Bitcoin Forum

Other => Meta => Topic started by: r3wt on November 21, 2013, 02:42:41 AM



Title: Malware Bytes Reports Bitcointalk as Malicious Website. False Positive?
Post by: r3wt on November 21, 2013, 02:42:41 AM
Looks like malware distribution to Windows users. I've spoken with one individual who unfortunately was infected. The signature of the bot shows up as "bitcoinminer" (like the false positive in cgminer) and infected paint.exe. Upon investigation, I was able to T/V in and determine that it is indeed not a false positive. The malware escalates privilege and opens svchost. Unfortunately the bot owner caught wind of my snooping and terminated TeamViewer. Windows users, be careful.

Download MBAR (Malwarebytes Anti-Rootkit) and check your machine out immediately. Seems like the bot owner has chosen the forum as a distribution point for an upcoming DDoS attack, a complex layer 7 attack where botnets are used to circumvent conventional DDoS filters and detection protocols (fits the timing and MO of the person behind a previous attack of this nature on a website I won't disclose).

Of course, it could just be an attempt to steal the wallets of BCT users.  :D

<!-- this concludes the Tinfoil Hat Report-->

<!--my logs for bitcointalk.org-->

Code:
2013/11/20 13:10:17 -0600	GN0DE	r3wt	IP-BLOCK	109.201.133.195 (Type: outgoing, Port: 50537, Process: chrome.exe)
2013/11/20 13:30:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 51720, Process: chrome.exe)
2013/11/20 13:50:14 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 52942, Process: chrome.exe)
2013/11/20 14:10:17 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54343, Process: chrome.exe)
2013/11/20 14:30:20 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 55592, Process: chrome.exe)
2013/11/20 14:50:23 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 56784, Process: chrome.exe)
2013/11/20 15:10:18 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 57917, Process: chrome.exe)
2013/11/20 15:30:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 59123, Process: chrome.exe)
2013/11/20 15:50:16 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 60394, Process: chrome.exe)
2013/11/20 16:10:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 61690, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62478, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62484, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62485, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62486, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62487, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62488, Process: chrome.exe)
2013/11/20 16:19:57 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62491, Process: chrome.exe)
2013/11/20 16:19:57 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62492, Process: chrome.exe)
2013/11/20 16:25:50 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63281, Process: chrome.exe)
2013/11/20 16:25:50 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63282, Process: chrome.exe)
2013/11/20 17:07:48 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49392, Process: chrome.exe)
2013/11/20 17:16:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49914, Process: chrome.exe)
2013/11/20 17:16:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49915, Process: chrome.exe)
2013/11/20 17:16:46 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49960, Process: chrome.exe)
2013/11/20 17:16:46 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49961, Process: chrome.exe)
2013/11/20 17:30:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50879, Process: chrome.exe)
2013/11/20 17:30:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50880, Process: chrome.exe)
2013/11/20 18:43:54 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 55526, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62244, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62245, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62246, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62247, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62313, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62314, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62315, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62316, Process: chrome.exe)


Title: Re: Malicious Content Has been inserted into Bitcointalk
Post by: anti-scam on November 21, 2013, 03:14:33 AM
How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.


Title: Re: Malicious Content Has been inserted into Bitcointalk
Post by: scintill on November 21, 2013, 03:25:28 AM
How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.

Yeah, I see nothing about where it is supposedly "inserted into Bitcointalk", how users can protect themselves, how the forum can clean it...


Title: Re: Malicious Content Has been inserted into Bitcointalk
Post by: r3wt on November 21, 2013, 03:29:16 AM
How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.

Yeah, I see nothing about where it is supposedly "inserted into Bitcointalk", how users can protect themselves, how the forum can clean it...

You're welcome. I expect theymos or someone else to handle it now.


Title: Re: Malicious Content Has been inserted into Bitcointalk
Post by: theymos on November 21, 2013, 03:31:52 AM
If there is actually a problem with the forum, MalwareBytes can collect a substantial bounty (https://bitcointalk.org/index.php?topic=309785.0). But they're probably just wrong. Anti-malware companies make money by scaring users into thinking that everything around them is dangerous. The forum has previously been blocked by anti-malware software because you can find download links to stealth mining software here.


Title: Re: Malicious Content Has been inserted into Bitcointalk
Post by: r3wt on November 21, 2013, 03:33:53 AM
If there is actually a problem with the forum, MalwareBytes can collect a substantial bounty (https://bitcointalk.org/index.php?topic=309785.0). But they're probably just wrong. Anti-malware companies make money by scaring users into thinking that everything around them is dangerous. The forum has previously been blocked by anti-malware software because you can find download links to stealth mining software here.

Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not. At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.


Title: Re: Malicious Content Has been inserted into Bitcointalk
Post by: theymos on November 21, 2013, 03:38:36 AM
Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not. At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.

You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.


Title: Re: Malicious Content Has been inserted into Bitcointalk
Post by: scintill on November 21, 2013, 03:43:24 AM
At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.

I'm trying not to be too hostile here, but I'm really skeptical and feel like you're deliberately being vague.  What "issue"?  All you've really done is claim there's an infection, speculate on its motives, and give some sort of log without much description of what it is.

So, at least could you say what the log is?  Something has blocked outgoing connections from chrome.exe to bitcointalk.org (109.201.133.195)?  What do the columns mean?  What software produced this log?  Are the port numbers listed from your side or bitcointalk's?  It would indeed be unusual for Chrome to be connecting to high-numbered ports of bitcointalk, but not unusual for high-numbered ports to be the originating port from Chrome as a client.

Sounds like theymos has debunked the log as an overactive general blacklist, not an indication of a new, specific infection on bitcointalk.
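
The questions in the post above (what software produced the log, what the columns are, whether the ports are local or remote) are the triage questions one would ask of any such log. As an added illustration, not code from anyone in this thread, here is a small Python parser for lines in the shape of the Malwarebytes IP-BLOCK entries posted above. It groups blocks by destination IP and process and reports whether the logged ports all fall in the IANA dynamic range (49152-65535) and change on every connection, which is what one expects if the Port column is the browser's own source port, as opposed to a single fixed port that would more likely be a service port on the remote side. The log field layout and the sample lines are constructed for this example (the 192.0.2.10 / unknownproc.exe line is a placeholder contrast case, not something from the thread), and the script does not claim to know which side the port refers to; it only tests the pattern.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# IANA dynamic/private port range start; also the default ephemeral range on
# Windows Vista and later. Assumption for this example: ports at or above this
# value that differ on every connection look like client-side source ports.
DYNAMIC_PORT_START = 49152

# Constructed sample modelled on the log lines posted in this thread. Both the
# tab-separated and the space-separated layouts seen on the page are included,
# plus MESSAGE records (which the parser must skip) and a placeholder line for
# a non-browser process hitting a fixed low port.
SAMPLE_LOG = """\
2013/11/20 13:10:17 -0600\tGN0DE\tr3wt\tIP-BLOCK\t109.201.133.195 (Type: outgoing, Port: 50537, Process: chrome.exe)
2013/11/20 13:30:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 51720, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62478, Process: chrome.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54730, Process: firefox.exe)
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   Stopping IP protection
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   IP Protection stopped successfully
2013/11/20 19:44:20 -0800   admin-PC   admin   IP-BLOCK   192.0.2.10 (Type: outgoing, Port: 443, Process: unknownproc.exe)
"""

# Record layout assumed here: timestamp with UTC offset, host, user, record
# kind, free-text detail. Fields may be separated by tabs or runs of spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<kind>\S+)\s+(?P<detail>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+), "
    r"Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)


@dataclass
class BlockEvent:
    ts: str
    host: str
    user: str
    ip: str
    direction: str
    port: int
    process: str


def parse_log(text: str) -> list[BlockEvent]:
    """Return the IP-BLOCK events from a protection log; MESSAGE records and
    lines that do not match the assumed layout are skipped."""
    events: list[BlockEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m or m["kind"] != "IP-BLOCK":
            continue
        d = BLOCK_RE.match(m["detail"])
        if not d:
            continue
        events.append(BlockEvent(m["ts"], m["host"], m["user"], d["ip"],
                                 d["direction"], int(d["port"]), d["process"]))
    return events


def classify(all_dynamic: bool, fresh_port_each_time: bool) -> str:
    """Label the port pattern: a fresh dynamic-range port per connection is
    consistent with ordinary client source ports; anything else is a fixed
    port that deserves a closer look."""
    if all_dynamic and fresh_port_each_time:
        return "ephemeral-source-ports"
    return "fixed-port"


def summarize(events: list[BlockEvent]) -> dict[tuple[str, str], dict]:
    """Group blocks by (destination IP, process) and describe the port pattern."""
    groups: dict[tuple[str, str], list[BlockEvent]] = defaultdict(list)
    for e in events:
        groups[(e.ip, e.process)].append(e)
    out = {}
    for key, evs in groups.items():
        ports = [e.port for e in evs]
        all_dynamic = all(p >= DYNAMIC_PORT_START for p in ports)
        fresh = len(set(ports)) == len(ports)
        out[key] = {
            "count": len(evs),
            "directions": sorted({e.direction for e in evs}),
            "port_range": (min(ports), max(ports)),
            "all_dynamic": all_dynamic,
            "fresh_port_each_time": fresh,
            "pattern": classify(all_dynamic, fresh),
        }
    return out


if __name__ == "__main__":
    for (ip, proc), info in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:16} {proc:16} n={info['count']:<3} "
              f"ports={info['port_range']} -> {info['pattern']}")
```

Run against the sample, the chrome.exe and firefox.exe blocks to 109.201.133.195 come out as ephemeral-source-ports (every connection used a new port above 49152), while the placeholder unknownproc.exe line to port 443 is reported as fixed-port. Neither label says the destination is safe or malicious; the script only separates "a browser reached a blacklisted address in the normal way" from "a process repeatedly hit one specific port", which is the distinction the post above is asking about.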


Title: Re: Malicious Content Has been inserted into Bitcointalk
Post by: papaminer on November 21, 2013, 03:53:43 AM
I see it has been reported already..

Anyway... theymos' explanation does answer why is it being blocked NOW?

I have been an MBAM PRO user for more than a few years... and it only blocked the forum THIS MORNING? Just when BTC went OVER $500 USD?


Anyway... here is my log... just in case... someone who really cares...

Quote
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54730, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54732, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54734, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54736, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54737, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54738, Process: firefox.exe)
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   Stopping IP protection
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   IP Protection stopped successfully
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   Starting IP protection
2013/11/20 19:44:16 -0800   admin-PC   admin   MESSAGE   IP Protection started successfully


Title: Re: Malicious Content Has been inserted into Bitcointalk
Post by: r3wt on November 21, 2013, 03:56:49 AM
Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not. At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.

You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.

Been using it for years, and this is the first time it's occurred at bitcointalk. Additionally, I searched the Malwarebytes IP database and bitcointalk is not on the list of hosts. I accept that it could be a false positive, but to brush it off without investigation is lazy.


Title: Re: Malware Bytes Reports Bitcointalk as Malicious Website. False Positive?
Post by: Probably on November 21, 2013, 05:42:27 AM
https://forums.malwarebytes.org/index.php?showtopic=136963 I reported this earlier as well. Same boat, this just started happening today.



Title: Re: Malicious Content Has been inserted into Bitcointalk
Post by: BitcoinFX on November 22, 2013, 06:51:59 PM
Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not. At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.

You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.

I've just scanned bitcointalk.org

http://sitecheck.sucuri.net/scanner/ - Clean

https://www.virustotal.com/en/url/7354af8427d7b8d4236356d0bca680ad3186fce415cb51971f3793cee59e4291/analysis/1385144339/ - Clean

However, I found that hpHosts is currently listing bitcointalk.org - i.e. 'Malwarebytes'.

See: http://hosts-file.net/?s=bitcointalk.org - this is probably an error, and the admin should contact 'Request removal' for more info.

Not 100% sure how ads are being served here, but it might be to do with temporarily hijacked 3rd party content and/or in relation to linked content.

This report, I suspect, is actually a 'false positive'.