Home page logo

pauldotcom logo PaulDotCom mailing list archives

Any Advice Trojan.BHO
From: johnemiller at gmail.com (johnemiller at gmail.com)
Date: Fri, 24 Apr 2009 21:39:15 +0000

Egress filtering ICMP would be a first step to preventing successful  
exploitation with the particular situation you described. There is rarely a  
good reason to allow internal users (especially non-technical users) to  
send ICMP to external address ranges. Allowing ICMP as well as other  
unnecessary services to exit a network provides channels for attackers to  
get data or connectivity through a firewall.

Additionally, depending on how the trojan gets installed, reducing user  
privs is a very important step in securing a Windows environment. I know  
that restricting users can be a major PITA, but allowing them to run with  
Administrative will ensure that the slightest vulnerability will leave them  
open to high-priv access to the domain.

John Miller - john at ethackal.com

On Apr 24, 2009 1:37pm, Shaun Curry <shauncurry1 at gmail.com> wrote:
Hello again everyone:

I have a client that recent was hacked. We learned of this when an email  
notification was sent from the bank stating that a "bill pay" had been  
sent, but the client didn't setup any bill pay. The money has been  
refunded and the bank is contacting the FBI to prosecute. I have learned  
that they were infected by trojan.bho which as I understand is a browser  
helper object that looks for SSL traffic and then keylogs user names and  
passwords. Once an SSL session is detected a ping is sent to the attacker  
alerting them that SSL is being used and the somehow it sends the  
keylogger info via ICMP. We have removed the BHO and they have reset all  

I am curious if there is anything else I can do to prevent this attack  
from happening again? I installed and instructed the user to use Firefox  
and not IE and updated all windows updates along with the antivirus. They  
are using Symantec Corporate Edition v. 10. Is there a better antivirus  
to use? They have a PIX for a firewall.... and thats about all I can  
think of right now...

Any ideas?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090424/f8d967aa/attachment.htm 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]