, which doesn't yet have a name, from pop-up ads that secretly download software capable of capturing their keystrokes. The pop-ups originate from Web sites that receive their ads from certain online ad services, which apparently had themselves been hacked to spread the malicious code.

Experts said users can protect themselves from the bug by using a non-Microsoft Corp. browser or by employing software to block pop-ups. Internet Explorer users are immune if they download and install a patch that was released in April. Internet Explorer users are also being advised to set the security setting for their browser to "high," a level that makes it more difficult to interact with some Web sites.

Software on computers that pick up the bug will record the keystrokes of users who visit any one of 50 targeted financial Web sites, security experts said. The bug apparently attempts to send the stolen information to a Web site based in Estonia.

The bug is not widespread — the first instance was reported Friday by the Internet Storm Center, an early warning system established by an organization for computer security professionals called the SANS Institute. A director for the center said only a few additional instances of the bug had been discovered as of yesterday afternoon.

The bug appears to be unrelated to an Internet attack on Friday in which users could pick up malicious, keylogging software merely by visiting infected Web sites. That attack also targeted users of financial services sites.

"I believe that this particular type of malware represents a huge threat to the online financial industry," wrote Tom Liston, a computer security expert who analyzed the latest exploit in a Storm Center report released yesterday.

"This is a wake-up call for us to advise users to switch to an alternative browser," said Johannes Ulrich of SANS. "With Internet Explorer, you're playing Russian Roulette and hoping the sites you visit aren't compromised."

A spokesman for Microsoft directed reporters to a Microsoft statement that said, "Customers using Internet Explorer should be sure that they have installed the latest security updates by visiting Windows Update at http://windowsupdate.microsoft.com."

While banks and online commerce sites use encrypted connections between a user's computer and the company's computer, this new strain of software records a user's keystrokes from outside the encrypted connection on a user's computer. In other words, Internet-savvy users who look for the padlock on the bottom corner of Internet Explorer when they make transactions could still be vulnerable to theft if their computer is infected with this program.

But some computer experts said that the nature of the threat means that future versions might also be more easily contained than traditional viruses, which push and multiply themselves aggressively across networks.

"There are a number of significant vulnerabilities in technologies" relating to the Internet Explorer, according to US-CERT (U.S. Computer Emergency Readiness Team), based in Pittsburgh. "It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites."

None of the other most prominent browsers, Opera, Mozilla.org, or Netscape, are vulnerable to the flaw. Nor are computers running Linux or the Macintosh operating system.

Ulrich and other experts say the new round of malware deliberately assumes a less aggressive profile. It doesn't spread a quickly as traditional computer viruses, and is more focused on stealing or making money for its authors. That creates a whole new round of problems for PC security companies, who spot new forms of malware by surveying hundreds of thousands of PCs. "If you steal a thousand bucks from a thousand people," he said, "you'll probably stay beneath the radar."

This also explains why economically motivated malware authors are trying to make their software more persistent on individual PCs, but less widespread. According to Sam Curry, a Computer Associates security executive, "It doesn't need to hit millions of people to be profitable. If they can get a goose that lays golden eggs, they don't want to kill the goose, they only want to steal the eggs."

The Washington Post and Newsday contributed to this report.