XXXNEWCOIN TROJAN

[jubalix]

At what point will someone relaase as "new coin" that is easily mined, but contains a trojan/virii of some sort that get you keys if not air gaped, or does something to your control of you computer....


eg...terracoins? has anyone even looked at he source code??

people just install this stuff hopign to get lots of coins early....



its going to happen at some point

[Mike Christ]

I keep thinking the same.  But I'm more worried a BTC client will have a backdoor.  Always use open source

[jubalix]

I keep thinking the same.  But I'm more worried a BTC client will have a backdoor.  Always use open source

are there enough people checking the open source though, i mean bitcoin qt yeah

but what about multibit (think probably)

terracoin nope I doubt it

setting a mining right up is one thing, but being a good programmer is another

being a good C++/Java programmer with crypto background to really take the time to look at the code, very few people here.

hmmm.....terra coin website screams doggey to me.

(disclosure I purchased a few 100 TC on VIR)

so I am talking myself down here

[Severian]

Or a fake wallet.

sourceforge.net/projects/bitboom/

I'm glad to see 0 downloads anyway.

[jubalix]

Or a fake wallet.

sourceforge.net/projects/bitboom/

I'm glad to see 0 downloads anyway.

wow yeah!!!!

[Nicolai]

Bitboom:

Virustotal analysis:
 * Detection ratio: 7 / 43

Sandbox analysis:
 * Create auto-startup entry (so it run every time you start your computer)
 * Connects to bekiap3332424.sytes.net (85.107.169.23 = TurkTelecom) port 1604 (this is the malwares C&C)

Reverse Engineering:
 * Program has two embed resources: windows.rtf ("buffer") and windows1.rtf ("rawAssembly") which is copied to memory and the decompressed (this is a common trick to avoid AV detection)

This is clearly malware

[Offthechain]

Nice detective work there!

[Nicolai]

Small update regarding "Bitboom"

Decompiling shows the malware is: "DarkComet" which has been 'cryptet' with some crappy C# "crypter" two times.

I have submittet all samples to virustotal (so all AV-companys can add detection to this malware)

If anyone have the time/desire, then please contact TurkTelecom and tell them that the IP "85.107.169.23" spread malware.
Also please help me getting this malware removed from sourceforge, by using the Report Abuse function: https://sourceforge.net/projects/bitboom/report_inappropriate

The malware was uploaded to SF by someone called "iakovl". Googling this name and you find a similar stackoverflow profile, looking at the questions he have made, and you'll see that his a C# developer: http://stackoverflow.com/users/501160/iakovl?tab=questions (just like the "wrapper" of the malware was written in).

Feel free to (ab)use this info. See below, however the TurkTelecom IP is most likely some random hacked computer in Turkey.

[Severian]

You are awesome, Nicolai. Thanks.

[dust]

I'm surprised that no one has released an altcoin with malware in the binaries, but clean source on github.  I always build altcoins from source, and perform a quick audit of the commits on top of bitcoin to check if there is anything fishy.

[jubalix]

I'm surprised that no one has released an altcoin with malware in the binaries, but clean source on github.  I always build altcoins from source, and perform a quick audit of the commits on top of bitcoin to check if there is anything fishy.

we probably should have some sort of pure bin. file checker or something

[iakovl]

Small update regarding "Bitboom"

Feel free to (ab)use this info.

thank you for accusing me and doing a hell of a job framing someone

the ip is TurkTelecom... i on the other hand am from israel, not the same area in the world
i do develop C# a bit (see the QA on stackoverflow, not on the level of making malware)
would really appreciate if you remove the links and my name...

i don't use bitcoin, nor do am i involved in anything like "this" so be kind and don't point fingers on people with your crap "detective" work
ip = TurkTelecom, my stackoverflow profile = israel... not to hard to know the two apart