giulia

Level 5
Hi
PasswordFox is a tool to export Firefox passwords, and it can save them in many ways, even as a KeePass CSV file.

The latest version is protected by the password nspsfx403!
Code:
nspsfx403!
and many antivirus engines mark it as malware:
virustotal

Nirsoftware releases amazing utilities; just take a look at the list:
nirsoftware list

Do you think PasswordFox is really malware?
Some antivirus engines mark it as potentially unsafe, others as malware.

And can I ask what you use to export your Firefox passwords?
Thanks

MacDefender

Level 11
Verified

Based on what some of the other engines say, it seems like it's labeled as a hacktool because of its ability to reveal passwords already stored on the user's machine. I suspect this was probably used as part of some piece of ransomware to exfiltrate passwords from the browser, hence why it's now labeled across the board as malware.

Here's what the vendor says if you want to take their word: NirBlog » Blog Archive » Antivirus companies cause a big headache to small developers.

MacDefender

Level 11
Verified
Kaspersky already fixed it, not showing up on VT anymore.

BTW this is right in line with one of my gripes about certain engines, particularly BitDefender, Norton, and Microsoft. They frequently label hacking/piracy related tools with extremely generic malware sigs like Trojan.GenericKD or similar. Surely it's not coincidence the same is true of those 3 engines for this sample.

This tool is even borderline to label as PUA or a HackTool. Labeling it as a trojan I think should be considered a false positive, period.

(With regard to Kaspersky, it's really rare in my experience for them to mislabel a PUA as a generic malware detection, so I'll be a little more forgiving compared to WD or BD, who have a long track record of these misclassifications... Kudos to them for their quick response.)

giulia

Level 5

Based on what some of the other engines say, it seems like it's labeled as a hacktool because of its ability to reveal passwords already stored on the user's machine. I suspect this was probably used as part of some piece of ransomware to exfiltrate passwords from the browser, hence why it's now labeled across the board as malware.

Here's what the vendor says if you want to take their word: NirBlog » Blog Archive » Antivirus companies cause a big headache to small developers.
Hi,
it's weird that it's password protected; it makes me suspicious.
And I appreciate your help in submitting it to Kaspersky.
I often submit samples but never get an answer, not even from ESET.
Thanks!

MacDefender

Level 11
Verified

FWIW, it's not signed either -- getting it properly digitally signed and working with AV vendors to get their certificate whitelisted is probably the right way instead of just complaining on blogs. This app apparently has 4 KSN users per day at this point -- if an app with that low prevalence is peeking into my browser passwords, IMO I'd expect a good AV to be suspicious.

upnorth

Moderator
Verified
Staff member
Malware Hunter
I ran it on AnyRun and it did nothing other than what was advertised. Zero outbound connections, so yeah, I would guess the VT results are false positives. It's still the developers' main responsibility to get that fixed, as in the end it boils down to the key factor: trust.

Btw, F-Secure (latest stable version 17.8) blocked it on the spot after it was extracted.

MacDefender

Level 11
Verified
I ran it on AnyRun and it did nothing other than what was advertised. Zero outbound connections, so yeah, I would guess the VT results are false positives. It's still the developers' main responsibility to get that fixed, as in the end it boils down to the key factor: trust.

Btw, F-Secure (latest stable version 17.8) blocked it on the spot after it was extracted.
Interestingly, F-Secure only blocks the 32-bit version and thinks the 64-bit one is clean. It's labeled with the "PrivacyRisk.SPR" Avira signature, and is classified as a PUA with the option to trust it if you'd like. I think they should be consistently classifying the 32-bit and 64-bit versions the same way.

I agree with your assessment, but will add that the ones that explicitly detect this as a PUA (in terms of being a privacy risk or HackTool) I think are acceptable. A password reader could be used in suspicious or legitimate ways; labeling it as a PUA is probably accurate. But the ones that flat out label it as a trojan, that is a false positive for sure.