Proceedings of the 7th Australian Information Security Management Conference
Figure 2 - IE tampering tools (Adapted from Bayden Systems, 2004).
The malware can also tamper with the parameters carried in the body of a PUT request, data that is not accessible from the browser's address bar (Scambray et al., 2006). It may equally attack the parameters of a POST request, which is used to submit forms and to upload files to the server through an HTML page rather than via an FTP service (Fadia, 2006), while a customer is performing an online transaction, submitting a form or shopping online. Figure 2 illustrates how an online transaction can be modified. The original price of the laptop was $1995. As soon as the submit order button was pressed, the Trojan extension intercepted the outgoing HTTP request and changed the price of the item to $10. Such a change only succeeds when the server trusts the price field sent by the client instead of looking the price up itself. The tool also contains a number of generated attack strings, such as SQL injection, buffer overflow and cross-site scripting payloads, which can be substituted into request parameters and cause problems for web-based applications (Bayden Systems, 2004).
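The following is an added example, not code from the paper or from Bayden Systems: a minimal order handler that shows why the price change in Figure 2 succeeds against a naive server, and how a hardened handler rejects both the tampered price and a substituted attack string. The catalogue, item names and request bodies are constructed for this example.

```python
"""Added example (not from the paper or Bayden Systems): a naive order
handler beside a hardened one. Catalogue and request bodies are constructed."""
import re
from decimal import Decimal
from urllib.parse import parse_qs

# Hypothetical server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {"laptop-17": Decimal("1995.00")}

# Constructed request bodies: the original order, the tampered one (the
# $1995 laptop resubmitted at $10, as in Figure 2) and a body carrying one of
# the generated attack strings a tampering tool can substitute for a value.
ORIGINAL = "item=laptop-17&qty=1&price=1995.00"
TAMPERED = "item=laptop-17&qty=1&price=10.00"
INJECTED = "item=laptop-17&qty=1&price=' OR 1=1--"

MONEY = re.compile(r"^\d{1,7}(\.\d{2})?$")  # accepts only plain decimal amounts


def vulnerable_checkout(body: str) -> Decimal:
    """Trusts the 'price' field in the POST body. The field is filled in by the
    page's own form, but a browser add-on or proxy rewrites the request after
    the browser has built it, so the server bills whatever it receives."""
    form = parse_qs(body)
    return Decimal(form["price"][0]) * int(form["qty"][0])


def hardened_checkout(body: str) -> Decimal:
    """Looks the price up server-side and treats every client field as
    untrusted input: malformed values or a price that disagrees with the
    catalogue raise ValueError and the order is not placed."""
    form = parse_qs(body)
    item = form.get("item", [""])[0]
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(form.get("qty", ["0"])[0])          # non-numeric -> ValueError
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    price = CATALOGUE[item]
    sent = form.get("price", [None])[0]
    if sent is not None:
        # The client may echo the displayed price; verify it, never use it.
        if not MONEY.match(sent):
            raise ValueError("malformed price field (possible attack string)")
        if Decimal(sent) != price:
            raise ValueError("price mismatch: request tampering suspected")
    return price * qty


def is_rejected(body: str) -> bool:
    """True when the hardened handler refuses the order."""
    try:
        hardened_checkout(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, tampered:", vulnerable_checkout(TAMPERED))
    print("hardened, tampered rejected:", is_rejected(TAMPERED))
    print("hardened, injected rejected:", is_rejected(INJECTED))
    print("hardened, original:", hardened_checkout(ORIGINAL))
```

The hardened handler deliberately still accepts a price field from the client, because many real forms echo the displayed price; the point is that the field is compared against the server's own figure and never used for billing, and that anything which is not a well-formed amount is refused before it reaches a database or a numeric conversion.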
Internet Explorer Trojan add-on example
Examples of add-on browser Trojans include Nuklus.a, which collects certificates from the system certificate store (Ståhlberg, 2007). Nuklus.a is a browser Trojan used for stealing online banking account details, mainly targeting Internet Explorer (iexplore.exe). Once installed, it drops the executable 'taskmang.exe' (F-Secure Corporation, 2007), which holds the address of the remote command-and-control server and its control interface. It then registers itself as a Windows service on the victim's computer:
ServiceName = "Taskmng"
DisplayName = "Windows Task Manager"
ImagePath = "%System32%\taskmang.exe" (F-Secure Corporation, 2007)
The service name, display name and file name are chosen to resemble the legitimate Windows Task Manager (taskmgr.exe), so the entry does not stand out in the service list. The Trojan also creates a registry key as an infection marker, together with the service sub-key that makes it run when Windows starts. The keys are:
HKEY_CLASSES_ROOT\MTBase, "(Default)" = "%System%\mt 32.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Taskmng (SecurityMob, 2007)
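The indicators above (the Taskmng service, its taskmang.exe image and the MTBase marker under HKEY_CLASSES_ROOT) are concrete enough to check for on a host. The following is an added example, not code from the paper, F-Secure or SecurityMob: it parses a registry export and flags the quoted indicators, plus a generic rule for services that present themselves as a Windows component while pointing at a binary that is not a known system executable. The .reg text is constructed and simplified (ImagePath is shown as a plain string rather than the hex(2) form reg.exe emits), and the list of known system binaries is an assumption of the example.

```python
"""Added example (not from the paper, F-Secure or SecurityMob): a host-based
check for the Nuklus.a persistence indicators quoted in the text, run over a
constructed and simplified .reg export."""
import re

SERVICES_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
IOC_SERVICE = SERVICES_ROOT + "Taskmng"
INFECTION_MARKER = "HKEY_CLASSES_ROOT\\MTBase"
# Assumed allowlist of legitimate Windows binaries a service may truthfully
# claim to be; extend it for a real deployment.
KNOWN_SYSTEM_BINARIES = {"taskmgr.exe", "svchost.exe", "services.exe",
                         "lsass.exe", "explorer.exe"}

# Constructed sample: one legitimate service beside the entries from the text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k NetworkService"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Taskmng]
"DisplayName"="Windows Task Manager"
"ImagePath"="%System32%\\taskmang.exe"
"Start"=dword:00000002

[HKEY_CLASSES_ROOT\MTBase]
@="%System%\\mt 32.dll"
'''

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _decode(raw: str) -> str:
    """Unescape a quoted REG_SZ literal; dword:/hex: values are returned verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key path: {value name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = _decode(m.group(2))
    return keys


def _image_basename(image_path: str) -> str:
    """File name of the service binary, ignoring any command-line arguments."""
    return image_path.strip('"').split(" ")[0].rsplit("\\", 1)[-1].lower()


def scan(text: str) -> list:
    """Return (key, rule) pairs for every indicator found in the export."""
    hits = []
    for key, values in parse_reg(text).items():
        k = key.lower()                      # registry paths are case-insensitive
        if k == INFECTION_MARKER.lower():
            hits.append((key, "infection-marker"))
        if k == IOC_SERVICE.lower():
            hits.append((key, "known-service-ioc"))
        # Generic rule: a service that presents itself as a Windows component
        # but whose binary is not one of the known system executables.
        if k.startswith(SERVICES_ROOT.lower()) and "ImagePath" in values:
            display = values.get("DisplayName", "").lower()
            exe = _image_basename(values["ImagePath"])
            if display.startswith("windows ") and exe not in KNOWN_SYSTEM_BINARIES:
                hits.append((key, "display-name-spoof"))
    return hits


if __name__ == "__main__":
    for key, rule in scan(SAMPLE_REG):
        print(f"{rule:20s} {key}")
```

The two exact-match rules catch this specific sample; the display-name rule is the one worth keeping, since a renamed variant would change the service and file names but still needs a plausible display name to hide in the service list. On a live system the same checks can be run against the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` once the hex(2) encoding of expandable strings is decoded.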
Once the service and registry keys are in place, the Trojan downloads additional components (plug-ins) from a remote server and communicates with the control server over HTTP. The plug-ins are dynamically loaded libraries (DLLs) that the Trojan loads into the browser, as BHOs in the case of IE and/or through Firefox's own extension mechanism (Firefox does not support BHOs). The following table lists the basic malware plug-ins that may be installed on customers' systems: