This morning I got an alert from Websense Security Labs (I am on their mailing list) about a Trojan that steals user information from specific webpages. This information is then passed through an XOR algorithm and sent to the attacker’s server. It achieves this by installing its self as an Internet Explorer Browser Help Object (BHO).
They even have screen shots of the actual encoded and decoded traffic, read more here: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570
I would just like to add that the attackers have approached the problem of filtered traffic with a ingenious, simple and yet effective XOR function that allows what previously was sensitive information, and was blocked, to be not readable and passed as normal packet information.
Lessons learned: For the people still using Internet Explorer and who do not check their BHO list for malicious software I advise either to download Windows Defender or to change to a proper Web browser (e.g. Firefox, Opera, etc). Other options exist but I will not get into them now.
Websense Security Labs – http://www.websense.com
Websense Security Labs Alert – http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570
Windows Defender – http://www.microsoft.com/athome/security/spyware/software/default.mspx
Firefox – http://www.mozilla.com/firefox/
Opera – http://www.opera.com/