In a previous post, I introduced a Twitter bot called dumpmon, which monitors paste sites for account dumps, configuration files, and other information. Since then, I’ve been monitoring the information that it detects.
I mention dumpmon because I have started to run across quite a few pastes like this that appear to be credential logs from malware on infected computers. How easy can it be for malware to pull these passwords off infected computers? But how do they get there? To save space, I’m omitting the code that creates the Save Password bar. Chrome creates an encrypted string out of the password. I’ve snipped it out, but below the “sql::Statement” line, a SQL query is performed to store the encrypted data in the Login Data file.
This means that the password is likely to be recovered only by a user with the same logon credentials that encrypted the data. This is no problem for malware, since it is usually executed within the context of a user. Fortunately for us, Python has a great library for making Windows API calls called pywin32. And by running the code, we see that we are successful! The only data that is protected is the password field, and that is only in the context of the current user. Up until IE10, Internet Explorer’s password manager used essentially the same technology as Chrome’s, but with some interesting twists. For the sake of completeness, we’ll briefly discuss where passwords are stored in IE7 through IE9, then we’ll discuss the change made in IE10.