Title: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: HighSociety on December 23, 2013, 07:54:34 PM

Hi all,

I downloaded a file which was listed on this website. It was zipped with an executable. So my spider sense was tingling of course. Now this executable creates several hidden files @ AppData\Local\Temp\raxnm\ which are only visible through using cmd and dir /a. I'm very curious what these files are. I'm wondering if it's some kind of hidden mining software or a keylogger for bitcoin wallets? I attached these hidden files in a zip @ the link below.

http://www.sharebeast.com/0kldteijxrlx

*Be aware that if you download the file from the site to not run the executable but instead open it with WinRAR.

I hope you guys can help me to crack this case :D

Thanks

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: chris267 on December 24, 2013, 12:30:09 AM

Hiya,
Just a quick question:

1. Are you stupid, or are you stupid? - Downloading an executable file which is just shouting VIRUS VIRUS VIRUS, I'M HERE TO STEAL YOUR WALLET ALONG WITH ANY SAVED PASSWORDS ON YOUR COMPUTER TO TAKE ALL YOUR PERSONAL INFORMATION/MONEY AND RUN. Use some common sense.

On another note, having used Wireshark to trace the connection (in a safe environment of course) I have got a valid IP address. I shall create an IC3 report along with a complaint to the webhosting company to shut down the site.

Have a good day all, if you need help with anything malware related, I'm your man. 8)

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: Citrux on December 24, 2013, 04:47:56 PM

> Hiya, Just a quick question: 1. Are you stupid, or are you stupid?

Nice people skills there Chris. I know many very intelligent people that have no interest in IT and so wouldn't be able to tell the difference between trojans and utils until it's too late. Let's not get too egotistical on our geek abilities and let's try to help each other out with a bit of respect. And if you're wondering, yes I got caught out and lost my bitcoins - so by your criteria, I'm stupid - no offence taken.

Thanks, HighSociety. I was directed to that website due to references mentioning http://www.bitcoindriveprice.com/ over bitcoinwisdom.com which I felt was lacking in info. The website doesn't look too convincing but the amount of comments elsewhere promoting it can be seductive. I did a Google search to check it out and came up with these results:

thuckgood 4 Days Ago: salt, www.bitcoindriveprice.com is better then bitcoinwisdom in my choice test it...
btce1s 18 Hours Ago: smedia2010, lol true, anyone now should wait until price drop look here it will be happen soon: www.bitcoindriveprice.com
http://dcaz.net/user/thuckgood - pushing this website all over this page.
http://dcaz.net/user/btce1s - pushing this website all over this page.
olliebtce: Can the moderator ban btce1s: !!! If you look at their history they keep plugging their scam website www.bitcoindriveprice.com.
00:45:32 btce1s: DBOOTYNABBER, BTC going to drop to 550$ today look at the analystics www.bitcoindriveprice.com
00:49:33 btce1s: jhovanny8, dont look on fiat they giving false result look here: www.bitcoindriveprice.com
http://dcaz.net/user/hardergamer - 3 entries on 22/12/2013
17:09:57 evilsim: my antivirus telling me this page is a trap - www.bitcoindriveprice.com
http://www.skyminerlabs.com/drive/ is another website to beware of - a replica of www.bitcoindriveprice.com that contains the same download link address.
http://wscheck.com/trust-report/bitcoindriveprice.com - the website is less than a week old.

I think driveprice is a keylogger for the fraudulent benefit of thuckgood and/or btce1s, which I think is one of the biggest threats to bitcoin take-up for the regular guy. Bitcoin may be secure but the exchanges aren't, which means bitcoin funds are far more vulnerable than in banks. The bitcoin world is still very much the wild wild west and open to thieves and pirates. You only have to look at BTC-e's troll box to see the type of people rife at the moment. Trying to screw each other over with pump and dumps. There are some helpful comments but mostly full of ego battles and name calling.

OK, so assuming that BTCDriveprice is a logger. How many people have already clicked on the download and lost money? I will help all I can to help get it back and bring the scumbag to justice. I want the financial revolution to kick out the bankers, I don't want the people screwing each other over.

I'll share more info here later as I learn more - but if any techie whizzes out there can help then that would be cool too.

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: chris267 on December 24, 2013, 08:26:51 PM

Just a quick question? Are you using the same PC which you had been infected on? If so, dependent on the malware itself, you may still be infected.
I can provide you with some info on how to make sure you're completely free of any malware if required.
Truth is, these websites will operate no matter how hard you try. The best we can do is shut them down before another unsuspecting user falls for the trap. I've managed to file an IC3 report on this. However I need your help.

http://who.is/whois/bitcoindriveprice.com
http://who.is/whois/skyminerlabs.com

Whois guard = protected, meaning the details of the owner of the site aren't visible to the public eye. However, looking at the info, the web hosting company which provided the webhosting/domain has a report email. Please send a report to: abuse@enom.com - make sure to let them know the following.

1. The site is being used for malicious intention with the purpose to steal user data.
2. An IC3 complaint form has been initiated.
3. Users have lost money from this person.

The webhosting company may even decide to pursue their own legal action as what the hacker has done goes against the T+C's of the site.

P.S. - my bad, I thought by obvious standard it was easy to distinguish what is a scam site and what isn't. Nonetheless that's not for me to be debating about, I'm just here trying to get rid of the low life scums who try and benefit from others' misfortune. Let me know if anyone needs help related to this topic.

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: Citrux on December 26, 2013, 11:36:16 AM

Chris
Thanks for the info - I've learned a lot from you already. I'm using another PC for changing passwords and was planning to reinstall the infected PC except I've got some software that I can't afford to lose on it at the moment. If the PC can be cleaned instead of wiped it would be a better option for me. I use Sunbelt Vipre which is great for blocking viruses but this little gremlin wasn't detected even by a manual scan. Malwarebytes picked up the log directory and deleted it but I can't tell whether the PC is clean since I don't know how the thiefware works. If you could provide the info on checking if the PC is clean I would be very thankful.

I've followed your three steps to report the sites and I'll be going onto Twitter and Facebook searching for other victims of this scam. Looking at the volume on BTC-e, there are potentially thousands of bitcoin being syphoned off. I would put the alert out on BTC-e chat but ironically I don't have enough funds to be allowed to chat :)

Thanks and best wishes

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: chris267 on December 26, 2013, 09:58:02 PM

Please have a look at the attached PNG file.
https://i.imgur.com/8q74Mhc.png

You may notice that not many antiviruses have picked up the file. This is because the file data has been obfuscated; in essence what this does is encrypt the information so that variables/strings which are usually detected by antiviruses are not detected in this case. Although the virus has an equal effect as one which is detected by an antivirus, this bypasses AV detections. Avast has recognised the file as a virus, this is noted. - the virus itself has been compressed and the data has been encrypted, no ordinary file would need this.

http://anubis.iseclab.org/?action=result&task_id=14da8ed3789a7a6f40127038770170b4d&format=html
PDF Version: http://anubis.iseclab.org/?action=result&task_id=14da8ed3789a7a6f40127038770170b4d&format=pdf

Anubis is used to analyze malware. It gives an indication of what processes are running / created by the malware itself. Please have a look at the report which indicates what the file "DrivePrice.exe" does. I will proceed to explain to you what the file does.

HKLM\Software\Classes 1 Key Change, Value Change 3
HKLM\Software\Classes\CLSID 1 Key Change, Value Change 2
HKLM\Software\Microsoft\COM3 1 Key Change, Value Change 6
HKU 1 Key Change, Value Change 4

The file upon execution automatically creates a startup module so that every time the computer opens up, the file will automatically execute without user request.

C:\Documents and Settings\Administrator\bbany
C:\Documents and Settings\Administrator\bbany\JkjQmRMVf.QSP
C:\Documents and Settings\Administrator\bbany\UUEROZbb.RXS
C:\Documents and Settings\Administrator\bbany\__tmp_rar_sfx_access_check_416609
C:\Documents and Settings\Administrator\bbany\iRAjSEv.VPC
C:\Documents and Settings\Administrator\bbany\laRO.exe
C:\Documents and Settings\Administrator\bbany\nNCigjkgoI.vbs

Files of the malware are duplicated throughout the computer to increase the chance of the virus staying on the computer. If an antivirus was to delete one instance of the virus, the virus has enough information to duplicate and attack again.

There is no reason for a legitimate file to:

1. Create multiple instances of the file
2. Create registry keys in the computer to boot up automatically upon computer startup.
3. Be detected by an antivirus

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: chris267 on December 27, 2013, 01:14:02 PM

Both websites have been taken down.
Mission accomplished. ;)

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: Luror on December 27, 2013, 02:17:27 PM

> C:\Documents and Settings\Administrator\bbany
> C:\Documents and Settings\Administrator\bbany\JkjQmRMVf.QSP
> C:\Documents and Settings\Administrator\bbany\UUEROZbb.RXS
> C:\Documents and Settings\Administrator\bbany\__tmp_rar_sfx_access_check_416609
> C:\Documents and Settings\Administrator\bbany\iRAjSEv.VPC
> C:\Documents and Settings\Administrator\bbany\laRO.exe
> C:\Documents and Settings\Administrator\bbany\nNCigjkgoI.vbs

Seems to be a similar set of files to what I found on another site: https://bitcointalk.org/index.php?topic=308982.msg3989992#msg3989992

One of them is then a copy of AutoIt engine, and another is an encrypted AutoIt script.

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: chris267 on December 27, 2013, 04:22:40 PM

> ... One of them is then a copy of AutoIt engine, and another is an encrypted AutoIt script.

1. Same person spreading same malware
2. Both malware have been encrypted using the same method

Are the sites still operating? If so can you forward me the domains and I'll take them down. Thanks.

Glad I took these 2 domains down today, hopefully that will have prevented some potential victims from losing their btc.

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: Luror on December 27, 2013, 06:51:07 PM

> 1. Same person spreading same malware
> 2. Both malware have been encrypted using the same method
> Are the sites still operating? If so can you forward me the domains and I'll take them down. Thanks.
> Glad I took these 2 domains down today, hopefully that will have prevented some potential victims from losing their btc.

There's two possibilities. The first one was asicminersoft.com, now seems to be empty (I see only "Welcome ! Site asicminersoft.com just created. Real content coming soon." there), second one with the same content is minersoftware.com - still functioning.

However the problem is there's no direct link to a trial now on the site, I managed to find it in Google cache: q="site:minersoftware.com" -> http://webcache.googleusercontent.com/search?q=cache:vqMlzDWaJnsJ:minersoftware.com/free-7-days-trial/+&cd=8&hl=en&ct=clnk&lr=lang_en -> minersoftware.com/wp-content/uploads/2013/12/BitcoinMinerSoftware.rar (file is still there)

Virustotal.com for .rar: https://www.virustotal.com/en/file/6902c37d7458b33d5969859377efc5f9310c820476167ff4f234dae450158593/analysis/1387073852/ (this one is not AutoIt based, just a 26Kb trojan)

And there was bitcoinwisdom.net, which redirected to skyminerlabs.com, which hosted a similar AutoIt-based malware, you seem to have terminated it already :)

Re: "same person spreading same malware", the scripts were not really similar, at least size was wildly different, 800kb to 20mb or so. Maybe there's some generator out there.

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: chris267 on December 27, 2013, 09:04:02 PM

Good job on finding some evidence. I'll sort this one out :)
Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: SgtMoth on February 09, 2014, 08:33:15 AM

Hi,

here are the relevant web server log entries.

2014.01.30:
23:58:24.237 [qtp1093804284-39801] INFO code.lib.BitMinterOpenIDVendor - User SgtMoth logged in from 79.183.71.69 with OpenID handle https://www.google.com/accounts/o8/id?id=AItOawl3gwngW02OnsMjL4IaoZrIORTLQxh9MxQ
23:59:23.603 [qtp1093804284-39901] INFO code.snippet.Cashouts - SgtMoth (from 79.183.71.69) set new NMC auto cash out settings. Threshold 1991.00000000 Address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2 Enable: on
23:59:51.711 [qtp1093804284-39787] INFO code.snippet.Send - Not enough funds! SgtMoth tried to send 374.04698537 NMC to address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2
2014.01.31:
00:00:06.181 [qtp1093804284-39785] INFO code.snippet.Send - SgtMoth sent 374 NMC to address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2

Timestamps are in UTC.

Info on the company owning the IP address he connected from, probably his ISP: http://whois.net/ip-address-lookup/79.183.71.69

That's all the info I have on him.

Title: Re: Hidden miner software? http://www.bitcoindriveprice.com/
Post by: SgtMoth on February 09, 2014, 08:36:38 AM

bounty offered

got it from here http://www.reddit.com/r/Bitcoin/comments/1xdg60/heads_up_thebitcoinnewscom_is_hosting_a_fake/
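A parser for the log excerpt SgtMoth posted above, added here as an example (not from SgtMoth or the pool operator), that rebuilds a UTC timeline across the day boundary and ties the login IP to the failed and successful withdrawal that followed it. The log text is copied from the post; the line format (date header lines, then `HH:MM:SS.mmm [thread] LEVEL logger - message`) is inferred from those five lines only.

```python
import re
from datetime import datetime, timezone

# Log excerpt exactly as posted above (times are UTC per the post).
LOG_TEXT = """2014.01.30:
23:58:24.237 [qtp1093804284-39801] INFO code.lib.BitMinterOpenIDVendor - User SgtMoth logged in from 79.183.71.69 with OpenID handle https://www.google.com/accounts/o8/id?id=AItOawl3gwngW02OnsMjL4IaoZrIORTLQxh9MxQ
23:59:23.603 [qtp1093804284-39901] INFO code.snippet.Cashouts - SgtMoth (from 79.183.71.69) set new NMC auto cash out settings. Threshold 1991.00000000 Address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2 Enable: on
23:59:51.711 [qtp1093804284-39787] INFO code.snippet.Send - Not enough funds! SgtMoth tried to send 374.04698537 NMC to address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2
2014.01.31:
00:00:06.181 [qtp1093804284-39785] INFO code.snippet.Send - SgtMoth sent 374 NMC to address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2
"""

DATE_RE = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2}):$")
ENTRY_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{3}) \[([^\]]+)\] (\w+) (\S+) - (.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SEND_RE = re.compile(r"(Not enough funds! )?(\w+) (?:tried to send|sent) ([\d.]+) NMC to address (\w+)")

def parse_log(text):
    """Turn date-header + entry lines into events with full UTC timestamps."""
    events, day = [], None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:                      # a header line sets the date for what follows
            day = tuple(int(x) for x in m.groups())
            continue
        m = ENTRY_RE.match(line)
        if not m or day is None:   # skip junk and entries with no date context
            continue
        hh, mm, ss, ms, thread, level, logger, msg = m.groups()
        ts = datetime(*day, int(hh), int(mm), int(ss), int(ms) * 1000, tzinfo=timezone.utc)
        events.append({"ts": ts, "thread": thread, "logger": logger, "msg": msg})
    return events

def summarise(events):
    """Collect source IPs and withdrawal attempts, marking which ones succeeded."""
    ips, attempts = set(), []
    for e in events:
        ips.update(IP_RE.findall(e["msg"]))
        s = SEND_RE.search(e["msg"])
        if s:
            failed, user, amount, addr = s.groups()
            attempts.append({"ts": e["ts"], "user": user, "amount": float(amount),
                             "address": addr, "ok": failed is None})
    span = (events[-1]["ts"] - events[0]["ts"]).total_seconds() if events else 0.0
    return {"ips": sorted(ips), "attempts": attempts, "span_seconds": span}
```

The summary is what you would hand to the IP owner's abuse desk with the whois result: one source address, the destination address, and a login-to-cashout window of under two minutes.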