Bitcoin Forum

Other => Beginners & Help => Topic started by: bitcointalk3 on March 31, 2012, 02:39:39 AM



Title: Malware writer here, ask your questions.
Post by: bitcointalk3 on March 31, 2012, 02:39:39 AM
I don't have any access to the original thread. http://bitcointalk.org/index.php?topic=73562.0 I wrote the malware. Ask your questions.

All coins captured are sent back.


Title: Re: Malware writer here, ask your questions.
Post by: John (John K.) on March 31, 2012, 03:05:27 AM
Is this an experiment?


Title: Re: Malware writer here, ask your questions.
Post by: bitcointalk3 on March 31, 2012, 03:16:32 AM
Is this an experiment?

Yes


Title: Re: Malware writer here, ask your questions.
Post by: John (John K.) on March 31, 2012, 03:25:23 AM
Are the addresses hardcoded in the malware, or does the malware generate addresses on-the-fly and send the keys back via IRC/FTP, or does the malware download a set of addresses off a server each time?

How does the malware detect the address? By identifying the checksum? Or by using GetWindowTitle and replacing C&P addresses when a predetermined window (client / glbse window) is detected?


Title: Re: Malware writer here, ask your questions.
Post by: bitcointalk3 on March 31, 2012, 05:09:17 AM
Are the addresses hardcoded in the malware, or does the malware generate addresses on-the-fly and send the keys back via IRC/FTP, or does the malware download a set of addresses off a server each time?

How does the malware detect the address? By identifying the checksum? Or by using GetWindowTitle and replacing C&P addresses when a predetermined window (client / glbse window) is detected?

The addresses are generated on-the-fly and the keys are encrypted with RSA+custom encryption, and pasted here ( http://yourpaste.net/10173 ) with increasing number since 10173 till this day.

The address is detected by its length and content. A bitcoin address should contain certain characters only, begin with a 1 or a 3, and have a typical length (required length here is 29 to 40).

----------------------------------------------------
// Every character must be Base58 (digits/letters, but not l, I, O or 0).
// cbsize is the clipboard buffer size including the terminating NUL.
allAreCharacters = true;
for (int i = 0; i < cbsize - 1; ++i)
      if ( !((clipboard[i] >= '1' && clipboard[i] <= '9') || (clipboard[i] >= 'a' && clipboard[i] <= 'z') || (clipboard[i] >= 'A' && clipboard[i] <= 'Z'))
                  || clipboard[i] == 'l' || clipboard[i] == 'I' || clipboard[i] == 'O' || clipboard[i] == '0') {
                  allAreCharacters = false;
                  // ......
      }

// Must also start with '1' or '3'; anything else is treated as not an address.
if (!allAreCharacters || !(clipboard[0] == '1' || clipboard[0] == '3'))
      // Not-an-address
-----------------------------------------------------

The clipboard is constantly checked for bitcoin addresses (every 500ms) regardless of the activity of the user, and replaced if the detected address was not put there by the malware. So the instant one copies a bitcoin address, it's replaced with an evil one.
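A defender-side version of the check in the post above, added here as an example and not code from the original thread: next to the malware's length-and-charset heuristic it puts a proper Base58Check validation (version byte, 20-byte hash, double-SHA256 checksum) and a guard that compares the address the user copied with the one now on the clipboard, which is the comparison that catches a swap. The `clipboard_swapped` helper, the `SWAPPED_IN` address (built from a made-up hash) and the use of the genesis-block address as the "copied" value are assumptions for the demonstration.

```python
import hashlib

# Base58 alphabet: no 0, O, I, l. The malware only checked for this charset,
# a leading '1' or '3', and a length between 29 and 40.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def looks_like_address(s: str) -> bool:
    """The malware's heuristic, reproduced from the post for comparison."""
    return 29 <= len(s) <= 40 and s[0] in "13" and all(c in B58 for c in s)


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58decode(s: str) -> bytes:
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * leading_ones + body


def b58check_encode(version: int, payload: bytes) -> str:
    raw = bytes([version]) + payload
    raw += sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * zeros + out


def is_valid_address(s: str) -> bool:
    """Base58Check validation: version 0x00 (P2PKH, '1...') or 0x05 (P2SH,
    '3...'), a 20-byte hash, and a 4-byte double-SHA256 checksum."""
    if not s or any(c not in B58 for c in s):
        return False
    raw = b58decode(s)
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return sha256d(raw[:21])[:4] == raw[21:]


def clipboard_swapped(copied: str, about_to_paste: str) -> bool:
    """Hypothetical guard: True when the user copied one valid address and a
    different valid address is now on the clipboard."""
    return (is_valid_address(copied) and is_valid_address(about_to_paste)
            and copied != about_to_paste)


# Genesis-block coinbase address (real) and a constructed P2PKH address built
# from a made-up 20-byte hash, standing in for an attacker's swapped-in address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SWAPPED_IN = b58check_encode(0x00, hashlib.sha256(b"constructed").digest()[:20])

if __name__ == "__main__":
    fake = "1" * 31  # passes the malware's heuristic, fails the checksum
    print(looks_like_address(fake), is_valid_address(fake))  # True False
    print(clipboard_swapped(GENESIS, SWAPPED_IN))              # True
```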


Title: Re: Malware writer here, ask your questions.
Post by: John (John K.) on March 31, 2012, 05:53:38 AM
Sounds like a good methodology for this, although a bitcoin address should be 33 chars and below. How are you going to be so sure that all bitcoins are sent back correctly after the experiment?


Title: Re: Malware writer here, ask your questions.
Post by: bitcointalk3 on March 31, 2012, 06:55:44 AM
Sounds like a good methodology for this, although a bitcoin address should be 33 chars and below. How are you going to be so sure that all bitcoins are sent back correctly after the experiment?

I'll be checking for transactions occasionally till the end of this year, it's done with a few clicks. I send back the coins to where they were sent from (that's the best I can do) when I see a transaction. The distribution of the trojan ended this month --hosting ended--, so there should not be any new victims unless someone else spreads it for some reason; it is hard to edit it to make a custom version of it, it should just not work then.


Title: Re: Malware writer here, ask your questions.
Post by: hoo on March 31, 2012, 07:19:42 AM
You should be glad no one can reach you to strangle the soul out of you.
did you also send extra to compensate for the time you held them ransom?
You exemplify why bitcoin is such a piece of shit.

someday soon you will have to hide in sewers.


Title: Re: Malware writer here, ask your questions.
Post by: bitcointalk3 on March 31, 2012, 07:31:21 AM
You should be glad no one can reach you to strangle the soul out of you.
did you also send extra to compensate for the time you held them ransom?
You exemplify why bitcoin is such a piece of shit.

someday soon you will have to hide in sewers.

I do not have any coins besides the captured ones.


Title: Re: Malware writer here, ask your questions.
Post by: finway on March 31, 2012, 07:44:59 AM

I send back the coins to where they were sent from (that's the best I can do) when I see a transaction.

Not a good idea; many people use online wallets and can't receive coins at the address they sent from.


Title: Re: Malware writer here, ask your questions.
Post by: bitcointalk3 on March 31, 2012, 08:06:40 AM

I send back the coins to where they were sent from (that's the best I can do) when I see a transaction.

Not a good idea; many people use online wallets and can't receive coins at the address they sent from.

Indeed. That might be solved in some cases, like in the thread linked in the OP where the online wallet provider is aware of the situation (the customer's story) and has gotten the coins back. Most incoming transactions have been small ones, like 0.10 btc. Huge transactions (50-1000+) might take some consideration and communication first from my side.


Title: Re: Malware writer here, ask your questions.
Post by: Kluge on March 31, 2012, 08:30:09 AM
What did you learn from your experiment?

How many coins were taken? Do you have any data on the people whose coins you took? Or was it just, "could I do it? Would they really download it?"


Title: Re: Malware writer here, ask your questions.
Post by: bitcointalk3 on March 31, 2012, 09:23:21 AM
What did you learn from your experiment?

How many coins were taken? Do you have any data on the people whose coins you took? Or was it just, "could I do it? Would they really download it?"

"Can I do it?" was the question. What would the result be? I thought, "is it really that easy?". In about 3 months since the "release", a total of maybe 110 btc has passed me (while I'm doing absolutely nothing), with the trojan "lightly" advertised here and there. The trojan was uploaded to a temporary host (which automatically would be inactivated after 3 months without login). Anybody could do it.

I was certain that people would download it. Dangerous "security threat" indeed.

I learned that "projects" like this are a waste of time. I learned that even smart people can be really curious about something being advertised. I learned that scammers must live a sh**ty life (that's what I felt overall).

I also learned that there are insecure fields to harvest from though, with not that much effort, by those with that sh**ty life. The attacker wouldn't have to do more than create his trojan and mass-spread and mass-advertise it on more stable places. I did some light advertising and a not too sophisticated trojan, and 3 months later, I still "harvest".


Title: Re: Malware writer here, ask your questions.
Post by: payb.tc on March 31, 2012, 09:37:14 AM
I was certain that people would download it.

download what exactly? what was the trojan advertised as?


Title: Re: Malware writer here, ask your questions.
Post by: phelix on March 31, 2012, 09:40:21 AM
you should keep 5% as tuition  ;D


Title: Re: Malware writer here, ask your questions.
Post by: John (John K.) on March 31, 2012, 09:41:50 AM
I was certain that people would download it.

download what exactly? what was the trojan advertised as?

+1. And I've helped you to link this thread in the original post, so the parties involved can take a look too.


Title: Re: Malware writer here, ask your questions.
Post by: abbeytim on March 31, 2012, 09:42:34 AM
I am the one that got scammed, ask Nefario.

I lost 26.23 and 6.63 and no, I was never paid back. The coins were sent from btc-e,
and they use a different address to send them than my bitcoin address that I deposit to.
Plz next time if you scam them, talk to them; if you would have talked to Nefario he would have told you to talk to me.

Thx for becoming honest though, now I have to go talk to btc-e and see if they can find them.


Title: Re: Malware writer here, ask your questions.
Post by: worldinacoin on March 31, 2012, 09:53:13 AM
With such talents why don't you help the bitcoin community be a more secure place? I think the bitcoin project definitely needs capable people like you.


Title: Re: Malware writer here, ask your questions.
Post by: bitcointalk3 on March 31, 2012, 09:54:47 AM
I was certain that people would download it.

download what exactly? what was the trojan advertised as?


As a bitcoin wallet stealer, and as a miner.

I am the one that got scammed, ask Nefario.

I lost 26.23 and 6.63 and no, I was never paid back. The coins were sent from btc-e,
and they use a different address to send them than my bitcoin address that I deposit to.
Plz next time if you scam them, talk to them; if you would have talked to Nefario he would have told you to talk to me.

Thx for becoming honest though, now I have to go talk to btc-e and see if they can find them.

I sent them back to where they came from. Nefario should be able to follow them back to his system.


Title: Re: Malware writer here, ask your questions.
Post by: payb.tc on March 31, 2012, 09:55:15 AM
With such talents why don't you help the bitcoin community be a more secure place?

i believe he has just done that, by making a few people more cautious of malware.


Title: Re: Malware writer here, ask your questions.
Post by: bitcointalk3 on March 31, 2012, 09:59:22 AM
With such talents why don't you help the bitcoin community be a more secure place? I think the bitcoin project definitely needs capable people like you.

Thought about it. But sure! Not sure how much I'll be able to help. But I will try to make a list of some potential "exploits" and potential solutions eventually, and tip the developers.


Title: Re: Malware writer here, ask your questions.
Post by: abbeytim on March 31, 2012, 10:11:42 AM
They never got to Nefario's system. I was sending coins to GLBSE and copied the GLBSE deposit address and pasted it to withdraw from the btc-e.com address, and it changed the address. I didn't pay attention and sent; I had copied and pasted BTC addresses before and never second-checked.
So they were sent back to btc-e, but btc-e uses a different external address to send coins than my personal deposit address.


Title: Re: Malware writer here, ask your questions.
Post by: RaggedMonk on March 31, 2012, 10:23:19 AM
watching.


Title: Re: Malware writer here, ask your questions.
Post by: Gabi on March 31, 2012, 10:53:51 AM
With such talents why don't you help the bitcoin community be a more secure place? I think the bitcoin project definitely needs capable people like you.
Wake up, he helped much more in that way

If it takes such simple things to write a working malware and actually steal bitcoins, what can happen with a more concerted effort?


Title: Re: Malware writer here, ask your questions.
Post by: bitcointalk3 on March 31, 2012, 11:35:35 AM

A question: are you an actual blackhat doing this type of thing to make a living, or did you just pull off a nice hack for the heck of it?

If the former, a follow-up question: as far as you know, how is bitcoin viewed/perceived in the blackhat community (other than an easy way to scam folks, that is).

In particular, is it perceived as something useful to the community itself?


Usually don't do this. Wanted to try it just because it seemed so easy (something that anyone can do), to see what would happen. A little test.

With such talents why don't you help the bitcoin community be a more secure place? I think the bitcoin project definitely needs capable people like you.
Wake up, he helped much more in that way

If it takes such simple things to write a working malware and actually steal bitcoins, what can happen with a more concerted effort?

A lot. The wallet is easily accessed by a trojan, and all the keys are there ready to be used. The wallet doesn't even have to shift owner; the malware could spend the money there right away.

In "my" case, only the intended amount of btc (by the victim, thus limited) to be sent are captured, and the [intended] coins are only captured when the victim actually sends anything.

A trojan made with more effort could simply just use the keys in the wallet and spend all the coins right away. A password for the wallet could be cracked firsthand on the victim's computer, and/or the passphrase could simply be captured from the keyboard/bitcoin software directly whenever it's used (which it eventually will).

Even if the wallet is stored somewhere else than the default place, for example in a truecrypt file, whenever the wallet is loaded into the bitcoin client, the wallet can be read directly from the bitcoin client's working memory.



Title: Re: Malware writer here, ask your questions.
Post by: abbeytim on March 31, 2012, 11:54:56 AM
Well, I've been talking to btc-e and they never received them back. Here's our conversation:




support: abbeytim, I checked on the base of the purse bitcoin

abbeytim: ok

abbeytim: k

support: abbeytim, btc means not gone

abbeytim: and the block chain says they were sent back to look bottom there http://blockexplorer.com/address/19C16JK7tup7rnCvgY7nwAEXCPHFjans75

abbeytim: none of those are btc-e adresses??

support: abbeytim, I checked 30 and March 31, 2012

abbeytim: k thanks

support: abbeytim, http://blockexplorer.com/tx/2392adbd8784dc8ab16600f10be874c02c37886fd7b09fe0989b9144868973d0

support: 17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd -6.63 BTC -0.001 BTC 1399 blockexplorer 11:25 22.03.12

abbeytim: so does that mean he still has them ??

abbeytim: or he sent them to wrong address

support: abbeytim, Кoмy: 14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ -26.23 BTC 0 BTC 1575 blockexplorer 09:53 21.03.12

support: http://blockexplorer.com/tx/fcf078588cc961e6af4a5aa8faab559a3d7b5867c16bbf38dfccc4d4f90ea19a

support: abbeytim, btc on our accounts were written off

abbeytim: and we never recieved them back right??

abbeytim: we meaning btc-e

support: abbeytim, and as we get them back?

abbeytim: l well thx for your time


see if you guys can figure out what happened


Title: Re: Malware writer here, ask your questions.
Post by: jake262144 on March 31, 2012, 11:55:42 AM
If it takes such simple things to write a working malware and actually steal bitcoins, what can happen with a more concerted effort?

As long as users are foolish enough to install software laden with trojans and run it with root privileges they will suffer the dire consequences.

Did you read this post in Bitcoin discussion? (http://bitcointalk.org/index.php?topic=73562.0)
The security-imbecile fell for some "optimized miner" mumbo-jumbo, installed this crap and when it -apparently- failed to work he instantly forgot about the whole matter!

Congrats bitcointalk3, you have proven there are fools aplenty.
If you really merely wanted to test your abilities have you perhaps set some TTL value (e.g. 30 days) after which the malware goes inactive?
That's the responsible thing to do, you know.


Title: Re: Malware writer here, ask your questions.
Post by: abbeytim on March 31, 2012, 12:01:45 PM
Sorry, some of us are fools. Either way, I learned from my mistake.

I guess that's what's important, even though I lost 32+ bitcoins.


Title: Re: Malware writer here, ask your questions.
Post by: abbeytim on March 31, 2012, 12:26:09 PM
And if anyone feels bad for me, send some btc here:

148PmRLnHj4K89CcQajhz3dZQt7E66d53W


Title: Re: Malware writer here, ask your questions.
Post by: abbeytim on March 31, 2012, 01:36:15 PM
btc-e just got my coins back to me, thx :)


Title: Re: Malware writer here, ask your questions.
Post by: waspoza on March 31, 2012, 02:39:50 PM
And if anyone feels bad for me, send some btc here:

148PmRLnHj4K89CcQajhz3dZQt7E66d53W

Are you sure it's a good address this time?  ;)


Title: Re: Malware writer here, ask your questions.
Post by: marked on March 31, 2012, 03:53:23 PM

Are you sure it's a good address this time?  ;)
He typed it in 1 bit at a time just to be sure, took him ages too, as the line noise on the morse code tapper was just terrible.

marked


Title: Re: Malware writer here, ask your questions.
Post by: Stephen Gornick on March 31, 2012, 04:15:56 PM
The trojan was uploaded to a temporary host (which automatically would be inactivated after 3 months without login). Anybody could do it.

I was certain that people would download it. Dangerous "security threat" indeed.

[...]

The attacker wouldn't have to do more than create his trojan and mass-spread and mass-advertise it on more stable places. I did some light advertising and a not too sophisticated trojan, and 3 months later, I still "harvest".

Do current anti-virus security providers (e.g., AVG, Avast, McAfee, etc.) detect the download as being malware now? Or is this likely occurring from those who either don't have anti-virus or don't keep it current (and do dumb stuff like downloading and installing .exes from untrusted sources)?


Title: Re: Malware writer here, ask your questions.
Post by: John (John K.) on March 31, 2012, 04:37:23 PM
The trojan was uploaded to a temporary host (which automatically would be inactivated after 3 months without login). Anybody could do it.

I was certain that people would download it. Dangerous "security threat" indeed.

[...]

The attacker wouldn't have to do more than create his trojan and mass-spread and mass-advertise it on more stable places. I did some light advertising and a not too sophisticated trojan, and 3 months later, I still "harvest".

Do current anti-virus security providers (e.g., AVG, Avast, McAfee, etc.) detect the download as being malware now? Or is this likely occurring from those who either don't have anti-virus or don't keep it current (and do dumb stuff like downloading and installing .exes from untrusted sources)?
Antiviruses don't do much good for 0-day releases like this one, unless the heuristics pick it up.
OP has a point there: most Windows users are too moronic to check their downloads, and this is why botnets are so abundant nowadays.


Title: Re: Malware writer here, ask your questions.
Post by: bitcointalk3 on April 01, 2012, 01:03:10 AM
Well, I've been talking to btc-e and they never received them back. Here's our conversation:


http://blockchain.info/address/19C16JK7tup7rnCvgY7nwAEXCPHFjans75

The 2392adbd8784dc8ab16600f10be874c02c37886fd7b09fe0989b9144868973d0 transaction is when the coins got to me; 7303bb4534c085b05e09af9bfa89a90f2a2674e58552594f0ea7cf84fd4d1194 is the transaction from when I sent the coins back to btc-e, or where they came from, to address 19C16JK7tup7rnCvgY7nwAEXCPHFjans75. Those 6.63 coins (which I then lost control over) were then transferred to 1GzrUY3HpBBpbtxgZbDMcokLQTQXQdAiqc, which I suppose is part of btc-e's (or any other online service's) system.

The trojan is easy to remove. CTRL+ALT+DEL and kill a process named mcfar*. It is then easy to remove it manually from autostart by running the command msconfig (through the run command, WINDOWSBUTTON+R). Click the autostart tab and uncheck the one called Avast7*, filename mcfar* (begins with mcfar*). The trojan can be removed manually from "c:\windows\mcfar*.exe". I don't have the source code right here, but that's what I'm really sure about.

Congrats bitcointalk3, you have proven there are fools aplenty.
If you really merely wanted to test your abilities have you perhaps set some TTL value (e.g. 30 days) after which the malware goes inactive?
That's the responsible thing to do, you know.

All the pages are down, and they did also have a limited traffic threshold. I didn't think about giving it a TTL value, I thought about it afterwards. A mistake from my side (well, doing this was a mistake to begin with, it could just have warned the user that he/she'd be hacked now).

There's one source left, tricking pure ped*****es. I didn't bother giving that page a TTL (and I couldn't). Though that host will not be up forever.


Title: Re: Malware writer here, ask your questions.
Post by: alexbishops on April 01, 2012, 09:43:24 PM
I take it noscript for firefox would protect you from this sort of attack?

http://noscript.net/


Title: Re: Malware writer here, ask your questions.
Post by: Dabs on April 04, 2012, 02:00:10 AM
I think as long as you downloaded and ran the exe, you are sort of doomed until you get it out. I made something like this about 15 years ago for another popular software, and it was even programmed in VB. Disclaimer: I didn't make anything (money) out of it, except give people headaches, and it was 15 years ago.

Whitelisting software like Anti-executable or something similar would work, up to the point that it asks "Are you sure you want to run optimizedminer.exe?" and you still click Yes, on a live machine (not virtual, not sand boxed, not protected or whatever.)

The fundamentals of conning people have not changed, and social engineering can still be done today, the same way it has been done 20 to 30 years ago, because a lot of people are simply ... ... they don't know any better.

In fact, I'm pretty sure someone can or has come up with malware that gets your credit card number from the clipboard.

Geez, I paste almost all my passwords from the clipboard from notepad.......... better check my own system now.


Title: Re: Malware writer here, ask your questions.
Post by: John (John K.) on April 04, 2012, 02:17:35 AM
I take it noscript for firefox would protect you from this sort of attack?

http://noscript.net/
no


Title: Re: Malware writer here, ask your questions.
Post by: ryu-fk on April 04, 2012, 05:04:11 PM
With such talents why don't you help the bitcoin community be a more secure place?

i believe he has just done that, by making a few people more cautious of malware.



Or, more probably, they will stop using bitcoin.