How backdoor.nibu breaks into network 3

[Infinitarchitect]

We've seen several outbreaks of backdoor.nibu on our networked computers although we are running websense, firewalls, keeping windows patch levels up to date, but of course we run IE6.

I know all about what backdoor.nibu Trojan does to your machine once it gets infected but I'm trying to find something that actually tells about how exactly it gets into a system in the first place. I know it's through IE (or atleast I'm assuming this) but by which method? I'm thinking it's through activeX vulnerabilities even through we have IE6 locked down pretty tightly as far as it's builtin security settings. I've visited Symantec and other sites but none really actually go into detail about how these Trojans get into the systems. Any links or tips about this would be greatly appreciated!

 

[stuuked]

I will just post an article of this, basically someone is going to websites linked on phished email. And thats where it downloads and installs........article follows:

Phishers Raise The Bar

Phishers can now access banking websites that use an extra 'keylog-proof' security layer.

For several months phishers -- folk fooling you into giving up valuable passwords -- have used keylogging software which will capture passwords and user names as you type them into banking and other financially-oriented sites. But these aren't much use against websites that use extra layers of security that don't require the user to type anything, but instead click on something. At Britain's Barclays bank, for example, users are required to select from a list two letters matching a pre-selected secret word. Keyloggers aren't any use against this, since there's no keyboard clicking taking place and so no letters or numbers to capture.

Enter a key kind of phishing trojan, documented by the ever vigilant Daniel McNamara of Code Fish. While capturing keystrokes like other keylogging trojans, this one also captures screen shots (images of whatever is on the screen) and sends them along to a Russian email address. It captures a host of other goodies too, including whatever text the user happens to copy to the clipboard while they're accessing the banking website in question (A smart move: Users often copy their password to the clipboard and then paste it into the appropriate field.) The target in this case? Barclays bank.

As Daniel points out, it seems as if this trojan has already been spotted. Symantec and other anti-virus vendors have in the past week referred to it, or something like it, calling it, variously, Bloodhound.Exploit.6, W32/Dumaru.w.gen, Exploit-MhtRedir and Backdoor.Nibu.D. And Barclays may be referring to the scam when it warns its users that "Some customers have been receiving an email claiming to be from Barclays advising them to follow a link to what appear to be a Barclays web site, where they are prompted to enter their personal Online Banking details." (Although in fact the email in question doesn't do this: It disguises itself as a web hosting receipt, and makes no mention of Barclays or online banking. The victim is instead lured by curiosity to a link in the email which takes them to a website that downloads the trojan in question.)

But none of these messages indicate the seriousness of this escalation. Whether this phishing trojan is just a proof of concept or specific attack against Barclays, it should send some serious warning signals through both the anti-virus industry and the online banking world. Phishers are getting smarter, and getting smarter quick. As Daniel himself writes, "This is a huge step in the phisher trojan evolution...This well-designed trojan should make anyone who has complete faith in visual selection systems a little bit worried."

 

[Infinitarchitect]

Thanks thats what I was looking for! I appreciate it.

 

[sab4you]

You may want to check out this for your users

http://www.spywareguide.com/blockfile.php

Its a registry hack that sets the disabled bit to known spyware, trojans, etc installed by ActiveX

You can push this to your end users by a group policy. This registry hack is updated usually at least once a month.

 

[sab4you]

forgot to mention, the big bonus of doing this is you dont have to install/maintain any software for end users

 

[Infinitarchitect]

Triple thanks, that registry hack is what I needed.

 

[Infinitarchitect]

So are you guys saying that this phishing technique only works via emails sent to the user? Do the new Trojan Phishing techniques if used via a web broswer redirect the user to a "bad" replica website that then downloads the trojan to the user's PC? I just want to be clear based on the article I just read. Thanks.

 

[stuuked]

Well that would be the most simple way for someone to get you to that site containing the malware. but basically these files were downloaded unintentionaly (you hope)Important that you keep up on the windows updates and have the security settings high. Only way for those files to get to your computer would be if you accepted yes on download. Employees should be very aware of the phishing tactics. lets say site your clicking on says

http://www.something.com

but after clicking on it, your browser would show something completly different. Dead giveaway you have been targeted for an attack, close browser and report that particular url to the company that it is impersonating.

 

[Infinitarchitect]

We keep our security very updated, everytime a set of critical updates are issued by Microsoft we implement them on all networked PC's. We also make good use of Firewalls, Websense, and Active Directory group policies. IE is fairly secured as far as the builtin settings but it maybe could be tighted. Then again it's probably a little loose to allow our private network applications to run on it.