Bitcoin Forum
Author Topic: Bfgminer.org - Malicious virus website  (Read 4839 times)
Spendulus (OP)
August 02, 2013, 03:37:21 PM
Last edit: August 10, 2013, 05:00:47 PM by Spendulus
 #1

Hi -

I tried to download bfgminer today, and from Google this came up, #2 in the rankings (link destroyed so you cannot accidentally load it)

bfgminer . org

The site does a pretty good job of looking authentic.

Clicking on 64 bit, you get a mass of browser hijacks and other things downloaded.  They are definitely malicious loads and after they are installed, they prompt you to install additional ones.  If you want to try this to see, please do it in a virtual machine under vmware or such, not on one of your production machines.

I hope that this website is not the product of the guys that wrote the program and support it.

8/10/13 Verified, it is not the work of those that wrote bfgminer.
xjack
August 03, 2013, 07:27:41 PM
 #2

At the bottom of the page...

This site is not affiliated with BFGMiner and is not the official page of the software.

xjack - 1xjackDMgJCLn1LDtbgh51DYw6uRgeHVb
Reputation thread - https://bitcointalk.org/index.php?topic=482124.0
Spendulus (OP)
August 10, 2013, 04:06:43 PM
 #3

> At the bottom of the page...
>
> This site is not affiliated with BFGMiner and is not the official page of the software.

The more I thought about it, the more this site troubles me.  So I have dug into what it does on a virtual machine.

DO NOT LOAD THIS SITE!

Again, I am using a virtual machine and am going to keep it quarantined.

Here is the html that provides the lead in for the naive user click - on the "Windows 32 bit", which appears to provide a download of the bfgminer software.  NOTE I HAVE INTERJECTED SPACES TO PREVENT ANY ACCIDENTAL CLICKING:

<a href="http : //7802cb7d . tinylinks.co"><strong>Windows 32 bit</strong></a>........

another similar link follows for the 64 bit windows.

This leads to a page with a linkbucks reference and an attempt to download "opendownloadmanager", then an auto download of what appears to be the 3.14 program file for bfgminer from luke.dashjr.org/programs/bitcoin/files.  That's a hidden directory, might be some issues there.
 
Following this, ad.yieldmanager is installed - this is notorious stuff that continually pops up ads on your desktop even after you close the browser.

At some point 'sweetpacks' is installed, another well known browser and search engine hijacker.

HERE IS THE PROBLEM:

Anyone who has downloaded bfgminer from this site and used it has compromised security, and could easily find their bitcoins and/or passwords stolen or reported.

Who are the scammers that own the domain?  They are cloaked.  
As bitcoin has been now defined as money, bfgminer.org is, I think, engaged in phishing and a higher level of illegal activity than just the malware and hijacking.

Domain ID:D168369843-LROR
Domain Name:BFGMINER.ORG
Created On:06-Apr-2013 16:53:16 UTC
Last Updated On:18-Jul-2013 23:27:13 UTC
Expiration Date:06-Apr-2014 16:53:16 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:d3030885d199b972
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard, Inc.
Registrant Street1:P.O. Box 0823-03411

Checking enom, here is the reseller:


Namecheap.com
http://namecheap.com
8939 S. Sepulveda Blvd. #110 - 732
Westchester , CA
+1.6613102107
+1.5555555555
support@namecheap.com
For additional assistance, please call 1 (425) 274-4500 or
Submit a Ticket in our Guest Help Center.

Therefore, owners of the bfgminer product can have this website taken down by directing their request / demand to support@namecheap.com.
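The two checks the post above does by hand (download buttons that point at a URL shortener instead of the official host, and a WHOIS record showing a young, privacy-proxied registration) can be scripted for triage. The following is an added example, not code from the thread or from the BFGMiner project; it assumes the official builds live on luke.dashjr.org as post #3 states, treats the shortener hosts as placeholders rather than the real ones, and runs entirely offline on constructed input.

```python
"""Triage checks for a suspected lookalike download page (added example).

1. Flag download-looking anchors whose host is a URL shortener or anything
   other than the official distribution host.
2. Flag a WHOIS record whose domain is recently created and whose
   registrant is hidden behind a privacy proxy.
"""
import re
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: official builds are hosted on luke.dashjr.org (post #3).
OFFICIAL_HOSTS = {"luke.dashjr.org"}
# Click-through / shortener services named in the thread.
SHORTENER_DOMAINS = ("tinylinks.co", "linkbucks.com")
DOWNLOAD_WORDS = re.compile(r"\b(windows|linux|download|bit|setup)\b", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # text inside <a>, including <strong>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _under(host, domains):
    """True if host equals one of domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_download_links(html):
    """Return (text, host, reason) for download-looking links that do not
    point at an official host."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not DOWNLOAD_WORDS.search(text):
            continue                          # navigation link, not a download
        host = (urlparse(href).hostname or "").lower()
        if host in OFFICIAL_HOSTS:
            continue                          # points where it should
        reason = "url-shortener" if _under(host, SHORTENER_DOMAINS) else "off-official-host"
        flagged.append((text, host, reason))
    return flagged


def parse_whois(text):
    """Parse 'Key:Value' lines of registry-style WHOIS output into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def whois_risk_signals(fields, now=None, young_days=180):
    """Flag a recently created domain and a privacy-proxied registrant."""
    now = now or datetime.now(timezone.utc)
    created = datetime.strptime(fields["Created On"], "%d-%b-%Y %H:%M:%S %Z")
    age_days = (now - created.replace(tzinfo=timezone.utc)).days
    registrant = " ".join(
        fields.get(k, "") for k in ("Registrant Name", "Registrant Organization")
    ).lower()
    proxy = any(m in registrant for m in ("whoisguard", "privacy", "proxy", "protected"))
    return {"age_days": age_days, "young_domain": age_days < young_days, "privacy_proxy": proxy}


# Constructed page fragment modelled on the anchor quoted in post #3; the
# short-link hosts are placeholders, not the real ones.
SAMPLE_HTML = """
<a href="/">Home</a>
<a href="http://placeholder-32.tinylinks.co"><strong>Windows 32 bit</strong></a>
<a href="http://placeholder-64.tinylinks.co"><strong>Windows 64 bit</strong></a>
<a href="http://luke.dashjr.org/programs/bitcoin/files/">Official download</a>
"""

# WHOIS excerpt as posted in the thread, evaluated as of the post date.
SAMPLE_WHOIS = """\
Domain Name:BFGMINER.ORG
Created On:06-Apr-2013 16:53:16 UTC
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard, Inc.
"""
SAMPLE_NOW = datetime(2013, 8, 10, 17, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for text, host, reason in suspicious_download_links(SAMPLE_HTML):
        print(f"{reason:18} {text!r} -> {host}")
    print(whois_risk_signals(parse_whois(SAMPLE_WHOIS), now=SAMPLE_NOW))
```

Neither signal is proof of malice on its own (many legitimate sites use shorteners and privacy proxies), but together with a download button that never touches the vendor's host they are exactly the pattern the thread describes, and both checks can be run before anything is clicked.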
os2sam
August 10, 2013, 04:12:46 PM
 #4

Always download mining software directly from the author's provided site.

That principle should be followed for ANY software you download from the internet these days.

Sad state of affairs indeed.
Sam

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
Spendulus (OP)
August 10, 2013, 04:20:53 PM
 #5

> Always download mining software directly from the author's provided site.
>
> That principle should be followed for ANY software you download from the internet these days.
>
> Sad state of affairs indeed.
> Sam

I agree, but also, I think this is a live, active, major scam.  Here is a bit more.

AGAIN, REPEATING:  I AM USING A VIRTUAL MACHINE.  DO NOT DO THIS ON YOUR PHYSICAL BOX UNLESS YOU KNOW WHAT YOU ARE DOING.  YOU WILL BE DOWNLOADING VIRUS AND MALWARE.

The first request to the user after he clicks on "32 bit" is for him to download "opendownloadmanager".  Now a lot of people would probably do that, thinking that the download manager is needed because of the program size or something.  What happens is a file from that website entitled "Setup.exe" is downloaded.

Now what is downloaded if one goes to opendown load manager . com (I am destroying the link because it is UNSAFE) and click to download?

Setup_ODM.exe

A different program....

Yes, my friends.   They have a SPECIAL PROGRAM VERSION, Setup.exe for you dedicated, hard working bfgminers.  

Maybe a VERY special program....
os2sam
August 10, 2013, 05:00:31 PM
 #6

> I agree, but also, I think this is a live, active, major scam.  Here is a bit more.

Yep, I have no problem with your reporting and investigation.  Very helpful I think :)

I'm just stating the obvious in simple terms in case anyone else has the urge to google any program for the purpose of downloading and installing.

Always exercise common sense.
Sam

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
Spendulus (OP)
August 10, 2013, 05:06:40 PM
Last edit: August 10, 2013, 05:34:48 PM by Spendulus
 #7

> I agree, but also, I think this is a live, active, major scam.  Here is a bit more.
>
> Yep, I have no problem with your reporting and investigation.  Very helpful I think :)
>
> I'm just stating the obvious in simple terms in case anyone else has the urge to google any program for the purpose of downloading and installing.
>
> Always exercise common sense.
> Sam

Understand.  Now I'm going to report this problem to google.  Let's see how long/if they list the site as "Warning! This site could damage your computer".  And of course if they do not, the perps would not be the small time scammer but the THEY.  (Earth shakes slightly, all eyes look to sky for evidence of drones hovering close by)

DONE!  Here is their auto-response:

> Report Sent
>
> Thanks for sending a report to Google. Now that you've done your good deed for the day, feel free to:
>
> 1. Take a second to rejoice merrily for doing your part in making the web a safer place.
>
> 2. Make sure you have upgraded your web browser to the latest version, and that you have applied the latest patches for your operating system.
>
> 3. Learn more about malware that can infect your computer on Stopbadware.org.

LOL...I am so warm and fuzzy feelings inside that Google is our happy friend and not a dark minion of the creepy and spreading evil forces.
desired_username
August 26, 2013, 11:27:53 AM
 #8

The malicious website is still active.
Luke-Jr
August 30, 2013, 01:15:50 PM
Last edit: August 30, 2013, 04:52:19 PM by Luke-Jr
 #9

I'm in touch with the author of this fan site and asked her to look into it.
Apparently it's related to some "Linkbucks" thing that's supposed to simply be a click-through with ads.
Should be removed soon, if it's actually malware. :/

Edit: She says she'll be updating the links to directly download 3.2.0 from my site in a few hours.

Edit: I've confirmed the site now links to the official downloads directly.
