Malware alert: Listentobitcoins

[Birdy]

According to reddit the website was sold and the new owner put malware in it!

More about this:
http://www.reddit.com/r/Bitcoin/comments/1ia7q2/listen_to_bitcoin_contains_malware/

[1714576721]

1714576721

[1714576721]

1714576721

[1714576721]

1714576721

[coinprize]

Thanks! Can google chrome detects the malware?

[giszmo]

ok, so I was at listentobitcoins.com 2 days ago. what should I expect?

I got to go to bed now but is this bad? According to my analysis of this first some lines It does:
eval("") which looks like the really interesting part is in http://www.justice research institute.org/changer.php

(I first tried to just understand this munged part but then decided to debug it after removing the eval part that I had figured out pretty quickly. At my first attempt my box was online, what I highly regret. Kids, don't do that at home. It's playing with fire. Wish I had a separate box that runs off a CD without HD or something for analyzing Viruses.)

[giszmo]

This changer.php-thing either is not functional or resists to a simple wget. Hope somebody can find out what the threat is or was two days ago.

Here is what I get with changer.php. Redirects to really fishy stuff and then dies, right?

Code:

$ wget http://www.justiceresearchinstitute.org/changer.php
--2013-07-15 00:08:26--  http://www.justiceresearchinstitute.org/changer.php
Resolving www.justiceresearchinstitute.org (www.justiceresearchinstitute.org)... 70.86.182.49
Connecting to www.justiceresearchinstitute.org (www.justiceresearchinstitute.org)|70.86.182.49|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://clisim.memostriamsdays.biz/f2ab0c/meets_weird-justification-telephone/shortest-abuse.php [following]
--2013-07-15 00:08:27--  http://clisim.memostriamsdays.biz/f2ab0c/meets_weird-justification-telephone/shortest-abuse.php
Resolving clisim.memostriamsdays.biz (clisim.memostriamsdays.biz)... 74.63.209.216
Connecting to clisim.memostriamsdays.biz (clisim.memostriamsdays.biz)|74.63.209.216|:80... connected.
HTTP request sent, awaiting response... 502 Bad Gateway
2013-07-15 00:08:28 ERROR 502: Bad Gateway.

[giszmo]

Bump: Hargnah, why doesn't this thread get more attention? It should be linked everywhere but instead there is silence.

[hivewallet]

Bumping for exactly this reason.

[CurbsideProphet]

Reported site to Google Safe Browsing.  Thanks for the heads up.

[giszmo]

So, is it likely I have some key logger with my wallet copied to some evil guy? I run a rather freshly installed debian.

Yeah, I tell all my friends with their Windows problems that there are no Linux-Viruses but with my bitcoins at stake I feel a bit paranoid.

[clearcrystal]

thanks for the heads up

[btcee]

Wow. I was just there two days ago. Thanks for posting this.

[WinVery.com]

That type of shit makes me happy to run a clean tight ship.

[hennessyhemp]

This may be how my Bitcointalk forum account was hacked...I just saw this thread, and considering the guy that hacked my account was clearly a forum member already...this makes some level of sense.  My account was hacked back on July 10th, and I had been using the listen to bitcoins site prior to that at work because I thought it was cool to hear my money becoming worth more with the low tones indicating large purchases.

Thought that mystery would stay a mystery, but I have a strong feeling this is how he got in.  Now if only we could figure out who he is...tar and feathers at the ready men!

[btcinstant]

This may be how my Bitcointalk forum account was hacked...I just saw this thread, and considering the guy that hacked my account was clearly a forum member already...this makes some level of sense.  My account was hacked back on July 10th, and I had been using the listen to bitcoins site prior to that at work because I thought it was cool to hear my money becoming worth more with the low tones indicating large purchases.

Thought that mystery would stay a mystery, but I have a strong feeling this is how he got in.  Now if only we could figure out who he is...tar and feathers at the ready men!

Currently I have a bitcointalk account  that was hacked  and still waiting to get into it.

[uk1]

thanks for the heads up

[hennessyhemp]

This all occurred right around the same time lots of forum members started putting up sock puppets as their picture, as many accounts became sock puppets after passwords became compromised. 

The posts made with my account lead me to believe the hacker was obviously a forum member, and possibly fairly good at coding...or at least using vicious code capable of stealing your shit.  He also appeared to have a fascination with all things gambling.  I'll bet some of the senior members are starting to recognize his poor grammar and continued unpleasant posts.

He also posted on some rather shady threads already on this site...like forum account purchasing threads and debt threads where he talked about getting information illegally. 

If he's capable of doing this to a bunch of bitcoin nerds...lookout real world...cause this bastard is smarter than a malicious person should be.  Probably lacking in the hugs department as a child.

[gacr]

guys stop using ie and opera as main browsers -these two can be exploited and can be infected with a malware or btc stealer and you dont loose only your btc ... you can loose your cc details , passwords , bank accounts etc etc  .... use chrome or firefox ..... cant be exploited by exploit packs . also when you visit some sites you are asked to download updates for flash player or something like that .... if the upgrade is nor from adobe , you can download a malware for sure.

i'm waiting for a mod to tell me where i can open a thread and explain how the malware thing works like.

[hennessyhemp]

Definitely using Chrome at the time.  I don't know how the guy got in exactly...but I had been on this site...and reading about how it was sold to someone who infected it with malware made much more sense than any other thing I've done that might have left me vulnerable.

[MPOE-PR]

guys stop using ie and opera as main browsers -these two can be exploited and can be infected with a malware or btc stealer and you dont loose only your btc ... you can loose your cc details , passwords , bank accounts etc etc  .... use chrome or firefox ..... cant be exploited by exploit packs . also when you visit some sites you are asked to download updates for flash player or something like that .... if the upgrade is nor from adobe , you can download a malware for sure.

i'm waiting for a mod to tell me where i can open a thread and explain how the malware thing works like.

Hey, not a bad post idea. Link us when you find a spot (what's wrong with just putting it in Bitcoin Discussion?).

[b!z]

guys stop using ie and opera as main browsers -these two can be exploited and can be infected with a malware or btc stealer and you dont loose only your btc ... you can loose your cc details , passwords , bank accounts etc etc  .... use chrome or firefox ..... cant be exploited by exploit packs . also when you visit some sites you are asked to download updates for flash player or something like that .... if the upgrade is nor from adobe , you can download a malware for sure.

i'm waiting for a mod to tell me where i can open a thread and explain how the malware thing works like.

Exploit kits do target Firefox. FF hits are much more common than Opera. Where did you get this nonsense from?