Bitcoin Forum

I just got an email. Here is the content:
Hey Bro , i got wallet bitcoin , but i don't know how can i used it .. he have 5.63 BTC ..  please try with it and let me know if you done it

Attachment: wallet.dat [23k]



What do you guys think?

Can't believe that someone won't know what to do with 5.63btc

This is almost certainly malware. Delete it.

Thanks. Just deleted it.

If you know how to handle malware files safely (sandboxing, never executing stuff, extracting zip archives with safe tools etc.) you might be able to see what kind of bad dope you got there.
It's most likely an executable whose file extension has been hidden by the infamous Windows "hide known extensions" misfeature.

Onkel Paul

Really don't know how to sandbox it. I just deleted the whole email.

If it really is named wallet.dat, then I don't think there is anything to fear. My guess is that it will have no bitcoins and the scammer will ask you to send bitcoins to it as a test. Then he will take the bitcoins you sent. If you want to be safe, you can import the wallet.dat into a brand new blockchain.info wallet.

I really don't want to take any chances with Trojans and malwares.

I think you're right, wallet.dat itself can't be executed because .dat is not an executable file format like .exe, .com.

I also doubt there is some code in that file that would cause an overflow in a bitcoin wallet client but maybe indeed just to let you import it and don't know how to switch (back) to your own wallet so you're using that wallet and at the same time they have access to that wallet, or can't one wallet be used on multiple systems? (actually never tested that).

Take care,

Darkster

Just delete and move on. Why do people waste time on these things? Its not like someone is really trying to give you any coins. If its not malware its a scam of another kind. Maybe the malware comes later once he's got your confidence.

DELETE!!

sandbox it ... open it in a virtual machine ( bastion host concept  ::) - old schoolz guys lang http://www.sans.org/security-resources/idfaq/bastion.php ), you can also save the machine state and back track.... that's what security researches do.

Why would you waste time on something that is clearly a scam? Just curious ;)

Because that's what security researches do, they need to understand the attacker mindset ;) ... I'm not involved
in that kind of security research anymore. I remember years ago when I got bit engaged with metasploit project ( at ruby gem rex phase, Good times so much funny as well.... when Yukihiro Matsumoto was trying to translate lambdas, "move forward or die" LOL I know hard to understand long history but was very funny at the time :D )

Well, HDM (I also send donation to his hacker foundation ) remember he was spend loads of time just sanitizing crap code ... He was looking for patterns, attacker's thoughts, etc ... and yes sometimes we need to record his talk burn a LP Vinyl Record and playback in 33rpm (Recordsand)   

7th sphere, mean rapid7
http://youtu.be/x3-zKXiTpLE

nice haircut HD  ;D

Cool. But he's just a dude, not a security analyst. He's going to learn nothing, just waste time, and possibly infect his system.

oh yes, ok. I agree with you. ;)

Not sure about that.  First, no 'possibly infect his system' if using a virtual machine, or if infecting the virtual, scratch it and boot another, then infecting is proven.  Nature of the scam could be valuable knowledge, advance warning to people of some new cryptolocker.

In any case, for someone who does not have prior experience or lots of interest in handling and analyzing malware the proper thing to do is simply deleting the file.
The possibly small gains in knowledge are not worth the effort of setting up a virtual machine environment and all that stuff.

Onkel Paul

Agreed. Don't play with fire. What's he going to learn exactly?