Password Stealing Browser Hijacker Discovered
March 8, 2008 – 3:21 PM
The Internet Storm Center has announced a very scary discovery. They have found a browser hijacker, installed as a Browser Helper Object (BHO), that monitors what are supposed to be secure, encrypted browsing sessions and steals passwords. These passwords are then forwarded to a web-based script at www.refestltd.com. It appears that this site has now been deleted.
The hijacker is loaded from a web page as if it were a .gif image file. The file is not really an image. It is a compressed trojan dropper that installs a .dll file as a BHO. How the trojan is executed is unknown. The most likely explanation is that the page calling the file exploits some flaw in Microsoft Internet Explorer.
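As an added example (not from the Internet Storm Center report or this post), here is a content check a web proxy or gateway could apply to anything fetched under a .gif name: compare the leading bytes against the GIF signature instead of trusting the extension. The function names and sample bytes are constructed for illustration, and the post does not say which compression format the dropper used, so the list of formats is an assumption.

```python
# Every real GIF starts with one of these two headers.
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Leading bytes of formats a compressed dropper could plausibly use (assumed list).
SUSPECT_MAGICS = {
    b"MZ": "Windows executable or DLL",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip stream",
    b"Rar!\x1a\x07": "RAR archive",
    b"MSCF": "Microsoft Cabinet archive",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
}


def classify(data):
    """Name the content type from its leading bytes, ignoring any file name."""
    if data.startswith(GIF_MAGICS):
        return "GIF image"
    for magic, name in SUSPECT_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_claimed_gif(name, data):
    """Return (ok, detail) for content delivered under the given name."""
    if not name.lower().endswith(".gif"):
        return True, "not claimed as GIF"
    kind = classify(data)
    if kind == "GIF image":
        return True, kind
    return False, "%s: claimed GIF, content looks like %s" % (name, kind)


def flagged(samples):
    """Return the names whose content does not match the .gif claim."""
    return [n for n, d in samples if not check_claimed_gif(n, d)[0]]


# Constructed sample inputs: (name as served, first bytes of the body).
SAMPLES = [
    ("logo.gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"),
    ("banner.gif", b"\x1f\x8b\x08\x00\x00\x00\x00\x00"),
    ("spacer.GIF", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for item in flagged(SAMPLES):
        print("mismatch:", item)
```

A mismatch only shows that the file is not what its name claims; it says nothing about how the content was executed, which the post notes is still unknown.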
If any more information is discovered about this new hijacker, I’ll be sure to mention it here.