The online banking controls of China Merchants Bank have security risks!

Source: solidot

I was surprised to solve this problem. Maybe you said the problem was not serious. I often used the account of China Merchants Bank to transfer funds and allocate funds before reading this article ......, Let me know ~~

"Install a driver similar to a Trojan to directly access the underlying hardware. Change the name of the driver and hide the DLL. When the Remote Desktop login is not prompted, disable the service and immediately restart the service. The above function is not a rogue plug-in or Trojan, but a control of the online banking of China Merchants Bank. In addition, this control is still not digitally signed after several complaints! "

Specific content from: http://blog.delphij.net/archives/001649.html

If you use the China Merchants Bank Professional Edition, you will find that a file named sbmc32.dll has been introduced in the recent online banking upgrade of China Merchants Bank, which causes the installation on 64-bit Windows system to fail. What is this file?

The answer is winio, a software from internals.com. What is its role? According to the author, "this library allows direct I/O port and physical memory access under Windows 9x/NT/2000 and XP. version 2.0 provides faster I/O port access, better memory mapping support and can be used from non-administrative accounts under Windows NT/2000 and XP. ". Simply put, by opening a backdoor for Windows, you can monitor every action of your computer even if you have no administrator privilege.

Unfortunately, the technical staff of China Merchants Bank obviously did not understand the possible consequences of this program. We can find an interesting phenomenon by comparing the MD5 of the corresponding file:

[Delphij @ tarsier] ~> MD5 sbmc32 .*
MD5 (sbmc32.dll) = 0e5e0e1da4febe20ef529d7a2a2969d7
MD5 (sbmc32.sys) = 7e5a7cf19504af7ddaf4fa36261940d1
MD5 (sbmc32.vxd) = 7a5af5dd62c4bc97c1654790e8d2f307

On the other hand:

[Delphij @ tarsier] ~> MD5 [WW] in *
MD5 (winio. dll) = 6d113aa35a8c79b236751e4ccf2b7751
MD5 (winio. sys) = 7e5a7cf19504af7ddaf4fa36261940d1
MD5 (winio. VxD) = 7a5af5dd62c4bc97c1654790e8d2f307

What problems does this mean? Two binary files from the Internet are directly used without modification. We can infer that some people who introduce these files do not know how to compile one. vxD and. SYS file, which only writes the MFC program, just as the LiveUpdate program is called the "MFC basic class application.

Such unprofessional practices are shocking.

People who have studied operating system design principles at the university should be clear about why operating systems need to isolate programs and hardware-for obvious security considerations, the operating system cannot verify that the program accessing the hardware is malicious or malicious. How can I prevent malicious programs from using the capabilities provided by this driver to control users' keyboard input and monitor users' every action when installing such a driver?

On the other hand, as a bank, although we can trust the software issued by the bank, we can package the binary version of such a third-party software directly into our own software package, isn't this a very professional practice, even by re-compiling such an action?

It is hard to believe that these practices are carried out under the "for user security considerations" claimed by China Merchants Bank, because these behaviors have violated many of the most basic security knowledge. I don't know what benefits does this approach bring to user security, or what security risks will it bring to them?

You know, winio is a basic tool for many Trojans and keyboard record programs, even though it is not malicious. You can find many results by searching winio and Trojan.

Is this protecting users' security and interests ?!

I hope that China Merchants Bank can immediately correct this issue and take practical measures to avoid the recurrence of similar situations.

The following is an uninstall script provided by a senior windows developer. It is used to clear the installation program of China Merchants Bank on 64-bit windows, china Merchants Bank's installation program does not know how to install drivers and services on 64-bit windows ):

Reg Delete HKLM/system/CurrentControlSet/services/winio/F
Regsvr32/u/S % SystemRoot %/syswow64/cmbpb40.ocx
Del % SystemRoot %/syswow64/cmb_pb_liveupdate.exe
Del % SystemRoot %/syswow64/cmbpb40.exe
Del % SystemRoot %/syswow64/cmbpb40.ocx
Del % SystemRoot %/syswow64/cmbpbhelp. CHM
Del % SystemRoot %/syswow64/cmbpbuninstall.exe
Del % SystemRoot %/syswow64/httpcomm. dll
Del % SystemRoot %/syswow64/sbmc32.dll
Del % SystemRoot %/syswow64/sbmc32.sys
Del % SystemRoot %/syswow64/sbmc32.vxd

Warning the above script will modify the registry and service configuration, which is not intended for non-professionals.

China Merchants Bank has received a telephone complaint.

Chapter 2 ~

China Merchants Bank 5.1.3.8 is unavailable

Continue with yesterday's topic. Today, a Chinese Merchants Bank employee called me and suggested that I upgrade to the latest version. We will inform you of the following information:

O as they did before, this version still has no digital signature. After calling the customer service, I barely implemented the version.
O as in earlier versions, this version still cannot run on Windows 2003 of amd64.
O to hide your ears, winio. dll in this version is changed to CMB/pb40/sysdata/cmb8783.dat in the user directory.
The driver name is certclient. dat.

There is also an interesting file with the following content:

[Win32_version]
Nowversion = 4.0.0.0
Lowestversion = 4.0.0.0
M & w ekey xcsp_superpwd = 88888888
M & w ekey xcsp_userpwd = 11111111
Safesign CSP version 1.0_superpwd = 88888888
Safesign CSP version 1.0_userpwd = 11111111
_ Superpwd = 11111111
_ Userpwd = 11111111

Conclusion:
O people who do these things are still trying to treat users as idiots.
O but at the same time, they still forget the most basic security knowledge-security cannot be built on the foundation that others do not know.
O even so, they did not forget to include something that should not be released in the released software.
O what's more, as a financial institution, the Executable documents that will fulfill such an important task are still not digitally signed after I complain three times or five times, this behavior is enough to shame the financial institution.

I would like to remind China Merchants Bank again not to go farther and farther on the wrong road. Correct the problem, instead of fooling users, and do not treat users as idiots.