Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Nefario on March 22, 2012, 06:28:02 PM



Title: Security warning: trojan stealing coins, swapping C&P addresses
Post by: Nefario on March 22, 2012, 06:28:02 PM
I'm after being in contact with one of GLBSE's users whose funds didn't seem to show up. After more investigation we discovered that he has a trojan/malware.

The malware recognises any bitcoin addresses that are copied and replaces them with a new address. When you copy an address from the service you're using (GLBSE.com, Intersango.com) to your bitcoin client to transfer your coins, the malware replaces it with the scam address, so that your coins are sent to the hacker.

When I have more details on the software involved/responsible I will update; in the meantime, make sure to double-check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Nefario


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: Remember remember the 5th of November on March 22, 2012, 06:35:43 PM
Quote
I'm after being in contact with one of GLBSE's users whose funds didn't seem to show up. After more investigation we discovered that he has a trojan/malware.

The malware recognises any bitcoin addresses that are copied and replaces them with a new address. When you copy an address from the service you're using (GLBSE.com, Intersango.com) to your bitcoin client to transfer your coins, the malware replaces it with the scam address, so that your coins are sent to the hacker.

When I have more details on the software involved/responsible I will update; in the meantime, make sure to double-check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Nefario

Figures, Linux is not nearly exploitable.


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: RodeoX on March 22, 2012, 06:38:55 PM
So am I correct in assuming that a countermeasure could be verifying the address before sending? Or does it make the change in a way that is not visible to the user?


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: Kaos on March 22, 2012, 06:45:56 PM
What's the dodgy bitcoin address? Is it static or does it change every time?!


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: Nefario on March 22, 2012, 06:48:59 PM
Quote
Anyway, what it did is when I copied the BTC address from your site in a browser and pasted it to my account on btc-e in another browser tab to request a withdrawal, it would paste a different address. I didn't notice it till today. It was in a link on bitcointalk.org for an optimized miner, so I downloaded the miner and ran it. Nothing happened, so I just ignored it and didn't think anything of it until now.

From the user.

It's a new address each time.

I believe that visually verifying the address will protect against this.

The addresses so far:
17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd
14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: DeathAndTaxes on March 22, 2012, 07:04:09 PM
I mean, that sucks, but on the other hand I've got to say: awesome to the malware writer. Get the user to send coins to the wrong address. No need to keylog, hack the client, look for wallet.dat, spoof RPC, etc. Just get the user to send you money.



Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: Stephen Gornick on March 22, 2012, 07:04:58 PM
Quote
When I have more details on the software involved/responsible I will update; in the meantime, make sure to double-check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Possibly related:
 - http://stackoverflow.com/questions/400212/how-to-copy-to-the-clipboard-in-javascript


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: MysteryMiner on March 22, 2012, 10:52:58 PM
Trojans that replace the filled-in data for bank transfers have been around for at least 4 years. Adopting such a system for Bitcoin is a no-brainer.

I was looking for an exploit to copy an address to the clipboard using JavaScript, but it did not work with Firefox without user intervention. I abandoned the idea.


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: foggyb on March 22, 2012, 11:25:17 PM
Quote
I mean, that sucks, but on the other hand I've got to say: awesome to the malware writer. Get the user to send coins to the wrong address. No need to keylog, hack the client, look for wallet.dat, spoof RPC, etc. Just get the user to send you money.

I've been WONDERING when the first hacker would do this. It's so obvious.


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: drakahn on March 22, 2012, 11:27:32 PM
Quote
Anyway, what it did is when I copied the BTC address from your site in a browser and pasted it to my account on btc-e in another browser tab to request a withdrawal, it would paste a different address. I didn't notice it till today. It was in a link on bitcointalk.org for an optimized miner, so I downloaded the miner and ran it. Nothing happened, so I just ignored it and didn't think anything of it until now.

From the user.

It's a new address each time.

I believe that visually verifying the address will protect against this.

The addresses so far:
17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd
14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ

Any info on what the optimised miner was? Or a link to the thread?


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: Nefario on March 22, 2012, 11:47:11 PM
No I've not heard back.


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: foggyb on March 23, 2012, 12:09:35 AM
Quote
Anyway, what it did is when I copied the BTC address from your site in a browser and pasted it to my account on btc-e in another browser tab to request a withdrawal, it would paste a different address. I didn't notice it till today. It was in a link on bitcointalk.org for an optimized miner, so I downloaded the miner and ran it. Nothing happened, so I just ignored it and didn't think anything of it until now.

From the user.

It's a new address each time.

I believe that visually verifying the address will protect against this.

The addresses so far:
17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd
14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ

Is it possible for malicious code to detect a <mousebutton-down> event on a send dialog box, then insert the hacker's address a millisecond later? In such a case, visual verification may not thwart the attack.

A 'lock address' function could help. The address locks the moment it is pasted into the field. No unlock (except cancel).


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: payb.tc on March 23, 2012, 12:25:48 AM
Quote
A 'lock address' function could help. The address locks the moment it is pasted into the field. No unlock (except cancel).

or just a regular confirmation dialog... Are you sure you want to send 1 million bitcoins to 1ffjfitetwrexjf...? YES / NO


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: marked on March 23, 2012, 12:27:46 AM

Quote
Any info on what the optimised miner was? Or a link to the thread?

neheminer 2.0 is currently believed to be the miner; discussion is now on btc-e chat.

marked


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: drakahn on March 23, 2012, 12:29:04 AM

Quote
Any info on what the optimised miner was? Or a link to the thread?

neheminer 2.0 is currently believed to be the miner; discussion is now on btc-e chat.

marked

I know... I'm the one discussing, lol

http://xml.ssdsandbox.net/view/91c66258f4294c95a77a6aaa8ef3ec39

It reads your wallet.dat as well, so if you notice this, make sure to make a new wallet for your coins.


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: Nefario on March 23, 2012, 12:37:27 AM

Quote
Any info on what the optimised miner was? Or a link to the thread?

neheminer 2.0 is currently believed to be the miner; discussion is now on btc-e chat.

marked

That's funny, the affected user was sent to me from btc-e.


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: marked on March 23, 2012, 01:01:27 AM
Quote
I know... I'm the one discussing, lol

http://xml.ssdsandbox.net/view/91c66258f4294c95a77a6aaa8ef3ec39

It reads your wallet.dat as well, so if you notice this, make sure to make a new wallet for your coins.

Oops, didn't see far enough back to see you were already there talking about it.

marked


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: finway on March 23, 2012, 03:48:33 AM
Check address.


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: CIYAM on March 23, 2012, 04:00:59 AM
Quote
A 'lock address' function could help. The address locks the moment it is pasted into the field. No unlock (except cancel).

or just a regular confirmation dialog... Are you sure you want to send 1 million bitcoins to 1ffjfitetwrexjf...? YES / NO

Unfortunately it's fairly easy to write software to send a Yes/No the instant the confirmation dialog appears (I built a tool for doing this in order to get around some shareware nags years ago).


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: dayfall on March 23, 2012, 04:44:21 AM
Perhaps someone could code vhash into their webpage and into a client.


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: Kluge on March 23, 2012, 05:13:14 AM
Hm. Glad I double-check the entire address before sending out of habit (originally, I didn't know Satoshi Client checks for address validity, and always worried I would accidentally not copy the entire address). [subbed]
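
Kluge's point above, that the Satoshi client checks address validity, is worth pinning down: the substitute address the trojan pastes is itself a well-formed address, so a checksum check alone cannot catch the swap. The example below is added here and is not code from the thread or from any wallet; it decodes Base58Check the way a client does and shows that the useful check is comparing the pasted string with the one the user intended to copy. The two sample addresses are the well-known genesis-block coinbase address and the Bitcoin wiki's example address, standing in for a legitimate and a substituted address.

```python
import hashlib

# Bitcoin's Base58 alphabet (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Sample input for the demonstration (well-known public addresses, not the
# thread's indicators): the genesis-block address plays the address the user
# copied, the Bitcoin wiki's example address plays the trojan's substitute.
INTENDED_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SWAPPED_ADDR = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_address(addr: str) -> bool:
    """Base58Check validation as a wallet does it: 1 version byte + 20-byte
    hash160 + 4-byte checksum, where checksum = SHA256(SHA256(payload))[:4]."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def check_paste(intended: str, pasted: str) -> tuple:
    """Decide whether a pasted address may be used, given the address the user
    meant to send to. Returns (ok, reason)."""
    if not is_valid_address(pasted):
        return False, "pasted address fails Base58Check; it was mangled in transit"
    if pasted != intended:
        # Both strings validate, so a checksum check alone cannot tell them apart.
        return False, "pasted address is valid but differs from the copied one: suspected clipboard swap"
    return True, "pasted address matches the one copied"


if __name__ == "__main__":
    for pasted in (INTENDED_ADDR, SWAPPED_ADDR):
        print(is_valid_address(pasted), check_paste(INTENDED_ADDR, pasted))
```

Both sample addresses pass `is_valid_address`, which is exactly why a wallet's validity check gives no protection here; only `check_paste`, which knows what the user copied, rejects the substitute.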


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: phelix on March 23, 2012, 10:44:49 AM
subscribing

another argument pro aliases


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: rdponticelli on March 23, 2012, 10:56:52 AM
Quote
another argument pro aliases

And another reason not to use Windows with valuable data...


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: MysteryMiner on March 23, 2012, 11:04:31 AM
Quote
another argument pro aliases

And another reason not to use Windows with valuable data...

Any other OS is just as vulnerable to trojan horses if users install the horses themselves.


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: foggyb on March 23, 2012, 12:51:59 PM
Quote
another argument pro aliases

And another reason not to use Windows with valuable data...

300 million Windows 7 users are not going to switch to Linux. The Windows bitcoin client should be hardened as much as possible against these kinds of attacks, because Windows users are by far the largest demographic. We need them if bitcoin is to succeed.


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: rdponticelli on March 24, 2012, 04:21:00 PM
Quote
another argument pro aliases

And another reason not to use Windows with valuable data...

Any other OS is just as vulnerable to trojan horses if users install the horses themselves.

True. But almost every horse out there is targeting Windows users. So, at least by now, being out of it is being safer...

And the diversity and complexity of the free software ecosystem also makes it more difficult to make horses which work out of the box on every setup. Some users will choose GNOME, some KDE, some Unity, some Fluxbox, and so on... It's not that easy to write exploits which would work with every possible setup...

Quote
300 million Windows 7 users are not going to switch to Linux. The Windows bitcoin client should be hardened as much as possible against these kinds of attacks, because Windows users are by far the largest demographic. We need them if bitcoin is to succeed.

Of course, and developers are working hard on this. And hopefully, P2SH will be a step in that direction. But people have to know that they have safer choices...


Title: Re: Security warning: trojan stealing coins, swapping C&P addresses
Post by: John (John K.) on March 31, 2012, 09:29:47 AM
Here's the guy: https://bitcointalk.org/index.php?topic=74828.msg828719;boardseen#new