Check Your PC For Signs Of A Dangerous Password Stealer


Organised crime groups use the internet to steal money from online banking customers, and some of the software they develop is worryingly effective. Take the case of one program that was used to steal money from almost 10,000 accounts.

The trojan spreads as a malicious email attachment. Open the attachment and a program is installed on your computer that routes all your internet traffic through the criminals' server, which is hosted on the anonymous Tor network. So although it appears that you are talking to your bank's web site, you are actually connected to the criminals' server, which does a fine job of impersonating the bank. Except that it also captures every username and password you enter.

Security experts always advise that you never type confidential data such as banking passwords into a web site unless that site is using encryption, which you can see from the padlock symbol in your browser and the https:// (the s stands for secure) at the start of the web address. But the criminals found a way around this: the trojan installs a "rogue certificate" on the victim's computer. A root certificate tells the computer which certificate issuers to trust, and any site that presents a certificate issued by a trusted root is accepted without complaint. With their own root installed, the criminals can issue themselves a certificate in the bank's name. So when you see the https:// and the padlock symbol, this is merely showing you that your computer has been persuaded to trust the criminals' fake bank website. The padlock only ever means that the connection is encrypted to whoever holds the certificate's private key; it does not, on its own, tell you who that is.

Sigcheck, a free command-line utility from Microsoft's Sysinternals team, can list the certificates installed in your PC's trust stores and highlight those that do not chain to a root on Microsoft's list of trusted roots. If it finds any that you cannot account for, you can remove them with the standard Windows certificate manager (certmgr.msc for your own account, certlm.msc for the machine-wide stores).

To get Sigcheck, go to https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx and download the 0.6 MB zip file. It's portable (there is nothing to install), but it is a command-line utility, so unzip it, open a command prompt in the folder you unzipped it to (or use cd to change to that folder), and type:

sigcheck -tv

Or, on 64-bit Windows, change sigcheck to sigcheck64. The first run asks you to accept the licence agreement (add -accepteula to skip the prompt). The -t switch dumps the machine's certificate stores; the v makes Sigcheck download Microsoft's trusted root certificate list and report only certificates that do not chain to a root on that list, so the check needs an internet connection. Add u (sigcheck -tuv) to check the current user's stores as well, since a certificate can be added there without administrator rights. Ideally, you should simply see a message saying No Certificates Found. If something is listed, don't panic: anti-virus and parental-control products, corporate IT departments and some developer tools install their own root certificates legitimately. Anything you cannot trace to a product you knowingly installed deserves a closer look.

NB: Incidentally, if you're technically minded and want to see whether the program is capable of detecting a bogus certificate, there's a safe way to do so. Download the HTTP debugging tool Fiddler from http://www.telerik.com/fiddler, install it, then select the option to decrypt HTTPS traffic. To do this, Fiddler installs its own root certificate (named DO_NOT_TRUST_FiddlerRoot, and perfectly safe in this instance) on your computer, which is exactly the technique the trojan uses. Run Sigcheck again and it should list that certificate. When you have finished, turn HTTPS decryption off again and use Fiddler's option to remove its interception certificates. However, unless you're particularly interested in seeing how Sigcheck behaves when it finds a suspicious certificate, there's no need to do this step. Simply running Sigcheck on your computer will be sufficient.
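The whole procedure above (run Sigcheck against the machine and user stores, cross-check what Windows itself lists as trusted roots, look for the Fiddler test certificate, and remove a root you decide not to trust) as one script. This is an added example, not code from the original article or from Sysinternals. It assumes Sigcheck was unzipped to %USERPROFILE%\Downloads\Sigcheck, that it is run in an elevated PowerShell (reading and removing LocalMachine entries needs that), and the 90-day "recently added" threshold is an arbitrary starting point, not a rule.

```powershell
# Added example: Sigcheck plus PowerShell's Cert: drive. Not from the original article.
# Assumptions: Sigcheck unzipped to %USERPROFILE%\Downloads\Sigcheck; run as administrator.

# 1. Sigcheck's own check: machine stores (-tv) and the current user's stores (-tuv).
#    -v downloads Microsoft's trusted root list, so an internet connection is required.
$sigcheck = Join-Path $env:USERPROFILE 'Downloads\Sigcheck\sigcheck64.exe'   # assumed path
if (Test-Path $sigcheck) {
    & $sigcheck -accepteula -nobanner -tv
    & $sigcheck -accepteula -nobanner -tuv
} else {
    Write-Warning "Sigcheck not found at $sigcheck; change the path to where you unzipped it."
}

# 2. Cross-check with Windows itself: every root certificate the machine and the
#    current user trust, newest first. A root you cannot trace to a product you
#    knowingly installed is the one to investigate.
$roots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | Select-Object `
        @{n='Store';      e={ $store }},
        @{n='Subject';    e={ $_.Subject }},
        @{n='Thumbprint'; e={ $_.Thumbprint }},
        @{n='NotBefore';  e={ $_.NotBefore }},
        @{n='NotAfter';   e={ $_.NotAfter }}
}
$roots | Sort-Object NotBefore -Descending | Format-Table -AutoSize

# 3. Two heuristics worth a closer look (assumed thresholds): roots in the current
#    user's store, which can be added without admin rights, and roots whose validity
#    period only started in the last 90 days.
$suspect = $roots | Where-Object {
    $_.Store -eq 'Cert:\CurrentUser\Root' -or $_.NotBefore -gt (Get-Date).AddDays(-90)
}
$suspect | Format-Table Store, Subject, Thumbprint -AutoSize

# 4. The Fiddler test from the article: after "Decrypt HTTPS traffic" is enabled its
#    root (DO_NOT_TRUST_FiddlerRoot) appears here. Removing it is the same step you
#    would use for any root you decide not to trust.
$fiddler = Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
           Where-Object Subject -like '*FiddlerRoot*'
foreach ($c in $fiddler) {
    Write-Host "Found $($c.Subject) ($($c.Thumbprint)) in $($c.PSParentPath)"
    # Remove-Item -Path $c.PSPath     # uncomment to delete it
}
```

Step 2 is the check to keep even if Sigcheck is unavailable: Windows' own list of trusted roots is what the browser consults, and a root that appeared on a date you do not recognise is exactly what the trojan described above leaves behind. Step 4's Remove-Item is commented out on purpose; delete a root only once you have matched its subject and thumbprint against the product that installed it.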


Comments

I ran sigcheck64 as indicated and it found several certificates. How do I know whether or not they should be removed? This article says "Sigcheck will scan your PC and look for suspicious certificate files that have been installed. Ideally, you should simply see a message saying No Certificates Found. If it finds any, you can then uninstall them via standard means within Windows". How do I know which are really valid & how do I remove those that shouldn't be installed? Should I be worried about these?

Examples found:

Machine\AddressBook:
Joe
Cert Status: Valid

Machine\ROOT:
Kaspersky Anti-Virus Personal Root Certificate
Cert Status: Valid

Symantec Root 2005 CA
Cert Status: Valid

root
Cert Status: Valid

Machine\TrustedPeople:
Joe
Cert Status: Valid

Thank you Midnight Cowboy. I will study the link you provided to learn what I should do.

Folks. You HAVE to run it within a command window. A command window will appear as a black window with simple text. You MUST open the command window in the directory that Sigcheck is in. Then you must TYPE the Sigcheck64 -tv command into the black window and hit enter. This is very similar to the old DOS operating system. Many of the Sysinternals commands must be run in a command window.
The "flash" that you are seeing is the command windows opening, running the command, and then closing the command prompt window. This will happen when you simply click on the Sigcheck file. Simply clicking on the Sigcheck file is NOT the proper way to run it.

For users who receive this message: "'sigcheck64' [or 'sigcheck'] is not recognized as an internal or external command, operable program or batch file."

Make sure that you're running the command in the same folder where you've unzipped the downloaded file.

To run a command in a folder you like, browse to and select that folder in a file explorer, then hold down the Shift key and right-click the mouse, select "open command window here" from the context menu. See also: How to Open the Windows Command Prompt from any Folder

Hope this helps.

Thanks for that. The problem here may be that often you'll want to open the command prompt as an administrator, and you may not be able to do that using that method.

http://www.ghacks.net/2014/09/11/check-windows-folders-for-file-signatures-with-sigcheckgui/
I moved SigcheckGUI into the Sigcheck folder.
Curiously, SigcheckGUI.exe is the only unsigned one of my 25 running processes.
For me, Autoruns and Process Explorer suffice.
Not sure why Sigcheck; check the digital signature through Properties. YMMV.

This is a much better choice! And easier to use for most people. Friendly interface and you don't have to learn all those options, etc. Thanks!

To be able to see the results you have to open a command line window (as administrator).
To do so (Win7, probably similar in Win10):
- type cmd in the Start --> Search box
- right-click cmd.exe and choose Run as administrator
- in the box navigate to the place where sigcheck.exe (or sigcheck64.exe) file is located. (You could *beforehand* copy the sigcheck.exe or sigcheck64.exe to an easy-to-find place, e.g. c:\ and then in the command line window navigate to c:\ by typing cd \ (or cd c:\). Another way to do it (then you don't have to navigate anywhere) is *beforehand* to copy the sigcheck.exe or sigcheck64.exe file to a folder in your path. To see folders in your path, type path in the command line window.
- type sigcheck or sigcheck64 followed by for instance -v -tv (probably not just -tv as given). See the options in the help file at the download site, or at the command prompt by just typing sigcheck or sigcheck64 without anything following.

Command Prompt (Admin)

Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd c:\

c:\>sigcheck64 -tv
'sigcheck64' is not recognized as an internal or external command,
operable program or batch file.

c:\>sigcheck64.exe -tv
'sigcheck64.exe' is not recognized as an internal or external command,
operable program or batch file.

c:\>

Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>sigcheck
'sigcheck' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>cd c:\

c:\>sigcheck
'sigcheck' is not recognized as an internal or external command,
operable program or batch file.

c:\>

Did you copy the sigcheck.exe file to C:\ first? - Otherwise it won't work.
Alternatively, you could first copy the sigcheck.exe file to C:\windows\system32 which is in your path. Then you don't have to change folder. You can just type sigcheck (+ options).

Portable application. Where do the instructions say to copy it to system space?

You can search for the file sigcheck.exe (Start --> Search box) to find it. - The point is that to run the sigcheck.exe file from the command prompt, the file must be in the folder shown in the prompt (e.g. C:\) - or the file could be in a folder in the path (e.g. c:\windows\system32\).
Please see newer post (above) with SigcheckGUI - which is much easier to use!

Yes I just put it on the "Fix" forum, it sounds like I'm not the only person having problems with it.....

Thanks bjm, things are so screwed up now I can't even figure it out. Each time I try to sign in I can't and have to request a new PW, so posting my email is not a problem; if it attracts junk it's OK, it's just a response email, and judging from the past few minutes I'll have to create a new PW anyway. Sorry you're having the same trouble with "sigcheck". Maybe Gizmo will have one of his troops answer and try something, who knows. It's been a messed-up morning here.....

Same problem with sigcheck64

I'm doing something wrong >

C:\WINDOWS\system32>sigcheck64 -tv
'sigcheck64' is not recognized as an internal or external command,
operable program or batch file.

I saved zip download to desktop. Extract. I see sigcheck and sigcheck64 applications. Command line prompt sigcheck64 -tv = 'sigcheck64' is not recognized

First copy sigcheck64 to C:\WINDOWS\SYSTEM32. Then use sigcheck64 -t[v]; that should do it.

I tried this: downloaded, unzipped, opened it, a flash of black (maybe a command prompt), then nothing. Repeated three times, same result. Tried to contact Gizmo's; none of my sign-ins worked, had to re-establish a new one, still don't know what has happened. Used Gizmo's for years, first time I've experienced difficulties. Would appreciate a response on whether my name and PW work now and then what is happening with this recommendation for "sigcheck". Thanks. s rubin [email address removed as per site rules]

I get the same flash of black trying to launch the application directly. rubin, are you sure you want to publish your email for all to see?