Bitcoin Forum
Author Topic: YaCoin Investigation  (Read 5353 times)
VelvetLeaf (OP)
Member
Activity: 98
Merit: 10
May 11, 2013, 02:44:46 PM
Last edit: May 11, 2013, 03:53:59 PM by VelvetLeaf
 #1

Claim
There are reports from various people that YACoin has a built-in wallet stealer.

What you can do
It's a common feature for malware to activate its main task on a random date, and to add a mark to the computer so it doesn't do the same thing twice (like uploading the stolen wallet.dat again after your wallet has already been uploaded; it's a waste of resources).
Since you can't be too safe, if you have run YACoin's client or a modified minerd.exe and don't encrypt your wallet, make sure you install Bitcoin on another clean computer and send your bitcoins there.
Make sure you password-protect your wallet on that new computer.

Does YACoin really have a malware module in it?
Who knows; it's possible that it's a joke, someone wanting to drop YAC's price on the order book.
Or it's the real deal. The attackers want people to believe that all of the various malware reports that we are receiving now are a joke, so that further reports will be ignored once the real attack is launched.
Hence, the investigation.

Investigation
I'll list what I found here :

List of YACoin related binary

yacoin-qt-2013-05-08.zip (yacoin's main client, uploaded during YACoin launch)
https://mega.co.nz/#!UowEmZYS!AAK7DVwYoTqy96oTRzUaLCS0UMsAfosJiRQmBn1jzcA
Detection ratio : 0 / 46 https://www.virustotal.com/en/file/7381b3ea8e872d860cf8279b98cb74a01cd21ecebaa1af7e537a040b6c5ad1e7/analysis/1368286925/

yacoin-qt-2013-05-09.zip (yacoin's main client, updated binary)
https://mega.co.nz/#!5wgDnKyZ!QLfWTXNRMRTwmb60rfpuFgzH48BCl4fpwb8paeAaqRs
Detection ratio : 0 / 46 https://www.virustotal.com/en/file/8c1b9dcc90e163a357b3861c10d8cec67c351a928e0b5e1e0dcf74d65d4a4b76/analysis/

cpuminer-scrypt-jane-win32.zip (modified minerd to mine yacoin on multiple computers)
hxxp://mega.co.nz/#!IJRziTBD!ZCAKGC7fqYkyXsEDi9GB1RYiqIUqj2S9bEm6UI2y1no
Detection ratio : 6 / 46 https://www.virustotal.com/en/file/2b7e630cfb2d173eb14e4dd88a7879527f5c52cbc77ace0c0742942aad46faec/analysis/1368286565/

"antivirus friendly" version of minerd (don't download this, very suspicious)
hxxp://mega.co.nz/#!shoxkb5b!DjiCAQBQ627TaW0oet1C7mvqM7Q2-2u-g4kDRHbniU4
From : https://bitcointalk.org/index.php?topic=201050.0
Detection ratio : 16 / 46 https://www.virustotal.com/en/file/0ffa2116bf1027019ad94e9bf8e2340be427d6efbc9563e185096cf8550b4c3a/analysis/1368287421/

minerd_scrypt_jane.ZIP (another modified minerd to mine yacoin on multiple computers)
https://mega.co.nz/#!pUMBkbbY!cMJYcFqPCMr1idZBr30VsFw0tLY7y63J0N4RVNYMUBc
Detection ratio : 0 / 46 https://www.virustotal.com/en/file/01a79a608d33d1db4eb9382db029e89e581f6e0017ddb566e7826b45370596fd/analysis/

All investigation should be done in a clean virtual machine; otherwise it's useless, since it's possible that your computer is already marked and the malware won't run the wallet-stealing routine twice.

"Victim" List - Alternate cryptocurrency section

FreeTibet / Jr. Member / Posts: 11 / DO NOT DOWNLOAD YACOIN - SENDS WALLET.DAT TO http://bitcoin-ticker.netne.net/u.p
Don't download yacoin Windows binary.. it sends your bitcoin wallet.dat to this page: http://bitcoin-ticker.netne.net/u.php

I observed it with Fiddler. Stay safe, compile the code yourself!

Lewies Man / Jr Member / Posts: 45 / 2.374 bitcoins stolen after downloading yacoin
2.374 bitcoins stolen .. anyone can help?? the last thing I did on this computer was install yacoin..

i didn't have passphrase set but i do have now. yacoin has virus? stole my coins


Brewins / Jr. Member / Posts: 69 / Yacoin developer stole more than 256 BTC!

D35TR0Y3R / Full Member / Posts: 108 / WARNING: YACOIN HAS A VIRUS BITCOIN STEALER
I HAVE LOST MY BITCOINS, THEY HAVE BEEN SENT TO https://blockchain.info/address/1RPrtamTACe1TcqkX2FmWVtRzmQJ6CfRx

UNINSTALL AND DON'T RUN YACOIN

nocompare / Jr. Member / Posts: 14 / yacoin developers are a bunch of crooks, steals 900 BTC
https://blockchain.info/address/1RPrtamTACe1TcqkX2FmWVtRzmQJ6CfRx

I am quitting bitcoin.. Lost bitcoin in bitcoin 24.. lost bitcoin in blockbet.. NOW SOMEONE HACKED MY WALLET

"Victim List" - Newbie section

moneytronics / Posts: 1 / YACOIN STEALS YOUR WALLET DO NOT USE
BITCOINS GONE!

TX ID 11b3704b041ebfc8772f43116b69dc70345f1a6c4a873774e6d087a5f6e6691d

DO NOT USE

jebwizoscar /  Posts: 5 / yacoin trojan
yacoin is sending my coins

danieljoseph /  Posts: 1 / yacoin stole my 14.25 btc
What do I do now? I downloaded Yacoin which had a wallet stealer in it. Can I get my coins back? Should I file a police report?

SquishySquish /  Posts: 6 / bitcoin sent from my wallet?
my bitcoins have been sent from my wallet

is it the alt coins I downloaded?

netne.net Whois

Quote
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: NETNE.NET
Created on: 19-Mar-09
Expires on: 19-Mar-14
Last Updated on: 20-Mar-13

Registrant:
Hostinger International Ltd.

61 Lordou Vyronos
Larnaca, 6023
Cyprus

Administrative Contact:
Kyriako, Kyriakos hostmaster@hostinger.com
Hostinger International Ltd.
61 Lordou Vyronos
Larnaca, 6023
Cyprus
+357.24030130

Technical Contact:
Kyriakos, Kyriako abuse@main-hosting.com
Hostinger International Ltd.
61 Lordou Vyronos
Larnaca, 6023
Cyprus
+357.24030130

Domain servers in listed order:
NS1.000WEBHOST.COM
NS2.000WEBHOST.COM


Registry Status: clientDeleteProhibited
Registry Status: clientRenewProhibited
Registry Status: clientTransferProhibited
Registry Status: clientUpdateProhibited

If you find this is helpful, any donation would be welcome :
YAcj1cSecVtCZkPpcPnb2raXdJfb3vzine

BTC : 1GN81dxzxyFPQsyAtdocXr5S9Mcg4wcfFG
LTC : LgmYvXsYXc4xdjsMKXJWqtagxVvioK6iaw
FC : 6dpSnKMtttUUYzaRu1EB7Lu18PBRVHU3V7
Fernandez
Legendary
Activity: 1008
Merit: 1000
May 11, 2013, 02:47:11 PM
 #2

cpuminer-scrypt-jane-win32.zip
https://mega.co.nz/#!IJRziTBD!ZCAKGC7fqYkyXsEDi9GB1RYiqIUqj2S9bEm6UI2y1no

If there is indeed a scam my money is on this.

Where can we place bets?

skull88
Hero Member
Activity: 683
Merit: 500
May 11, 2013, 02:52:05 PM
 #3

I tried these and they look clean:

yacoin-qt-2013-05-09.zip
https://mega.co.nz/#!5wgDnKyZ!QLfWTXNRMRTwmb60rfpuFgzH48BCl4fpwb8paeAaqRs

minerd_scrypt_jane.ZIP
https://mega.co.nz/#!pUMBkbbY!cMJYcFqPCMr1idZBr30VsFw0tLY7y63J0N4RVNYMUBc


Installed yesterday on a Windows PC to test; had an unencrypted old bitcoin wallet on it with a small amount of bitcoins; no suspicious activity.

seleme
Legendary
Activity: 2772
Merit: 1028
May 11, 2013, 02:54:35 PM
 #4

I don't think there is even a need for this. To be honest, the first few posts made me a bit worried, as I hold a nice amount of YAC, but come on, what sane man would believe this after 5 people reported it while hundreds or thousands of them have it on their PCs...

It's a lame, lame attempt from some lowlifes, maybe even coming from one or at most two persons, as the posting style and English were pretty similar: a line of fuck offs, a line of scam, a line of steals, a line of caps lock, coupled with an artificial and fake "buying 300k of other alt" thread.

alex_fun
Full Member
Activity: 196
Merit: 100
May 11, 2013, 02:56:52 PM
 #5

Yes, it's simply FUD. I use the official QT and it's all fine.

syn999
Full Member
Activity: 196
Merit: 100
May 11, 2013, 02:57:56 PM
 #6

Quote from: seleme on May 11, 2013, 02:54:35 PM
    I don't think there is even a need for this. To be honest, the first few posts made me a bit worried, as I hold a nice amount of YAC, but come on, what sane man would believe this after 5 people reported it while hundreds or thousands of them have it on their PCs...

    It's a lame, lame attempt from some lowlifes, maybe even coming from one or at most two persons, as the posting style and English were pretty similar: a line of fuck offs, a line of scam, a line of steals, a line of caps lock.

It could cause everyone to panic and sell theirs at a lower price.

Kruncha
Sr. Member
Activity: 644
Merit: 250
May 11, 2013, 02:59:08 PM
 #7

You missed a binary in your investigation, the minerd 64bit one https://bitcointalk.org/index.php?topic=201027.0

K.
anonynonanony
Newbie
Activity: 28
Merit: 0
May 11, 2013, 02:59:18 PM
 #8

If I were a betting man, I'd put my money on the oversized "antivirus free" minerd.
seleme
Legendary
Activity: 2772
Merit: 1028
May 11, 2013, 03:01:14 PM
 #9

Quote from: syn999 on May 11, 2013, 02:57:56 PM
    Quote from: seleme on May 11, 2013, 02:54:35 PM
        I don't think there is even a need for this. To be honest, the first few posts made me a bit worried, as I hold a nice amount of YAC, but come on, what sane man would believe this after 5 people reported it while hundreds or thousands of them have it on their PCs...

        It's a lame, lame attempt from some lowlifes, maybe even coming from one or at most two persons, as the posting style and English were pretty similar: a line of fuck offs, a line of scam, a line of steals, a line of caps lock.

    It could cause everyone to panic and sell theirs at a lower price.

That, or to promote other coin(s), with royalcoin first on my suspect list (nothing against the coin, an alt is an alt, but the people).

It was a pretty stupid attempt, to be honest, executed very amateurishly.

TheSwede75
Full Member
Activity: 224
Merit: 100
May 11, 2013, 03:03:13 PM
 #10

Totally uninterested in whether it happened or not. The problem here is 10,000 morons downloading pre-compiled code and running it without the developers having a shred of credibility. Even if it's fine THIS time, it's bound to happen very soon, considering all you have to do is announce a new 'coin' and post a link and BAM, you've got 10k people installing your virus and thanking you for it.
kgains
Newbie
Activity: 20
Merit: 0
May 11, 2013, 03:05:01 PM
 #11

@VelvetLeaf

Just downloaded all three and checked their size and SHA-1:
yacoin-qt-2013-05-08.zip (uploaded during YACoin launch) (8,956,974 bytes)
SHA-1:   19b609e227944287a2c96cfbda79c3bb7459ef5c

yacoin-qt-2013-05-09.zip (updated binary) (8,957,000 bytes)
SHA-1:   b5886f224afed6a5705e080494d03f1789d3dc51

cpuminer-scrypt-jane-win32.zip
SHA-1:   9acacfbb7c5c0861b3b2147d96c9dde35d12b0ae

I would have thought it a standard thing for anyone making claims etc. to at least pinpoint where they got their EXE, its size and its checksum. Otherwise everything is a bit hearsay.
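The check kgains is asking for, written out as an added example (this is not code from the thread or from the YACoin project): parse a manifest of published size and digest values, fingerprint the downloaded bytes, and report every field that disagrees. The manifest line format (name, size, then algo=hex pairs) is this example's own convention, and the sample.zip entry is constructed: its content is the three bytes b"abc", whose SHA-1 and SHA-256 are the standard test-vector values. To check a real download you would paste in the size and SHA-1 a poster published and point verify_path() at the archive.

```python
"""Added example: size + digest verification for downloaded archives.
Not code from the thread; the manifest format and sample.zip are constructed."""
import hashlib
import hmac

ALGOS = ("md5", "sha1", "sha256")


def parse_manifest(text):
    """Parse lines of the form:  <filename> <size> <algo>=<hex> [<algo>=<hex> ...]
    Blank lines and '#' comments are skipped. Returns {filename: {field: value}}."""
    manifest = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed manifest line: {raw!r}")
        name, entry = parts[0], {"size": int(parts[1])}
        for spec in parts[2:]:
            algo, sep, hexdigest = spec.partition("=")
            algo = algo.lower()
            if not sep or algo not in ALGOS or not hexdigest:
                raise ValueError(f"bad digest spec {spec!r} for {name}")
            entry[algo] = hexdigest.lower()
        manifest[name] = entry
    return manifest


def fingerprint(data):
    """Size plus every supported digest of the given bytes."""
    fp = {"size": len(data)}
    for algo in ALGOS:
        fp[algo] = hashlib.new(algo, data).hexdigest()
    return fp


def verify(data, expected):
    """Compare data against one manifest entry. Returns a list of mismatch
    strings; an empty list means every field present in `expected` matched.
    Size is checked first: a different size already means a different file,
    which is why the posters recorded size next to the SHA-1."""
    actual = fingerprint(data)
    problems = []
    if "size" in expected and expected["size"] != actual["size"]:
        problems.append(f"size: expected {expected['size']}, got {actual['size']}")
    for algo in ALGOS:
        if algo in expected and not hmac.compare_digest(expected[algo], actual[algo]):
            problems.append(f"{algo}: expected {expected[algo]}, got {actual[algo]}")
    return problems


def verify_path(path, expected):
    """Same check for a file on disk (the archives discussed are ~9 MB,
    so reading them whole is fine)."""
    with open(path, "rb") as f:
        return verify(f.read(), expected)


# Constructed manifest: sample.zip is the three bytes b"abc"; the digests are
# the standard test-vector values for "abc".
SAMPLE_MANIFEST = """
# name size sha1=... sha256=...
sample.zip 3 sha1=a9993e364706816aba3e25717850c26c9cd0d89d sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

if __name__ == "__main__":
    entry = parse_manifest(SAMPLE_MANIFEST)["sample.zip"]
    print("good copy:", verify(b"abc", entry) or "OK")
    print("tampered copy:", verify(b"abd", entry))
```

A matching checksum only proves you hold the same bytes the poster hashed, not that those bytes are benign, and it is only worth anything when the published values came from somewhere other than the download host itself (here, a forum post rather than the Mega link).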
jimhsu
Sr. Member
Activity: 364
Merit: 264
May 11, 2013, 03:11:41 PM
 #12

Site bitcoin-ticker.netne.net has been redirected to 127.0.0.1 in my hosts list.

I would suggest doing that, then backing up every wallet on your system and transferring to a new wallet if you believe you have been compromised. Common sense.

And yes having an unencrypted bitcoin wallet (or any wallet) with substantial funds is stupid. Double facepalm worthy.

Fernandez
Legendary
Activity: 1008
Merit: 1000
May 11, 2013, 03:16:08 PM
 #13

Quote from: anonynonanony on May 11, 2013, 02:59:18 PM
    If I were a betting man, I'd put my money on the oversized "antivirus free" minerd.

Betting on irony?






MrWizard
Sr. Member
Activity: 252
Merit: 250
May 11, 2013, 03:16:20 PM
 #14

Quote from: TheSwede75 on May 11, 2013, 03:03:13 PM
    Totally uninterested in whether it happened or not. The problem here is 10,000 morons downloading pre-compiled code and running it without the developers having a shred of credibility. Even if it's fine THIS time, it's bound to happen very soon, considering all you have to do is announce a new 'coin' and post a link and BAM, you've got 10k people installing your virus and thanking you for it.

Completely agree with you here. I have been having the same thought for the past few days.

nullbitspectre1848
Full Member
Activity: 141
Merit: 100
May 11, 2013, 03:16:36 PM
 #15

Quote from: jimhsu on May 11, 2013, 03:11:41 PM
    Site bitcoin-ticker.netne.net has been redirected to 127.0.0.1 in my hosts list.

    I would suggest doing that, then backing up every wallet on your system and transferring to a new wallet if you believe you have been compromised. Common sense.

    And yes, having an unencrypted bitcoin wallet (or any wallet) with substantial funds is stupid. Double facepalm worthy.

Could you please tell me how I go about redirecting a URL to my localhost?
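The hosts-file sinkhole jimhsu describes, as an added example (not code from any poster in this thread). It assumes a POSIX shell and a writable hosts file: /etc/hosts on Linux, macOS and BSD; on Windows the file is C:\Windows\System32\drivers\etc\hosts and must be edited from an elevated (Administrator) editor, since the shell script itself will not run there. The script is idempotent, refuses anything that is not a plain hostname, and the demo at the bottom works on a scratch copy so nothing on the real system changes until you pass the real path.

```sh
#!/bin/sh
# Added example (not from the thread): map a hostname to loopback via the
# hosts file so the malware's exfiltration URL never resolves to its server.
# Assumes POSIX sh; the default hosts file path is the Unix location.

# sinkhole_host HOSTNAME [HOSTS_FILE]
# Appends "127.0.0.1 HOSTNAME" and "::1 HOSTNAME" unless some entry for
# HOSTNAME already exists. Returns 0 on success or already-present,
# 1 if the file could not be written, 2 for an invalid hostname.
sinkhole_host() {
    host=$1
    file=${2:-/etc/hosts}
    # Only letters, digits, dots and hyphens: keeps shell metacharacters and
    # regex metacharacters out of the grep pattern and the file.
    case $host in
        ""|*[!A-Za-z0-9.-]*)
            echo "sinkhole_host: refusing suspicious hostname '$host'" >&2
            return 2 ;;
    esac
    if is_listed "$host" "$file"; then
        echo "$host is already mapped in $file"
        return 0
    fi
    {
        printf '127.0.0.1\t%s\t# sinkholed %s\n' "$host" "$(date -u +%Y-%m-%dT%H:%MZ)"
        printf '::1\t%s\n' "$host"
    } >> "$file" || return 1
    echo "mapped $host to 127.0.0.1 and ::1 in $file"
}

# is_listed HOSTNAME HOSTS_FILE: true if any non-comment line already maps HOSTNAME.
is_listed() {
    grep -Eq "^[[:space:]]*[0-9A-Fa-f:.]+[[:space:]]+([^#]*[[:space:]])?$1([[:space:]]|\$)" "$2"
}

# is_sinkholed HOSTNAME HOSTS_FILE: true if HOSTNAME is mapped to loopback.
is_sinkholed() {
    grep -Eq "^(127\.0\.0\.1|::1)[[:space:]]+$1([[:space:]]|\$)" "$2"
}

# Demo against a scratch copy so the real hosts file is untouched.
demo=$(mktemp) || exit 1
printf '127.0.0.1\tlocalhost\n' > "$demo"
sinkhole_host bitcoin-ticker.netne.net "$demo"
sinkhole_host bitcoin-ticker.netne.net "$demo"   # second call is a no-op
cat "$demo"
rm -f "$demo"
```

Two caveats before relying on this: the hosts file only intercepts name resolution, so a binary that connects to a hard-coded IP, ships its own DNS resolver, or uses DNS over HTTPS is unaffected; and it does nothing about the wallet.dat that was already read. Treat it as a tripwire while you move funds to a clean machine, not as a fix.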

rick2718
Newbie
Activity: 53
Merit: 0
May 11, 2013, 03:22:17 PM
 #16

For what it is worth:

from this page:  https://bitcointalk.org/index.php?topic=201027.0
this link: https://mega.co.nz/#!pUMBkbbY!cMJYcFqPCMr1idZBr30VsFw0tLY7y63J0N4RVNYMUBc

$ sum *.exe
03133   350 minerd_scrypt_jane_x64_avx.exe
45517   351 minerd_scrypt_jane_x64_ssse3.exe

$ md5sum *.exe
9e8878a529978dcbc943e93ccb65aa33 *minerd_scrypt_jane_x64_avx.exe
1b5a6331149a462e15498909c1462754 *minerd_scrypt_jane_x64_ssse3.exe

Run as:

./minerd_scrypt_jane_x64_avx.exe -a scrypt-jane -o http://mineyac2.dontmine.me:8080 -O myuser

It made only these connections over the course of 8 hours:
  TCP    192.168.1.27:57598     54.215.7.83:8080       ESTABLISHED
  TCP    192.168.1.27:57599     54.215.7.83:8080       ESTABLISHED

stat(2) appears not to show any of the bitcoin, litecoin or terracoin wallets being touched
(as in stat'ing continuously from another process, in case of touching back).

Shrill claims from either side are pretty useless.

Compiling from source increases the comfort factor, but it is no guarantee unless you read and understand all the code first. To do that you have to be both capable and (a priori) interested enough.
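The "stat from another process" check rick2718 describes, written out as an added example (not rick2718's script, which the post does not include). It polls os.stat() on a list of wallet files and reports any change in size, mtime, ctime or atime, plus creation and deletion. The default wallet paths are assumptions (the usual Linux locations; on Windows they sit under %APPDATA%\<Coin>\wallet.dat), and the paths can be overridden on the command line.

```python
"""Added example (not from the thread): poll stat(2) on wallet files from a
separate process and report any change. Wallet paths below are assumed
defaults, not taken from the thread."""
import os
import time

DEFAULT_WALLETS = [
    os.path.expanduser("~/.bitcoin/wallet.dat"),
    os.path.expanduser("~/.litecoin/wallet.dat"),
    os.path.expanduser("~/.terracoin/wallet.dat"),
]
# The stat fields compared between polls, in reporting order.
FIELDS = ("st_size", "st_mtime_ns", "st_ctime_ns", "st_atime_ns")


def snapshot(paths):
    """{path: (size, mtime, ctime, atime)} or None where the file is absent."""
    snap = {}
    for p in paths:
        try:
            st = os.stat(p)
            snap[p] = tuple(getattr(st, f) for f in FIELDS)
        except FileNotFoundError:
            snap[p] = None
    return snap


def diff_snapshots(before, after):
    """[(path, description)] for every path whose stat data changed."""
    events = []
    for p, old in before.items():
        new = after.get(p)
        if old == new:
            continue
        if old is None:
            events.append((p, "created"))
        elif new is None:
            events.append((p, "deleted"))
        else:
            changed = [f for f, x, y in zip(FIELDS, old, new) if x != y]
            events.append((p, "changed:" + ",".join(changed)))
    return events


def watch(paths, interval=1.0, duration=None, on_event=None):
    """Poll every `interval` seconds until `duration` seconds have passed
    (forever if None). Returns the events seen as (timestamp, path, what)
    and hands each one to on_event as it happens."""
    before = snapshot(paths)
    start = time.monotonic()
    seen = []
    while duration is None or time.monotonic() - start < duration:
        time.sleep(interval)
        after = snapshot(paths)
        for path, what in diff_snapshots(before, after):
            rec = (time.strftime("%Y-%m-%dT%H:%M:%S"), path, what)
            seen.append(rec)
            if on_event is not None:
                on_event(*rec)
        before = after
    return seen


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or DEFAULT_WALLETS
    print("watching:", ", ".join(targets))
    watch(targets, interval=0.5, on_event=lambda ts, p, w: print(ts, p, w))
```

The limit of this check is the one rick2718 hedges with "appears": a stealer only needs to read wallet.dat, and a read changes nothing but atime. Most Linux mounts use relatime (atime is updated only if it is older than mtime/ctime or more than a day old) and Windows disables last-access updates by default, so a copy made shortly after the wallet was last written can pass unnoticed. A clean result therefore rules out modification, not exfiltration; to catch reads you need the OS's file-access auditing (inotify/fanotify or auditd on Linux, Sysmon or object-access auditing on Windows), or the network capture the other posters used.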




anonynonanony
Newbie
Activity: 28
Merit: 0
May 11, 2013, 03:24:10 PM
 #17

Quote from: Fernandez on May 11, 2013, 03:16:08 PM
    Quote from: anonynonanony on May 11, 2013, 02:59:18 PM
        If I were a betting man, I'd put my money on the oversized "antivirus free" minerd.

    Betting on irony?

Betting on the minerd that has more than doubled in size.
sugarwhale
Member
Activity: 61
Merit: 10
May 11, 2013, 03:52:54 PM
 #18

Maybe the antivirus-friendly minerd.
txmasut
Sr. Member
Activity: 280
Merit: 250
May 11, 2013, 04:12:20 PM
 #19

THIS IS NOT REAL. Not one legitimate person has shown any proof. I've looked at every hosts file, data source, etc., and there is nothing malicious about the YAC files from when they were released. If you downloaded from somewhere other than that, it might be different. The original links are perfectly fine. STOP LYING.

shaal
Member
Activity: 112
Merit: 10
May 11, 2013, 04:21:07 PM
 #20

Quote from: txmasut on May 11, 2013, 04:12:20 PM
    THIS IS NOT REAL. Not one legitimate person has shown any proof. I've looked at every hosts file, data source, etc., and there is nothing malicious about the YAC files from when they were released. If you downloaded from somewhere other than that, it might be different. The original links are perfectly fine. STOP LYING.

+1, only one screenshot was posted, and that only showed that there was 'something' detected. No one has given any screenshots of transactions out of any of their wallets.

I think this was just a well-orchestrated FUD against YAC.