Show Posts
Can an expert explain, how this hack really worked? The technical information in this article is useless. As I understand the Bitcoin protocol the block reward is just a transfer like any other but with no input. Since only the block reward was stolen, it can't be a weakness of the protocol. The hacker must have gained access to the private keys of the miner. But why would a miner store the reward in a hot wallet with the private keys revealed and not notice the theft over a period of 4 months?
There was no theft of any private keys. The miners were hit with a man-in-the-middle attack that redirected them to a malicious mining pool where they kept receiving new blocks to work on, but were not paid their share for that work. The technical analysis is here: http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/
My hopes for the future: -Wallet that supports 2 factor auth - Spend verified through phone app or thumbprint
If the thief has malware on your PC they can bypass or hijack any authentication you can perform in order to authorize a different transaction. This has long been a problem for online banking systems that attempt to employ 2-factor. The thief can use malware to change what you see on your screen and change what's happening in memory so you end up authorizing a different transaction than what you intended. What's really needed is end-to-end transaction integrity verification on a dedicated hardware device. Trezor gets us most of the way there but the transaction is not verified end-to-end, only workstation-to-Trezor. A system like the Cronto banking hardware device is needed for Bitcoin, where a PKI implementation similar to BIP70 could be used to verify the address of the payee all the way to the secure device of the payer.
So even scanning with VirusTotal would not have revealed this?
This one had a few detects in VirusTotal but I think one problem is that there always seem to be a few false-positive detections on all Qt wallets, so people are being trained to ignore VirusTotal results for new altcoins even when they are true-positive. It's just downright crazy to run a program downloaded from this forum on a machine where your other important files (i.e. wallets) are stored. If you want to beat everyone else to jump on the latest coin or whatever, use a separate VM for each wallet until its code is shown to be trustworthy. And if for some reason it doesn't run in a VM, that's probably a good sign it's malware.
Just verified that the Win32 JunnonCoin-Qt client posted in the thread I linked to above is also the same malware.
No, this coin's problem is that it is (or, alternatively, has been infected with) a wallet stealer. A Russian wallet stealer. What a "coincidence" that the last posters in this thread, bumping it, seem to be Russians. Hoping to get some victims to download the client, perhaps?
Chinese wallet stealer, not Russian. See: https://bitcointalk.org/index.php?topic=512966.msg5669194#msg5669194
A friend of mine who mines scrypt coins, but who otherwise isn't that geeky, discovered an oddly named hidden .zip file in his C: root directory (2014Äê2ÔÂ13ÈÕ18ʱ45·Ö.zip - he doesn't have Cyrillic script installed). In it are contained the wallet.dat files for all his cryptocoins (renamed to Bitcoin.dat, Litecoin.dat, etc).
The filename isn't Russian, it's a date/time in Chinese. The trojan sends the wallet files to 23.239.111.68 on TCP port 12730. That IP is assigned to a "Wei Cheng":
[support.gorillaservers.com]
%rwhois V-1.0,V-1.5:00090h:00 support.gorillaservers.com (Ubersmith RWhois Server V-2.4.0)
autharea=23.239.96.0/19
xautharea=23.239.96.0/19
network:Class-Name:network
network:Auth-Area:23.239.96.0/19
network:ID:NET-2827.23.239.111.64/27
network:Network-Name:23.239.111.64/27
network:IP-Network:23.239.111.64/27
network:IP-Network-Block:23.239.111.64 - 23.239.111.95
network:Org-Name:cheng, wei
That IP was also listed as a static node in the QT configuration file for JunnonCoin, a Chinese altcoin: https://bitcointalk.org/index.php?topic=413045.0
I'm going to go ahead and say this is a Chinese wallet-stealing operation, not Russian.
It's true that it's not safe to save your Bitcoins in online wallets, but here the Bitcoins are not saved on our server; they are saved in your browser cache and RAM.
Until the Javascript on your page is changed by a hacker, and the key is sent back over HTTP instead of being cached.
Is 2FA the best way to safeguard against hacker attacks?
If the hacker just has your password somehow, 2FA can help. If they have malware on your machine, 2FA won't necessarily stop them. They can just wait for you to log in with your 2FA and then have their way with your account.
There is only one solution. It's called KeePass.
keepass.info
There is malware that targets KeePass so even it is not secure unless you keep it on a separate computer that isn't ever connected to a network.
Checked my post log and there is nothing there. Password has been changed, strange???
The fake wallet posted using madmartyk’s account is NetWire RAT. It connects to jenny15.no-ip .biz on port 3360. madmartyk - your account has been used twice before to do this:
https://bitcointalk.org/index.php?topic=459622.msg5344227#msg5344227
https://bitcointalk.org/index.php?topic=475160.msg5320506#msg5320506
If you really aren’t posting these links to fake wallets that turn out to be RATs, I would advise you to check netstat -an and look for suspicious connections on port 3360. If you don't find any, you're probably still infected, but you'll need to look harder. Once you confirm, reformat your machine and reinstall Windows, and change all your passwords everywhere.
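Added example, not code from any poster in this thread: a small parser over Windows-style netstat -an output that flags the indicators named in the posts above, the RAT's port 3360 from this post and the 23.239.111.68:12730 exfiltration endpoint from the earlier wallet-stealer post. The netstat sample embedded below is constructed for the example; the watch list is the one place to extend for your own indicators.

```python
import re
from typing import List, Optional

# Indicators taken from the posts: the RAT's C2 port and the wallet-stealer's
# exfiltration endpoint. Extend these sets with your own watch list.
WATCH_PORTS = {3360, 12730}
WATCH_IPS = {"23.239.111.68"}

# Constructed sample of Windows `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     93.184.216.34:443      ESTABLISHED
  TCP    192.168.1.20:49815     203.0.113.7:3360       ESTABLISHED
  TCP    192.168.1.20:49900     23.239.111.68:12730    SYN_SENT
  UDP    0.0.0.0:5355           *:*
"""

# One table row: proto, local addr:port, foreign addr:port, optional state.
# UDP rows show "*:*" for the foreign side, hence the "\*" alternatives.
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$"
)


def _port(s: str) -> Optional[int]:
    return int(s) if s.isdigit() else None


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per socket row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto,
            "laddr": laddr, "lport": _port(lport),
            "raddr": raddr, "rport": _port(rport),
            "state": state,
        })
    return rows


def find_suspicious(rows: List[dict]) -> List[dict]:
    """Rows whose remote endpoint, or local port, matches the watch list.

    The local port is checked too so a listener bound to a watched port
    (e.g. waiting for an inbound connection) is reported as well.
    """
    return [
        r for r in rows
        if r["rport"] in WATCH_PORTS
        or r["lport"] in WATCH_PORTS
        or r["raddr"] in WATCH_IPS
    ]


if __name__ == "__main__":
    # Replace SAMPLE_NETSTAT with sys.stdin.read() to run on live output.
    for hit in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"suspicious: {hit['proto']} {hit['laddr']}:{hit['lport']} -> "
              f"{hit['raddr']}:{hit['rport']} {hit['state'] or ''}")
```

As the post says, an empty result does not mean the machine is clean: a RAT that is idle at the moment has no socket open, and since the C2 host is a dynamic no-ip name its address can change, so the port and hostname are the more durable indicators than any one IP.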
I believe the Vert wallet I got is hacked. The balance shown in the wallet is different from the published blockchain.
The wallet reported less than the actual amount for the sake of sending out units to a secret address not shown in the wallet but showing in the blockchain.
You're not hacked. Read up on change addresses. https://en.bitcoin.it/wiki/Change
The Adwind/UNRECOM RAT in question connects to khaleeel.no-ip.info (currently resolves to 82.205.115.201, a Palestinian IP).
I feel like such an idiot. Anyway, the above program has been promoted in bitcoin chat rooms/channels and some websites. If you downloaded it, assume you have a remote backdoor and keylogger on your system. Remove it with an anti-malware program.
Where was the original file downloaded from? I'd like to analyze it.
Does VirusTotal detect most viruses and trojans?
Not at first if it's a newly developed family or packer. After a time, you'll get some detection from some of the AV engines used by VirusTotal. Of course, the malware author can tweak the file until it's no longer detected, and the game starts all over again.
I'm a little unclear on what vulnerability was exploited to gain access to your wallet. Please keep us updated with details as you uncover them, you never know what might lead to the perp. The notable IP above appears to be a VPN endpoint for perfect-privacy.org, so it's probably not going to be much help.
Learn how to hack BTC wallets.... It is legit if you learn how... I'm curious, where did you grow up, that stealing is considered "legit"? District of Columbia? Or possibly Nigeria. Apparently he's from Croatia. lol, where did you find that info? Here, among other places: https://bitcointalk.org/index.php?topic=25215.msg5034826#msg5034826
Learn how to hack BTC wallets.... It is legit if you learn how... I'm curious, where did you grow up, that stealing is considered "legit"? District of Columbia? Or possibly Nigeria. Apparently he's from Croatia.
Learn how to hack BTC wallets.... It is legit if you learn how... I'm curious, where did you grow up, that stealing is considered "legit"?
I don't see a display; how does the user verify the transaction details haven't been modified by malware before signing the transaction?
You submit the transaction to the dongle, then remove it, then insert it again into the same computer and a different application (e.g. the Windows login screen) or another device supporting HID keyboards, depending on how much you fear being compromised. The dongle types (as a keyboard) a summary of the transaction and a unique PIN code. Finally you plug it back into the original computer (or just remove it / plug it back again) and type this PIN code to validate the transaction. And it's easier than it sounds.
Ah, clever. I'll buy one when they are available. Seems like you could use a modified version of this to verify transactions/account changes on an exchange or mining pool.
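A model of the confirmation flow described in this exchange, added here as an example; it is not the dongle's firmware or its real protocol. Assumptions: the device holds a secret key, derives a six-digit PIN with HMAC-SHA256 over the exact transaction bytes plus a per-submission nonce, and an HMAC stands in for the real signature. It also illustrates the end-to-end check asked for in the earlier 2-factor post: the PIN the user types releases a signature only over the transaction whose summary they read off the second application or device, so a transaction swapped by malware on the host shows up as a summary the user will not confirm, and a PIN captured by a keylogger does not carry over to a different transaction.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple


def canonical(tx: dict) -> bytes:
    # Deterministic encoding so the PIN binds to exactly one set of bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


class Dongle:
    """Display-less signing device; it 'types' its summary over HID instead."""

    def __init__(self, device_key: bytes):
        self._key = device_key                       # never leaves the device
        self._pending: Optional[Tuple[bytes, bytes]] = None

    def submit(self, tx: dict) -> None:
        # Step 1: the (possibly compromised) host hands over a transaction.
        # A fresh nonce per submission makes every PIN single-use.
        self._pending = (canonical(tx), secrets.token_bytes(8))

    def _pin(self) -> str:
        tx_bytes, nonce = self._pending
        mac = hmac.new(self._key, nonce + tx_bytes, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def type_summary(self) -> Tuple[str, str]:
        # Step 2: replugged into another app/device, the dongle types what it
        # will actually sign, plus the PIN bound to those bytes.
        tx = json.loads(self._pending[0])
        return f"PAY {tx['amount']} TO {tx['to']}", self._pin()

    def sign(self, pin: str) -> Optional[bytes]:
        # Step 3: back on the original host the PIN releases a signature over
        # the pending bytes only. Wrong, stale or replayed PINs yield nothing.
        if self._pending is None or not hmac.compare_digest(pin, self._pin()):
            return None
        tx_bytes, _ = self._pending
        self._pending = None
        # Hypothetical stand-in for a real signature (e.g. ECDSA).
        return hmac.new(self._key, b"sign|" + tx_bytes, hashlib.sha256).digest()


def user_confirms(summary: str, intended: dict) -> bool:
    # The human step: compare the typed summary with what they meant to send.
    return summary == f"PAY {intended['amount']} TO {intended['to']}"


def run_flow(dongle: Dongle, intended: dict, host_submits: dict) -> Optional[bytes]:
    """Whole round trip. host_submits is what the host really sends the dongle."""
    dongle.submit(host_submits)
    summary, pin = dongle.type_summary()
    if not user_confirms(summary, intended):
        return None            # user refuses to type the PIN
    return dongle.sign(pin)


# Constructed sample key and transactions.
KEY = b"example-device-key"
INTENDED = {"to": "addr_alice", "amount": 0.5}
TAMPERED = {"to": "addr_thief", "amount": 0.5}   # what host malware would swap in

if __name__ == "__main__":
    d = Dongle(KEY)
    print("honest host  ->", run_flow(d, INTENDED, INTENDED) is not None)
    print("tampered host->", run_flow(d, INTENDED, TAMPERED) is not None)
```

The security of the flow rests on the second step running somewhere the host malware cannot rewrite what the user sees, which is why the post suggests the login screen or a separate HID-capable device; the PIN itself is only a binding token, not a secret worth protecting after it has been used once.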
I don't see a display; how does the user verify the transaction details haven't been modified by malware before signing the transaction?