We all know that you should back up your data periodically if you don't want to lose it in the case of an incident. This is not as trivial as it used to be. You might have some information stored remotely in online services. Most likely you will have an online email account and may want to have those emails archived on your local backup drive.
So I wasn't surprised when I saw an article last week on Jeff Atwood's blog about someone searching for a way to archive emails from Gmail. By the way, any IMAP client might be a good way. The sad part of the story was that the guy stumbled on a shareware tool called G-Archiver. After playing around with the software, he discovered that there is a hard-coded Gmail account with a password in this application. After doing some more analysis, it was evident that this tool not only archives your emails locally; it also archives your password remotely by sending an email with your username and password to the hard-coded Gmail account. I personally doubt that the author of the tool wanted to expand his tool and offer a password recovery service for your account. According to the vendor's Web site, it was a coding mistake that is now corrected. Then again, I do not see any legitimate reason why this tool would need to store your password, let alone mail it away somewhere. So it looks more like an attempt to steal passwords. Checking the hard-coded account showed more than 1700 emails with passwords of unsuspecting users.
Backdoored applications are by no means anything new. I mean, that's the exact definition of a Trojan horse. But it shows that you should always check new software that you install on your system. Hoping that it is safe is nice, but hope is not your best strategy when it comes to security or availability. Clearly not everyone has the time to disassemble each new tool, but doing some research and downloading from reputable sites is a good start. As soon as an application asks for your password you should be much more vigilant.
After realizing what had happened to his password, the concerned user deleted all of the accumulated emails, changed the password of the drop email account, and reported it. Still, if you've used G-Archiver in the past, I would recommend that you go and change your Gmail password right now. Obviously the author has a tool to archive emails from Gmail accounts, so it would be no surprise if someone made a backup of all the passwords before they were deleted.
Many download sites have now removed this tool from their repositories. We added detection for this tool as Infostealer.Geemarc.
Thanks to Kevin S. for the screenshots.