This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Check Program For Password Stealer


Recently I've installed a program for VK.com which requires authorization with a login and password. The antivirus doesn't complain about anything and I don't know how to check this program. My only idea is to intercept the internet traffic and check whether it sends my password somewhere... But I don't understand how to do it with Wireshark; who can help me?

asked 22 Aug '17, 11:29

DedImpotent


2 Answers:


answered 22 Aug '17, 11:48


Christian_R


If some software on your machine is stealing your account credentials (logins and passwords), the last thing its author wants is for you to notice that. So if it sends that information somewhere else, all such information is encrypted. It would take a very stupid malware author to send stolen credentials in plaintext. Another possibility is not to send the credentials anywhere at all but to misuse them directly on your PC: the malware would, instead of uploading the stolen passwords, download instructions on what to do. This renders useless additional security measures such as access lists that tie user credentials to the source IP address of the login request.

The last point is that I cannot see any relationship between an application requiring the use of a username and password and an application stealing credentials you use for other services. Unless you use the very same login and password for several different services, the fact that you knowingly enter them into one application does not make them usable for access to any other service. So the password-stealing applications mentioned above are rather keyloggers, secretly collecting the credentials you enter when requested by other applications and web browsers.

Did the installation of the application ask you for the credentials you use to log in to your PC, or does the already installed application ask for the credentials at each start? If the former, it most likely indicates that your operating system, not the installer itself, wants you to re-confirm your intention to install the application by entering the credentials once again.

answered 22 Aug '17, 12:34


sindy

In the folder with the .exe file of this program there is a .txt file in which I must write my password and login; then via the program I must get a token and authorization will pass successfully. The program asks me for credentials not during installation, but for the further execution of the program after starting it. The essence of this program, I think, is sending information from the .txt file somewhere after the program starts. But if the sent information is encrypted or it doesn't send it directly via the program using some request, then what else can the program do with my credentials? No instructions were downloaded to my PC and no viruses were detected by VirusTotal or the local antivirus.

(23 Aug '17, 04:12) DedImpotent

Дед, are the login and password which the program wants you to put into the text file the login and password which you use to log in to the operating system, or are they specific ones for that program? If they are for the operating system, it is definitely suspicious. If they are for the web service associated with the program (vk.com), it is unusual but only dangerous the other way round, i.e. if some other program accessed this text file and stole the login and password for your vk.com account.

As for the antivirus results, don't overestimate them. Some viruses remain unnoticed for years although they're widespread. Antivirus programs can easily recognize signatures (characteristic patterns) of already known viruses, but their capabilities to detect malware by analysing the code of executable files are limited, especially if the code is intentionally obfuscated.

(23 Aug '17, 12:42) sindy

I didn't say anything about my Windows password, what are you talking about? I'm trying to convey to you that the program needs my password and login to log in to my VK account in order to control the automatic sending of messages. But I'm not sure that the program isn't malware and I don't know how to check it, because the antivirus hasn't detected any viruses.

(24 Aug '17, 01:17) DedImpotent

Well, as you talk about stealing the credentials, it seemed unlikely to me that something would steal credentials it needs for its own operation, so I was trying to understand it better.

If the declared purpose of the application is to monitor events on your VK.com account, it is logical that it must know the credentials so that it could get access to the account. If the application is offered by VK.com themselves, they have no reason to steal your credentials as they do know them anyway. If it is offered by a 3rd party, it may still be honest, or it may steal the credentials.

As the author is lazy enough to ask you to store your credentials in a plaintext file instead of using a pop-up window on start to ask you for them, if his intention is to collect credentials, the application may be sending them immediately after startup.

So your only (narrow) chance to find out using Wireshark would be to log in to your VK.com account from your browser, change your password and log out. Then you would close your browser and e-mail client and disable all Windows updates and application updates in order to minimize the amount of internet traffic to look through. Then you would start capturing using Wireshark, edit the application's file containing the credentials with your new password, start the application and leave it running for a while before stopping the capture. If Wireshark shows you only a single TCP session to one of VK.com's IP addresses and no traffic to any other address except your local one and the DNS server, you may assume that the application does not send your VK.com credentials anywhere else.

But still - I could imagine the application to log in to VK.com first under one of author's own identities, send a VK message containing your credentials to another author's own identity, and then log out and log in once again as you and start doing its declared job, all this within a single TLS-encrypted TCP session so unnoticeable without decrypting the session capture.

So the sad truth is that the only way to be 100% sure is to analyse the code of the application. Neither monitoring network traffic nor relying on antiviruses can give you a 100% reliable answer.

(24 Aug '17, 05:01) sindy

Yes, I know that my credentials may be sent straight to the author's VK account using the same TCP request. It's the second reason why I decided to ask a question here. By asking this, I mean that I want to know how to learn what exactly is sent to him, using this incomprehensible set of symbols in the request information, and if there is something suspicious in the encrypted package, I want to know how to decrypt it. I have the code of this program, but I don't know the syntax of C#, or C# at all.

(24 Aug '17, 05:30) DedImpotent

The very purpose of encryption is that no one can decrypt it. Some browsers (Firefox, Chrome) can store session keys if configured that way, allowing the capture of the session to be decrypted if the key exchange doesn't use Diffie-Hellman, but the application is not a browser, so you can be sure you'll get no access to the session key.

So if VK.com does use DH, you may use a man-in-the-middle attack, running a proxy on your machine which tampers with the DH negotiation and gives you the plaintext (I don't remember the exact name but uncle Google should help you quickly). If they don't, you may ask their tech support to investigate; they can see what the application does on the server side. So if it logs in to some other account first, they can tell you. But I don't know their license agreement; maybe you are not supposed to use 3rd party applications with the account.

(24 Aug '17, 05:42) sindy
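To make the capture check sindy describes in the comments above concrete (start capturing, start the application with the new password, then look for any destination other than VK.com and your DNS server), here is an added example; it is not code from this thread or from the Wireshark project. It is a stdlib-only Python script that parses a classic pcap file saved from Wireshark, counts outbound TCP/UDP flows from your machine by destination address and port, and flags destinations that are not on an allowlist. The local address, the allowlist and the embedded sample capture are constructed for the example; 198.51.100.7 is a documentation address standing in for whatever vk.com resolves to on your network, not a real VK address, and you would fill the allowlist with the addresses you see Wireshark resolve for vk.com. The script only handles Ethernet II / IPv4 frames and only tells you where the bytes went, not what was inside a TLS session, which is exactly the limitation sindy points out.

```python
"""Summarize outbound endpoints in a classic pcap and flag ones outside an allowlist.

Added example for the thread above, stdlib only. Parses the classic pcap format
(magic 0xa1b2c3d4) with Ethernet II link type, IPv4, and TCP/UDP headers.
IPv6 and pcapng are not handled.
"""
import struct
from collections import Counter

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
LINKTYPE_ETHERNET = 1


def iter_frames(pcap_bytes):
    """Yield the raw link-layer bytes of each record in a classic pcap file."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (Wireshark writes pcapng by default)")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_flow(frame):
    """Return (proto, src_ip, dst_ip, dst_port) or None for frames we do not care about."""
    if len(frame) < ETH_HDR + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    _sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])  # same offsets for TCP and UDP
    return ("tcp" if proto == PROTO_TCP else "udp", src, dst, dport)


def summarize(pcap_bytes, local_ip, allowed):
    """Count packets per outbound (proto, dst, dport) flow and list flows to unexpected hosts."""
    counts = Counter()
    for frame in iter_frames(pcap_bytes):
        flow = parse_flow(frame)
        if flow is None or flow[1] != local_ip:
            continue  # inbound or non-IPv4/TCP/UDP traffic
        proto, _src, dst, dport = flow
        counts[(proto, dst, dport)] += 1
    suspicious = sorted(k for k in counts if k[1] not in allowed)
    return counts, suspicious


# --- constructed sample capture, so the script runs offline ---------------------
def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet II + IPv4 + TCP/UDP frame; checksums are left at zero."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (Ethernet link type)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1503571200 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


LOCAL_IP = "192.168.1.10"                     # assumed address of the capturing PC
ALLOWED = {"192.168.1.1", "198.51.100.7"}      # assumed: DNS resolver and a stand-in for vk.com
SAMPLE_PCAP = build_pcap([
    build_frame(LOCAL_IP, "192.168.1.1", PROTO_UDP, 51000, 53, b"dns query"),
    build_frame("192.168.1.1", LOCAL_IP, PROTO_UDP, 53, 51000, b"dns answer"),
    build_frame(LOCAL_IP, "198.51.100.7", PROTO_TCP, 51001, 443),
    build_frame("198.51.100.7", LOCAL_IP, PROTO_TCP, 443, 51001),
    build_frame(LOCAL_IP, "198.51.100.7", PROTO_TCP, 51001, 443, b"\x16\x03\x01"),
    build_frame(LOCAL_IP, "203.0.113.45", PROTO_TCP, 51002, 8080, b"POST /upload"),  # the unexpected one
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    counts, suspicious = summarize(data, LOCAL_IP, ALLOWED)
    for (proto, dst, port), n in sorted(counts.items()):
        flag = "   <-- not in allowlist" if (proto, dst, port) in suspicious else ""
        print(f"{proto} {dst}:{port}  packets={n}{flag}")
```

Run it as `python check_capture.py capture.pcap` after saving the Wireshark capture in classic pcap format (Wireshark's default save format is pcapng; choose the pcap format in Save As, or capture with `tshark -F pcap -w capture.pcap`). Any flagged line is a destination that deserves a closer look in Wireshark; an absence of flagged lines means only that nothing left the machine for an unexpected host, which, as sindy notes, says nothing about what was sent inside the TLS session to VK.com itself.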