"It seems like a usual executable malware or botnet client being spammed that does its thing when executed, but after looking into it further, I find it very interesting how simply it was written and how it uses some network administration tools to effectively steal users' sensitive info from their computer," he says in his analysis of the software.
What is interesting about the software - and its raison d'être - is that, unlike Elcomsoft's password recovery applications, the Freehostia application is designed with one purpose in mind - the theft of user credentials.
Elcomsoft is a privately owned software company headquartered in Moscow; since the company was created in 1990, it has been working on computer security programs, with the main focus on password and system recovery software.
In July of 2001, Dmitry Sklyarov, a Russian citizen employed by Elcomsoft - who was visiting the US to attend the DefCon show - was arrested and jailed for allegedly violating the Digital Millennium Copyright Act (DMCA) after he coded the firm's Advanced eBook Processor software. By the end of 2002, Sklyarov and his employers were found not guilty under the DMCA.
Since then, Elcomsoft's password recovery software has become the de facto `password recovery' application of its type, raising the profile of this type of utility and creating expectations amongst Windows and Mac users.
It's free and it works
It's against this background that Ramos discovered the Freehostia software, which he found to contain a file named `document.exe' with a fake PDF file hiding the software's true intentions.
Central to the Freehostia software, he says, is AdbeR.exe, a command-line tool called `All-in-One Email Password Recovery Tool' that ostensibly recovers email passwords from popular email and chat applications such as MS Outlook, MS Outlook Express, Thunderbird and MSN Messenger.
The good news is that the software recovers the user's Outlook email account and passwords - as well as the user's accounts on different Web sites - and presents them to the user.
Whilst this appears to help the user, Ramos says that the password files are also uploaded to an FTP site hosted on Freehostia.com.
"With the readily available and easy access to these so-called network admin/forensic tools, and by just using simple scripts, anyone with malicious intent will be able to easily steal any user's Email and Website accounts and passwords," he said.
According to Richard Cassidy, a solution architect with Alert Logic, it is utilities like the Freehostia software that play on the weakest link in the chain of good security practices, namely the users.
"How the software operates is quite straightforward, in that it's propagated via e-mail, requiring the user to click on the attachment, which then uncompresses and runs the malware application. It's no surprise that this malware targets all available passwords in the affected system's browser. Typically most users will maintain a single password for almost all sites they access," he said.
"If an attacker can compromise even a single password from a user, it can mean `carte-blanche' for access to other sites and systems thereafter," he said, adding that it should be clear that the strongest security controls rely on good password strength and regular changes.
If the `password recovery' pathway is followed, he says, then this is the Achilles heel in terms of allowing attackers continued access to corporate systems.
"Ultimately there is only so much host-based protection systems can do to prevent users from overriding common sense security controls," he said.
"Users need to question any external e-mails from untrusted/unknown sources that require packages to be installed, and corporations need to ensure strict rights policies on users' desktops, with system level and file-based monitoring tools that are reviewed on a continual basis for better security protection," he added.
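As an added illustration (not code from the article or from either analyst), the chain Ramos describes - a document-named executable launched from a mail attachment, which in turn runs AdbeR.exe and then uploads the result over FTP - can be written as a correlation rule over the kind of process and network telemetry Cassidy's "system level and file-based monitoring" would collect. The sample events, hostnames, PIDs and the lure-name and delivery-parent lists are constructed assumptions.

```python
"""Flag the credential-theft chain from the article: a mail-delivered executable that poses
as a document spawns a password-recovery tool, and the same process tree then talks FTP."""

# Constructed sample endpoint telemetry (not from the article). "ws1" shows the full chain;
# "ws2" shows the recovery tool run by hand from a shell, which this rule must not flag.
EVENTS = [
    {"ts": 1, "type": "process", "host": "ws1", "pid": 100, "ppid": 10, "image": "outlook.exe", "parent": "explorer.exe"},
    {"ts": 2, "type": "process", "host": "ws1", "pid": 200, "ppid": 100, "image": "document.exe", "parent": "outlook.exe"},
    {"ts": 3, "type": "process", "host": "ws1", "pid": 300, "ppid": 200, "image": "AdbeR.exe", "parent": "document.exe"},
    {"ts": 4, "type": "network", "host": "ws1", "pid": 200, "dport": 21, "dest": "freehostia.com"},
    {"ts": 5, "type": "process", "host": "ws2", "pid": 400, "ppid": 10, "image": "AdbeR.exe", "parent": "cmd.exe"},
]

# Assumed lists: the tool name comes from the article; lure stems and delivery parents are guesses
# a real deployment would replace with file hashes and its own mail/archiver inventory.
RECOVERY_TOOLS = {"adber.exe"}
LURE_STEMS = {"document", "invoice", "report"}
DELIVERY_PARENTS = {"outlook.exe", "thunderbird.exe", "explorer.exe", "winrar.exe"}
FTP_PORTS = {21}


def document_lure(image):
    """True for an executable whose name imitates a document, e.g. document.exe or document.pdf.exe."""
    name = image.lower()
    return name.endswith(".exe") and name.split(".")[0] in LURE_STEMS


def find_chains(events):
    """Return one alert per recovery-tool launch whose parent is a mail-delivered lure
    and whose process tree later opens an FTP connection."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] != "process" or e["image"].lower() not in RECOVERY_TOOLS:
            continue
        parent = procs.get((e["host"], e["ppid"]))
        if parent is None or not document_lure(parent["image"]):
            continue  # tool started by a user or admin directly: not this rule's concern
        if parent["parent"].lower() not in DELIVERY_PARENTS:
            continue
        # Upload may come from the tool itself or from the lure that launched it.
        ftp = [n for n in events
               if n["type"] == "network" and n["host"] == e["host"] and n["ts"] > e["ts"]
               and n["pid"] in (e["pid"], parent["pid"]) and n["dport"] in FTP_PORTS]
        if ftp:
            alerts.append({"host": e["host"], "lure": parent["image"],
                           "tool": e["image"], "dest": ftp[0]["dest"]})
    return alerts
```

Running `find_chains(EVENTS)` yields a single alert for `ws1`; the manual launch on `ws2` has no lure parent and no FTP upload, so it is left alone.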