Question about Nirsoft Utility - IEPV (IE Password Viewer)


Perhaps slightly OT...

www nirsoft net

offers an IE password utility.  It does get some hits on both VirusTotal
and Jotti.  The hits seem to suggest a "risky" application.  Certainly
that makes sense as it is intended to display hidden passwords in IE.
But I have had occasion to need an IE-only supported password I did not
write down.

Do any of you have any comments on this particular utility?

Thanks in advance.

T.H (same as other T.H posting from Windows PC - this one is an Ubuntu
PC - not intending to deceive anyone.) ;-))

Re: Question about Nirsoft Utility - IEPV (IE Password Viewer)



"T.H" wrote:


It and other utilities from Nirsoft are frequently used by malware to
steal information. So if you found it on your PC but hadn't put it
there, its presence would be suspicious. That's why it gets flagged.

The Nirsoft programs are ok and not dangerous.

(BTW, there's no alt.comp.spyware group so I removed it)



Re: Question about Nirsoft Utility - IEPV (IE Password Viewer)



Ant wrote:


Any program that goes beyond the simplistic GUI provided by the OS could be
classified as such.  Claiming these utilities are incorporated into malware
would also mean SysInternals, TweakUI, X-Teq, Resplendence, Rekenwonder, or
any other utility that digs into, modifies, or augments the OS is also
employed by malware.  They all give you a deeper level of access, control,
and monitoring than the simplistic GUI or included programs provided by the
OS.  Hell, even many DOS-mode commands would also qualify because they can
be used by malware.  Why did all my filetype associations disappear?
Because some malware used the 'assoc' command or code extracted from therein
to delete them.  Even the system API for the OS would qualify since it
obviously gets used by malware code.


That would apply to ANY software that covertly appeared on your host.  You
are saying that you wouldn't get suspicious if you found an FTP, telnet,
messenger, e-mail, or word processing program suddenly appeared in which you
never participated or authorized its installation?


With that I agree.

Re: Question about Nirsoft Utility - IEPV (IE Password Viewer)



"VanguardLH" wrote:


Not really.


I've analysed many samples which contain them. They are packed into
resources or attached to the main exe, dropped as temp files and run
under the control of the malware.


Them too. At one time it was common to see fake AV/security programs
installing and using their BSOD screen saver. The normal EULA prompt,
which would alert the user, is bypassed when the malware sets the
appropriate registry key indicating it's been accepted.


I've not seen those packaged (probably too large or complex to install
without the user knowing) and Tweakui doesn't offer anything that the
malware can't easily do by setting registry values itself.


but I have seen some others.


Now you're getting away from the point. The reason Nirsoft's utilities
are popular is that they are an easy way to avoid the trickiness of
getting passwords, etc. from protected storage. They're also very
small and can be run with parameters to avoid showing the GUI,
producing a text file containing the required info.


Of course it would be suspicious but an AV is not so likely to flag
those 'regular' programs. The Nirsoft utilities used are ones that
recover passwords. I presume they get flagged for a combination of
reasons:
- they're often dropped by malware
- easy access to sensitive information
- not something commonly found on the average user's PC.
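
Added example, not part of the original posts: a Python triage sketch that grades process-creation events for the traits described in the post above (a copy dropped in a temp directory, started by another program rather than by the user, and run with command-line parameters). Field names follow Sysmon process-creation events; the sample events, user name, parent process names and the `<switch>` placeholder are constructed, and the watch list and interactive-parent list are assumptions.

```python
import ntpath
import shlex

# Tool named on this page; extend with other recovery tools you track (assumption).
WATCHED_TOOLS = {"iepv.exe"}
# Parents suggesting the user started the tool by hand from the desktop (assumption).
INTERACTIVE_PARENTS = {"explorer.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def _name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path.lower())

def reasons(event):
    """Return the suspicious traits of one watched-tool process-creation event."""
    found = []
    if any(marker in event["Image"].lower() for marker in TEMP_MARKERS):
        found.append("runs from a temp directory")
    if _name(event["ParentImage"]) not in INTERACTIVE_PARENTS:
        found.append("not started from the desktop shell")
    # Whitespace split that keeps quoted paths whole; token 0 is the image itself.
    if len(shlex.split(event["CommandLine"], posix=False)) > 1:
        found.append("started with command-line parameters")
    return found

def triage(events):
    """Grade each watched-tool event as 'alert', 'review' or 'inventory'."""
    results = []
    for ev in events:
        if _name(ev["Image"]) not in WATCHED_TOOLS:
            continue  # not a tool on the watch list
        found = reasons(ev)
        verdict = "alert" if len(found) >= 2 else "review" if found else "inventory"
        results.append((ev["Image"], verdict, found))
    return results

# Constructed sample events; "<switch>" stands in for any real parameter.
TEMP = r"C:\Users\th\AppData\Local\Temp"
SAMPLE = [
    {"Image": r"C:\Tools\iepv.exe", "CommandLine": r'"C:\Tools\iepv.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": TEMP + r"\iepv.exe", "ParentImage": TEMP + r"\setup_x.exe",
     "CommandLine": TEMP + r"\iepv.exe <switch> " + TEMP + r"\o.txt"},
    {"Image": r"C:\Tools\iepv.exe", "CommandLine": r"C:\Tools\iepv.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Matching on file name alone misses renamed copies; with real telemetry, match on the executable's embedded original-name metadata or its hash instead.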



Re: Question about Nirsoft Utility - IEPV (IE Password Viewer)



T.H wrote:


Anti-virus programs that alert on Nirsoft are stuck with a decision that was
made a decade ago that hacker tools are bad and must be alerted upon
although they show up on the host through standard installers or by simple
extraction or copying that the *user* chose to put on their host.  Hacker
tools are often denoted by anti-virus programs as "bad" despite garnering a
reputation over a decade of providing useful tools to the user.  It also
seems quite arbitrary as to what AV programs class as hacker tools.  I
haven't yet seen any of SysInternals get alerted upon (even before Microsoft
acquired the tool set) although it involves digging into the OS as deep or
deeper than Nirsoft.

This category of apps is often called PUPs (Probably Unwanted Programs) yet
every one that I've seen them alert on my hosts has been one that I
deliberately installed.  The PUP is there because I *want* it there.  You
could configure your AV program to eliminate it checking for PUPs or you
could get its alert and then have it add the wanted program to its exclusion
list.

You could always just go look for yourself at what are the Nirsoft utilities
(nirsoft.net) to judge for yourself.  They have produced a respectable
collection of useful utilities but remain stigmatized with the old hacker
persona proliferated in movies and in television.

Are you saying that you never installed the Nirsoft utility and it just
appeared without your authorization?

Re: Question about Nirsoft Utility - IEPV (IE Password Viewer)




| Perhaps slightly OT...

| www nirsoft net

| offers an IE password utility.  It does get some hits on both VirusTotal
| and Jotti.  The hits seem to suggest a "risky" application.  Certainly
| that makes sense as it is intended to display hidden passwords in IE.
| But I have had occasion to need an IE-only supported password I did not
| write down.

| Do any of you have any comments on this particular utility?

| Thanks in advance.

| T.H (same as other T.H posting from Windows PC - this one is an Ubuntu
| PC - not intending to deceive anyone.) ;-))

It is a risk tool but not malware in the traditional sense.

It can be considered malware if used maliciously.  However, it can also be used
legitimately.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp




Re: Question about Nirsoft Utility - IEPV (IE Password Viewer)



David H. Lipman wrote:
Thanks to all for the informative replies.

T.H  (back on the Windows PC now...)
