Bitcoin Forum

Other => Beginners & Help => Topic started by: Accardo on February 25, 2022, 12:27:22 PM



Title: How can I get over clip board malware attack?
Post by: Accardo on February 25, 2022, 12:27:22 PM
Hello, everyone, I think the malware attack is getting rampant and would want to know a better means of absenting myself from being a victim. Regarding some articles I've read about clipboard manager and how so many other malware except the clipboard malware attack still access the clipboard if a user opens an Email attachment, it's relevant to know some security measures. These malware are turned into apps and get hosted on a remote server, which people can download without knowing that they contain malware.

Looking at the characters of an Address it'll be difficult to memorize and the only option is to copy to the clipboard. My question is if they are other means of getting around this attack except crosschecking the address before sending. Because, sometimes I'm not perfect I'll just send my funds out to the address without crosschecking like everyone else who has something to attend immediately.

Some of the articles I read, include

https://github.com/grepx/android-clipboard-security

He said something about launching the attack and the codes he provided look pretty simple to grasp, showing that the clipboard attack will explode soon on the internet. Especially on Android OS

https://www.microsoft.com/en-us/wdsi/threats/threat-search?query=clipboard

Microsoft listed some other Malwares used by attackers to access information on the computer including the Clipboard manager.

MSDN (https://docs.microsoft.com/en-us/dotnet/visual-basic/developing-apps/programming/computer-resources/storing-data-to-and-reading-from-the-clipboard) gave out some useful codes that'll help one read or write on a Clipboard using Visual Basic.


Title: Re: How can I get over clip board malware attack?
Post by: AB de Royse777 on February 25, 2022, 12:42:41 PM
Looking at the characters of an Address it'll be difficult to memorize and the only option is to copy to the clipboard. My question is if they are other means of getting around this attack except crosschecking the address before sending. Because, sometimes I'm not perfect I'll just send my funds out to the address without crosschecking like everyone else who has something to attend immediately.
1. Stop visiting random sites. Just visit trusted sites
2. When you first visit and register then copy the URL in a note pad file. Every time go to the website by copying the URL from notepad
3. Do not click directly to an email that you were not expecting. The same apply for any link that you receive in social media and other sources too.

These are few things I try to follow to avoid phishing attack.


Title: Re: How can I get over clip board malware attack?
Post by: DaveF on February 25, 2022, 12:55:56 PM
You can always switch to linux for crypto related activity.

If you are going to be using Windows, installing GOOD AV software is a must *and* having something like Malwarebytes as a 2nd layer does help. The security part of Malwarebytes is meh at best but it does do a good job of blocking a lot of malware hosting sites. On top of that, if you don't mind giving up some privacy / anonymity installing MetaMask might help too. It's crap software for holding crypto, but it also does aggressively block a lot of crypto fraud sites too. Not going to those type of sites will really cut down on the chance of crypto clipboard malware.

If money is no object installing real front end security is also a good thing. But getting a SonicWall and the security subscription and a Barracuda Web Security Gateway and its subscription will run into the $1000s and $1000s to start and the annual subscriptions are not cheap either.

-Dave


Title: Re: How can I get over clip board malware attack?
Post by: Beparanf on February 25, 2022, 01:01:09 PM
Malwarebytes and Windows Defender are already enough to counter this kind of malware. These 2 AVs can run at the same time and they also have web/online protection that will warn you whenever you visit a random website. Most of the malware is hidden in random ads on a website and in the zip files available on free downloading sites on the Internet, especially those movie sites.

Always turn on your AV and run a deep scan on a daily basis to make sure your device is free from malware.


Title: Re: How can I get over clip board malware attack?
Post by: HeRetiK on February 25, 2022, 02:35:47 PM
Looking at the characters of an Address it'll be difficult to memorize and the only option is to copy to the clipboard. My question is if they are other means of getting around this attack except crosschecking the address before sending. Because, sometimes I'm not perfect I'll just send my funds out to the address without crosschecking like everyone else who has something to attend immediately.

Keep in mind that while cross-checking you don't need to check the whole address, character for character. Checking the first 5-7 characters at the beginning and / or end of the address should be more than sufficient. The addresses that clipboard malware sneak in usually look nothing like the intended address since they'd have to generate a vanity address on the fly which isn't really feasible.


Title: Re: How can I get over clip board malware attack?
Post by: NeuroticFish on February 25, 2022, 02:39:19 PM
Some of the articles I read

You seem to have missed the spot-on resource for this: How to lose your Bitcoins with CTRL-C CTRL-V (https://bitcointalk.org/index.php?topic=5190776)
All in all, as usual, the best protection is you: check thoroughly if the copied address and the pasted address are indeed identical. As simple as that.


Title: Re: How can I get over clip board malware attack?
Post by: Accardo on February 25, 2022, 08:27:21 PM
Some of the articles I read

You seem to have missed the spot-on resource for this: How to lose your Bitcoins with CTRL-C CTRL-V (https://bitcointalk.org/index.php?topic=5190776)
All in all, as usual, the best protection is you: check thoroughly if the copied address and the pasted address are indeed identical. As simple as that.

Thank you for sharing. The thread summarized it all and I got the idea I need like the Don't use Windows aspect of it. Windows have a lot of loopholes that makes it easier for attackers to get hold of people's computer. I'll just have to abide by the instructions. 


Title: Re: How can I get over clip board malware attack?
Post by: BitMaxz on February 25, 2022, 11:04:05 PM

Thank you for sharing. The thread summarized it all and I got the idea I need like the Don't use Windows aspect of it. Windows have a lot of loopholes that makes it easier for attackers to get hold of people's computer. I'll just have to abide by the instructions.  

Actually, the guide only guides you on how to copy the address carefully and check the pasted address 3 times.

For those who don't know how to use Linux and want to stay using Windows, it's recommended to have antivirus; in my experience I have never been infected with a clipboard virus.
Having both Kaspersky and Malwarebytes is a pretty amazing tool to protect my machine from any threat almost 8 or 10 years of using it and always updated database to new viruses.

If you know how to use Linux then go use it but if not want to stay in Windows I suggest you disable Windows Defender and install Kaspersky instead which is much better protecting the PC from any attacks. I have experience with Windows Defender before and tried to any some files infected with viruses but it's not detected by WD.


Title: Re: How can I get over clip board malware attack?
Post by: Husna QA on February 25, 2022, 11:59:57 PM
Thank you for sharing. The thread summarized it all and I got the idea I need like the Don't use Windows aspect of it. Windows have a lot of loopholes that makes it easier for attackers to get hold of people's computer. I'll just have to abide by the instructions.  
Even if you can't leave Windows OS, make sure your OS is updated frequently. Install the antivirus as suggested above and update it regularly. For cryptocurrency asset storage, I suggest you use a hardware wallet. I even have a habit of always double-checking the address on the hardware wallet when sending coins.


Title: Re: How can I get over clip board malware attack?
Post by: NeuroticFish on February 26, 2022, 10:42:37 AM
I suggest you use a hardware wallet. I even have a habit of always double-checking the address on the hardware wallet when sending coins.

While hardware wallet is not a bad advice, one has to carefully double check the addresses whether he's using it or not.
What I also mean is that HW may give a false sense of security, while it doesn't actually help (directly) against clipboard malware.


Title: Re: How can I get over clip board malware attack?
Post by: o_e_l_e_o on February 26, 2022, 11:18:02 AM
Because, sometimes I'm not perfect I'll just send my funds out to the address without crosschecking like everyone else who has something to attend immediately.
It takes 10 seconds to double check an entire address.  Even if you are in a rush for your transaction to be confirmed, the chances of a block being found in those few seconds are low, and even if it was, your transaction probably wouldn't have spread through the network and in to relevant mempools and candidate blocks fast enough to make a difference. Your transaction will almost certainly be confirmed at the exact same time whether or not you double check the address, so there is no excuse for not doing it.

You can keep your OS updated, download every piece of antivirus software there is, and all the rest of it, and still fall victim to this malware. The only 100% protection is to accurately double check the address against the source after you have copy and pasted it. It takes 10 seconds. Just do it.

Checking the first 5-7 characters at the beginning and / or end of the address should be more than sufficient. The addresses that clipboard malware sneak in usually look nothing like the intended address since they'd have to generate a vanity address on the fly which isn't really feasible.
There are definitely some pieces of malware out there which pick addresses from a pre-generated database which have matching characters at the start and/or end to trip up people who only check a few characters. As time goes on and technology continues to develop, this problem will only get worse. If you are going to check 5 characters at the start and the end anyway, it is absolutely trivial to just check the whole address.
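The difference between checking a few characters and checking the whole address, as an added example that is not part of any post in this thread. The function names are hypothetical and both sample strings are constructed placeholders, not valid Bitcoin addresses; the second one is built to share its first and last five characters with the first.

```python
"""Compare a first/last-N address check with a full comparison (added example)."""

# Constructed placeholders shaped like addresses; NOT real or valid addresses.
EXPECTED = "1Abc9" + "CONSTRUCTEDsourceADDRESS" + "x7Yz2"
LOOKALIKE = "1Abc9" + "CONSTRUCTEDswappedADDRES" + "x7Yz2"


def normalize(addr: str) -> str:
    # Drop whitespace that copy/paste tends to add. Case is left alone
    # because Base58 addresses are case-sensitive.
    return "".join(addr.split())


def partial_match(expected: str, pasted: str, n: int = 5) -> bool:
    """The shortcut check: only the first n and last n characters."""
    e, p = normalize(expected), normalize(pasted)
    return e[:n] == p[:n] and e[-n:] == p[-n:]


def full_match(expected: str, pasted: str) -> bool:
    """Whole-string comparison of source address and pasted address."""
    return normalize(expected) == normalize(pasted)


def first_difference(expected: str, pasted: str):
    """Index of the first differing character, or None if identical."""
    e, p = normalize(expected), normalize(pasted)
    for i, (a, b) in enumerate(zip(e, p)):
        if a != b:
            return i
    # Same up to the shorter length: differ only if one is longer.
    return None if len(e) == len(p) else min(len(e), len(p))


def chunked(addr: str, size: int = 4) -> str:
    """Split an address into groups so a human can compare it group by
    group against an independent display (e.g. a hardware wallet screen)."""
    a = normalize(addr)
    return " ".join(a[i:i + size] for i in range(0, len(a), size))


def verify(expected: str, pasted: str, n: int = 5) -> dict:
    """Run both checks and report where the strings diverge."""
    return {
        "partial_check_passes": partial_match(expected, pasted, n),
        "full_check_passes": full_match(expected, pasted),
        "first_difference": first_difference(expected, pasted),
        "expected_chunks": chunked(expected),
        "pasted_chunks": chunked(pasted),
    }


if __name__ == "__main__":
    for key, value in verify(EXPECTED, LOOKALIKE).items():
        print(f"{key}: {value}")
```

Running this on the same machine that did the paste only compares two strings that machine reports; the chunked output is meant to be read against the address shown at the source or on a separate device.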


Title: Re: How can I get over clip board malware attack?
Post by: NotATether on February 26, 2022, 12:14:53 PM
You can always switch to linux for crypto related activity.

Linux is not going to protect you from clipboard malware that's written for it. It's only going to make it slightly easier to remove (Windows, being the dinosaur it is, hides a lot of internal stuff inside the Registry and machine-readable files that's nigh-impossible to clean up save by reinstalling).


Title: Re: How can I get over clip board malware attack?
Post by: Accardo on February 26, 2022, 10:34:40 PM

You can keep your OS updated, download every piece of antivirus software there is, and all the rest of it, and still fall victim to this malware. The only 100% protection is to accurately double check the address against the source after you have copy and pasted it. It takes 10 seconds. Just do it.


Yes, I went through a thread on a Microsoft special interest board that talks about the vulnerability of windows OS on clipboard snooping. The question was to know if the antivirus actually get rid of the attack. But, the answer was centered on the fact that it helps reduce the possibility of such attack but, cannot prevent it entirely because of the loopholes on computers that use Microsoft OS. I think Microsoft is not a better choice for someone that wants to stay safe from such attack.

You can check the thread below
https://answers.microsoft.com/en-us/protect/forum/all/how-to-protect-ourselves-from-clipboard-snooping/5af0be93-f4fc-4034-a305-7e8045dda2f2


Title: Re: How can I get over clip board malware attack?
Post by: Husna QA on February 26, 2022, 11:22:27 PM
While hardware wallet is not a bad advice, one has to carefully double check the addresses whether he's using it or not.
What I also mean is that HW may give a false sense of security, while it doesn't actually help (directly) against clipboard malware.
The hardware wallet function is not as an antivirus. So first I suggest this:

-snip- make sure your OS is updated frequently. Install the antivirus as suggested above and update it regularly. -snip-

Linux is not going to protect you from clipboard malware that's written for it. -snip-
Yes, but currently, the target of the clipboard malware is Windows OS users. I have not encountered any cases of Linux being attacked by this malware. I'm also a macOS user and so far haven't encountered any cases of clipboard malware as in Windows OS.

-snip- always double-checking the address -snip-


Title: Re: How can I get over clip board malware attack?
Post by: PrimeNumber7 on February 27, 2022, 09:42:07 PM
Because, sometimes I'm not perfect I'll just send my funds out to the address without crosschecking like everyone else who has something to attend immediately.
It takes 10 seconds to double check an entire address. 
I would point out that if malware is able to change the content of your clipboard, it is also possible the malware can change what is displayed on your screen. So unless you are using a device that is insulated from any malware your internet-connected computer may have, such as an HW wallet, or an air-gapped computer, checking the entire address will not do much good against malware.

It is however a good practice to double-check the entire address before finalizing a transaction, in case you copied the wrong address, or didn't actually copy anything when you already had another address in your clipboard.


Title: Re: How can I get over clip board malware attack?
Post by: dkbit98 on February 27, 2022, 10:13:02 PM
Linux is not going to protect you from clipboard malware that's written for it. It's only going to make it slightly easier to remove (Windows, being the dinosaur it is, hides a lot of internal stuff inside the Registry and machine-readable files that's nigh-impossible to clean up save by reinstalling).
I never heard of a single clipboard malware for Linux operating system, I even searched the web to find more information about that, but without any result.
It doesn't mean it's impossible to make something like this but chances for this to happen are much lower than for WiNd0ws or Mac OS.
Few years ago I was testing some alternative clipboard manager software for windows, but I don't remember the name of that program that was just running in the background.
One more thing that is connected with clipboard are keyloggers, and protection for this is using encryption tools, so anything you type on keyboard will be protected.
This would be a good idea for win-addicts and lazy people, but not really needed if you use separate offline computer for crypto.


Title: Re: How can I get over clip board malware attack?
Post by: o_e_l_e_o on February 28, 2022, 08:35:55 AM
I would point out that if malware is able to change the content of your clipboard, it is also possible the malware can change what is displayed on your screen.
And malware could also just lift your private keys straight out of your wallet as soon as you unlock it if you aren't using a hardware wallet or airgapped wallet. Or just feed it a malicious transaction straight off, like the fake versions of Electrum did. But these kinds of malware are far rarer than clipboard malware, as is any malware which changes what appears on your screen.

The fact remains that clipboard malware is relatively common, and it takes 10 seconds to fully check an address. It is irresponsible to do anything less.


Title: Re: How can I get over clip board malware attack?
Post by: PrimeNumber7 on March 01, 2022, 05:42:40 PM
I would point out that if malware is able to change the content of your clipboard, it is also possible the malware can change what is displayed on your screen.
And malware could also just lift your private keys straight out of your wallet as soon as you unlock it if you aren't using a hardware wallet or airgapped wallet. Or just feed it a malicious transaction straight off, like the fake versions of Electrum did. But these kinds of malware are far rarer than clipboard malware, as is any malware which changes what appears on your screen.

The fact remains that clipboard malware is relatively common, and it takes 10 seconds to fully check an address. It is irresponsible to do anything less.
Yes, as I mentioned in my previous post, it is a good practice to check the address before signing a transaction.

If someone knows or believes their computer is infected with malware, I would advise them to not trust any output their computer gives them, including information displayed on their screen.


Title: Re: How can I get over clip board malware attack?
Post by: ANSEL_2.0 on March 02, 2022, 12:57:26 PM
This happened to me once but got saved because I like checking the last three alphabet at the end of my address most times, I wasn't able to get rid of this malware or whatever it is until I reformatted my hard disk.


Title: Re: How can I get over clip board malware attack?
Post by: Ryker1 on March 02, 2022, 01:23:57 PM
This happened to me once but got saved because I like checking the last three alphabet at the end of my address most times, I wasn't able to get rid of this malware or whatever it is until I reformatted my hard disk.
Well checking the sending and receiving any crypto address before sending your coins is very important, the first 3 digits and the last 3 digits would help you to determine if still using your crypto address and make sure you copied it right.
However, to avoid this problem, just regularly check your computer or any device that was used to know if it is affected by the malware attack.


Title: Re: How can I get over clip board malware attack?
Post by: Luzin on March 02, 2022, 01:34:07 PM
So far I've experienced windows. It's purely my fault, downloading free apps and installing them on my computer from unofficial websites. That's as far as I'm concerned because I don't have enough money to pay for a paid app to get a full license. Don't do stupid things like me.

How do I know this? yes because I always check the wallet address if I want to Deposit or Withdraw. That precision made me safer, because I didn't confirm it right away. It turned out that the virus was in the chrome  add-on, even I had deleted it but it always appeared when my computer turned it back on. The last resort is that I have to clean up my Windows reinstallation. So far for Android I still feel safe.


Title: Re: How can I get over clip board malware attack?
Post by: jerry0 on March 02, 2022, 09:59:43 PM
Is there a way to test if the clipboard malware attack exist on your pc?


I remember i saw a video where a guy would just copy and paste a btc address from notepad to somewhere else as a test and noticed when he did that... it changed.  Of course the first few letters of the btc address was the same so it seems this malware is smart in that it would find the starting letter of the btc address to be similar before it makes the change.


But as long as you copy an address that looks like a btc address to say another part on the computer, whether its an address in an exchange, notepad or even google search, as long as it doesn't change it... your computer do not have that clipboard malware? 


Title: Re: How can I get over clip board malware attack?
Post by: Husna QA on March 03, 2022, 02:18:26 AM
Is there a way to test if the clipboard malware attack exist on your pc?
For Windows OS users (Windows 10 and above), use the shortcut Windows key + V to view the Clipboard. In the list that appears on the Clipboard, you can first check whether the BTC address previously copied is correct or not.

But as long as you copy an address that looks like a btc address to say another part on the computer, whether its an address in an exchange, notepad or even google search, as long as it doesn't change it... your computer do not have that clipboard malware? 
Yes, because if a computer has clipboard malware, the pasted data is different from the copied data.


Title: Re: How can I get over clip board malware attack?
Post by: Daodex on March 04, 2022, 09:30:30 AM
1. Don't visit website with http link which is not a secured connection, a secured one should be in https format.

2. Don't make crypto transactions on your PC I find phone to be less prone to malwares

I've stopped running wallets on windows OS pc the risks you go through every day by day is high.


Title: Re: How can I get over clip board malware attack?
Post by: DdmrDdmr on March 04, 2022, 10:02:27 AM
1. Don't visit website with http link which is not a secured connection, a secured one should be in https format. <…>
That’s really an often stated misconception. The "s" (secure) part will imply that the data you transmit to and from the site will be encrypted, but it does nothing else but give a false sense of security when it comes to the likeliness of dealing with a site that can provide malware through some kind of download, or else other malware or intent in wrongdoing. An SSL certificate is pretty cheap to obtain, and there are multiple scam, phishing, you name it type sites that resort to it, simply because of the wrong sense of security it bears.


Title: Re: How can I get over clip board malware attack?
Post by: jerry0 on March 04, 2022, 06:03:30 PM
So is it possible for you to copy and paste a btc address ready to send and the clipboard malware changes it... but if you copy and paste a btc address to say notepad or address bar on chrome ... and it doesn't change it?


Also what if it looks like a btc address but it has much less characters or more characters?   Could the clipboard malware recognize it such as okay this is over 80 characters long... this is not a btc address?


Also I keep hearing about only btc and eth when it comes to the clip board malware attack.  But what about other coins though?  Imagine you had some coin that is worth little and most people haven't even heard of.  What happens there?


Title: Re: How can I get over clip board malware attack?
Post by: PrimeNumber7 on March 05, 2022, 03:18:48 AM
Is there a way to test if the clipboard malware attack exist on your pc?
You can try sending a large amount of coin via copying an address and see if the transaction goes to the right place.

It is really not possible to know if you have been infected with malware with absolute certainty.


Quote
But as long as you copy an address that looks like a btc address to say another part on the computer, whether its an address in an exchange, notepad or even google search, as long as it doesn't change it... your computer do not have that clipboard malware? 
No. If you are infected with malware, you cannot trust any output that your computer produces. This includes any displayed information. There is the risk that malware will change what is on your clipboard and will continue to display the address on your monitor but will change what is transmitted to any website.


Title: Re: How can I get over clip board malware attack?
Post by: o_e_l_e_o on March 05, 2022, 11:19:25 AM
1. Don't visit website with http link which is not a secured connection, a secured one should be in https format.
There is absolutely no good reason to not have HTTPS Everywhere (https://www.eff.org/https-everywhere) installed in your browser and running at all times. If you are using Firefox or Tor (which you should be), then you can also just go to Settings -> Privacy & Security and check the box for "Enable HTTPS-Only Mode in all windows". But as DdmrDdmr says, this encrypts your communications with your destination, protecting against interception and man in the middle attacks. If the destination you are connecting to is malicious, then your communication with that malicious site will be encrypted, which offers absolutely no protection to you as the end user. So in short, you should always use HTTPS, but it doesn't guarantee security by any means.

2. Don't make crypto transactions on your PC I find phone to be less prone to malwares

I've stopped running wallets on windows OS pc the risks you go through every day by day is high.
Well, your issue with PCs is a Windows problem rather than a PC problem.

So is it possible for you to copy and paste a btc address ready to send and the clipboard malware changes it... but if you copy and paste a btc address to say notepad or address bar on chrome ... and it doesn't change it?
There's no inherent reason that malware couldn't detect where you are pasting the address and selectively change it based on this information.

Also what if it looks like a btc address but it has much less characters or more characters?   Could the clipboard malware recognize it such as okay this is over 80 characters long... this is not a btc address?
Absolutely.

Also I keep hearing about only btc and eth when it comes to the clip board malware attack.  But what about other coins though?  Imagine you had some coin that is worth little and most people haven't even heard of.  What happens there?
There's nothing stopping someone creating clipboard malware for any coin in existence.


Title: Re: How can I get over clip board malware attack?
Post by: jerry0 on March 05, 2022, 07:10:03 PM
Would a hacker really use their time to create clipboard malware for something like greencoin or bluecoin?  How long would that even take?  So owning certain coins would prevent you from clipboard malware then?




Title: Re: How can I get over clip board malware attack?
Post by: o_e_l_e_o on March 05, 2022, 07:51:18 PM
Would a hacker really use their time to create clipboard malware for something like greencoin or bluecoin?
No one can profess to know the motivation of every person in the world responsible for coding malware, but if there is potential profit to be had, then someone is likely to attempt it. Bear in mind that most shitcoins are just tokens on another blockchain, though, so a piece of malware which swaps Ethereum addresses for example will be able to steal thousands of useless tokens too.

How long would that even take?
Take existing malware, swap out BTC address detection for *insert coin* address detection, swap out BTC address insertion for *insert coin* address insertion, done. Probably under 2 minutes.

So owning certain coins would prevent you from clipboard malware then?
No, checking your addresses properly and having good browsing habits which prevent you from being infected by malware in the first place will protect you from clipboard malware.


Title: Re: How can I get over clip board malware attack?
Post by: HeRetiK on March 06, 2022, 12:38:54 AM
How long would that even take?
Take existing malware, swap out BTC address detection for *insert coin* address detection, swap out BTC address insertion for *insert coin* address insertion, done. Probably under 2 minutes.

At this point I'd assume that your run-of-the-mill clipboard malware comes with multi-coin support. Once a victim is compromised there's no reason not to check against multiple address formats for whatever coins may be profitable.


Title: Re: How can I get over clip board malware attack?
Post by: PrimeNumber7 on March 06, 2022, 09:38:50 PM
Would a hacker really use their time to create clipboard malware for something like greencoin or bluecoin?  How long would that even take?  So owning certain coins would prevent you from clipboard malware then?
A good developer will make any software they create very flexible. So it should be trivial to adjust any malware that is well-written if some new coin became popular.

It is also possible that malware is written in a way such that it does not specifically look for "bitcoin" private keys, but rather looks for what resembles private keys (this might not be specifically relevant to clipboard malware).

I would also make the general statement that if a coin is not popular enough for people to write malware to try to steal, there is a good chance that coin is not very valuable.