Exploit found with China Bank ICBC


hako

Today, I installed the banking software from ICBC (Industrial & Commercial Bank of China), on Windows 7 64bit. They gave me a USB key, and I downloaded the software from their website. A number of extra add-ons for IE and Firefox were also installed. The Firefox version complained that it would only work for FF 10 to 21 (actual is 35).

Both IE11 and Firefox triggered an exploit alarm with MBAE 1.05.1.1016, and blocked the sign-in to the bank account.

Attached are MBAE's logs.

Is this a known false positive? What can I do to access my account?

Thanks for any hint.

Hako

MBAE_log_150209.zip

Neither Firefox nor Chrome (in recent versions) can be used for this bank, only IE.

SubmitControl_64.dll is part of the bank's software, used for sign-in.

If I turn off MBAE, the sign-in works.

I'll ask the bank tomorrow.

Can I exclude this banking program somehow, so that other protections are still working?

If there is such a possibility, how to do it?

Hako

  • Staff

Hi Hako.

MBAE does not look at the software or URLs, it simply monitors the behavior of the browser by hooking certain APIs. Therefore you can't really exclude it. It is likely that your bank's software is doing something to try to protect its login that is firing off some exploit detection technique. If you only use IE for your bank and use other browsers (Firefox or Chrome) for your regular browsing, you could unshield IE from MBAE to prevent the conflict.

Not really good news.

1. The bank said MBAE is too thorough and should be turned off for their internet banking to work.

2. Excluding IE means to open all gates.

In China, most internet services, banking and payment software use ActiveX, and thus rely on IE. Others I tried are working with MBAE, only ICBC is not.

It would be nice to keep the protection in IE, only opening it for specific add-ons, like ICBC's SubmitControl.dll.

  • Staff

It sounds as if unfortunately your bank is forcing you to use a less secure online banking method. I get that they've invested time and money developing their ActiveX, but by definition that is a bad idea security-wise and will not protect you from exploits (if anything more ActiveX adds more exposure to exploits).

What I suggest then is that you create a VM that you use exclusively for banking with this ActiveX and you don't use that VM/Browser combination for anything else.

It might also be a good idea to tell your bank that they are not doing you any favors by forcing you to use IE (by far the least secure of all browsers) with an additional ActiveX.

I have an alternate idea which is mostly just a wild guess, but it is worth trying. It is well documented that ActiveX controls written with ATL 7.1 or older are incompatible with DEP (Data Execution Prevention) memory protection. If this is indeed the case, I have a solution that may work. Follow these steps exactly, otherwise you may experience other conflicts. This guideline assumes that MBAE protection is currently enabled:

1. Since you already have recent version of Firefox, install Fire IE from here:

https://addons.mozilla.org/en-us/firefox/addon/fire-ie/

When you are prompted to restart Firefox, don't click Restart Now, just close it instead. This is required to avoid conflict described here:

https://forums.malwarebytes.org/index.php?/topic/163449-solved-fire-ie-plugin-for-firefox/

2. Stop MBAE protection then start Firefox again;

3. In address bar type about:config and proceed on the warning page;

4. in search bar type npfireie32 and change dom.ipc.plugins.enabled.npfireie32.dll value to true (double click it) then close Firefox again;

5. Turn MBAE protection back on;

6. Start Firefox again;

7. Locate Fire IE icon (it should be next to the address bar), right click on it and select Fire IE options;

8. Switch to IE Options tab and change IE Compatibility Mode to IE 11 Edge Mode then restart Firefox;

9. Try the banking website. The author of Fire IE keeps track of Chinese websites requiring ActiveX, so it may switch automatically. If it works, you are done. If it doesn't, repeat steps 7-9 but with IE 11 Forced Edge Mode instead. If you still get alerts, you are left with pbust's solution.

Thank you! Seems some people try these banking sites with Firefox.

Fire-IE detects the ICBC website and switches to compatibility mode.

Unfortunately, with MBAE active, the Fire-IE plug-in crashes when opening the sign-in page, regardless of setting IE11 edge or forced edge mode. MBAE blocks it and the plug-in crashes. With MBAE stopped, sign-in works as with IE11.

So, it seems, the banking software really does some special tricks triggering MBAE's blocking.

Hako

You may also try the IE7 Standards Mode with OOPP enabled and disabled. If you don't know what OOPP is, review steps 3 and 4 from my previous post. In there I enabled OOPP. To disable it, just change that property back to false.

This idea comes in the context of latest findings regarding

https://forums.malwarebytes.org/index.php?/topic/163449-solved-fire-ie-plugin-for-firefox/

I tried a number of combinations:

- in any case the sign-in page triggers MBAE's blocking.

- turning on 64bit OOPP will, regardless of IE compatibility setting, trigger MBAE's blocking already at the bank's home page www.icbc.com.cn, but only the first time; reloading brings up the page.

- setting to IE7 will crash Firefox (plugin container and FF, not only the Fire-IE plugin) when MBAE triggers.

Seems no way.

You can try using http://www.icbc.com.cn/ICBC/sy/default.htm, click on <Personal Banking>.

Hako

It is unfortunate, but it appears there is no way to get that ActiveX and MBAE to work together. I tried a virtual machine running Windows XP and tried all 6 settings combinations with OOPP on or off and all 3 compatibility modes available. With OOPP enabled only the plugin crashes, without OOPP it takes down Firefox with it. A virtual machine without MBAE is the only way to go.

All right, since I am also checking this, here is what I found:

Direct ActiveX install: https://mybank.icbc.com.cn/icbc/enperbank/index.jsp (this is the page that fires the exploit alert).

I managed to reproduce this on Windows XP x86. There it happens immediately without fail if:

-you try to install the ActiveX;

-you have the ActiveX previously installed and you visit the page that tries to run it (same page as Direct ActiveX install). The alert is fired before the pop-up prompt to run the ActiveX even gets to show up, or probably at the same time.

On Windows 7 x64 and Windows 10 TP r9926 x86 I get 3 UAC prompts in succession and regardless of what I do no alert is fired. I guess this ActiveX doesn't work with newer versions of Windows or you have to tweak IE ActiveX settings to get it to install.

ActiveX manual downloads:

32-bit: http://www.icbc.com.cn/icbc/html/download/dkq/icbc_netbank_client_controls.exe

64-bit: http://www.icbc.com.cn/icbc/html/download/dkq/icbc_netbank_client_controls_64.exe

All downloads: http://www.icbc.com.cn/icbc/e-banking/downloadsoftware/downloadsoftware/

ActiveX-es are located in Software for Personal Internet Banking - Client-end Functional Software.

Well, it took some time, but it is running fine now, with both IE and Firefox (with Fire-IE).

By manually installing the ActiveX control "icbc_netbank_client_controls.exe" (32bit, the 64bit version does not work), it seems the SubmitControl.dll (originally dated 2014.11.11) was replaced by an older version (dated 2013.12.12) which does not trigger MBAE's alert.

I set Fire-IE to ie11 edge and enabled both OOPP, 32bit and 64bit.

Maybe, there was really an exploit in the auto-downloaded activex...

Step-by-step reproduction. This assumes MBAE is installed and protection enabled.

A. End-user perspective

1. Visit http://www.icbc.com.cn/ICBC/sy/default.htm and click Personal banking or visit https://mybank.icbc.com.cn/icbc/enperbank/index.jsp directly;

2. If prompted to install language pack you can either proceed or skip it, it doesn't affect the outcome;

3. Allow ActiveX installation;

4. Shortly after this IE crashes and an exploit alert is displayed. IE may crash repeatedly afterwards until it gives up eventually.

B. Geek perspective, aiming to manually download and install the ActiveX

1. Login as admin

2. Manually download the ActiveX: https://mybank.icbc.com.cn/icbc/newperbank/AxSafeControls.cab (this was sniffed using Fiddler);

3. Create a batch script on same folder as the cabinet downloaded earlier with this code:

rem extract every file from the cabinet into system32
expand -F:* AxSafeControls.cab c:\windows\system32
rem register the two COM controls silently
Regsvr32 /s c:\windows\system32\InputControl.dll
Regsvr32 /s c:\windows\system32\SubmitControl.dll

This code assumes the host is a 32-bit Windows.

4. Run the batch script;

5. Visit http://www.icbc.com.cn/ICBC/sy/default.htm and click Personal banking or visit https://mybank.icbc.com.cn/icbc/enperbank/index.jsp directly;

6. If prompted to install language pack you can either proceed or skip it, it doesn't affect the outcome;

7. Allow ActiveX execution;

8. Shortly after this IE crashes and an exploit alert is displayed. IE may crash repeatedly afterwards until it gives up eventually.

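An added PowerShell equivalent of the batch script in step B.3 (not from this thread or from ICBC), which first stages the cabinet contents, records each DLL's version, date and Authenticode status (the detail Hako used to tell the 2013.12.12 and 2014.11.11 SubmitControl.dll apart), and then registers each control from the directory matching its bitness instead of assuming a 32-bit host. The cab and staging folder paths are assumptions; run it from an elevated, native (64-bit on x64) PowerShell.

```powershell
param(
    [string]$Cab   = ".\AxSafeControls.cab",         # downloaded as in step B.2
    [string]$Stage = ".\AxSafeControls_extracted"    # assumption: scratch folder, not system32
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $Stage | Out-Null
# Extract into a scratch folder first so the files can be inspected before touching the system.
& expand.exe -F:* $Cab $Stage | Out-Null

$is64bitOS = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')

foreach ($dll in Get-ChildItem -Path $Stage -Filter *.dll) {
    $ver = $dll.VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    # Record what is about to be registered; compare with what the auto-installer delivered.
    Write-Host ("{0}: FileVersion={1} Modified={2} Signer='{3}' Status={4}" -f `
        $dll.Name, $ver.FileVersion, $dll.LastWriteTime.ToString('yyyy.MM.dd'),
        $sig.SignerCertificate.Subject, $sig.Status)

    if ($sig.Status -ne 'Valid') {
        Write-Warning "$($dll.Name): Authenticode status is $($sig.Status); not registering it."
        continue
    }

    # Read the PE header's Machine field to learn the DLL's bitness (0x14c = x86, 0x8664 = x64).
    $bytes   = [IO.File]::ReadAllBytes($dll.FullName)
    $peOff   = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine = [BitConverter]::ToUInt16($bytes, $peOff + 4)

    # On 64-bit Windows a 32-bit COM server belongs in SysWOW64 and must be registered with the
    # 32-bit regsvr32; the batch script in the post is only correct on a 32-bit host.
    if ($machine -eq 0x14c -and $is64bitOS) {
        $dest = Join-Path $env:SystemRoot 'SysWOW64'
    } else {
        $dest = Join-Path $env:SystemRoot 'System32'
    }

    Copy-Item -Path $dll.FullName -Destination $dest -Force
    & (Join-Path $dest 'regsvr32.exe') /s (Join-Path $dest $dll.Name)
    Write-Host ("Registered {0} from {1} (machine=0x{2:x})" -f $dll.Name, $dest, $machine)
}
```

Unregister with regsvr32 /u from the same directory if you later want to revert the test install.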
