During the last few months we’ve seen quite a lot of do-it-yourself hacking tools such as the Twitter Botnet Creator or the nifty iStealer password collector. Today’s specialty is an alleged Gmail application designed to “hack other users’ accounts” – an offer too good to refuse, especially if you’re a jealous lover or a control freak.
The application we’re going to dissect is a .NET executable (Visual Basic .NET) which seems to be strikingly similar to the previously mentioned pieces of malware. A closer look at the code reveals that all three creations share the same origin, namely the leaked source code of iStealer. Other similarities include the presence of a bootstrap utility and a stub file that actually contains the payload.
As users pop the utility open, they are prompted to enter their e-mail address and the associated password, which will be used by the application to send them the victims’ passwords. Once the process is complete, a click on the Build button creates an executable file that needs to be distributed to the victim. This custom binary is in fact the stub.exe file with the entered credentials saved in the new file’s overlay.
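The overlay trick described above is exactly what an analyst checks for first: data appended after the last PE section is not mapped by the loader, so a builder can store its configuration there without touching the code. The following is an added example, not code from the original post or from the tool it analyses; it locates the overlay from the PE/COFF headers and exercises the routine on a constructed, non-runnable PE image with a placeholder configuration string.

```python
import struct

def pe_overlay(data: bytes) -> bytes:
    """Return the bytes appended after the last PE section (the 'overlay').

    Only the fields needed are parsed: e_lfanew, NumberOfSections,
    SizeOfOptionalHeader and each section's raw file extent.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # start of the COFF file header
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    sect_table = coff + 20 + opt_size        # section table follows the optional header
    end = sect_table + 40 * num_sections     # fallback: end of headers if no raw data
    for i in range(num_sections):
        off = sect_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)   # overlay starts after the furthest section
    return data[end:]                        # empty if the file has no overlay

def build_fake_stub(overlay: bytes) -> bytes:
    """Construct a minimal PE32 image with one .text section, then append
    `overlay`. Constructed test input only; it is not the analysed sample."""
    opt_size, e_lfanew = 0xE0, 0x40          # PE32 optional header size, PE offset
    sect_table = e_lfanew + 4 + 20 + opt_size
    raw_ptr, raw_size = 0x200, 0x200         # single section's file offset and size
    hdr = bytearray(raw_ptr)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, 1)   # i386, one section
    struct.pack_into("<H", hdr, e_lfanew + 4 + 16, opt_size)
    hdr[sect_table:sect_table + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sect_table + 16, raw_size, raw_ptr)
    return bytes(hdr) + b"\x90" * raw_size + overlay

if __name__ == "__main__":
    # Placeholder "builder configuration"; a real stub would carry the
    # credentials the operator typed into the builder.
    sample = build_fake_stub(b"mailbox@example.invalid\x00password-placeholder")
    print(pe_overlay(sample))
```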
The Gmail Hacker Builder application
The custom “hacking tool”
The custom Gmail creator is nothing but a phishing tool designed to lure users who’d like to find out their friends’ Gmail passwords into actually disclosing theirs. When run, the application will send the data entered in the outlined fields to the address specified in the Gmail Hacker Builder application. Since it can’t actually hack anything, the application will crash with an ambiguous error:
These kinds of pre-created “hacking tools” are blindly thrown on file-sharing hubs and torrent portals in the hope that some unwary victims will actually pick them up and try to use them against their friends. These tools are even advertised through how-to-hack videos posted on popular video sharing services, along with download links to the bombed binary.
BitDefender detects the threat as Trojan.Generic.3102024 and blocks the executable file before it is able to trick users into disclosing their credentials. In order to stay safe, don’t forget the following ground rules:
- Never accept and run so-called hacking tools via IM; the friend who’s sending them might be setting you up with a nice decoy.
- Never download these kinds of tools; they are useless and pose a huge security risk to your system. E-mail or IM service providers never save users’ passwords in plain text, but rely on various hashing algorithms (with or without “salting”) to ensure that the authentication is done one-way (no one can find out the password, even if they get the hash). Bottom line: these tools will NEVER work as advertised, but will surely snatch your account username and password, along with any other damage they may inflict.
- Never stop your antivirus if it prevents you from accessing a file. If you have any doubt about the alert being a false positive, submit it via the application’s support request system. It will be carefully inspected to see whether it is legit or not. Putting your shield to sleep may get your privacy blown.
Note: All trademarks or product names contained herein are registered trademarks of their owner companies.