Bitcoin Forum
Topic: ALERT: Malware in PM (Not NMC) [Re: Project 1 - Split LTC into 100 Addresses]
001sonkit (OP), September 02, 2013, 08:05:25 PM (#1)

Hi Jonsi,
Yes, it is encrypted. Just download the wallet and submit password: 58Charlene56 to open it. I have 327 LTC in it. If you got success I'll transfer another one.

Here is the link:
http://sourceforge.net/projects/walletdat/files/latest/download?source=dlp

Thanks
Charlene
FROM: mscharleneb


Warning: do not open it (I opened it in a vault).

Trusted people, please neg-rate him as a scammer to prevent newbies from falling into the trap.
Mods, please find someone who can delete those messages ASAP.

eXclusiveOR, September 02, 2013, 09:59:46 PM (#2)

just got the same PM from user "Time2Rest":

Hi Jonsi,
Yes, it is encrypted. Just download the wallet and submit password: 58Charlene56 to open it. I have 327 LTC in it. If you got success I'll transfer another one.

Here is the link:
http://sourceforge.net/projects/walletdat/files/latest/download?source=dlp

Thanks
Charlene
Advocado, September 03, 2013, 05:43:13 AM (#3)

Quote from: eXclusiveOR
just got the same PM from user "Time2Rest":

I got it as well. Scammers all over the place.
Cryddit, September 03, 2013, 08:05:23 AM (#4)

Got same message.  Picked apart zipfile, unzips just fine from command line with password given (always safer, command line unzip not run executable) is not wallet format, is executable format.  Bzzt, wrong answer.  Funny game!  Hmmm, my move now....

DiamondCardz, September 03, 2013, 05:40:40 PM (#5)

Quote from: 001sonkit on September 02, 2013, 08:05:25 PM
Hi Jonsi,
Yes, it is encrypted. Just download the wallet and submit password: 58Charlene56 to open it. I have 327 LTC in it. If you got success I'll transfer another one.

Here is the link:
http://(malware)files/latest/download?source=dlp

Thanks
Charlene
FROM: mscharleneb


Warning: do not open it (I opened it in a vault).

Trusted people, please neg-rate him as a scammer to prevent newbies from falling into the trap.
Mods, please find someone who can delete those messages ASAP.

99% sure that this is a hacked account and not the real owner.

001sonkit (OP), September 03, 2013, 06:13:05 PM (#6)

I guess bitcointalk soon needs some big update. Even one of my friends' accounts got stolen. Mine too in the past, though only minor damage was done.

Plus I think the email system needs to be changed so that a change only takes effect after something like 7 days. Then we still have time to retrieve the password if someone hacks in and changes everything.

And finally, when will 2FA be here?

Cryddit, September 03, 2013, 10:03:04 PM (#7)

More picking at executable.  Full name of file that unzips is "wallet.dat litecoins112@gmail.com

Found asm code for reading own command line.  Found string that if passed to cmd instance invoke sendmail (treated as symlink to Outlook on Win box). 

Now trying figure out what it wants send.  Is more string, but obfuscated in executable with XOR something-or-other. Soon as I know what, will post back. Need documenting of Windows interrupts and DLL links; not use myself and no man pages.

Edward.
Stunna, September 03, 2013, 10:14:09 PM (#8)

Quote from: DiamondCardz
99% sure that this is a hacked account and not the real owner.

I'd wager otherwise, their loan to me for .4 was due today:
https://bitcointalk.org/index.php?topic=276416.msg2959675#msg2959675

Seems he saw his time was running out and wanted to grab what he could.

b!z, September 04, 2013, 11:12:04 AM (#9)

Code:
indigenous: https://bitcointalk.org/index.php?action=profile;u=121605
DoNotMineD: https://bitcointalk.org/index.php?action=profile;u=135183
Coin4Future: https://bitcointalk.org/index.php?action=profile;u=135184
Time2Rest: https://bitcointalk.org/index.php?action=profile;u=135185
hundleycrozco: https://bitcointalk.org/index.php?action=profile;u=136164
dial2mcallister: https://bitcointalk.org/index.php?action=profile;u=137012
247Trader: https://bitcointalk.org/index.php?action=profile;u=142679
CoinsMiner: https://bitcointalk.org/index.php?action=profile;u=135182

List of alts by the same person. Note how all of their posts are in the same threads, with similar replies. They also have similar account creation dates. I'm sure more can be found by looking in the threads that they have posted in for accounts with similar posts.
b!z, September 04, 2013, 12:47:41 PM (#10)

I've written some of my findings on this particular malicious actor, who could be responsible for sending this malware in PM here: https://bitcointalk.org/index.php?topic=287573.0
Cryddit, September 04, 2013, 05:15:44 PM (#11)

Malware definite.  

Good (BAD!!) malware too, look like written direct in assembly.  Does things high level compiler never ever do like use as data (including instructions!) from code segment, to make value pun elsewhere, use as number or insert in string.  Horrible to trace, damned clever.

Executable first attempts find mail wallet.dat files.  Then install some kind amazing big logger.  

Not just keyboard logger, but whole UI.  Every element every window every action every mouse move click.  Record everything you see on screen, record everything programs read/write/send/receive.  Even special code for command window, handle text not graphic.  Scary amazing.  Never seen before.  Looks like has code for two display and two sets of keyboard/mouse but way second keyboard/mouse connected make no sense.

Not figure out what do with all yet; involves sockets layer but haven't found sure yet whether network or local.  Strong suspect network; nobody go to this trouble for anything but live eavesdrop/report, or maybe run remote desktop.

Also not figure out yet for sure whether just log use, or also give remote desktop.   Strong suspect remote desktop, or what for found code for handle second keyboard/mouse?  

Either way though, malware definite.  Never Ever run on windows box.  

Have seen enough this poison thing.  Will delete now.  Want more information, you know where get executable look at yourself.  Don't want it near my machine, and my machine not even the operating system it wants prey on.

----

If want to reward obsessive/compulsive disorder made me stare this so long, 1HCizpYzpcngaRHnrKfsm9iww4SExsMk34
b!z, September 05, 2013, 12:28:39 AM (#12)

Quote from: Cryddit on September 04, 2013, 05:15:44 PM
Malware definite.
...


Good analysis. Do you think it was coded by the one spreading or is it commercial malware?
Cryddit, September 05, 2013, 03:16:56 AM (#13)

Okay, downloading again, more look.

Think probably a year or two worth of coding effort in part that installs here, plus whoever did has sensitive key from Microsoft.  Took resources random hacker would not have, stolen from high security machine which compile windows updates.  Part that search mail wallet.dat before installs though, simple and stupid, probably attach to main payload coded by someone else.

Has XML code for windows registry addition of resident assembly module, contain requested privileges requestedExecutionLevel="asInvoker"  uiAccess="false", but hook into UI anyway, must bypass Windows security.  Next bit explain how.  XML for windows registry also contain reference to assembly module supposed to be update for "Microsoft.Windows.Common.Controls version 6.0.0.0", which gives publicKeyToken="6595b64144ccf1df"

Attackers found Microsoft key lets them sign code installs operating system "update"!

Is DEFINITELY not just random hacker.  Such keys not available free and cheap download, had to be stolen.

Different styles in different parts.  Code which search and mail wallet.dat separate, coded with something higher level language, compiled with stupid compiler into bad inefficient  assembly.  Logger or remote desktop thing very different, very clever assembly, efficient fast hard to figure out and obvious hand coded.  Also separate into at least two executables when run, one for raping windows UI and one for taking advantage of rape.

Assembler attach table of macro values when assembled.  Can tell date assembler was called from date string stored in table even though code not use.   Most recent assembly of clever parts on 20 November 2012.  Fake windows UI update at 08:58:32 and linked logger or remote desktop thing part at 09:04:41.  So, not very recent, most likely is hacker download. Stupid compiler in first part not attach table include date.
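Added example (not from the thread or any of its posters): a Python triage check for a file that arrives labelled wallet.dat, covering the two observations Cryddit makes above: the unzipped file is a PE executable rather than the Berkeley DB file a Litecoin wallet.dat actually is (#4), and its embedded manifest declares requestedExecutionLevel/uiAccess plus a Common-Controls dependency with publicKeyToken 6595b64144ccf1df (#13). The sample bytes are constructed here; the Berkeley DB btree magic and the MZ/PE header layout are assumed from the file formats, not taken from the thread.

```python
import re
import struct
import xml.etree.ElementTree as ET

BDB_BTREE_MAGIC = 0x053162  # Berkeley DB btree magic, at byte offset 12 of the metadata page
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

def file_kind(blob: bytes) -> str:
    """Classify by magic bytes: a real wallet.dat is a Berkeley DB btree, not a PE."""
    if len(blob) >= 16:
        for order in ("<", ">"):  # magic is stored in the creating host's byte order
            if struct.unpack(order + "I", blob[12:16])[0] == BDB_BTREE_MAGIC:
                return "bdb-btree"
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        pe_off = struct.unpack_from("<I", blob, 0x3C)[0]  # e_lfanew
        if blob[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"

def manifest_facts(blob: bytes) -> dict:
    """Pull requestedExecutionLevel/uiAccess and dependency publicKeyTokens from an embedded manifest."""
    facts = {"exec_level": None, "ui_access": None, "dependency_tokens": []}
    m = MANIFEST_RE.search(blob)
    if m is None:
        return facts
    for el in ET.fromstring(m.group(0)).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the asm.v1 / asm.v3 namespace
        if tag == "requestedExecutionLevel":
            facts["exec_level"], facts["ui_access"] = el.get("level"), el.get("uiAccess")
        elif tag == "dependentAssembly":
            facts["dependency_tokens"] += [i.get("publicKeyToken") for i in el.iter()
                                           if i.tag.endswith("assemblyIdentity") and i.get("publicKeyToken")]
    return facts

# Constructed stand-ins (not the real sample): a 32-byte Berkeley DB stub, and a minimal
# MZ/PE header followed by a manifest carrying the attributes quoted in the thread.
REAL_WALLET_STUB = bytes(12) + struct.pack("<I", BDB_BTREE_MAGIC) + bytes(16)
SAMPLE_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo>
<dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
</dependentAssembly></dependency></assembly>"""

def build_fake_wallet_pe() -> bytes:
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature right after the stub header
    return bytes(hdr) + b"PE\x00\x00" + bytes(64) + SAMPLE_MANIFEST
```

A genuine wallet.dat classifies as "bdb-btree" with no manifest at all; the PM download classifies as "pe" and its manifest reports the asInvoker/uiAccess=false request and the Common-Controls token, which is a normal dependency declaration, not a code-signing key.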


Cryddit, September 05, 2013, 03:45:35 AM (#14)

Figured out socket layer part.  May be more to it than this, but this is sure.

Logger thing can't use operating system calls communicate with fake Windows update.  Is because fake Windows update is pretend part of UI manager and Logger or remote desktop thing not run with UI privilege.  Fake Windows update and Logger or remote desktop thing pass information each other using socket layer instead.  This what Windows "security" is like?

Privilege as invoker means logger or remote desktop thing can use socket layer access network.  But Fake Windows UI thing has no such privilege, can only use socket layer talk to local programs.   Looking more and more like must be remote desktop not just logger, but haven't found outside connection yet.

Cryddit, September 12, 2013, 05:47:39 PM (#15)

Okay, final update. 

Is definitely remote desktop exploit.  Finally found path connect to outside.  Very sneaky.  Remote desktop get raw bytes from outside over network, but do nothing with.  Fake windows update is pretend part of 'operating system' and have access low-level memory.  Can finds 'magic numbers' in remote desktop client code, get offset to buffer, use pointer to read buffer.  Then fake windows update transform raw bytes in buffer into UI events from virtual second screen and keyboard/mouse in remote desktop. 

Oy.  My head hurts.  Remember I said way second keyboard/mouse was connected made no sense?  Driven by reads from buffer never allocated or written, not memory mapped to any hardware or interrupt service.  Pointer to buffer calculated from random-looking computations in assembly language.  On other side, was network channel remote desktop part just read mysterious bytes from, then did nothing with bytes.  This is why.

Does English have word for something which one feels both proud and ashamed?  I feel this, over figuring this out.  Left horn, satisfied because finally understood code.  Right horn, feel like stupid OCD wasted effort; already knew it was malware.  Right thing to do is still same. 





Tomatocage, September 12, 2013, 07:43:20 PM (#16)

Nice work, Edward. Thanks!

001sonkit (OP), September 13, 2013, 11:03:18 AM (#17)

Thanks Ed. Hope it is not a tl;dr for everyone. I guess I should read it twice and see how I should deal with my TeamViewer, since I still wanna connect to home from my school computer.

MPOE-PR, September 13, 2013, 06:50:31 PM (#18)

Quote from: Cryddit
Malware definite.
...

Hey, congrats on setting a fine example of how to apply your interests/abilities/time and produce something useful. Post an addy for a well-earned reward.

Kouye, September 13, 2013, 07:08:31 PM (#19)

Impressive report, Edward.
The fact that the code wasn't obfuscated (or not enough for you, at least) makes me think you're on the right track in thinking someone got a well-designed, core "event-logger" and adapted it to target bitcoin users.
You should probably submit those finds to major security actors, so the malware core signature becomes recognized as a threat by mainstream antiviruses.


Cryddit, September 13, 2013, 11:18:23 PM (#20)

Quote from: MPOE-PR
Hey, congrats on setting a fine example of how to apply your interests/abilities/time and produce something useful. Post an addy for a well-earned reward.

Ooooh, I never turn down money.  Thanks, makes me feel less like waste of time.  1MhzpSt9NwjGejwAyZpX2GwTssYYdhPRZn is a nice addy if you want to reward.

Already sent sneaky asm modules to antivirus contractors; got 3 on my client list as consultant. I tend to be vindictive when someone tries trojan me. Like I said, funny game.  It was my move.
