View Full Version : "Man in the Browser" Infection - Care!


Ancient Observer
6th Apr 2010, 12:01
My pc had a nasty invader on Monday morning, an infection which I'm told is called "man in the browser".
I've used the search function, and it hasn't been mentioned before. Googling it suggests that it has been around for about a year in increasingly sophisticated forms. Various web-discussions suggest that it can evade many security programmes. It beat my MS firewall with AVG free.

It is a very clever little invader. It does virtually nothing to your experience of your pc. BUT, when you go to some sites that it is pre-programmed to look for, it makes some very subtle changes to what you see on the screen. The version on my pc modified Banking websites when using IE 8 and IE 7. It didn't work on my Firefox, but Googling reveals that it often hits FF before IE.
The url of the banking web-sites remains exactly the same as the real web-sites.
Thus, unless you know what the web-site should look like, it is difficult to detect. I asked (electronically) both NatWest and Abbey on Monday, if they had recently changed the look of their web-site, and neither have replied yet. I rang them both, and NatWest knew what I was talking about, but Abbey - renamed Saltimbocca, I was told - didn't know what I was talking about.

Since then, (OK, very late) Upnp unticked, and multiple uses of avg, malwarebytes, superanti-spyware, spybot and ccleaner seem to have stopped the invader having an impact. However, I guess it is still there, somewhere, so the pc will probably go off to the man who set it up for a good disc-scrubbing.

call100
6th Apr 2010, 13:39
Thanks for the heads up.... Abbey is now Santander, for the record. :)

Ancient Observer
6th Apr 2010, 13:41
.......but Saltimbocca sounds better.

Saab Dastard
6th Apr 2010, 13:42
Ancient Observer,

As you describe it, that can only work by hijacking either the DNS entries in the network settings of the OS (to point all DNS queries to a false DNS server), or by writing to the hosts file.

It can direct the correct URL to a spoof website by resolving the URL to a new IP address by either of the mechanisms above. Once on the spoof site it can direct an incorrect SSL URL to a site for which it does have a genuine certificate.

What it will not be able to do is spoof the SSL certificate of the correct website.

So vigilance is required at all times!

SD
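An added example, not from SD's post: a small Python audit of a hosts file, the second of the two redirection mechanisms described above. It flags any entry that overrides a watched bank domain, or that pins a name to an address outside the loopback, private and link-local ranges. The sample hosts file, the bank domain and the addresses are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample hosts file (not from the original post). The last line is the
# kind of entry a hijack would add: a bank's hostnames pointed at a foreign address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.home.lan
203.0.113.45    www.example-bank.invalid   online.example-bank.invalid
"""

# Domains whose resolution should never be overridden locally (constructed placeholder).
WATCHED_DOMAINS = {"example-bank.invalid"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blank lines and extra whitespace."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:                    # one line may carry several hostnames
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Flag entries that (a) name a watched domain or one of its subdomains, or
    (b) map a name to an address outside the loopback/private/link-local ranges.
    A normal home hosts file needs neither, so either is worth a closer look."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            flagged.append((ip, name, "watched domain overridden"))
        elif not (addr.is_loopback or addr.is_private or addr.is_link_local):
            flagged.append((ip, name, "non-private address pinned in hosts file"))
    return flagged


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print("SUSPICIOUS:", *hit)
```

To audit a live machine, read the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) and pass its contents to suspicious_entries; the DNS-server half of SD's description needs a separate check of the adapter settings.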

Ancient Observer
6th Apr 2010, 13:47
SD
Thanks. A bit beyond my know how, I'm afraid. Anything else I should be doing to check out the pc?
The Google advice was to go look for it in various places, but it would appear that in its early versions it did not disguise itself too well (using phrases such as "man in the browser"), but now, of course, it no longer makes itself visible.
I wish I'd followed the advice on this site some time ago about upnp and admin!!!

frostbite
6th Apr 2010, 14:28
Just out of interest, do you have that Rapport software that the banks are pushing installed?

green granite
6th Apr 2010, 14:51
The MitB Trojan works by utilising common facilities provided to enhance Browser capabilities such as Browser helper Objects, Extensions and User scripts etc., and is therefore virtually undetectable to virus scanning software.[2]

In an example exchange between user and host, e.g. an Internet banking transaction such as a funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification. An example of a MitB threat is Silentbanker.[3]

Part of the frustration with a man in the browser attack is that the bug is very hard to detect and even harder to remove from the system. Unlike many other forms of intrusive viruses, a man in the browser invader operates between the browser security protocols and the input of the user. This means that standard security measures normally will not even reveal the presence of the man in the browser virus.


PDF download about dealing with it: http://download.entrust.com/resources/download.cfm/24002/WP_MITB_March2010.pdf/?start
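An added illustration, not from green granite's post or the linked paper, of the distinction drawn above between authentication and transaction verification. It models a customer token that computes an HMAC-based code over the destination and amount the customer sees on screen, which the bank recomputes over the instructions it actually received; that scheme, the account numbers, the login details and the secret are all constructed assumptions, not any bank's real mechanism.

```python
import hashlib
import hmac

# Constructed shared secret for the customer's transaction-signing token (hypothetical).
TOKEN_SECRET = b"constructed-demo-token-secret"
DIRECTORY = {"alice": "correct horse"}      # constructed login directory


def login_ok(username, password, directory=DIRECTORY):
    """Authentication: confirms who is at the keyboard, says nothing about the payment."""
    return directory.get(username) == password


def transaction_code(destination, amount_pence, secret=TOKEN_SECRET):
    """Code the customer's token computes over the details shown on the confirmation screen."""
    msg = f"{destination}|{amount_pence}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def altered_in_transit(transaction):
    """Model of the effect described above: the bank receives different instructions
    from what the customer keyed in. The substitute account is a constructed placeholder."""
    altered = dict(transaction)
    altered["destination"] = "PLACEHOLDER-OTHER-ACCOUNT"
    return altered


def bank_accepts(received, code, secret=TOKEN_SECRET):
    """Transaction verification: recompute the code from what was actually received."""
    expected = transaction_code(received["destination"], received["amount_pence"], secret)
    return hmac.compare_digest(expected, code)


def scenario(with_verification):
    """Return True if the altered transfer goes through, False if the bank rejects it."""
    customer_keyed = {"destination": "12-34-56 12345678", "amount_pence": 25000}
    code = transaction_code(**customer_keyed)   # computed from the on-screen details
    received = altered_in_transit(customer_keyed)
    authenticated = login_ok("alice", "correct horse")
    if not with_verification:
        return authenticated                     # strong login alone lets it through
    return authenticated and bank_accepts(received, code)


if __name__ == "__main__":
    print("authentication only, transfer accepted:", scenario(False))   # True
    print("with verification, transfer accepted:", scenario(True))      # False
```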

Ancient Observer
6th Apr 2010, 15:32
Thanks. An interesting read. That just confirms that I'll have the hard disk scrubbed and start again!

Saab Dastard
6th Apr 2010, 15:51
green granite,

Thanks for that - it is nastier and cleverer than I realised.

SD

BOAC
8th Apr 2010, 08:48
Do any readers of 'The Register' or similar newsletters know of any developments in AV products to detect what appears to be a sort of BHO? Will 'TeaTimer' or a similar product stop it changing the registry?

Edit: Reigister=Register:ugh:

Ancient Observer
8th Apr 2010, 15:34
Frostbite
No Rapport as there have been some negative reviews of it.
However, Natwest are pushing hard for their profits on legs (banks don't regard us as customers) to instal Rapport. I haven't.

BOAC
8th Apr 2010, 16:23
SoCal - your sanguine approach is reassuring, but others think differently.

Regarding Anti-virus, from gg's linked pdf:

Malware is changing so rapidly that client software is having trouble keeping up; signature-based detection models are increasingly ineffective and other models are still improving

rans6andrew
8th Apr 2010, 16:52
Does anyone know which OS this threat attacks? Is it wild in the Unix world? PC world? Mac world?

I don't fully understand what this threat is capable of doing but I suspect that it cannot hijack funds that you are paying to previously set-up destinations. In my on-line banking I am generally paying bills to accounts that have been paid to before, the account details are already set up at the bank, I just select whose bill I want to pay and set the cash amount. Is this activity safe from MITB threat?

I have been playing with Ubuntu (a strain of Unix) which can be "installed" on a memory stick or run from a CD. It boots up and runs happily, from a memory stick, on my laptop PC and it includes a FF browser. One thing it cannot do is access or save files on the Windoze hard drive in the machine. Is this a good protection from the sort of trojan that MITB needs?

If it is a way of protecting oneself from this attack I would recommend it to anyone, it is a free download. You just need a PC with a CD rom drive to get it up and running.

Rans6....

BOAC
8th Apr 2010, 17:50
Further depressing news is that according to 'Dark Reading' (Sep 09), Zeus is very successful at eluding detection even with up-to-date AV. They quote 44% of Zeus-infected machines running no or out-of-date AV but the other 56% fully up to speed. Their opening paragraph:

The most pervasive banking Trojan evades detection by antivirus software most of the time, according to new research.

It would appear that the Mac is equally vulnerable, don't know about Linux.

Deep joy!

John Marsh
8th Apr 2010, 20:33
I use Win Patrol, a free watchdog which keeps tabs on hosts file changes, amongst other things. The 'Immunize' function of Spybot Search & Destroy (free app) helps to fortify the browsers against nasties. Spybot also has a scan function.