From: Ant on
"VanguardLH" wrote:

> Ant wrote:
>> "T.H" wrote:
>>> www nirsoft net
>>> offers an IE password utility. It does get some hits on both VirusTotal
>>> and Jotti. The hits seem to suggest a "risky" application.
>>
>> It and other utilities from Nirsoft are frequently used by malware to
>> steal information.
>
> Any program that goes beyond the simplistic GUI provided by the OS could be
> classified as such.

Not really.

> Claiming these utilities are incorporated into malware

I've analysed many samples which contain them. They are packed into
resources or attached to the main exe, dropped as temp files and run
under the control of the malware.

> would also mean SysInternals,

Them too. At one time it was common to see fake AV/security programs
installing and using their BSOD screen saver. The normal EULA prompt,
which would alert the user, is bypassed when the malware sets the
appropriate registry key indicating it's been accepted.

> TweakUI, X-Teq, Resplendence, Rekenwonder,

I've not seen those packaged (probably too large or complex to install
without the user knowing) and Tweakui doesn't offer anything that the
malware can't easily do by setting registry values itself.

> or any other utility that digs into, modifies, or augments the OS
> is also employed by malware.

But I have seen some others.

> They all give you a deeper level of access, control,
> and monitoring than the simplistic GUI or included programs provided by the
> OS. Hell, even many DOS-mode commands would also qualify because they can
> be used by malware. Why did all my filetype associations disappear?
> Because some malware used the 'assoc' command or code extracted from therein
> to delete them. Even the system API for the OS would qualify since it
> obviously gets used by malware code.

Now you're getting away from the point. The reason Nirsoft's utilities
are popular is that they are an easy way to avoid the trickiness of
getting passwords, etc. from protected storage. They're also very
small and can be run with parameters to avoid showing the GUI,
producing a text file containing the required info.

>> So if you found it on your PC but hadn't put it there, its presence would
>> be suspicious. That's why it gets flagged.
>
> That would apply to ANY software that covertly appeared on your host. You
> are saying that you wouldn't get suspicious if you found an FTP, telnet,
> messenger, e-mail, or word processing program suddenly appeared in which you
> never participated or authorized its installation?

Of course it would be suspicious but an AV is not so likely to flag
those 'regular' programs. The Nirsoft utilities used are ones that
recover passwords. I presume they get flagged for a combination of
reasons:
- they're often dropped by malware
- easy access to sensitive information
- not something commonly found on the average user's PC.
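As an added illustration of the pattern Ant describes (a small password-recovery tool dropped into a temp directory, started by another process rather than by the user, and run with parameters that write its findings to a text file), the following Python triage script scores constructed process-creation events for exactly those traits. It is example code written for this thread, not code from the posters or from Nirsoft; the event format, the watchlist names, the `/out` parameter and all paths are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed watchlist: placeholder names standing in for credential-recovery
# utilities an organisation wants to keep an eye on. Not real Nirsoft binaries.
WATCHLIST = {"iepassview_demo.exe", "mailpass_demo.exe"}

# Interactive parents a user-launched tool would normally have.
USER_SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# Binary running out of a temp directory (the "dropped as temp files" trait).
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Command line naming a .txt file (the "producing a text file" trait).
TEXT_OUTPUT_RE = re.compile(r"\S+\.txt\b", re.IGNORECASE)

# Constructed sample events in a hypothetical 'timestamp|image|cmdline|parent'
# format. Event 1 shows the dropped-and-driven pattern; event 2 is the same tool
# run interactively from a tools folder; event 3 is unrelated.
SAMPLE_EVENTS = [
    r"2024-01-01T10:00:00|C:\Users\alice\AppData\Local\Temp\iepassview_demo.exe|"
    r'"iepassview_demo.exe" /out C:\Users\alice\AppData\Local\Temp\output.txt|'
    r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
    r"2024-01-01T11:30:00|C:\Tools\iepassview_demo.exe|"
    r'"iepassview_demo.exe"|C:\Windows\explorer.exe',
    r"2024-01-01T12:00:00|C:\Windows\System32\notepad.exe|notepad.exe|"
    r"C:\Windows\explorer.exe",
]


def parse_event(line):
    """Split one constructed 'ts|image|cmdline|parent' record into fields."""
    ts, image, cmdline, parent = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "image": image, "cmdline": cmdline, "parent": parent}


def score_event(ev):
    """Return a finding for watchlisted tools, or None for anything else.

    The score is simply the number of suspicious traits present; a tool the
    user ran interactively from a normal folder scores 0."""
    name = PureWindowsPath(ev["image"]).name.lower()
    if name not in WATCHLIST:
        return None
    reasons = []
    if TEMP_DIR_RE.search(ev["image"]):
        reasons.append("binary runs from a temp directory")
    if PureWindowsPath(ev["parent"]).name.lower() not in USER_SHELLS:
        reasons.append("launched by a non-interactive parent: " + ev["parent"])
    if TEXT_OUTPUT_RE.search(ev["cmdline"]):
        reasons.append("command line names a .txt output file")
    return {"ts": ev["ts"], "image": ev["image"],
            "score": len(reasons), "reasons": reasons}


def triage(lines):
    """Score every event and return findings, most suspicious first."""
    findings = [score_event(parse_event(l)) for l in lines if l.strip()]
    return sorted([f for f in findings if f], key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['ts']} score={f['score']} {f['image']}")
        for r in f["reasons"]:
            print("    -", r)
```

The point of scoring rather than blocking on the file name alone is the one made in the thread: the same utility run by the user from a tools folder under explorer.exe is not the concern, whereas a copy appearing in a temp directory, spawned by an unfamiliar process and told to write its results to a file, is the pattern worth alerting on.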


From: T.H on
David H. Lipman wrote:
> From: "T.H" <t1nf01l.h4t(a)notgoodemail.com>
>
> | Perhaps slightly OT...
>
> | www nirsoft net
>
> | offers an IE password utility. It does get some hits on both VirusTotal
> | and Jotti. The hits seem to suggest a "risky" application. Certainly
> | that makes sense as it is intended to display hidden passwords in IE.
> | But I have had occasion to need an IE-only supported password I did not
> | write down.
>
> | Do any of you have any comments on this particular utility?
>
> | Thanks in advance.
>
> | T.H (same as other T.H posting from Windows PC - this one is an Ubuntu
> | PC - not intending to deceive anyone.) ;-))
>
> It is a risk tool but not malware in the traditional sense.
>
> It can be considered malware if used maliciously. However, it can also be used
> legitimately.
>
Thanks to all for the informative replies.

T.H (back on the Windows PC now...)