Password Stealer in Email Files (Mac)

User Help for Mozilla Thunderbird
chris12dec
Posts: 3
Joined: December 19th, 2017, 11:54 am

Password Stealer in Email Files (Mac)

Post by chris12dec »

Hello, I was wondering if anyone has come across a situation where Windows Defender quarantines files in your Thunderbird profile for the Gandi inbox saying that they are password stealers? That day I had been connecting to nodes with my bitcoin wallet down port 8333 and wondered if it was feasible that a password stealer could have embedded itself in the files that way. Just before Windows Defender told me about the PWS, Twitter wouldn’t display properly for 10 minutes, only for me it seemed, i.e. no CSS. It all seems very odd. Thank you for any ideas on whether Thunderbird files are vulnerable in this way.
Last edited by DanRaisch on December 19th, 2017, 12:09 pm, edited 1 time in total.
Reason: (Mac) added to Subject line.
chris12dec
Posts: 3
Joined: December 19th, 2017, 11:54 am

Re: Password Stealer in Email Files (Mac)

Post by chris12dec »

Hi, just to add, this is in Windows 10.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Password Stealer in Email Files (Mac)

Post by tanstaafl »

Anything could be in a message's attachment. Hopefully you have "view -> display attachments inline" UNchecked so that you have to explicitly open an attachment.

I suggest you run a scan using specialized anti-malware software like the free version of MalwareBytes as a precaution. Windows Defender has improved, but it's still just an anti-virus scanner. You should have something else that specializes in detecting malware. Think about browsing the Wilders security forums for suggestions/reviews.

https://www.av-comparatives.org/wp-cont ... 17b_en.pdf
chris12dec
Posts: 3
Joined: December 19th, 2017, 11:54 am

Re: Password Stealer in Email Files (Mac)

Post by chris12dec »

Hello, thank you for replying. The particular account has not received messages for a few years (the reason I like Thunderbird is that you can store email files as archives easily). In that time I have had the Malwarebytes paid-for real-time protection and it has never quarantined these files in the directory. So I thought that these files had to have been compromised very recently to make them appear to Windows Defender as a password stealer. It quarantined 5 files altogether from the folder containing the inbox files for my Gandi account. No other folders for my 2 gmail, 2 outlook, 1 yahoo or 1 hotmail accounts had files that were quarantined. I have wondered if Windows Defender has just made a mistake, so was curious if that happened in the past to anyone. Could malware embed itself by burrowing into the profile directory and then into the email files? Thank you.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Password Stealer in Email Files (Mac)

Post by tanstaafl »

Anything is possible, but malware deliberately burying itself in a Thunderbird profile seems unlikely given how many better targets there are, and the small percentage of users that have Thunderbird. I'd assume if a message was infected it was because the original message received at the mail server was infected.

However, false positives are a common problem with anti-virus scanners. One of the main reasons for using an AV that is email aware (knows how to intercept and scan email before it is stored in a file rather than just scanning every file when it is opened) is to avoid it clobbering the entire mail folder due to one possibly infected mail message.

http://kb.mozillazine.org/Antivirus_pro ... as_a_virus has links to three web sites (Jotti is the only one that tells you what AVs it will use beforehand) to which you could upload a file and have it checked by many anti-virus scanners at the same time. That would make it easier to spot false positives, though you would either have to tell your resident anti-virus scanner not to do anything to the infected file, or tell it to remove it from the quarantine so that it can be uploaded.
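Thunderbird's default storage keeps all messages of a folder in one mbox file (the files in the profile directory that the scanner quarantined are these folder files), which is why a hit on one attachment takes the whole folder with it, and why uploading "the file" to a multi-scanner site means uploading years of mail. The script below is an added example written for this thread, not code from the forum or from Mozilla: it reads a folder file with Python's standard mailbox and email modules, lists every attachment with the message it came from and its SHA-256, and can export each attachment as a separate hash-named .bin file so that only the suspect attachment needs to be submitted for a second opinion. The sample mbox, the addresses and the attachment name are constructed.

```python
"""Inventory and export attachments from a Thunderbird mbox folder file."""
import email
import hashlib
import mailbox
import os
import tempfile
from email import policy

# Constructed sample folder file: two messages, the second carrying a small
# base64 attachment. Not real mail; it exists so the script runs offline.
SAMPLE_MBOX = (
    "From alice@example.com Mon Dec 18 10:00:00 2017\n"
    "From: alice@example.com\n"
    "To: chris@example.com\n"
    "Subject: plain message\n"
    "Message-ID: <one@example.com>\n"
    "\n"
    "No attachment here.\n"
    "\n"
    "From bob@example.com Mon Dec 18 11:00:00 2017\n"
    "From: bob@example.com\n"
    "To: chris@example.com\n"
    "Subject: with attachment\n"
    "Message-ID: <two@example.com>\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\n'
    "\n"
    "--XYZ\n"
    "Content-Type: text/plain\n"
    "\n"
    "See attached.\n"
    "--XYZ\n"
    'Content-Type: application/octet-stream; name="invoice.exe"\n'
    'Content-Disposition: attachment; filename="invoice.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "aGVsbG8=\n"
    "--XYZ--\n"
    "\n"
)


def write_sample_mbox(directory=None):
    """Write the constructed sample to a file named like a Thunderbird folder."""
    directory = directory or tempfile.mkdtemp(prefix="mbox-demo-")
    path = os.path.join(directory, "Inbox")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_MBOX.encode("utf-8"))
    return path


def _iter_attachments(mbox_path):
    """Yield (message index, parsed message, attachment part) for every attachment."""
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for index, key in enumerate(box.keys()):
            # get_bytes() returns the raw message without the "From " separator;
            # re-parsing with policy.default gives an EmailMessage with iter_attachments()
            msg = email.message_from_bytes(box.get_bytes(key), policy=policy.default)
            for part in msg.iter_attachments():
                yield index, msg, part
    finally:
        box.close()


def inventory_attachments(mbox_path):
    """One record per attachment: which message it belongs to, name, type, size, SHA-256."""
    records = []
    for index, msg, part in _iter_attachments(mbox_path):
        data = part.get_payload(decode=True) or b""
        records.append({
            "message_index": index,
            "message_id": str(msg.get("Message-ID", "")),
            "subject": str(msg.get("Subject", "")),
            "filename": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return records


def export_attachments(mbox_path, out_dir):
    """Write each attachment to out_dir as <sha256>.bin (neutral suffix, no name clashes)."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for _index, _msg, part in _iter_attachments(mbox_path):
        data = part.get_payload(decode=True) or b""
        target = os.path.join(out_dir, hashlib.sha256(data).hexdigest() + ".bin")
        if not os.path.exists(target):
            with open(target, "wb") as fh:
                fh.write(data)
        written.append(target)
    return written


if __name__ == "__main__":
    sample = write_sample_mbox()
    for rec in inventory_attachments(sample):
        print(rec)
    print(export_attachments(sample, os.path.join(os.path.dirname(sample), "extracted")))
```

Point it at a copy of the quarantined folder file (restore it from quarantine to a scratch directory first, as the post above says) rather than the live profile; the SHA-256 in each record can also be looked up on a multi-scanner service directly, which avoids uploading anything at all when the hash is already known.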