
    Every now and then, we get questions about password crackers. Usually, these questions are something like: “Why do you detect these password crackers? They’re not malicious!” Well, now is as good a time as any to address the topic.

    Obviously, password-cracking programs are not terribly malicious. Unless they have been trojanized or manipulated somehow, they just… crack passwords. Usually, given a password-protected file, they try different possibilities to recover that pesky password you forgot. I’m the first to admit that even though it might not be the best use of your computing power, it’s not terribly bad either.

    However, there is a catch. Password-crackers and other software made for network administrators are often seen as part of attacks. This applies to other administration tools as well.

    We have seen everything being used as tools in the attacker’s arsenal: from remote session helpers to file server programs and, yes, password crackers. Oftentimes, a trojan will spearhead the attack and, once it’s inside the victim’s network, it will download other tools to help further its objectives. For instance, if the attacker stumbles upon a password-protected file, he might think that’s precisely where the interesting stuff is, and use… a password cracker.

    This brings me to the second (though admittedly similar) malicious use of admin tools: targeted attacks. These usually allow the attacker to connect remotely to the victim and then move laterally inside the network looking for information to steal. In this mission, the attacker might drop in several reconnaissance and offensive tools. Among these – yes, you guessed it – password crackers.

    A targeted attack is not just about the “tools” used, even if they are legitimate. It is about who is carrying out the attack. Just because a particular tool started out as a legitimate product does not mean it is always used that way.

    Because of how password crackers are abused in the wild, it makes perfect sense for us to detect them and prevent our customers from running them on their machines. At the end of the day, our customers are masters of their own machines – they can always create an exception for a password cracker if they have a legitimate use for it on their networks.

    We don’t think the freedom of letting common hacker tools loose in your network is worth the risk they involve. Dynamite has good uses too, but we try not to store it in our homes.









    • RolandD

      Thanks for the nice read! Do you think pairing PUP detection with behavioral detection would be even more suitable than a traditional detection? E.g. detecting a password recovery tool being executed by another process.

    • Nick

      What about the software “Iforgot”?



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice