Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: VelvetLeaf on May 11, 2013, 02:44:46 PM



Title: YaCoin Investigation
Post by: VelvetLeaf on May 11, 2013, 02:44:46 PM
Claim
There are reports from various people that YACoin has a built-in wallet stealer.

What you can do
It's a common feature for malware to activate its main task on a random date and to add a mark to the computer so it doesn't do the same thing twice (uploading the stolen wallet.dat again after your wallet has already been uploaded is a waste of resources).
Since you can't be too safe, if you have run YACoin's client or the modified minerd.exe and don't encrypt your wallet, make sure you install Bitcoin on another clean computer and send your bitcoins there.
Make sure you password-protect your wallet on that new computer.

Does YACoin really have a malware module in it?
Who knows; it's possible that it's a joke, someone who wants to drop YAC's price on the order book.
Or it's the real deal: the attackers want people to believe that all of the various malware reports we receive now are a joke, so that further reports will be ignored once the real attack is actually launched.
Hence, the investigation.

Investigation
I'll list what I found here:

List of YACoin related binaries

yacoin-qt-2013-05-08.zip (yacoin's main client, uploaded during YACoin launch)
https://mega.co.nz/#!UowEmZYS!AAK7DVwYoTqy96oTRzUaLCS0UMsAfosJiRQmBn1jzcA
Detection ratio: 0 / 46 https://www.virustotal.com/en/file/7381b3ea8e872d860cf8279b98cb74a01cd21ecebaa1af7e537a040b6c5ad1e7/analysis/1368286925/

yacoin-qt-2013-05-09.zip (yacoin's main client, updated binary)
https://mega.co.nz/#!5wgDnKyZ!QLfWTXNRMRTwmb60rfpuFgzH48BCl4fpwb8paeAaqRs
Detection ratio: 0 / 46 https://www.virustotal.com/en/file/8c1b9dcc90e163a357b3861c10d8cec67c351a928e0b5e1e0dcf74d65d4a4b76/analysis/

cpuminer-scrypt-jane-win32.zip (modified minerd to mine yacoin on multiple computers)
hxxp://mega.co.nz/#!IJRziTBD!ZCAKGC7fqYkyXsEDi9GB1RYiqIUqj2S9bEm6UI2y1no
Detection ratio: 6 / 46 https://www.virustotal.com/en/file/2b7e630cfb2d173eb14e4dd88a7879527f5c52cbc77ace0c0742942aad46faec/analysis/1368286565/

"antivirus friendly" version of minerd (don't download this, very suspicious)
hxxp://mega.co.nz/#!shoxkb5b!DjiCAQBQ627TaW0oet1C7mvqM7Q2-2u-g4kDRHbniU4
From: https://bitcointalk.org/index.php?topic=201050.0
Detection ratio: 16 / 46 https://www.virustotal.com/en/file/0ffa2116bf1027019ad94e9bf8e2340be427d6efbc9563e185096cf8550b4c3a/analysis/1368287421/

minerd_scrypt_jane.ZIP (another modified minerd to mine yacoin on multiple computers)
https://mega.co.nz/#!pUMBkbbY!cMJYcFqPCMr1idZBr30VsFw0tLY7y63J0N4RVNYMUBc
Detection ratio: 0 / 46 https://www.virustotal.com/en/file/01a79a608d33d1db4eb9382db029e89e581f6e0017ddb566e7826b45370596fd/analysis/

All investigation should be done in a clean virtual machine; otherwise it's useless, since it's possible that your computer is already marked and the malware won't run the wallet-stealing routine twice.

"Victim" List - Alternate cryptocurrency section

FreeTibet / Jr. Member / Posts: 11 / DO NOT DOWNLOAD YACOIN - SENDS WALLET.DAT TO http://bitcoin-ticker.netne.net/u.p
Don't download yacoin Windows binary.. it sends your bitcoin wallet.dat to this page: http://bitcoin-ticker.netne.net/u.php

I observed it with Fiddler. Stay safe, compile the code yourself!

Lewies Man / Jr. Member / Posts: 45 / 2.374 bitcoins stolen after downloading yacoin
2.374 bitcoins stolen .. anyone can help?? The last thing I did on this computer was install yacoin..

I didn't have a passphrase set but I do have now. Does yacoin have a virus? It stole my coins


Brewins / Jr. Member / Posts: 69 / Yacoin developer stole more than 256 BTC!
My coins were sent to this address:

https://blockchain.info/address/1Ay1fS9b6TZbXEEeihGCLo1oG7zpSiChSf

If you see this transaction, more than 256 BTC has been stolen https://blockchain.info/tx/11b3704b041ebfc8772f43116b69dc70345f1a6c4a873774e6d087a5f6e6691d

D35TR0Y3R / Full Member / Posts: 108 / WARNING: YACOIN HAS A VIRUS BITCOIN STEALER
I HAVE LOST MY BITCOINS, THEY HAVE BEEN SENT TO https://blockchain.info/address/1RPrtamTACe1TcqkX2FmWVtRzmQJ6CfRx

UNINSTALL AND DON'T RUN YACOIN

nocompare / Jr. Member / Posts: 14 / yacoin developers are a bunch of crooks, steals 900 BTC
https://blockchain.info/address/1RPrtamTACe1TcqkX2FmWVtRzmQJ6CfRx

I am quitting bitcoin.. Lost bitcoin in bitcoin 24.. lost bitcoin in blockbet.. NOW SOMEONE HACKED MY WALLET

"Victim List" - Newbie section

moneytronics / Posts: 1 / YACOIN STEALS YOUR WALLET DO NOT USE
BITCOINS GONE!

TX ID 11b3704b041ebfc8772f43116b69dc70345f1a6c4a873774e6d087a5f6e6691d

DO NOT USE

jebwizoscar /  Posts: 5 / yacoin trojan
yacoin is sending my coins

danieljoseph /  Posts: 1 / yacoin stole my 14.25 btc
What do I do now? I downloaded Yacoin which had a wallet stealer in it. Can I get my coins back? Should I file a police report?

SquishySquish /  Posts: 6 / bitcoin sent from my wallet?
my bitcoins have been sent from my wallet

is it the alt coins I downloaded?

netne.net Whois

Quote
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: NETNE.NET
Created on: 19-Mar-09
Expires on: 19-Mar-14
Last Updated on: 20-Mar-13

Registrant:
Hostinger International Ltd.

61 Lordou Vyronos
Larnaca, 6023
Cyprus

Administrative Contact:
Kyriako, Kyriakos hostmaster@hostinger.com
Hostinger International Ltd.
61 Lordou Vyronos
Larnaca, 6023
Cyprus
+357.24030130

Technical Contact:
Kyriakos, Kyriako abuse@main-hosting.com
Hostinger International Ltd.
61 Lordou Vyronos
Larnaca, 6023
Cyprus
+357.24030130

Domain servers in listed order:
NS1.000WEBHOST.COM
NS2.000WEBHOST.COM
Registry Status: clientDeleteProhibited
Registry Status: clientRenewProhibited
Registry Status: clientTransferProhibited
Registry Status: clientUpdateProhibited

If you find this is helpful, any donation would be welcome :
YAcj1cSecVtCZkPpcPnb2raXdJfb3vzine


Title: Re: YaCoin Investigation
Post by: Fernandez on May 11, 2013, 02:47:11 PM
cpuminer-scrypt-jane-win32.zip
https://mega.co.nz/#!IJRziTBD!ZCAKGC7fqYkyXsEDi9GB1RYiqIUqj2S9bEm6UI2y1no

If there is indeed a scam my money is on this.

Where can we place bets?


Title: Re: YaCoin Investigation
Post by: skull88 on May 11, 2013, 02:52:05 PM
I tried these and they look clean:

yacoin-qt-2013-05-09.zip
https://mega.co.nz/#!5wgDnKyZ!QLfWTXNRMRTwmb60rfpuFgzH48BCl4fpwb8paeAaqRs

minerd_scrypt_jane.ZIP
https://mega.co.nz/#!pUMBkbbY!cMJYcFqPCMr1idZBr30VsFw0tLY7y63J0N4RVNYMUBc


Installed yesterday on a windows pc to test, had an unencrypted old bitcoin wallet on it with a small amount of bitcoins, no suspicious activity.


Title: Re: YaCoin Investigation
Post by: seleme on May 11, 2013, 02:54:35 PM
I don't think there is even a need for this. To be honest, the first few posts made me a bit worried as I hold a nice amount of YAC, but come on, what sane man would believe this after 5 people reported it and hundreds or thousands of them have it on their PCs...

It's a lame, lame attempt from some lowlifes.. maybe even coming from one or at most two persons, as the posting style and English were pretty similar... line of fuck offs, line of scam, line of steals, line of caps lock coupled with an artificial and fake "buying 300k of other alt" thread.


Title: Re: YaCoin Investigation
Post by: alex_fun on May 11, 2013, 02:56:52 PM
Yes, it's simply FUD. I use the official QT and it's all fine.


Title: Re: YaCoin Investigation
Post by: syn999 on May 11, 2013, 02:57:56 PM
I don't think there is even a need for this. To be honest, the first few posts made me a bit worried as I hold a nice amount of YAC, but come on, what sane man would believe this after 5 people reported it and hundreds or thousands of them have it on their PCs...

It's a lame, lame attempt from some lowlifes.. maybe even coming from one or at most two persons, as the posting style and English were pretty similar... line of fuck offs, line of scam, line of steals, line of caps lock.


could cause everyone to panic and sell theirs at a lower price


Title: Re: YaCoin Investigation
Post by: Kruncha on May 11, 2013, 02:59:08 PM
You missed a binary in your investigation, the minerd 64bit one https://bitcointalk.org/index.php?topic=201027.0 (https://bitcointalk.org/index.php?topic=201027.0)

K.


Title: Re: YaCoin Investigation
Post by: anonynonanony on May 11, 2013, 02:59:18 PM
If I was a betting man, I'd put my money on the oversized "antivirus free" minerd.


Title: Re: YaCoin Investigation
Post by: seleme on May 11, 2013, 03:01:14 PM
I don't think there is even a need for this. To be honest, the first few posts made me a bit worried as I hold a nice amount of YAC, but come on, what sane man would believe this after 5 people reported it and hundreds or thousands of them have it on their PCs...

It's a lame, lame attempt from some lowlifes.. maybe even coming from one or at most two persons, as the posting style and English were pretty similar... line of fuck offs, line of scam, line of steals, line of caps lock.


could cause everyone to panic and sell theirs at a lower price

That, or to promote other coin(s), with royalcoin being first on my suspect list (nothing against the coin, an alt is an alt, but the people).

It was a pretty stupid attempt to be honest, executed very amateurishly.


Title: Re: YaCoin Investigation
Post by: TheSwede75 on May 11, 2013, 03:03:13 PM
Totally uninterested in whether it happened or not. The problem here is 10.000 morons downloading pre-compiled code and running it without the developers having a shred of credibility. Even if it's fine THIS time it's bound to happen very soon considering all you have to do is announce a new 'coin' and post a link and BAM, you got 10k people installing your virus and thanking you for it.


Title: Re: YaCoin Investigation
Post by: kgains on May 11, 2013, 03:05:01 PM
@VelvetLeaf

Just downloaded all three and checked their size and SHA-1:
yacoin-qt-2013-05-08.zip (uploaded during YACoin launch) (8,956,974 bytes)
SHA-1:   19b609e227944287a2c96cfbda79c3bb7459ef5c

yacoin-qt-2013-05-09.zip (updated binary) (8,957,000 bytes)
SHA-1:   b5886f224afed6a5705e080494d03f1789d3dc51

cpuminer-scrypt-jane-win32.zip
SHA-1:   9acacfbb7c5c0861b3b2147d96c9dde35d12b0ae

I would have thought it a standard thing for anyone making claims etc. to at least pinpoint where they got their EXE, its size and checksum. Otherwise everything is a bit hearsay.
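The checksum comparison kgains is asking for, as an added example that is not code from the thread: it collects the SHA-1 values from this post and the SHA-256 digests embedded in the OP's VirusTotal URLs, and reports every published value a downloaded archive fails to match. It assumes the SHA-1 and SHA-256 listed under the same file name describe the same archive, which the thread does not prove.

```python
import hashlib
import sys

# Values quoted in this thread: kgains' sizes and SHA-1s, and the SHA-256
# digests from the OP's VirusTotal links.  Assumption: the values listed
# under one file name all refer to the same archive.
KNOWN_ARCHIVES = {
    "yacoin-qt-2013-05-08.zip": {
        "size": 8956974,
        "sha1": "19b609e227944287a2c96cfbda79c3bb7459ef5c",
        "sha256": "7381b3ea8e872d860cf8279b98cb74a01cd21ecebaa1af7e537a040b6c5ad1e7",
    },
    "yacoin-qt-2013-05-09.zip": {
        "size": 8957000,
        "sha1": "b5886f224afed6a5705e080494d03f1789d3dc51",
        "sha256": "8c1b9dcc90e163a357b3861c10d8cec67c351a928e0b5e1e0dcf74d65d4a4b76",
    },
    "cpuminer-scrypt-jane-win32.zip": {
        "sha1": "9acacfbb7c5c0861b3b2147d96c9dde35d12b0ae",
        "sha256": "2b7e630cfb2d173eb14e4dd88a7879527f5c52cbc77ace0c0742942aad46faec",
    },
    "minerd_scrypt_jane.ZIP": {
        "sha256": "01a79a608d33d1db4eb9382db029e89e581f6e0017ddb566e7826b45370596fd",
    },
}


def digests(data: bytes) -> dict:
    """Size, SHA-1 and SHA-256 (lowercase hex) of an archive's bytes."""
    return {
        "size": len(data),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare(data: bytes, expected: dict) -> list:
    """Return (field, expected, actual) for each published value that differs.

    Fields nobody published (e.g. no SHA-1 for minerd_scrypt_jane.ZIP) are
    skipped, so an empty list means 'matches everything that was posted'."""
    actual = digests(data)
    mismatches = []
    for field, want in expected.items():
        want = want.lower() if isinstance(want, str) else want
        if actual[field] != want:
            mismatches.append((field, want, actual[field]))
    return mismatches


def verify_archive(path: str, name: str) -> list:
    """Check a local file against the thread's values for archive `name`."""
    with open(path, "rb") as fh:
        return compare(fh.read(), KNOWN_ARCHIVES[name])  # KeyError if unknown


if __name__ == "__main__":
    # usage: verify.py <local file> <archive name as listed in the thread>
    bad = verify_archive(sys.argv[1], sys.argv[2])
    print("OK, matches the posted values" if not bad else bad)
```

A match only tells you the file is the one the posters analysed, not that it is clean; a mismatch means you have something else, and should stop there.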


Title: Re: YaCoin Investigation
Post by: jimhsu on May 11, 2013, 03:11:41 PM
Site bitcoin-ticker.netne.net has been redirected to 127.0.0.1 in my hosts list.

I would suggest doing that, then backing up every wallet in your system and transferring to a new wallet if you believe you have been compromised. Common sense.

And yes having an unencrypted bitcoin wallet (or any wallet) with substantial funds is stupid. Double facepalm worthy.


Title: Re: YaCoin Investigation
Post by: Fernandez on May 11, 2013, 03:16:08 PM
If I was a betting man, I'd put my money on the oversized "antivirus free" minerd.

Betting on irony?


Title: Re: YaCoin Investigation
Post by: MrWizard on May 11, 2013, 03:16:20 PM
Totally uninterested in whether it happened or not. The problem here is 10.000 morons downloading pre-compiled code and running it without the developers having a shred of credibility. Even if it's fine THIS time it's bound to happen very soon considering all you have to do is announce a new 'coin' and post a link and BAM, you got 10k people installing your virus and thanking you for it.
Completely agree with you here.  I have been having the same thought for the past few days.


Title: Re: YaCoin Investigation
Post by: nullbitspectre1848 on May 11, 2013, 03:16:36 PM
Site bitcoin-ticker.netne.net has been redirected to 127.0.0.1 in my hosts list.

I would suggest doing that, then backing up every wallet in your system and transferring to a new wallet if you believe you have been compromised. Common sense.

And yes having an unencrypted bitcoin wallet (or any wallet) with substantial funds is stupid. Double facepalm worthy.

Could you please tell me how I go about redirecting a url to my localhost?


Title: Re: YaCoin Investigation
Post by: rick2718 on May 11, 2013, 03:22:17 PM
For what it is worth:

from this page:  https://bitcointalk.org/index.php?topic=201027.0
this link: https://mega.co.nz/#!pUMBkbbY!cMJYcFqPCMr1idZBr30VsFw0tLY7y63J0N4RVNYMUBc


$ sum *.exe
03133   350 minerd_scrypt_jane_x64_avx.exe
45517   351 minerd_scrypt_jane_x64_ssse3.exe

$ md5sum *.exe
9e8878a529978dcbc943e93ccb65aa33 *minerd_scrypt_jane_x64_avx.exe
1b5a6331149a462e15498909c1462754 *minerd_scrypt_jane_x64_ssse3.exe


run as:

./minerd_scrypt_jane_x64_avx.exe -a scrypt-jane -o http://mineyac2.dontmine.me:8080 -O myuser



Made only these connections over the course of 8 hours:
  TCP    192.168.1.27:57598     54.215.7.83:8080       ESTABLISHED
  TCP    192.168.1.27:57599     54.215.7.83:8080       ESTABLISHED

stat(2) appears to not show any of the bitcoin, litecoin, terracoin wallets being touched
(as in stat'ing continuously from another process in case of touching back)


Shrill claims from either side are pretty useless.

Compiling from source increases the comfort factor, but it is no guarantee unless you read and
understand all the code first. To do that you have to be both capable and (a priori) interested enough.
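
The "stat'ing continuously from another process" check rick2718 describes, written out as an added example (not rick2718's own tool): it polls the wallet files, compares each stat(2) field between polls and reports anything that changed while the miner was running. The wallet paths are assumed defaults for the clients named above, and the field names and output format are mine.

```python
import os
import time

# Wallet files a miner binary has no business touching.  Assumed default
# locations for the clients rick2718 names; adjust for your own system.
DEFAULT_WALLETS = [
    os.path.expanduser("~/.bitcoin/wallet.dat"),
    os.path.expanduser("~/.litecoin/wallet.dat"),
    os.path.expanduser("~/.terracoin/wallet.dat"),
]

FIELDS = ("size", "mtime", "atime", "ctime")


def snapshot(paths):
    """stat(2) every path; a file that does not exist maps to None."""
    result = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            result[p] = None
            continue
        result[p] = {"size": st.st_size, "mtime": st.st_mtime_ns,
                     "atime": st.st_atime_ns, "ctime": st.st_ctime_ns}
    return result


def diff(before, after):
    """(path, field, old, new) for every stat field that changed between polls.

    Reading the file (what a stealer does before uploading it) shows as an
    atime change where the filesystem records access times; rewriting it
    shows as size/mtime/ctime; creation or deletion is reported as 'exists'."""
    changes = []
    for path, old in before.items():
        new = after.get(path)
        if old is None and new is None:
            continue
        if old is None or new is None:
            changes.append((path, "exists", old is not None, new is not None))
            continue
        changes.extend((path, f, old[f], new[f]) for f in FIELDS if old[f] != new[f])
    return changes


def watch(paths=DEFAULT_WALLETS, interval=1.0, rounds=None):
    """Poll until interrupted (or for `rounds` polls), printing each change."""
    base, n = snapshot(paths), 0
    while rounds is None or n < rounds:
        time.sleep(interval)
        cur = snapshot(paths)
        for path, field, old, new in diff(base, cur):
            print(f"{time.strftime('%H:%M:%S')} {path}: {field} {old} -> {new}")
        base, n = cur, n + 1


if __name__ == "__main__":
    watch()
```

On Linux the default relatime mount option only refreshes atime when it is older than mtime/ctime or more than a day old, so mount with strictatime (or watch for the size/mtime/ctime fields only) if you want every read to show up.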
Title: Re: YaCoin Investigation
Post by: anonynonanony on May 11, 2013, 03:24:10 PM
If I was a betting man, I'd put my money on the oversized "antivirus free" minerd.

Betting on irony?

Betting on the minerd that has more than doubled in size.


Title: Re: YaCoin Investigation
Post by: sugarwhale on May 11, 2013, 03:52:54 PM
maybe antivirus friendly minerd


Title: Re: YaCoin Investigation
Post by: txmasut on May 11, 2013, 04:12:20 PM
THIS IS NOT REAL.  Not one legitimate person has shown any proof. I've looked at every host file, data source, etc.. and there is nothing malicious about the YAC files from when they were released.  If you downloaded from somewhere else than that might be different.  The original links are perfectly fine.  STOP LYING.


Title: Re: YaCoin Investigation
Post by: shaal on May 11, 2013, 04:21:07 PM
THIS IS NOT REAL.  Not one legitimate person has shown any proof. I've looked at every host file, data source, etc.. and there is nothing malicious about the YAC files from when they were released.  If you downloaded from somewhere else than that might be different.  The original links are perfectly fine.  STOP LYING.

+1, only 1 screenshot was posted and that only showed that there was 'something' detected. No one has given any screenshots of transactions out of any of their wallets.

I think this was just a well orchestrated FUD against YAK


Title: Re: YaCoin Investigation
Post by: seleme on May 11, 2013, 04:27:27 PM
Not really well orchestrated... it was very amateurish and included 2-3 guys at most.. some of those accounts are operated by the same person, they used exactly the same style and had the same English level.

And even the whole idea was amateurish; you can't do that on a forum filled with lots of geeks. It can last for half an hour but that's nowhere near enough to fulfill your plans.


Title: Re: YaCoin Investigation
Post by: Boba on May 11, 2013, 04:28:37 PM
Looking at the transactions on the blockchain, I noticed all of the addresses that sent bitcoin to 1RPrtamTACe1TcqkX2FmWVtRzmQJ6CfRx received funds right before they were "stolen". Ofc, I haven't checked all of them, but will check a few more to be sure.


Title: Re: YaCoin Investigation
Post by: xibeijan on May 11, 2013, 04:35:37 PM
THIS IS NOT REAL.  Not one legitimate person has shown any proof. I've looked at every host file, data source, etc.. and there is nothing malicious about the YAC files from when they were released.  If you downloaded from somewhere else than that might be different.  The original links are perfectly fine.  STOP LYING.

+1, only 1 screenshot was posted and that only showed that there was 'something' detected. No one has given any screenshots of transactions out of any of their wallets.

I think this was just a well orchestrated FUD against YAK


Round 1: +10 for YAC   and....  -1000 for FUD dudes

Obviously YAC is causing a stir and people desperately want in--- Just mine it foo!  Mine them Yacs!

I'm still waiting for an online merchant please start accepting so I can buy some stuff?

Someone should send https://cookies4coins.net/ an email, eh?


Title: Re: YaCoin Investigation
Post by: fxmulder on May 11, 2013, 04:42:36 PM
I can confirm "cpuminer-scrypt-jane-win32.zip (modified minerd to mine yacoin on multiple computers)" does not talk to the host given below, at least not within the first 30 minutes. Ran it with Wireshark and a filter of ip.dst == 31.170.160.169

host bitcoin-ticker.netne.net
bitcoin-ticker.netne.net has address 31.170.160.169
bitcoin-ticker.netne.net mail is handled by 0 mx.000webhost.com.


Title: Re: YaCoin Investigation
Post by: Raoul Duke on May 11, 2013, 04:56:49 PM
nocompare / Jr. Member / Posts: 14 / yacoin developers are a bunch of crooks, steals 900 BTC
https://blockchain.info/address/1RPrtamTACe1TcqkX2FmWVtRzmQJ6CfRx

I am quitting bitcoin.. Lost bitcoin in bitcoin 24.. lost bitcoin in blockbet.. NOW SOMEONE HACKED MY WALLET

He lost BTC on bitcoin-24? Strange... I got my BTC(20.50) from Bitcoin-24 less than 24 hours after having requested them when he reopened the exchange to allow withdrawals.
Not buying a word of what that dude says.


Title: Re: YaCoin Investigation
Post by: jimhsu on May 11, 2013, 05:00:37 PM
If I was a betting man, I'd put my money on the oversized "antivirus free" minerd.

Betting on irony?

Themida ("protection software") is used intentionally as a code obfuscator, preventing detailed analysis of the binaries. Hence, the suspicion.


Title: Re: YaCoin Investigation
Post by: Viceroy on May 11, 2013, 05:00:59 PM
why are there two threads?
https://bitcointalk.org/index.php?topic=202089.0

Should not both OPs work together to make one post? Or lock one and sticky the other?

stop all the fud.


Title: Re: YaCoin Investigation
Post by: LOG123 on May 11, 2013, 05:10:30 PM
I direct your attention
===> https://bitcointalk.org/index.php?topic=202255.0  (https://bitcointalk.org/index.php?topic=202255.0)


Title: Re: YaCoin Investigation
Post by: oroqen on May 11, 2013, 05:26:22 PM
It is not exactly FUD! See here https://bitcointalk.org/index.php?topic=200147.msg2109275#msg2109275 that bugger Limitless did it!
WOW dude, you clearly have some kind of agenda against Limitless; you won't listen to anything anybody is telling you about the thread. Limitless started the thread with a link to a well-known github repo, not compiled binaries; other people posted binaries in the thread. In what universe is the OP responsible for what random people do on the internet?


Title: Re: YaCoin Investigation
Post by: Vycid on May 11, 2013, 05:29:47 PM
Something to make perfectly clear:

There is absolutely no reason to suspect anything other than minerd at this point (and the evidence so far is fleeting). Yacoind is fine.


Title: Re: YaCoin Investigation
Post by: limitless on May 11, 2013, 05:30:42 PM
ehh why would you suspect minerd..


Title: Re: YaCoin Investigation
Post by: Viceroy on May 11, 2013, 05:37:23 PM
This thread is proving to be interesting:

https://bitcointalk.org/index.php?topic=202292.msg2112517#msg2112517