|
Nefario (OP)
|
 |
March 22, 2012, 06:28:02 PM |
|
I'm after being in contact with one of GLBSE's users who's funds have didn't seem to show up. After more investigation we discovered that he has a trojan/malware.
The malware recognises any bitcoin addresses that are copied, and replaces them with a new address, when you copy an address from your service you're using (GLBSE.com, Intersango.com) to your bitcoin client to transfer your coins, the malware replaces them with the scam address, so that your coins are sent to the hacker.
When I have more details on the software involved/responsible I will update, in the meantime make sure to double check the address you copy/paste.
I believe that this is a windows only vulnerability.
Nefairo
|
PGP key id at pgp.mit.edu 0xA68F4B7C To get help and support for GLBSE please email support@glbse.com |
|
|
|
|
|
|
|
|
|
The Bitcoin network protocol was designed to be extremely flexible. It can be used to create timed transactions, escrow transactions, multi-signature transactions, etc. The current features of the client only hint at what will be possible in the future.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
Remember remember the 5th of November
Legendary
 Offline
Activity: 1862
Merit: 1011
Reverse engineer from time to time
|
 |
March 22, 2012, 06:35:43 PM |
|
I'm after being in contact with one of GLBSE's users who's funds have didn't seem to show up. After more investigation we discovered that he has a trojan/malware.
The malware recognises any bitcoin addresses that are copied, and replaces them with a new address, when you copy an address from your service you're using (GLBSE.com, Intersango.com) to your bitcoin client to transfer your coins, the malware replaces them with the scam address, so that your coins are sent to the hacker.
When I have more details on the software involved/responsible I will update, in the meantime make sure to double check the address you copy/paste.
I believe that this is a windows only vulnerability.
Nefairo
Figures, Linux is not nearly exploitable. |
BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
|
|
|
RodeoX
Legendary
Offline
Activity: 3066
Merit: 1145
The revolution will be monetized!
|
|
March 22, 2012, 06:38:55 PM |
|
So am I correct in assuming that a countermeasure could be verifying the address before sending? Or does it make the change in a way that is not visible to the user?
|
|
|
|
Kaos
Member
Offline
Activity: 64
Merit: 10
|
|
March 22, 2012, 06:45:56 PM |
|
what's the dodgy bitcoin address? Is it static or does it change every time?!
|
|
|
|
|
|
Nefario (OP)
|
|
March 22, 2012, 06:48:59 PM |
|
any ways what it did is when i copied the btc address from your site in a browser and pasted to my account on btc-e in another browser tab to request withdrawal it would paste a different address i didnt notice it till today it was in a link on bitcointalk.org for an optimized miner so i downloaded the miner and ran it nothing happened so i just ignored it and didnt think anything of it until now From the user. It's a new address each time. I believe that visually verifying the address will protect against this. The addresses so far: 17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd 14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ |
PGP key id at pgp.mit.edu 0xA68F4B7C To get help and support for GLBSE please email support@glbse.com |
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
March 22, 2012, 07:04:09 PM |
|
I mean that sucks but on the other hand I got to say awesome to the malware writer. Get the user to send coins to the wrong address. No need to keylog, hack the client, look for wallet.dat, spoof RPC, etc. Just get the user to send you money.
|
|
|
|
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1470
Merit: 1029
Show middle finger to system and then destroy it!
|
|
March 22, 2012, 10:52:58 PM |
|
Trojan that replaces the filled data for bank transfers was around at least 4 years ago. Adopting such system for Bitcoin is no brainer.
I was looking for exploit to copy address to clipboard using javascript but it did not work with FireFox without user intervention. I abandoned the idea.
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
foggyb
Legendary
Offline
Activity: 1652
Merit: 1006
|
|
March 22, 2012, 11:25:17 PM |
|
I mean that sucks but on the other hand I got to say awesome to the malware writer. Get the user to send coins to the wrong address. No need to keylog, hack the client, look for wallet.dat, spoof RPC, etc. Just get the user to send you money.
I've been WONDERING when the first hacker would do this. Its so obvious. |
|
|
|
|
|
drakahn
|
|
March 22, 2012, 11:27:32 PM |
|
any ways what it did is when i copied the btc address from your site in a browser and pasted to my account on btc-e in another browser tab to request withdrawal it would paste a different address i didnt notice it till today it was in a link on bitcointalk.org for an optimized miner so i downloaded the miner and ran it nothing happened so i just ignored it and didnt think anything of it until now From the user. It's a new address each time. I believe that visually verifying the address will protect against this. The addresses so far: 17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd 14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ Any info what the optimised miner was? or a link to the thread? |
14ga8dJ6NGpiwQkNTXg7KzwozasfaXNfEU
|
|
|
|
Nefario (OP)
|
|
March 22, 2012, 11:47:11 PM |
|
No I've not heard back.
|
PGP key id at pgp.mit.edu 0xA68F4B7C To get help and support for GLBSE please email support@glbse.com |
|
|
foggyb
Legendary
Offline
Activity: 1652
Merit: 1006
|
|
March 23, 2012, 12:09:35 AM |
|
any ways what it did is when i copied the btc address from your site in a browser and pasted to my account on btc-e in another browser tab to request withdrawal it would paste a different address i didnt notice it till today it was in a link on bitcointalk.org for an optimized miner so i downloaded the miner and ran it nothing happened so i just ignored it and didnt think anything of it until now From the user. It's a new address each time. I believe that visually verifying the address will protect against this. The addresses so far: 17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd 14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ Is it possible for malicious code to detect a <mousebutton-down> event on a send dialog box, then insert the hackers address a millisecond later? In such a case, visual verification may not thwart the attack. A 'lock address' function could help. The address locks the moment is it pasted into the field. No unlock (except cancel). |
|
|
|
|
|
payb.tc
|
|
March 23, 2012, 12:25:48 AM |
|
A 'lock address' function could help. The address locks the moment is it pasted into the field. No unlock (except cancel).
or just a regular confirmation dialog... Are you sure you want to send 1 million bitcoins to 1ffjfitetwrexjf...? YES / NO |
|
|
|
|
|
marked
|
|
March 23, 2012, 12:27:46 AM |
|
Any info what the optimised miner was? or a link to the thread?
neheminer 2.0 is believed to currently be the miner, discussion now on btc-e chat. marked |
|
|
|
|
|
drakahn
|
|
March 23, 2012, 12:29:04 AM |
|
Any info what the optimised miner was? or a link to the thread?
neheminer 2.0 is believed to currently be the miner, discussion now on btc-e chat. marked i know... i'm the one discussing, lol http://xml.ssdsandbox.net/view/91c66258f4294c95a77a6aaa8ef3ec39it reads your wallet.dat as well, so if you notice this make sure to make a new wallet for your coins |
14ga8dJ6NGpiwQkNTXg7KzwozasfaXNfEU
|
|
|
|
Nefario (OP)
|
|
March 23, 2012, 12:37:27 AM |
|
Any info what the optimised miner was? or a link to the thread?
neheminer 2.0 is believed to currently be the miner, discussion now on btc-e chat. marked Thats funny, the affected user was sent to me from btc-e. |
PGP key id at pgp.mit.edu 0xA68F4B7C To get help and support for GLBSE please email support@glbse.com |
|
|
|
marked
|
|
March 23, 2012, 01:01:27 AM |
|
oops, didn't see far enough back to see you were already there talking about it. marked |
|
|
|
|
|
finway
|
|
March 23, 2012, 03:48:33 AM |
|
Check address.
|
|
|
|
CIYAM
Legendary
Offline
Activity: 1890
Merit: 1075
Ian Knowles - CIYAM Lead Developer
|
|
March 23, 2012, 04:00:59 AM |
|
A 'lock address' function could help. The address locks the moment is it pasted into the field. No unlock (except cancel).
or just a regular confirmation dialog... Are you sure you want to send 1 million bitcoins to 1ffjfitetwrexjf...? YES / NO Unfortunately it's fairly easy to write software to send a Yes/No the instant the confirmation dialog appears (I built a tool for doing this in order to get around some shareware nags years ago). |
|
|
|
|
dayfall
|
|
March 23, 2012, 04:44:21 AM |
|
Perhaps someone could code vhash into their webpage and into a client.
|
|
|
|
|
|
