
Gmail Hacking App Leaves you Locked on the Outside

Live by the sword, die by the sword

During the last few months we’ve seen quite a lot of do-it-yourself hacking tools such as the Twitter Botnet Creator or the nifty iStealer password collector. Today’s specialty is an alleged Gmail application designed to “hack other users’ accounts” – an offer too good to refuse, especially if you’re a jealous lover or a control freak.

The application we’re going to dissect is a .NET executable (Visual Basic .NET) which seems to be strikingly similar to the previously mentioned pieces of malware. A closer look at the code reveals that all three creations share the same origin, namely the leaked source code of iStealer. Other similarities include the presence of a bootstrap utility and a stub file that actually contains the payload.

As users pop the utility open, they are prompted to enter their e-mail address and the associated password, which will be used by the application to send them the victims’ passwords. Once the process is complete, a click on the Build button creates an executable file that needs to be distributed to the victim. This custom binary is in fact the stub.exe file with the entered credentials saved in the new file’s overlay.
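When triaging a stub produced by a builder like this, the first question is what the builder stashed after the last section, because that is where the operator's drop address and credentials are written. The Python below is an added example written for this post, not Bitdefender's tooling and not the stub's own code: it walks the MZ/PE headers and section table to find where the overlay begins, carves it, and pulls printable strings from it. The sample executable it builds is a constructed, non-runnable PE-shaped byte string with placeholder credentials, not bytes from the real sample.

```python
import struct

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def overlay_offset(data: bytes) -> int:
    """Return the file offset at which the PE overlay starts.

    The overlay is whatever follows the highest-ending section's raw data,
    so walk the section table and take max(PointerToRawData + SizeOfRawData).
    The end of the headers is a lower bound, in case every section is empty.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]        # SizeOfOptionalHeader
    sect_table = coff + COFF_HEADER_SIZE + size_opt
    end = sect_table + SECTION_HEADER_SIZE * num_sections
    for i in range(num_sections):
        hdr = sect_table + SECTION_HEADER_SIZE * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))  # a truncated file simply has no overlay


def extract_overlay(data: bytes) -> bytes:
    """Bytes appended after the last section; b'' when there is no overlay."""
    return data[overlay_offset(data):]


def overlay_strings(overlay: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like `strings` on the overlay."""
    found, current = [], bytearray()
    for byte in overlay:
        if 0x20 <= byte < 0x7F:
            current.append(byte)
            continue
        if len(current) >= min_len:
            found.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        found.append(current.decode("ascii"))
    return found


def build_sample_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed test data: a minimal PE32-shaped file with one section.

    It is not executable and is not the malware sample; it exists only so the
    parser above can be exercised offline.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_sections, size_opt = 1, 224
    coff_header = struct.pack("<HHIIIHH", 0x014C, num_sections, 0, 0, 0, size_opt, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)  # PE32 magic, rest zeroed
    headers_len = e_lfanew + 4 + COFF_HEADER_SIZE + size_opt + SECTION_HEADER_SIZE * num_sections
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    section_header = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020
    )
    headers = dos_header + b"PE\x00\x00" + coff_header + optional_header + section_header
    headers += b"\x00" * (raw_ptr - len(headers))
    return headers + section_data + overlay


if __name__ == "__main__":
    # Placeholder drop credentials, constructed for this example.
    sample = build_sample_pe(b"\xCC" * 100, b"attacker@example.invalid\x00hunter2\x00")
    print("overlay starts at", hex(overlay_offset(sample)))
    print("overlay strings:", overlay_strings(extract_overlay(sample)))
```

On a real stub the strings pulled from the overlay are what an analyst hands to the incident report: the mailbox the stolen credentials are sent to, which is also the indicator worth blocking at the mail gateway.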

[Image: The Gmail Hacker Builder application]

[Image: The custom “hacking tool”]

The custom Gmail “hacking tool” is nothing but a phishing tool designed to lure users who’d like to find out their friends’ Gmail passwords into disclosing their own. When run, the application sends the data entered in the outlined fields to the address specified in the Gmail Hacker Builder application. Since it can’t actually hack anything, the application then crashes with an ambiguous error:

[Image: The Gmail Hacker Tool error message]

These kinds of pre-built “hacking tools” are blindly thrown onto file-sharing hubs and torrent portals in the hope that some unwary victims will pick them up and try to use them against their friends. The tools are even advertised through how-to-hack videos posted on popular video-sharing services, along with download links to the booby-trapped binary.

BitDefender detects the threat as Trojan.Generic.3102024 and blocks the executable file before it can trick users into disclosing their credentials. In order to stay safe, don’t forget the following ground rules:

  • Never accept and run so-called hacking tools via IM; the friend who’s sending them might set you up with a nice decoy.
  • Never download these kinds of tools; they are useless and pose a huge security risk to your system. E-mail and IM service providers never save users’ passwords in plain text, but rely on various hashing algorithms (with or without “salting”) to ensure that authentication is done one-way (no one can find out the password, even if they get the hash). Bottom line: these tools will NEVER work as advertised, but they will surely snatch your account username and password, along with whatever other damage they may inflict.
  • Never stop your antivirus if it prevents you from accessing a file. If you have any doubt about the alert being a false positive, submit it via the application’s support request system. It will be carefully inspected to see whether it is legit or not. Putting your shield to sleep may get your privacy blown.
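To make the second rule concrete: what a provider keeps for each account is a random salt and a slow, one-way derivation of the password, so a tool that claims to read passwords back out of a service has nothing to read. The Python below is an added example written for this post (not any provider's real implementation); it uses PBKDF2-HMAC-SHA256 from the standard library with an iteration count chosen here as an assumption, and shows that the stored record verifies a candidate password without ever containing the password itself.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example, not a provider's setting.
ITERATIONS = 600_000
SALT_BYTES = 16


def make_record(password: str, salt: bytes = None) -> dict:
    """Build the record a provider stores: salt + derived hash, never the password.

    `salt` is only a parameter so tests can be deterministic; in practice it is
    always freshly random per account.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(candidate: str, record: dict) -> bool:
    """Re-derive from the stored salt and compare in constant time.

    This is the only operation a login service needs: it can confirm a
    password without being able to produce it.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def record_contains_plaintext(record: dict, password: str) -> bool:
    """Sanity check a reviewer might run: does the stored blob leak the password?"""
    return password.encode("utf-8") in record["salt"] + record["hash"]


if __name__ == "__main__":
    # Constructed credentials for demonstration only.
    stored = make_record("correct horse battery staple")
    print("salt:", stored["salt"].hex())
    print("hash:", stored["hash"].hex())
    print("verify right password:", verify_password("correct horse battery staple", stored))
    print("verify wrong password:", verify_password("wrong password", stored))
    print("plaintext present in record:", record_contains_plaintext(stored, "correct horse battery staple"))
```

Because each account gets its own salt, two users with the same password end up with different stored hashes, which is why a stolen password database cannot be attacked with a single precomputed table; the salt and iteration count are stored beside the hash precisely because they are not secret.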

Note: All trademarks or product names contained herein are registered trademarks of their owner companies.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.