Bitcoin Forum
Author Topic: [WARNING] Malicious Armory Website Clone Found  (Read 2009 times)
etotheipi (OP)
Legendary
Core Armory Developer
November 19, 2013, 05:32:59 PM
#1

Please only download Armory Bitcoin Wallet from https://bitcoinarmory.com

We have identified a clone website which provides malicious download links for our software. All software and communications by Armory Technologies, Inc, will happen via the domain bitcoinarmory.com. There are no other domains under which we operate! We use the following [offline] GPG key to sign all software releases, and sign all employees' GPG keys:

Armory "Offline Signing Key": 0x98832223

(please do not use this key for encrypting email to us -- only for authenticating software and employees!)

Armory is a tool for advanced users, holding serious quantities of money -- please make sure you download the correct version and verify hashes & signatures before installing it! There are instructions at the bottom of our downloads page that describe how to verify the signatures in Linux. Windows is a bit harder, but possible if you install gpg4win and verify the SHA256 hashes file.

P.S. - I am not posting the link to the malicious site here, because it's unnecessary and I'd prefer people only be exposed to the good domain.  If you have a reason for it (such as doing a security investigation), please contact me.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
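The post tells users to verify hashes and signatures before installing. The script below is an added example of that check, not Armory's own tooling: it assumes the release ships a `sha256sum`-format hashes file with a detached GPG signature and that `gpg` is on PATH (gpg4win provides it on Windows). The file names, the sample hashes file and the sample `gpg --status-fd` output are constructed for illustration; the long key ID in them is a placeholder, and the only identifier taken from the post is the short key ID 0x98832223.

```python
"""Check a downloaded release against a signed SHA256 hashes file.

Added example of the verification the post asks users to do; it is not
Armory's own tooling. It assumes the release ships a hashes file in
`sha256sum` format plus a detached GPG signature for it, and that `gpg` is on
PATH (gpg4win provides it on Windows). File names, the sample hashes file and
the sample gpg status output below are constructed for illustration.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# Short key ID from the post. A short ID is only 32 bits and can be collided,
# so pin the full fingerprint obtained out of band before trusting a key.
ARMORY_SIGNING_KEY_SHORT_ID = "98832223"

# Constructed sha256sum-format hashes file (the .exe entry is the hash of b"abc",
# the .deb entry the hash of the empty file).
SAMPLE_HASHES_TEXT = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  armory-installer-EXAMPLE.exe
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  armory-EXAMPLE-amd64.deb
"""

# Constructed `gpg --status-fd 1 --verify` output; the long key ID is a placeholder.
SAMPLE_GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000098832223 Placeholder Signing Key <placeholder@example.invalid>
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
SAMPLE_BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000098832223 Placeholder Signing Key <placeholder@example.invalid>
"""


def parse_sha256sum_file(text: str) -> dict:
    """Parse "<64 hex>  <filename>" lines into {filename: lowercase hex}."""
    hashes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(.+)", line)
        if m is None:
            raise ValueError(f"malformed hashes line: {line!r}")
        hashes[m.group(2)] = m.group(1).lower()
    return hashes


def verify_download_bytes(name: str, data: bytes, hashes_text: str) -> bool:
    """True only if `data` hashes to the entry listed for `name`; unlisted files fail."""
    expected = parse_sha256sum_file(hashes_text).get(name)
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected


def verify_download(installer: Path, hashes_text: str) -> bool:
    """File-based wrapper around verify_download_bytes."""
    return verify_download_bytes(installer.name, installer.read_bytes(), hashes_text)


def signature_is_good(status_output: str, expected_short_id: str) -> bool:
    """Interpret gpg's machine-readable status lines.

    `[GNUPG:] GOODSIG <long key id> <user id>` means the signature verified
    with a key in the keyring; BADSIG means the hashes file was altered.
    The long key ID ends with the 8-hex short ID quoted in the post.
    """
    if re.search(r"^\[GNUPG:\] BADSIG ", status_output, re.M):
        return False
    good = re.search(r"^\[GNUPG:\] GOODSIG ([0-9A-Fa-f]+) ", status_output, re.M)
    return good is not None and good.group(1).upper().endswith(expected_short_id.upper())


def verify_hashes_file_signature(hashes_file: Path, sig_file: Path) -> bool:
    """Run gpg on the detached signature; the signing key must already be imported."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(sig_file), str(hashes_file)],
        capture_output=True, text=True, check=False,
    )
    return signature_is_good(proc.stdout, ARMORY_SIGNING_KEY_SHORT_ID)


if __name__ == "__main__":
    # Offline demo on the constructed samples; with real files, verify the
    # signature first and only then compare the installer's hash.
    print("signature ok:", signature_is_good(SAMPLE_GOOD_STATUS, ARMORY_SIGNING_KEY_SHORT_ID))
    print("installer ok:", verify_download_bytes("armory-installer-EXAMPLE.exe", b"abc", SAMPLE_HASHES_TEXT))
```

The order matters: the hashes file is only meaningful after its signature has verified, since a clone site can publish matching hashes for its own installers just as easily as the installers themselves. The key itself should be imported from a source independent of the download site and its full fingerprint compared, because the 8-hex short ID is the only thing the post gives and short IDs can be forged.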
etotheipi (OP)
Legendary
Core Armory Developer
November 20, 2013, 05:57:34 AM
#2

Amazing!  I didn't think it would be this easy!  We were told this would be difficult to deal with, but apparently it doesn't have to be hard.

Our email:

Quote
To:  abuse@internet.bs
Subject:  Suspend Service/Takedown Notice: Trademark Violation

Good afternoon,

The website "www.btcarmory.org" is currently a registered domain of internet.bs.

I'm writing to issue a Suspend Service and Takedown notification for (www.btcarmory.org) that is in violation of Trademark law.  These individuals have cloned the website listed at www.bitcoinarmory.com and are using it illegally.  I have attached a copy of the original www.bitcoinarmory.com website.  We're requesting immediate revocation and takedown action at this time.  Please acknowledge receipt of this correspondence and advise with any questions.  Thank You.

Reply:
Quote
Dear Armory Technologies, Inc.,

We have suspended it.

Best regards,
--
Internet.bs Corp. - Support Team
ICANN Registrar
http://www.INTERNET.bs

The malicious website is already offline.  I wonder if they will attempt to fight the suspension...

Mike Christ
aka snapsunny
Legendary
November 20, 2013, 06:13:21 AM
#3

I was wondering why there were two websites for armory; I guess I got lucky!

etotheipi (OP)
Legendary
Core Armory Developer
November 23, 2013, 11:11:26 PM
#4

So the btcarmory.org has been suspended and is empty.  However I was able to pull off the "installers" using a VM before it was taken down, and currently have them in a tar archive waiting for... something!  Anyone have recommendations for how to go about analyzing the executables and figuring out what they do?  I'm super interested to know how they decided to "attack" you.  Whether it was simple wallet stealing, some kind of trojan, or maybe even unrelated malware that does other things.

I know there's only so much you can do with a compiled binary, but I suspect there are people that know how to properly isolate and monitor the executable while it's running.  I'm envisioning low-level tracing of system calls, network accesses, disk accesses, etc, while running it in a VM. 

I'm not going to post the malware downloads publicly, but if someone has background to analyze them, or connections that do, I'll be happy to send them.  I have both a Windows .exe, and more interestingly (to me) a Linux/ELF "armoryamd64.out". 

Moebius327
Hero Member
November 23, 2013, 11:15:39 PM
#5

Quote from: etotheipi on November 23, 2013, 11:11:26 PM
So the btcarmory.org has been suspended and is empty.  However I was able to pull off the "installers" using a VM before it was taken down, and currently have them in a tar archive waiting for... something!  Anyone have recommendations for how to go about analyzing the executables and figuring out what they do?  I'm super interested to know how they decided to "attack" you.  Whether it was simple wallet stealing, some kind of trojan, or maybe even unrelated malware that does other things.

I know there's only so much you can do with a compiled binary, but I suspect there are people that know how to properly isolate and monitor the executable while it's running.  I'm envisioning low-level tracing of system calls, network accesses, disk accesses, etc, while running it in a VM.

I'm not going to post the malware downloads publicly, but if someone has background to analyze them, or connections that do, I'll be happy to send them.  I have both a Windows .exe, and more interestingly (to me) a Linux/ELF "armoryamd64.out".

I am interested at this as well.

BlackBison
Sr. Member
November 23, 2013, 11:17:25 PM
#6

Hi etotheipi,

Sorry to change the topic, but any news on when you are going to release the 'lighter' armory client that runs on lower spec (less RAM) pcs?

Keep up the excellent work.

Thanks.

etotheipi (OP)
Legendary
Core Armory Developer
November 23, 2013, 11:22:12 PM
#7

Quote from: BlackBison on November 23, 2013, 11:17:25 PM
Sorry to change the topic, but any news on when you are going to release the 'lighter' armory client that runs on lower spec (less RAM) pcs?

Keep up the excellent work.

The latest testing version is stable and already posted on the website.  Just a little bit more polishing and we'll have an official release next week for Windows and Linux (having serious issues with OSX, so that might be a bit longer).  If you want to know or discuss it any more, continue over at the RAM-Reduction Thread.

BlackBison
Sr. Member
November 23, 2013, 11:29:40 PM
#8

Brilliant, thanks a lot!

malevolent
can into space
Legendary
November 23, 2013, 11:54:19 PM
#9

Quote from: etotheipi on November 23, 2013, 11:11:26 PM
So the btcarmory.org has been suspended and is empty.  However I was able to pull off the "installers" using a VM before it was taken down, and currently have them in a tar archive waiting for... something!  Anyone have recommendations for how to go about analyzing the executables and figuring out what they do?  I'm super interested to know how they decided to "attack" you.  Whether it was simple wallet stealing, some kind of trojan, or maybe even unrelated malware that does other things.

I know there's only so much you can do with a compiled binary, but I suspect there are people that know how to properly isolate and monitor the executable while it's running.  I'm envisioning low-level tracing of system calls, network accesses, disk accesses, etc, while running it in a VM.

I'm not going to post the malware downloads publicly, but if someone has background to analyze them, or connections that do, I'll be happy to send them.  I have both a Windows .exe, and more interestingly (to me) a Linux/ELF "armoryamd64.out".

Remember that it might behave differently under a VM if the author of the malware foresaw people would want to find out how it works under the hood.

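Post #4 asks how to isolate the fake installers and trace their system calls, network and disk activity inside a VM, and post #9 adds that a sample may check whether it is running under a hypervisor and behave differently. The script below is an added example of the triage side of that approach, not code from either poster: it assumes the Linux sample was run in a throwaway VM as `strace -f -tt -o trace.log ./suspect.out` (a real strace invocation) and summarises the resulting log, flagging reads of VM-identifying files, reads of wallet directories, outbound connections that follow such reads, and writes to autostart locations. The trace lines, the `suspect.out` name, the `/home/user/...` paths and the 192.0.2.10 address are all constructed; the watched directory lists are placeholders the analyst adjusts for the wallet software in question.

```python
"""Triage an strace capture from a sandboxed run of an untrusted binary.

Added example of the "trace syscalls, network and disk access in a VM"
approach discussed in the thread; it is not code from the original posts.
It assumes the sample was run as `strace -f -tt -o trace.log ./suspect.out`
(a real strace invocation) and reads the resulting log. The trace lines,
paths and the 192.0.2.10 address below are constructed; the watched
directories are placeholders the analyst adjusts for the wallet software
under study.
"""
import re
from dataclasses import dataclass, field

# Directories whose reads matter for a "wallet stealer" hypothesis (placeholders).
WALLET_PATH_PREFIXES = ("/home/user/.armory/", "/home/user/.bitcoin/")
# Files a program reads to learn whether it is inside a VM; seeing these first
# supports the caveat that a sample may behave differently under a hypervisor.
VM_PROBE_PATHS = ("/sys/class/dmi/id/", "/proc/cpuinfo", "/proc/scsi/scsi")
# Writes here usually mean the program is arranging to be started again later.
PERSISTENCE_PREFIXES = ("/home/user/.config/autostart/", "/etc/cron", "/home/user/.bashrc")

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ts>\S+)\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+|\?)"
)
PATH_RE = re.compile(r'"([^"]*)"')
ADDR_RE = re.compile(r'htons\((\d+)\).*inet_addr\("([^"]+)"\)')

# Constructed strace -f -tt output; every path and address here is made up.
SAMPLE_TRACE = """\
4242  12:00:01.000101 execve("./suspect.out", ["./suspect.out"], 0x7ffc0000 /* 12 vars */) = 0
4242  12:00:01.000202 openat(AT_FDCWD, "/sys/class/dmi/id/product_name", O_RDONLY) = 3
4242  12:00:01.000303 read(3, "Standard PC (i440FX + PIIX, 1996)\\n", 4096) = 34
4242  12:00:01.000404 openat(AT_FDCWD, "/home/user/.armory/wallet_EXAMPLE.wallet", O_RDONLY) = 4
4242  12:00:01.000505 openat(AT_FDCWD, "/home/user/.missing", O_RDONLY) = -1 ENOENT (No such file or directory)
4242  12:00:01.000606 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
4242  12:00:01.000707 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
4242  12:00:01.000808 openat(AT_FDCWD, "/home/user/.config/autostart/updater.desktop", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 6
"""


@dataclass
class TraceReport:
    execs: list = field(default_factory=list)     # programs executed
    reads: list = field(default_factory=list)     # files opened read-only
    writes: list = field(default_factory=list)    # files opened for writing/creation
    connects: list = field(default_factory=list)  # "ip:port" of successful connect()
    findings: list = field(default_factory=list)  # human-readable triage notes, in order


def parse_trace(text: str) -> TraceReport:
    """Summarise successful execve/open/openat/connect calls and flag patterns."""
    report = TraceReport()
    wallet_read_seen = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            continue  # "<unfinished ...>" / "resumed>" fragments, signals, exit lines
        call, args, ret = m["call"], m["args"], m["ret"]
        if ret.startswith("-"):
            continue  # failed call; keep the triage to what actually happened
        if call == "execve":
            report.execs.append(PATH_RE.search(args).group(1))
        elif call in ("open", "openat"):
            path = PATH_RE.search(args).group(1)
            writing = any(flag in args for flag in ("O_WRONLY", "O_RDWR", "O_CREAT"))
            (report.writes if writing else report.reads).append(path)
            if not writing and path.startswith(VM_PROBE_PATHS):
                report.findings.append(f"environment probe: read {path}")
            if not writing and path.startswith(WALLET_PATH_PREFIXES):
                wallet_read_seen = True
                report.findings.append(f"wallet data read: {path}")
            if writing and path.startswith(PERSISTENCE_PREFIXES):
                report.findings.append(f"persistence write: {path}")
        elif call == "connect":
            a = ADDR_RE.search(args)
            if a is not None:
                dest = f"{a.group(2)}:{a.group(1)}"
                report.connects.append(dest)
                if wallet_read_seen:
                    report.findings.append(f"possible exfiltration: connect to {dest} after wallet read")
    return report


if __name__ == "__main__":
    for note in parse_trace(SAMPLE_TRACE).findings:
        print(note)
```

Run it on a real capture from an isolated VM whose network is either disconnected or routed to a sink so that the `connect()` destinations are recorded without reaching anything. An "environment probe" finding early in the trace, followed by very little else, is the signature of the behaviour post #9 warns about: the sample noticed the hypervisor and chose not to act, so an empty trace is not evidence that the binary is harmless.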