Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: jimbo77 on June 15, 2011, 02:06:44 PM



Title: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: jimbo77 on June 15, 2011, 02:06:44 PM
Just got a warning that I somehow broke forum rules. Looks like a picture link or screenshot. Virus tries to get on computer!


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: slothbag on June 15, 2011, 02:17:47 PM
Yeah, I just got this message also.

I consider myself fairly tech savvy and usually detect these scams, but this looks legit and I clicked the link, lucky my email client opened the exe as a text file instead.

No doubt that sucker is going straight for your wallet.dat

People will lose coins from this!


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: jimbo77 on June 15, 2011, 02:19:38 PM
> Yeah, I just got this message also.
>
> I consider myself fairly tech savvy and usually detect these scams, but this looks legit and I clicked the link, lucky my email client opened the exe as a text file instead.
>
> No doubt that sucker is going straight for your wallet.dat
>
> People will lose coins from this!


Anyone know the details about this particular one to make sure it's completely removed. My virus scanner found something but I want to make sure it got it all!!


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: slothbag on June 15, 2011, 02:24:41 PM
If you ran the program or suspect your PC has been compromised, I would recommend creating a new wallet on a different computer and transferring all your coins to the new address immediately.




Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: ukbitco.in on June 15, 2011, 03:57:21 PM
If you clicked this link and have bitcoin running, or a wallet.dat somewhere on your computer, be quick!

Disconnect computer from the internet immediately!!!!!! (so virus cannot communicate)

Take your wallet.dat with you, find another computer and create a new wallet.

Send coins to new address.





Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: caveden on June 15, 2011, 04:00:13 PM
This is big. Shouldn't this topic be stickied for a while?


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: riX on June 15, 2011, 04:03:32 PM
Could someone post a copy of the .exe for investigation?
Put it in an archive so no one accidentally runs it.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: TheVirus on June 15, 2011, 04:04:53 PM
> This is big. Shouldn't this topic be stickied for a while?

A fool and his money are soon parted. If people are silly enough to click on fake/malicious links then they should take that as a lesson and learn from their mistakes. This is a big flaw in the Bitcoin system and there's no easy way to fix it. Even an encrypted wallet would mean nothing if the wallet is open and the password is stored in memory.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: gst on June 15, 2011, 04:08:43 PM
> This is a big flaw in the Bitcoin system and there's no easy way to fix it.

No - that's not a flaw in Bitcoin. Bitcoin works perfectly fine. If you execute untrusted code on a computer that you use for financial transactions it's your own fault.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: jimbo77 on June 15, 2011, 04:11:35 PM
I'm not an idiot. I didn't click run or save. I thought it was a picture file so I clicked it. Without a warning others will click it!!!!

Text:

Hello

Statements which should not be generally offensive, be excessively repeated or have bad formatting (spam), contain forbidden advertising or political or religious views, not be non-English when English is required, disclose personal data of others, or support any other rule violation.

Proof can be seen at:
http://xxxxxxxxx(added)images4u.hostil.pl/DS***054.jpg

One more warning and your account might be banned.

From Moonshadow~

I saw Moonshadow but didn't really look at the post count.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: TheVirus on June 15, 2011, 04:17:26 PM
> > This is a big flaw in the Bitcoin system and there's no easy way to fix it.
>
> No - that's not a flaw in Bitcoin. Bitcoin works perfectly fine. If you execute untrusted code on a computer that you use for financial transactions it's your own fault.

Not every exploit requires user intervention. There are remote exploits that can be run from an open service or from browsing a website and not clicking anything. It's not hard to grab an IE 6/7/8 JS exploit and run a website with it embedded in there. The user wouldn't notice anything and wouldn't need to click anything. In fact, said exploit can be run from any website, even bitcoin.org if it were hacked. The fact that wallets can be read from without user intervention is an issue and the fact that you can send money from the command line is another issue.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: Nescio on June 15, 2011, 04:25:14 PM
Another one: do not click on any URL shortened link, that also goes for forum posts. It might almost immediately open a legit site, but go through an intermediate infectious redirect.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: Amechan on June 15, 2011, 04:31:50 PM
Sorry I posted about this as well before I saw this thread.

The information I gathered is here:

http://forum.bitcoin.org/index.php?topic=17373.0

Jimbo said that he caught a W32.Induc.A trojan.

But from what I can tell, that is a very specific Delphi-altering script.
Would that only be targeting Bitcoin developers?


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: TheVirus on June 15, 2011, 04:33:22 PM
> Sorry I posted about this as well before I saw this thread.
>
> The information I gathered is here:
>
> http://forum.bitcoin.org/index.php?topic=17373.0
>
> Jimbo said that he caught a W32.Induc.A trojan.
>
> But from what I can tell, that is a very specific Delphi-altering script.
> Would that only be targeting Bitcoin developers?


Yes, a quick hex edit of the file shows it reads wallet.dat.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: Amechan on June 15, 2011, 04:38:19 PM
> > Sorry I posted about this as well before I saw this thread.
> >
> > The information I gathered is here:
> >
> > http://forum.bitcoin.org/index.php?topic=17373.0
> >
> > Jimbo said that he caught a W32.Induc.A trojan.
> >
> > But from what I can tell, that is a very specific Delphi-altering script.
> > Would that only be targeting Bitcoin developers?
>
> Yes, a quick hex edit of the file shows it reads wallet.dat.

Meaning that it would only be useful for stealing wallet.dat files from people who use new software compiled in Delphi, or are more people at risk here?


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: TheVirus on June 15, 2011, 04:53:44 PM
> > > Sorry I posted about this as well before I saw this thread.
> > >
> > > The information I gathered is here:
> > >
> > > http://forum.bitcoin.org/index.php?topic=17373.0
> > >
> > > Jimbo said that he caught a W32.Induc.A trojan.
> > >
> > > But from what I can tell, that is a very specific Delphi-altering script.
> > > Would that only be targeting Bitcoin developers?
> >
> > Yes, a quick hex edit of the file shows it reads wallet.dat.
>
> Meaning that it would only be useful for stealing wallet.dat files from people who use new software compiled in Delphi, or are more people at risk here?


Right, it emails wallet.dat to:

gaehrthsrth@wp.pl
blundcoder@hotmail.com


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: Amechan on June 15, 2011, 05:08:33 PM
Thanks for the information.

Interesting approach. It's nice to know that the vast majority of users here who may have accidentally clicked on the link won't be affected. However, it is disturbing to think that future miner GUIs or similar programs may be compromised.
How easily would anti-virus programs detect such a virus compiled accidentally into a new program?



Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: ius on June 15, 2011, 05:16:16 PM
Actually, the first (wp.pl) address is used to send the wallet (via their SMTP server) - you can send your fan mail to blundcoder@hotmail.com.

The good news is that the password for the SMTP server doesn't seem to work anymore - i.e. no one should be at risk anymore (unless you already opened it before).

This is at least the second time this guy has struck; earlier he promised a miner with increased efficiency. Please stay alert, I'm sure he'll be back (sadly).


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: TheVirus on June 15, 2011, 05:18:05 PM
> Thanks for the information.
>
> Interesting approach. It's nice to know that the vast majority of users here who may have accidentally clicked on the link won't be affected. However, it is disturbing to think that future miner GUIs or similar programs may be compromised.
> How easily would anti-virus programs detect such a virus compiled accidentally into a new program?



Very easy.

Here's the report: http://www.virustotal.com/file-scan/report.html?id=fe4aab0c8e62e3a2a285f9a4a1c7cb8f10fa97fe655ea7aa0b2f71d3e6ff94ca-1308154827

Also, it seems it uses the @wp.pl account as an SMTP relay to send the email to blundcoder@hotmail.com. The @wp.pl account password has been changed (it was in plain text in the virus file) so this virus is now useless as it can no longer send email, it'd just fail to log in.
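A defender-side triage check for the behaviour described in this post (a binary that references wallet.dat and carries an SMTP account with a plaintext password), added here as an example and not code from the thread or from the sample it discusses; the byte blob, host names and e-mail addresses are constructed placeholders, not the real indicators:

```python
import re

# Constructed stand-in for a suspect executable: a few non-printable bytes
# with embedded ASCII strings mimicking what the thread describes (a path to
# wallet.dat, an SMTP host, an AUTH command, a sending account, its password,
# and a recipient). This is NOT the real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"%APPDATA%\\Bitcoin\\wallet.dat\x00"
    + b"\x01\x02smtp.example.invalid\x00"
    + b"AUTH LOGIN\x00"
    + b"relay-account@example.invalid\x00"
    + b"Passw0rd!\x00"
    + b"\xff\xferecipient@example.invalid\x00"
)

# Runs of at least `min_len` printable ASCII bytes, like the `strings` tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_strings(blob):
    """Return the printable ASCII strings embedded in a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def triage(blob):
    """Flag the combination the thread describes: wallet.dat access plus
    an embedded mail channel (SMTP host/command or e-mail addresses)."""
    strings = extract_strings(blob)
    wallet_refs = [s for s in strings if "wallet.dat" in s.lower()]
    emails = sorted({m for s in strings for m in EMAIL.findall(s)})
    smtp = [s for s in strings
            if s.lower().startswith("smtp.") or s.upper().startswith("AUTH ")]
    return {
        "wallet_refs": wallet_refs,
        "emails": emails,
        "smtp_indicators": smtp,
        # Either signal alone is common in benign software; both together
        # in one binary is what merits quarantine and a scanner submission.
        "suspicious": bool(wallet_refs) and bool(emails or smtp),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A positive result here is a reason to quarantine the file and submit it to a scanner such as VirusTotal, not proof of theft on its own.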


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: TheVirus on June 15, 2011, 05:28:21 PM
Here's some more info after a bit of digging:

blundcoder@hotmail.com uses a polish phrase for his security question.
Searching 'blundcoder' returns results from various hacking forums.
One forum post by "BBOYMARIO" has blundcoder@wp.pl in his signature.
BBOYMARIO leads to a mySpace page by someone in Germany named Mario Basta. (Germany and Poland are neighboring countries)

That's all I got.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: jakemates on June 15, 2011, 05:59:09 PM
His name isn't Mario; a quick search on his email reveals him to be Mariusz Stokłosa (http://www.facebook.com/Wizzard69) - someone who has clearly sold hacks (http://haker.com.pl/threads/8554-NastyXP-Beta-9-Download) before.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: jackjack on June 15, 2011, 06:21:44 PM
Doxing? In my forum.bitcoin.org?


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: ukbitco.in on June 15, 2011, 06:34:47 PM
Wow,

nice detective work everyone. If this is true, something will have to be done? Perhaps publicly naming and shaming is enough, but the evidence must be concrete first.



Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: gigitrix on June 15, 2011, 07:48:47 PM
Nothing to contribute, bumping for educating other users. This sucks: I thought we'd have a little more time before people tried to pull this.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: TheVirus on June 15, 2011, 07:59:08 PM
> Nothing to contribute, bumping for educating other users. This sucks: I thought we'd have a little more time before people tried to pull this.

Honestly, I'm surprised it took this long. The only reason why it never happened before was because the value of the BTC was so low it wasn't worth the time to invest in creating the virus and spamming it. Now that 25,000 BTC is worth $500,000, it seemed it was only a matter of time and we're just getting started. Bitcoin needs some end-user encryption/protection to prevent unauthorized access.


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: jackjack on June 15, 2011, 08:35:27 PM
> Bitcoin needs some end-user encryption/protection to prevent unauthorized access.

Sure. Waiting hard for the next release


Title: Re: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES
Post by: NothinG on June 20, 2011, 12:37:05 AM
Just wanted to let everyone know, that this thread has hit an awesome site (meaning more and more hackers have just received the same email I got).
http://www.f-secure.com/weblog/archives/00002187.html

In other words, stay frosty my friends!