In a previous post, I introduced a Twitter bot called dumpmon which monitors paste sites for account dumps, configuration files, and other information. Since then, I’ve been monitoring the information that is detected. I mention dumpmon because I have started to run across quite a few pastes that appear to be credential logs from malware on infected computers. How easy can it be for malware to pull these passwords off of infected computers?
Let’s start with Chrome. On Windows, Chrome’s password manager keeps saved logins in a SQLite database called Login Data inside the user’s profile directory. But how do they get there? To save space, I’m omitting the code that creates the Save Password bar. Chrome turns the password into an encrypted string by handing it to CryptProtectData, the Windows Data Protection API (DPAPI). I’ve snipped that part out too, but below the “sql::Statement” line a SQL query stores the encrypted blob in the Login Data file. DPAPI binds the blob to the Windows account that created it, so by default the password can only be recovered by code running with the same logon credentials that encrypted the data.
For an attacker this is no obstacle, since malware usually executes in the context of the logged-on user and can therefore call CryptUnprotectData and get the same plaintext back. Fortunately for us, Python has a great library for making Windows API calls called pywin32. And, by running the code, we see we are successful! Note what is not protected: the URL and username sit in the database in the clear, and the password field is protected only against other user accounts, not against code running as the current user. Up until IE10, Internet Explorer’s password manager used essentially the same technology as Chrome’s, but with some interesting twists. For the sake of completeness, we’ll briefly discuss where passwords are stored in IE7-IE9, then we’ll discuss the change made in IE10.
In previous versions of Internet Explorer, passwords were stored in two different places, depending on the type of password: credentials submitted through web forms (to websites such as Facebook, Gmail, etc.) and credentials for HTTP authentication. For the sake of this post, we’ll discuss credentials from form-based authentication, since these are what an average attacker will likely target. These are protected with the same CryptProtectData call Chrome uses; the difference is that IE passes additional entropy derived from the login URL into the function, and files each entry under a hash of that URL. This is beneficial because when a user visits a website IE can quickly determine whether credentials are stored for it by hashing the URL and looking up the entry, and then supplying the URL-derived entropy to decrypt the credentials. The flip side for an attacker is that a blob cannot be decrypted without the matching URL, which is why tools that recover IE7-IE9 passwords feed candidate URLs from the browser history into the decryption routine.