Bitcoin Forum
Topic: Fake MultiBit sites and scams appearing. Download only from https://multibit.org
jim618 (OP)
April 26, 2013, 08:29:15 AM
 #1

In the last 24 hours fake MultiBit sites have started appearing.
There was also a scam posting on r/bitcoin (now deleted).

Download MultiBit only from https://multibit.org

The scam site:
+ is a name squat, i.e. slightly different letters.
+ is using http only (the real multibit.org is https).
+ is advertising with Google ads. MultiBit does not use Google ads. Any ad you see is a scam.

I will post a bit later on how exactly you can check your binaries - they are all PGP signed.
I won't post the scam site URL but if you are interested in doing forensics on them just message me.

MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
jim618 (OP)
April 26, 2013, 02:15:42 PM
Last edit: April 26, 2013, 03:47:20 PM by jim618
 #2

The fake MultiBit site gives links to an exe and jar that are repackaged MultiBit installers.

When you run the fake MultiBit that is installed it runs wallet stealing code. It attempts to spend your balance to an address it gets from a command-and-control server. This would definitely succeed for unencrypted wallets.

There may well be similar modifications to send after you decrypt an encrypted wallet (i.e. you have entered your password). I have not spotted the actual code that does this in the malware but I would be surprised if it was not there.

Only install MultiBit from code that you have downloaded from https://multibit.org


Mike Hearn
April 26, 2013, 04:56:21 PM
 #3

Wallet encryption is very new. It may be that this code was written before it became available.

Still, there's not much you can do against trojaned wallets - it's like any other kind of malware. Moving the core to Trezor is the only way, long term.
da2ce7
April 27, 2013, 11:36:49 AM
 #4

If you post the SHA256 hash of your new releases on the forum, that is far more trivial to check than PGP. (Of course your forum account could be attacked, however at least it is one more step for an attacker to take.)

One off NP-Hard.
jim618 (OP)
April 27, 2013, 01:12:27 PM
 #5

SHA256 hashes are easier to check but don't give identity information.
To check the PGP is straightforward, it is just:

> gpg --verify <filename>.asc

I don't really trust bitcointalk for anything sensitive and a SHA256 on the website is a false friend because an attacker can create them easily.

I'd rather people got into the habit of checking the PGP. SHA256 is a good check for file integrity but no good to check where it has come from.

da2ce7
April 27, 2013, 02:29:08 PM
 #6

For my releases of OT for Windows, I included both in my post:

https://bitcointalk.org/index.php?topic=77301.0

jim618 (OP)
April 27, 2013, 03:02:46 PM
 #7

Yes I think having both is the best idea.

Looking at the downloads of the asc files it is less than 1% of downloads of the corresponding binary.
Including SHA256 hashes somewhere separate to the site gives people another opportunity to crosscheck.

I'll start posting the SHA256 hashes in the bitcointalk release post. The sigs can stay on the website - no point making work for myself.

MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
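
The two checks discussed in posts #5 to #7, combined into one script as an added example (not code from any poster or from MultiBit). It goes one step beyond a bare `gpg --verify` by requiring that the good signature comes from a fingerprint you pinned beforehand, since a repackaged installer can ship with a valid signature from someone else's key. The pinned fingerprint and expected hash are assumed to have been obtained out of band; no such values appear in the thread.

```shell
#!/bin/sh
# Added example, not MultiBit's own tooling. The pinned fingerprint and the
# expected hash are values you obtained out of band; none come from the thread.
# Assumes GnuPG and coreutils sha256sum are installed.

# Integrity: succeed only if FILE hashes to EXPECTED (hex, any case).
check_sha256() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Identity: read `gpg --status-fd` output on stdin and succeed only if it
# reports a good signature whose primary-key fingerprint equals the pinned one.
# A good signature from any other key, or one from an expired or revoked key
# (EXPKEYSIG / REVKEYSIG instead of GOODSIG), fails.
signed_by() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "NEWSIG"   { good = 0 }
        $2 ~ /^(EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG)$/ { good = 0 }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && good {
            # Field 12 is the primary-key fingerprint; older gpg omits it.
            fpr = (NF >= 12 ? $12 : $3) ""   # "" forces string comparison
            if (fpr == (want "")) ok = 1
        }
        END { exit !ok }'
}

# verify_download FILE SIG PINNED_FPR EXPECTED_SHA256
verify_download() {
    check_sha256 "$1" "$4" || { echo "SHA-256 mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by "$3" ||
        { echo "no good signature from pinned key: $1" >&2; return 1; }
    echo "OK: $1"
}
```
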
melon
July 20, 2013, 10:06:48 AM
 #8

Just downloaded 5.12 and my scanning software immediately detected Trojan:JS/Seedabutor.B... can't remember if it was on the secure channel or not... Kaspersky has a different naming convention, listed as a redirector... acted as if trying to redirect multiple browser windows and opening multiple inbound connections, but I'm no wiz on this stuff.

Once was a man his name was Jed..had a lot of hair but it wasn't on his head !
jim618 (OP)
July 20, 2013, 11:37:04 AM
 #9

If you go to the https://multibit.org site (by typing the site name explicitly) and download the installer, do you have the same problem?

Also, is that for Windows, Mac or Linux?

jim618 (OP)
July 20, 2013, 11:40:21 AM
 #10

Also have a read of:
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Seedabutor.B

melon
July 20, 2013, 04:58:00 PM
 #11

Windows... I'll try directly from your secure link later and let ya know.
