Title: Beware of Increasingly Sophisticated Malware Infection Attempts
Post by: mprep on January 26, 2015, 04:13:37 PM

In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins, so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on VirusTotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering it fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism. Here is the relevant source code (https://github.com/alerj78/lucky7coin/blob/master/src/irc.cpp#L350-364):

Code:
    if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)

Code:
    if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)

Main thread: https://bitcointalk.org/index.php?topic=935898.0
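As an added example (not part of the original post or of the lucky7coin code), the check below mirrors the quoted condition over a node's IRC bootstrap traffic so a defender can spot messages that would satisfy it: the client splits each received line on single spaces into vWords, and the condition fires when the second word is PRIVMSG (what CBuff stands for in the quoted line), the fourth word is exactly ":!", and the sender prefix is longer than one character. The sample log lines, nicks, hosts and channel are constructed; the single-space split is assumed to match the client's ParseString.

```python
from dataclasses import dataclass
from typing import List, Optional

TRIGGER_COMMAND = "PRIVMSG"  # value the quoted CBuff comparison resolves to
TRIGGER_MARKER = ":!"        # fourth word that the quoted condition requires


@dataclass
class Hit:
    sender: str   # IRC prefix without the leading ':'
    target: str   # channel or nick the PRIVMSG was sent to
    payload: str  # text after ":!" that such a hook would act on


def split_words(line: str) -> List[str]:
    """Split on single spaces like ParseString(strLine, ' ', vWords) (assumed)."""
    return line.rstrip("\r\n").split(" ")


def check_line(line: str) -> Optional[Hit]:
    """Return a Hit when the line satisfies the quoted backdoor condition."""
    v = split_words(line)
    if len(v) < 4:
        return None
    if v[1] == TRIGGER_COMMAND and v[3] == TRIGGER_MARKER and len(v[0]) > 1:
        return Hit(sender=v[0].lstrip(":"), target=v[2], payload=" ".join(v[4:]))
    return None


def scan_log(lines: List[str]) -> List[Hit]:
    """Run check_line over captured IRC lines and keep the matches."""
    return [hit for hit in (check_line(line) for line in lines) if hit]


# Constructed sample traffic; only the first line matches the condition.
SAMPLE_LOG = [
    ":evil!u@evil.example PRIVMSG #lucky7 :! uname -a",   # marker word is exactly ":!"
    ":peer!u@host.example PRIVMSG #lucky7 :!help",        # ":!help" is not ":!"
    ":peer!u@host.example PRIVMSG #lucky7 :hello all",    # ordinary chat
    ": PRIVMSG #lucky7 :! id",                            # prefix too short
    "PING :irc.example",                                  # fewer than four words
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"ALERT sender={hit.sender} target={hit.target} payload={hit.payload!r}")
```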