Windows Secrets


Windows Secrets Newsletter • Issue 30 • 2004-05-20 • Circulation: over 400,000


Table of contents 
  • Top Story: Readers find new phishing attacks
  • Patch Watch: Help system is vulnerable in XP and 2003
  • Insider Tricks: Phenomenal update info on 32 Microsoft products
  • Wacky Web Week: College alumnus has the last laugh

 
Top Story

Readers find new phishing attacks

By Brian Livingston

The top story of the May 6 issue of Brian’s Buzz on Windows revealed that hackers had found a way to hijack the address bar of Internet Explorer, Netscape, and possibly other browsers. This exploit makes it appear that you are visiting one site — such as your online bank — whereas you are actually visiting a bogus site that just happens to look exactly like your online bank.

This technique is used to enhance the diabolical effectiveness of “phishing.” In the typical phishing attack, millions of e-mail messages are sent out by credit-card thieves. These messages tell the recipients that they need to re-enter their passwords or other personal information in order to “verify” their account at their bank, PayPal, eBay, or whatever.

The e-mail message contains the identical logo and overall appearance as your financial institution’s legitimate messages. If you click the link in the message, the Web site that opens in your browser looks good, too. But the site, in fact, is a “throw-away” page. It will be abandoned as soon as the thieves have collected thousands of credit-card numbers, passwords, or other information from innocent Web users.

Because the phishing e-mails and Web pages look exactly like those of legitimate companies, up to 5% of the recipients of these e-mails actually enter the data that’s requested, according to figures I quoted last issue from the Anti-Phishing Working Group.

My article on this subject generated far more comment than the average newsletter does. My readers are extremely offended (as am I) by the exploitation of naïve users that phishing represents. The recent exploit, which grabs browsers’ address bars to make the trick harder to detect, is seen to make phishing an even bigger threat to Internet users than it was originally.

What’s worse, my readers have discovered additional exploits that haven’t yet been reported in major media. The comment below describes a new kind of Internet worm that hijacks the Hosts file, a Windows resource that can be subverted to re-direct any site you may type into an Internet browser.

Hackers use Hosts file to seize your browser

Reader Ed Perrone was the first to outline to me his experiences with a hacker exploit that takes over the Hosts file. This is a standard Windows file (it has no extension) that maps host names to the addresses of remote computers, whether on the Internet or on a local network. Windows consults it before asking a Domain Name System (DNS) server, so an entry in the Hosts file overrides whatever DNS would have answered for that name.

Perrone found to his horror that his Hosts file had been quietly corrupted in an attempt to phish for his password at a site called E-gold. This is an e-commerce service that, according to a Wired.com article, is a legitimate way for individuals to send each other payments in shares of gold bullion.

Please read this important cautionary tale:

  • “The article on hijacking the address bar really caught my interest, because I was the near-victim of such a thing just a couple of months ago. However, my experience was slightly different: The hijacker somehow altered my Hosts file to redirect requests for www.e-gold.com to a fake e-gold site at his own IP address.

    “I never fall for the normal kinds of phishing e-mails. But this scam was so smoothly executed that I actually had my password typed into the password box at the fake site. All that was left was to click ‘Log in.’ But a few things made me uncomfortable enough to contact e-gold first, and I was glad I did!

    “The ‘clues’ I noticed were several. First of all, I was getting numerous ‘page not found’ errors while clicking around the fake site. Some pages were there, some weren’t. That seemed strange for a professionally run site.

    “The fake site actually did have an SSL certificate — but I got an IE warning that the name on the certificate did not match the name of the site. Another red flag. And, when logging into e-gold, your account number is automatically filled in for you, via a cookie. When I attempted to log into the fake site, I had to fill in the account number myself.

    “All very subtle ‘weirdness,’ however. And only because I am very paranoid and very aware of scams did I hesitate — and only then, at the very last second. I’m convinced that most ‘normal’ users would have just clicked right through. ‘Oh, e-gold is having a bit of a problem today—’

    “I am still not sure how the culprits could have edited my Hosts file. I had received an e-mail earlier that day, apparently from someone at a gold-related message board I belong to, warning of a ‘financial problem’ with e-gold and containing a link to a ‘news article’ on the subject. I was curious, so I clicked the link. The ‘article’ did not seem convincing, so I wrote it off as a crank e-mail, deleted the mail, and forgot all about the Web site. A few hours later, however, when attempting to log into my e-gold account, the weirdness began.

    “So, unfortunately, I was not able to examine any code or see exactly how altering my Hosts file was accomplished. But I am convinced that it was this particular e-mail/Web site that did it.

    “E-gold customer support told me immediately that it sounded like I was accessing a fake site, and that I should check my Hosts file — and sure enough, as soon as I looked, there it was.

    “This exploit scared the dickens out of me — because it appears to me that, if the Hosts file is altered without one’s knowledge, then even the most secure system and most paranoid person is susceptible to this. The address bar shows ‘http://www.e-gold.com,’ but you are actually accessing ‘255.255.255.255’ [some anonymous hacker site obscured by the dotted-decimal format].

    “Are there any virus- or integrity-checkers that guard the Hosts file? I think not.

    “My solution was to make my Hosts file read-only. I also now have a shortcut on my desktop and check the Hosts file every time I am going to a financial site (PayPal, e-gold, etc.). But are normal users going to do this? Have you ever heard of an exploit of this type?

    “I apologize for the long-windedness of this letter; but like I said, this one scares me. Because they can hijack the address bar without any of the shenanigans you describe.”
The malware that hijacked reader Perrone’s Hosts file is probably a phishing enabler known as Worm_Dumaru.ai (or a variant), according to a bulletin by Trend Micro, a respected antivirus company. The rogue program sends the information it captures back to a remote .ru (Russia) server.

Trend Micro discovered the worm, and detection became available, only 13 days ago on May 7, the bulletin says. Other antivirus companies also now detect and guard against it, sometimes describing it under other names.

The worm re-writes the Hosts file, according to Trend Micro, in part to prevent the infected user’s computer from accessing major antivirus sites, including those of Symantec, F-Secure, Kaspersky, Sophos, and many others. This would prevent the user’s PC from downloading antivirus updates that would detect and remove the worm.

The bulletin provides technical details about the worm’s operations and instructs users on how to clean the Hosts file manually, if necessary.

Unfortunately, marking the Hosts file as read-only is not an effective way to prevent this file from being hijacked by malware. Yes, this might prevent the current version of the worm from writing to the file. But it’s not difficult to develop a worm that can remove the read-only flag, change the Hosts file, then mark the file as read-only again so you wouldn’t notice that the status had ever changed.

A better form of protection is to use a major antivirus program and configure it to update its antivirus signatures automatically and as frequently as possible.

Of course, the best protection of all would be for Microsoft to ensure that no Web site you visit can change the contents of the Hosts file or any other file on your PC without your knowledge and consent. I’ll evaluate security changes such as this as they emerge from the Redmond software giant.
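The kind of Hosts-file integrity check Perrone asks about, as an added example that is not from the newsletter or from Trend Micro: it parses the file, flags watched names that are either blocked (pointed at loopback) or redirected elsewhere, and keeps a digest of the mappings so that a change shows up whether or not the read-only attribute was put back. The watch list and the sample Hosts file are constructed for illustration.

```python
"""Check a Windows Hosts file for phishing-style tampering (added example)."""
import hashlib
import ipaddress

# Constructed watch list: the sites this story names as redirect or block
# targets. A real deployment carries whatever names matter to its users.
WATCHED_DOMAINS = {
    "www.e-gold.com", "www.paypal.com", "www.ebay.com",
    "www.symantec.com", "www.f-secure.com", "www.kaspersky.com", "www.sophos.com",
}

def parse_hosts(text):
    """Yield (line_no, ip, [names]) per mapping line: 'IP name [name ...]',
    with '#' starting a comment. Blank or malformed lines are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        yield no, parts[0], [h.lower() for h in parts[1:]]

def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (line_no, ip, hits, reason) for every watched name in the file.
    A watched name mapped to loopback is a blocking entry (the worm's way of
    cutting off antivirus updates); one mapped anywhere else is a redirection
    to a look-alike site."""
    findings = []
    for no, ip, names in parse_hosts(text):
        hits = [h for h in names if h in watched]
        if not hits:
            continue
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
            reason = "blocked (loopback)" if loopback else "redirected"
        except ValueError:
            reason = "unparseable address"
        findings.append((no, ip, hits, reason))
    return findings

def baseline_digest(text):
    """SHA-256 over the normalised mappings only, so comments and whitespace
    do not matter but any changed mapping does, even if the file was set back
    to read-only afterwards."""
    canon = "\n".join(f"{ip} {' '.join(n)}" for _, ip, n in parse_hosts(text))
    return hashlib.sha256(canon.encode()).hexdigest()

# Constructed sample in the style of the tampering described in the story.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# entries below are the kind an infection would append
192.0.2.45      www.e-gold.com e-gold.com   # RFC 5737 documentation address
127.0.0.1       www.symantec.com
127.0.0.1       www.f-secure.com
"""

if __name__ == "__main__":
    for no, ip, hits, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {ip} -> {', '.join(hits)} [{why}]")
    print("baseline digest:", baseline_digest(SAMPLE_HOSTS))
```

On a real system, read %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS and compare the digest against one recorded when the file was known to be clean.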

Can you re-position the address bar for safety?

Reader Brian Brener writes specifically about the fact that hackers can display an address bar that replaces the legitimate one in your browser:

  • “A solution to this issue is fairly simple, I believe. IE has a little known option to move the address bar. It can be dragged like any other IE toolbar. I always drag it permanently to the top line — which has File, Edit, View, Favorites, Tools, Help — and place it to the right in the empty space. This saves me a line and increases window size, but may help this issue by not being where the phishers expect.”
In IE 6, you can drag your address bar and other toolbars around, as long as the View, Toolbars, Lock Toolbars selection is off in the main menu.

I don’t believe this effectively prevents hackers from taking control of the address bar, however. The same View menu in IE enables you to turn off your address bar entirely, if you wish. An Internet virus, if it was skillfully programmed, could probably turn off your legitimate address bar and turn on its own address bar — in the same location the old one had occupied. Again, updating your antivirus programs is a better form of protection.

Today’s simple exploits will keep getting slicker

Brandon Carpenter writes that one of the flaws I wrote about in the current generation of phishing software won’t remain a flaw for long:

  • “In your May 6 e-mail newsletter, you mentioned the following as a weakness in the ‘phishing’ address-bar replacement scam:

      • Default color scheme only. At this writing, the phishing code uses browser-detection techniques to display an address bar that’s appropriate for IE, Netscape, and so forth. But the fake address bar uses only the default Windows colors. If you’ve configured Windows to use a different color scheme, the fake address bar will look, well, fake.

    “With most modern browsers supporting cascading style sheets (CSS), this weakness is easily overcome. Today’s most popular browsers, including IE and Mozilla, allow you to use CSS to specify system colors and fonts for just about any HTML element. I’ve used these techniques, in HTML Applications (HTA) and Web pages, to create simple applications that match the current system UI choices.

    “With Mozilla, imitating the address bar becomes more difficult when a theme other than one of the defaults is applied. Mozilla also has built-in pop-up blocking. Mozilla rocks.”
It’s unfortunately true that phishing exploits will just become more and more sophisticated, because real money is involved here. This is why it’s crucial for antivirus companies and Microsoft developers to distribute new tools to give users stronger protection against these kinds of attacks.

I’m sending readers Perrone, Brener, and Carpenter gift certificates for a book, CD, or DVD of their choice for sending me comments that I printed. To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.


 
Patch Watch

Help system is vulnerable in XP and 2003

MS04-015 (840374): Microsoft released only one security bulletin on May 11, the date of its customary second-Tuesday update for Windows.

This bulletin, MS04-015, is rated “important,” one step below the most severe rating of “critical.” It affects only Windows XP and Windows Server 2003.

The security flaw that Microsoft announced lies in the so-called Help and Support Center (HSC), which is present only in XP and 2003. Unlike the version of Help found in previous releases of Windows, the version in XP and 2003 uses its own protocol to open help files. Microsoft calls this protocol “hcp://”, which has some similarities to, but is not to be confused with, the Internet’s own standard, “http://”.

An attacker can take complete control over a PC if its user is logged on as an Administrator and the user visits a malicious Web site or clicks a link in an infected HTML e-mail message. However, several other steps would also be required at that site, according to Microsoft, before the exploit would be effective in gaining control of the PC.

The e-mail attack would not be successful in Outlook Express 6 or Outlook 2002 or 2003. Nor would it succeed in Outlook 98 or 2000 if the Outlook E-mail Security Update has been installed. That’s because these e-mail programs open e-mail in the Restricted zone, where an attacker cannot take advantage of the hcp:// flaw.

Update doesn’t install properly if HSC is disabled

The Help and Support Center service may be disabled, as an administrator might do to improve security. (Side-effect: Help in Control Panel and some other applications would not run in such a case.) If the service is disabled, and MS04-015 is applied, the update seems to install properly, but a needed file is not installed and the DCOM service logs errors and can’t start.



 
Insider Tricks

Phenomenal update info on 32 Microsoft products

Someone other than Microsoft has finally put together a coherent guide, in a convenient checklist format, to the many patches and updates that are needed by Windows and a great number of Redmond’s various applications and add-ins for it.

One of the people behind this massive project is Gary Busby, who works for a major U.S. cable Internet service provider. To give you an idea of the enormous scope of his effort, just take a look at the versions of Microsoft software that are covered in the current edition of the guide:

    Operating Systems
    • Windows Server 2003 (all editions, 32-bit)
    • Windows XP, Professional Edition (32-bit)
    • Windows 2000, Server Editions
    • Windows 2000, Professional Edition
    • Windows NT v4.0, Terminal Services Edition
    • Windows NT v4.0, Server Edition
    • Windows NT v4.0, Workstation Edition

    Client Products
    • Office XP
    • Internet Explorer v6.0 SP1
    • Windows Media Player v9.0 (Win2k)
    • Windows Media Player v7.1 (Win2k)
    • Windows Media Player v6.4 (NT)

    Components
    • MSXML
    • Windows Script Host
    • MDAC
    • DirectX
    • COM+
    • Java Virtual Machine

    Web Services
    • .NET Framework
    • IIS 6.0
    • IIS 5.1
    • IIS 5.0
    • Windows 2000 Indexing Services
    • FrontPage Server Extensions 2002
    • IIS 4.0
    • Index Server 2.0



 
Wacky Web Week

College alumnus has the last laugh

‘Tis the season for college graduation ceremonies, and while most grads are enduring some bureaucrat or another as their speaker, the matriculating students of the College of William and Mary got — drum roll, please — Jon Stewart, the funnyman of Comedy Central’s “The Daily Show.”

Stewart actually, somehow, graduated from this selfsame college 20 years ago, and he’s back with a vengeance. From his very first words — “Thank you, Mr. President, I had forgotten how crushingly dull these ceremonies are.” — he didn’t disappoint.

Remarking on his own selection, Stewart said, “When I think back to the people that have been in this position before me from Benjamin Franklin to Queen Noor of Jordan, I can’t help but wonder what has happened to this place,” adding, “As an alumnus, I have to say I believe we can do better.”

It just rolls on from there. Oh, those college days…


YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.
