Hi Redox,
As Floating_Red mentioned in the previous reply, this may be a false positive detection. I replied to a similar question here, but that had to do with a very likely false positive detection for a keylogger. In that message, I mentioned screen capture programs but had forgotten to list "password stealer" as the third category of programs that this feature can detect and block. If you haven't already done so, try running LiveUpdate again because there could be an update to address this if it's been analyzed and determined to be a false positive.
The Crimeware Protection feature is capable of detecting various types of keyloggers, screen captures, and password stealers. It does this by detecting behaviors that are often associated with such programs. Key logger and screen capture programs are pretty well known, but many people have never heard of password stealers. Password stealers are malicious programs that overlay invisible windows above legitimate programs' username and password fields in order to capture and steal a user's login. Some of these, such as certain variants of the Infostealer.Bancos malware, monitor the web browser and display these overlay windows only when the user visits the login pages of specific banking websites. The user thinks they are typing into the bank's login form, but the keys are actually going into the malicious overlay window, which captures them to make them available to the bad guys. The password stealer may even forward the keys on to the actual web form so the user doesn't see anything unusual.
It is very likely that Windows Sidebar was detected as a password stealer because either its own window or that of one of its plug-ins was transparent and overlapped your web browser while it was displaying a login page. You've raised an excellent question about narrowing this down to a specific sidebar gadget. Unfortunately, the detection can't be resolved down to the file level, only the process level. That is, Crimeware Protection can detect a suspicious window and see that it's owned by sidebar.exe, but not the individual plug-in that created the window. I'm afraid that the only way to narrow this down is to selectively disable gadgets and check if the sidebar is still detected.
Though it is probably a false positive, in this case I don't advise changing the crimeware protection setting to "Allowed" on it in the NIS Blocked Programs list. This is because Windows Sidebar has a plug-in architecture and it is possible for it to load a malicious keylogger, screen capture, or password stealer gadget. For the same reason, I wouldn't recommend anyone marking a web browser or other programs that commonly host plug-ins as Allowed.
Can you post the list of Sidebar gadgets that you're running and the file version number of sidebar.exe that you're running? To view the list of gadgets, right-click on the sidebar, select "Properties", and click "View list of running gadgets".
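The process-level limit described in the reply above can be seen in a small model of overlay detection. This is an added example, not part of the original post and not Norton's code: the window records, the alpha threshold and the function names are constructed assumptions, and the product's real heuristics are not documented here.

```python
from dataclasses import dataclass

# Extended window style bit from the Win32 API (winuser.h).
WS_EX_LAYERED = 0x00080000

@dataclass(frozen=True)
class Window:
    hwnd: int         # window handle
    process: str      # owning process image; the finest owner a window reports
    rect: tuple       # (left, top, right, bottom) in screen pixels
    ex_style: int     # extended style bits
    alpha: int = 255  # 0 = invisible, 255 = opaque
    z: int = 0        # higher = closer to the user

def overlaps(a, b):
    """True when two (left, top, right, bottom) rectangles intersect."""
    return a[0] < b[2] and b[0] < a[2] and a[1] < b[3] and b[1] < a[3]

def suspicious_overlays(windows, login_field, field_z, max_alpha=32):
    """Flag near-invisible windows stacked above a login field.

    max_alpha is an assumed threshold. Each hit is (hwnd, process):
    nothing in a window record says which gadget created the window.
    """
    hits = []
    for w in windows:
        layered = bool(w.ex_style & WS_EX_LAYERED)
        if (w.z > field_z and layered and w.alpha <= max_alpha
                and overlaps(w.rect, login_field)):
            hits.append((w.hwnd, w.process))
    return sorted(hits)

# Constructed sample: a browser showing a login field, plus three
# sidebar.exe windows that belong to different gadgets.
LOGIN_FIELD = (400, 300, 700, 340)
SAMPLE_WINDOWS = [
    Window(0x101, "iexplore.exe", (0, 0, 1200, 900), 0, 255, z=1),
    # Nearly transparent gadget window covering the login field.
    Window(0x201, "sidebar.exe", (650, 250, 900, 500), WS_EX_LAYERED, 20, z=2),
    # Opaque gadget docked at the screen edge, clear of the field.
    Window(0x202, "sidebar.exe", (1250, 0, 1400, 200), WS_EX_LAYERED, 255, z=2),
    # Transparent gadget that does not overlap the field.
    Window(0x203, "sidebar.exe", (1250, 250, 1400, 400), WS_EX_LAYERED, 10, z=2),
]

def flagged():
    return suspicious_overlays(SAMPLE_WINDOWS, LOGIN_FIELD, field_z=1)
```

Only window 0x201 is flagged, and its owner is reported as sidebar.exe, which is why the gadgets have to be disabled one at a time to find the one responsible.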
Sorry, I forgot about this post.
App Launcher v3 3.3.4.6
HDDlife 3.0.141 --an installed program called BinarySense.
Multi HDD Meter 2.31
Multi Meter 4 Core 1.22
Wired Network Meter 2.0
Notes 1.0.0.0
Sidebar.exe file version: 6.0.6001.18000
BTW, Transaction Protection also blocked C:\Windows\system32\Bubbles.scr identifying it as a screen capture program. Actually it’s a user modified version of Vista’s bubbles screen saver.
Thanks Again for your help….
About a month ago I noticed under “Transaction Protection,” C:\Program Files\Windows Sidebar\sidebar.exe has been blocked. Under “Behavior” it’s listed as a “Password Stealer.” When I run a virus scan, no security risks are detected. How do I discover which sidebar gadget is the password stealer, and the files involved? I have noticed the “Blocked” date changes about once a week, but not every time I connect to the internet. Any help would be appreciated.
BTW: Log Viewer doesn’t identify the culprit.
Also: Under sidebar.exe properties, it identifies the program as having been created on 3/20/08--the same date and time I installed Vista SP1.
As long as it keeps getting Blocked, you should be fine.
There is a program in Windows S.P. 3 that Transaction Security Blocks as a Keylogger, but is part of the Software so there is nothing to worry about (haven't read up on what it does and why it is needed, yet), so it could be something like that in Vista; not sure, though.