The end of the world? No... just the next day.
Some Russian Hacker Thinks I've Got Money
Published on February 22, 2008 By Lotherius In Instant Messaging

My GMail password was stolen earlier today.

I spent a bit of time trying to discern what happened; there is very little evidence. A couple of key points about it, though, point me in a likely direction (and toward one program I won't ever be using again).

Any "risky" software I've run lately (very little) I submitted to online virus scanners that check executables for viruses/trojans using 30 or more different security programs, and every suspect I could come up with came up clean.

Here's the evidence:
1) My ICQ account got bumped first. I relogged, and a few minutes later got told I was logged in from another location. I ignored this *because* ICQ is now merged with AOL, and AIM has always had "ghost" problems if you change IPs, where it thinks your old IP is still logged in and sends you errors that you're logged into multiple locations. Since ICQ=AOL on the backend now, I figured that was the issue, since I'd been plugging/unplugging my modem just a few minutes earlier. More on this.

2) About an hour later, I lost my Google Talk connection. I went to Firefox and loaded the homepage; iGoogle was still loading, but when I tried to go to GMail, I got an invalid password error! Ruh Roh!

3) I post the first message here, and I start changing passwords.

4) I got a call from a friend a few minutes later with the Russian extortion "money for gmail" bit.

5) I check the ICQ account. Can no longer login at all - this password has now been changed. So I know both were hacked on the same day, obviously the same exploit.

6) I visit my Yahoo account and change the password. I don't know if it had been accessed at that point. I used the On-Screen Keyboard for the new password just in case there's a keylogger on my PC.

7) I checked eBay and PayPal..... still have access to these. Okay.... if it was a trojan, I'd figure they'd grab these as fast as possible. I change the passwords anyway.

8) Send info to Google. I don't remember who invited me, though, and that's a key part of the info they want if they are to talk to you about recovering your account.

9) Begin to investigate further how this happened. Several possible security holes:


First thought: Trojan. I've only run one suspicious file lately, a keygen. Always risky, yes. It got past Nod32 virus checking, but I decided to run it past SpyBot and AdAware. Clean. So I submitted it to VirusTotal.com for scanning; it reports as suspicious, but further investigation shows that what it finds is that the file is UPX packed - a very common method for making files smaller and in no way a security risk. The file is clean.

Other trojan/virus. However, I'm running a fully patched Vista with Defender and Nod32 AV. Also the SpyBot scan is clear, and a McAfee online scan is clean. It is possible there's a new one out, but I don't see any evidence of one (and I'm good at this kind of thing). I have a very good grip on the processes that run on my system, and there were no unexpected processes running, not even under services (you use Process Explorer to see this).


IE/Firefox Exploit. Possible, but not likely. I'm running fully patched IE7, and Firefox 2.0.0.12. The only known exploit in this version of Firefox is a directory traversal, which I have READ can only access things in other extensions. My source could be wrong, and this is a big concern. I <em>did</em> use IE7 for a few hours this morning just to see how it performs these days (I was impressed), and installed an addon called IE7Pro. The addon comes highly rated by reputable sites; I'd be surprised if it was a Russian Trojan.


I had to call RoadRunner tech support yesterday due to some cable modem problems. As usual, they won't give tech support if you have a router attached, and they can see on the other end what the modem is hooked to. So I had to connect my computer directly to the modem, no router. Of course, that then meant NO FIREWALL. And I forgot to plug my router back in for over 12 hours, thus the changing around of modem stuff this morning that threw me off on the ICQ account reconnects. So any potential remote exploits were wide open to the world for 12 hours. Is Vista so vulnerable it'll be hacked in 12 hours or less without a hardware firewall? Maybe not - see the next bit.


I realized that not only was my GMail password stolen, but my ICQ password as well. What did these two have in common that my eBay and PayPal accounts (not stolen) don't? They are BOTH STORED IN PIDGIN for my IM LOGINS. Pidgin is an open-source Instant Messaging client that is very popular on Linux. There's also a Mac version called Adium, and it has a decent following on Windows. It stores passwords for your IM accounts, and thus had my GMail password for the Google Talk account, and my ICQ password. Especially interesting is that I never use my ICQ account - I set it up in Pidgin nearly a year ago and forgot about it. I probably haven't entered that password on an actual webpage since the 1990s, since I have no reason to go to ICQ's webpage. So no ICQ password in IE or Firefox cookies. It ONLY exists in Pidgin's stored passwords. This means <strong>the stolen passwords came from Pidgin</strong>. Now that could have been via a trojan that scraped the Pidgin INI file... But if a trojan is already on my system, why wouldn't it go for my Firefox or IE stored passwords, where it would find PayPal and eBay? And it couldn't be a keylogger, since I haven't typed the ICQ password for nearly a year.
So that leaves a hole in Pidgin itself, or one of the plugins. The only Pidgin plugins I have are the ones recommended on Pidgin's site sometime last year. No, they weren't updated - there is no autoupdate mechanism for plugins, and I rarely used them. Pidgin itself was current until just today; I got an update notification while I was trying to figure this all out. If one of Pidgin's listening services (it has several) was vulnerable, then with my router disconnected (thanks RR TECH SUPPORT!) it was left open to the outside world for 12 hours, during which time a scan would have found it, making discovery of an exploitable system possible.


At this point, I'd lay 75% odds that it was a hole in Pidgin. Of course, knowing the open-source community the way I do, if it is an unreported vulnerability or one that's considered low-key (as in only Pidgin data is vulnerable, not a full system exploit... but enough to grab GMail and ICQ passwords), then chances are they will never admit the hole existed unless someone posts it. Unlike MS, if someone posts it they would of course fix it. Except I can't take the chance that my new accounts will be hacked too, so I reinstalled Windows. I'm not debugging their software for them, not when it is my private information at stake. Chances are no victims of this are even aware of how the info got out. The general assumption by the whole world is that it is A) weak password, B) phishing attempt, C) trojan. If it was just my GMail, I'd say it could've been C, probably not A but a minor possibility. Definitely not B, I'm way too careful. But my ICQ too? That rules out A and B completely, as the odds of both my GMail and ICQ being brute forced on the same day are nil, and I haven't typed my ICQ password in over a year, so it couldn't even have been accidentally phished. And a trojan - why go for the Pidgin config file?? Most systems won't even be running Pidgin.

I could be wrong about the source of the leak... which is why despite all the security software I could get my hands on telling me the system was clean I still wiped the drive.

The fact that I no longer have that particular gmail account doesn't pain me much. I have domains I use for most of my email now (also just changed the password on those; domain theft is common, but I don't have any identifying info for them on my GMail). Unfortunately, having emails all the way back to 2005 readable by an extortionist in Russia isn't quite a minor deal. I believed the whole bit that it was safer on their server than my PC, so I had all my mails forwarded to Google since 2006. This means that any amount of potentially damaging info - such as all my serial numbers to Stardock products, and my Stardock password - is now in Russian hands. Websites that send passwords via email (bad bad practice) are all compromised. Lots of personal information is available. I have local copies of all my GMail up through about two weeks ago, so I can sift through to see what's out there, but it will take time to cover all bases and these guys know what they are looking for. Other things could be compromised already, and I don't even know it yet.

Fact is, I'm rather fing peeved off about this. I have a very good track record. I know what's safe and what's not. I haven't been infected with a virus EVER except for one that clearly was a room-mate's doing (she was like "hey this ebook i got on emule on your pc won't open, I tried it five times" when it was a frickin EXE file). I avoided viruses back in 1991 on the BBS systems when they were rampant, on IRC in the 90s, and I know every nook and cranny of the internet and Windows. I don't fall for things. I run multiple security precautions. I submit suspicious files to quite a bit of scrutiny before I run them. I keep Windows updated. Yet one little hole is all it takes, and from what I've read Google will do very little to help you in a situation like this.

Rant over.


(UPDATE)

http://www.mail-archive.com/foss-nepal@googlegroups.com/msg04114.html

I've found an advisory that points out that Pidgin stores its password file IN PLAIN TEXT! I'm now 100% certain the passwords were stolen from Pidgin, though the hole that allowed someone in could have been elsewhere. Any hack/trojan that could get a file from my home directory would therefore have access to this file. I cannot say for certain how the hacker got access to the file - it may or may not have been a remote hole in Pidgin as I initially suspected - but given that Pidgin stores its passwords in PLAIN TEXT and that one of the stolen passwords (my ICQ account) ONLY exists in Pidgin and nowhere else on my system (for years), there is no other place it could have come from but the Accounts.XML file.


Upon checking, yes, this is true. Accounts.xml is the file and it has all plaintext passwords. If you use Pidgin, you better hope your system is locked down, because you don't even have the simplest of protection if someone can get the file.
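A quick way to see exactly what is sitting in that file, as an added example that is not from the original post or from the Pidgin project: the script below parses a constructed accounts.xml (following the layout of Pidgin's file: a root <account version='1.0'> holding one <account> element per configured account, each with <protocol>, <name> and, when the password was saved, a plaintext <password> element), lists every account whose password is stored in the clear with the value masked, and shows how to strip the <password> elements so Pidgin prompts at connect time instead of keeping the secret on disk. The account names, IDs and passwords in the sample are made up; the default file locations (~/.purple on Linux, %APPDATA%\.purple on Windows) are assumed to be the usual Pidgin ones.

```python
"""Audit a Pidgin accounts.xml for passwords stored in the clear.

Added example (not from the original post or the Pidgin project).
SAMPLE_ACCOUNTS_XML is a constructed file that follows the accounts.xml
layout: a root <account version='1.0'> with one <account> child per
configured account, each holding <protocol>, <name> and, when the
password was saved, a plaintext <password> element. Names, IDs and
passwords below are made up.
"""
import os
import xml.etree.ElementTree as ET
from pathlib import Path

XML_DECL = "<?xml version='1.0' encoding='UTF-8' ?>\n"

SAMPLE_ACCOUNTS_XML = XML_DECL + """<account version='1.0'>
    <account>
        <protocol>prpl-jabber</protocol>
        <name>someone@gmail.com/Home</name>
        <password>hunter2-gmail</password>
        <settings>
            <setting name='connect_server' type='string'>talk.google.com</setting>
        </settings>
    </account>
    <account>
        <protocol>prpl-icq</protocol>
        <name>123456789</name>
        <password>icq-pass-from-2007</password>
    </account>
    <account>
        <protocol>prpl-msn</protocol>
        <name>nobody@example.com</name>
    </account>
</account>
"""


def default_accounts_path():
    """Default Pidgin profile location: %APPDATA%\\.purple on Windows,
    ~/.purple elsewhere (assumed standard locations)."""
    if os.name == "nt":
        return Path(os.environ.get("APPDATA", "")) / ".purple" / "accounts.xml"
    return Path.home() / ".purple" / "accounts.xml"


def mask(secret):
    """Show only the first two characters so a report can be shared safely."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def find_plaintext_passwords(xml_text):
    """Return (protocol, name, password) for every account whose <password>
    element is present and non-empty, i.e. stored in the clear."""
    root = ET.fromstring(xml_text)
    hits = []
    for acct in root.findall("account"):
        pw = acct.findtext("password")
        if pw:
            hits.append((acct.findtext("protocol", ""), acct.findtext("name", ""), pw))
    return hits


def scrub_passwords(xml_text):
    """Return a copy of the file with every <password> element removed.
    Pidgin then prompts for the password at connect time instead of
    keeping it on disk (the same effect as unticking 'Remember password')."""
    root = ET.fromstring(xml_text)
    for acct in root.findall("account"):
        pw = acct.find("password")
        if pw is not None:
            acct.remove(pw)
    return XML_DECL + ET.tostring(root, encoding="unicode")


def audit_file(path):
    """Report stored passwords and, on POSIX, whether the file mode lets
    group/other read it (any 0o077 bit set) - a second way the file can leak."""
    path = Path(path)
    text = path.read_text(encoding="utf-8")
    report = {"path": str(path), "accounts": find_plaintext_passwords(text)}
    if os.name == "posix":
        report["readable_by_others"] = bool(path.stat().st_mode & 0o077)
    return report


if __name__ == "__main__":
    target = default_accounts_path()
    if target.is_file():
        report = audit_file(target)
    else:  # no Pidgin profile on this machine: run against the constructed sample
        report = {"path": "(sample)", "accounts": find_plaintext_passwords(SAMPLE_ACCOUNTS_XML)}
    print("File:", report["path"])
    for proto, name, pw in report["accounts"]:
        print(f"  {proto:12} {name:30} password stored in clear: {mask(pw)}")
    if report.get("readable_by_others"):
        print("  WARNING: file is readable by group/other")
```

Run it as-is to audit the local profile (it falls back to the built-in sample when no accounts.xml is found); to actually remove the stored secrets, write the output of scrub_passwords() back over the file while Pidgin is not running, then re-enter each password at connect time. Note that the MSN entry in the sample has no <password> element, which is exactly what a scrubbed account looks like.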

Here is the argument the Pidgin Developers give for giving away your passwords:

http://developer.pidgin.im/wiki/PlainTextPasswords


Comments
on Feb 22, 2008
Sorry to hear about all that.

I have 2 (two) questions:

Why were you using a keygen? Aren't they for getting the SS #'s for programs that are pay to use?
Pirated?

Why would RoadRunner tech support have a problem with your PC going through a router?
I have a router and never had to unplug it from my PC for them to help me.. and they have even told me to reset the router then reset the modem, or was it the other way around? Either way, they helped..

anyway Good Luck with all that..


I guess Vista is too busy keeping you from doing criminal stuff that it doesn't care if you're the one being criminalized. OK, you Vista lovers, I was just joking.. lol
on Feb 22, 2008
Not all keygen programs are for cracking serial numbers. I have two or three on my computer because they are used to make codes for ebooks, programs, and passcoded purchases online of items you may be selling. As for RR having a problem, I can't say for sure as I have never had their service, but I'd hazard to bet that they're in the same line as my service provider here on the East Coast: they will not help with any tech solutions or troubleshooting if you have a home network or any hardware/software that they didn't install or that didn't come with their installation package. And because RR is such a large provider, they may have different rules in different areas regarding working with people that have additional hardware installed. DD
on Feb 22, 2008
I don't remember who invited me, though, and that's a key part of the info they want if they are to talk to you about recovering your account.



Holy crap. They expect people to remember that after possibly years? What if it was just some random stranger doing you a good? Or someone who posted the invite links on someplace like JoeUser for a "first come first served" grab fest (which I saw done many times)?

on Feb 22, 2008
Watch your PayPal account. I had identity theft from my PayPal account to my checking account. They got me for about $100.00 until my bank thought something was funny... They were from France. So I had to close out my bank account and open up a new one. I closed my PayPal account and have no more problems.
They even went so far as to change my PP account language to French. Very scary..

I checked to make sure it wasn't coming from my computer, but I am clean.. It was all from PayPal..

Good luck...  
on Feb 22, 2008

DisturbedComputer

Why were you using a keygen? Aren't they for getting the SS #'s for programs that are pay to use? Pirated? Why would RoadRunner tech support have a problem with your PC going through a router?

As far as the keygen... I know it is controversial, but if there are not sufficient demos of a program/game, I will use a keygen to try it out. I have been burned too many times buying something (especially from EA) and then finding it to be utter trash, to not try something out before I buy it.

As far as the roadrunner tech, well, he did have me disconnect the router. Since it was an issue with the computer being unable to connect to the internet, they won't diagnose your router for you. It was the modem not requesting its IP properly - it finally kicked in and worked but took quite some number of reboots of the modem.

on Feb 22, 2008

RoseNell

Watch your Pay Pal account.

I changed all my important passwords. I'm planning on changing unimportant passwords as well, but this all takes time and some sites make it very difficult.

Paypal and eBay I'd have expected to be hit first, but they weren't, confirming my belief that it was through Pidgin that they got the passwords.

Honestly, now that I think about it, I wonder if maybe the hole that allowed them to get the Pidgin password file was perhaps the well-publicized traversal exploit in Firefox 2.0.0.12 - I'm not certain how it works, but I have read that it may allow files in a user's home directory to be read remotely. Well, Pidgin's Accounts.XML is in the home directory... unprotected. Makes sense to me.

on Feb 22, 2008
Cool, did not know that about keygens.

[quote]Not all keygen programs are for cracking serial numbers. I have 2 or three on my computer because they are used to make codes for ebooks, programs, passcoded purchases online of items you may be selling.[/quote]


Yeah, I know EA sucks at times. I got one game that I don't remember where I put it, and called EA for a replacement; they wanted $30.00 or $40.00 for it. NOT buying; I can buy the game cheaper for $19.99, and told them that. Hell, it's only like 10 pages at the most and in black and white.