Bitcoin Forum
November 05, 2024, 08:02:40 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: [WARNING] Malicious Armory Website Clone Found  (Read 2025 times)
etotheipi (OP)
Legendary
*
Offline Offline

Activity: 1428
Merit: 1093


Core Armory Developer


View Profile WWW
November 19, 2013, 05:32:59 PM
 #1

Please only download Armory Bitcoin Wallet from https://bitcoinarmory.com

We have identified a clone website which provides malicious download links for our software.   All software and communications by Armory Technologies, Inc, will happen via the domain bitcoinarmory.com.  There are no other domains under which we operate!   We use the following [offline] GPG key to sign all software releases, and sign all employees' GPG keys:
 
Armory "Offline Signing Key": 0x98832223

(please do not use this key for encrypting email to us -- only for authenticating software and employees!)



Armory is a tool for advanced users, holding serious quantities of money -- please make sure you download the correct version and verify hashes & signatures before installing it!    There are instructions at the bottom of our downloads page that describe how to verify the signatures in Linux.  Windows is a bit harder, but possible if you install gpg4win and verify the SHA256 hashes file


P.S. - I am not posting the link to the malicious site here, because it's unnecessary and I'd prefer people only be exposed to the good domain.  If you have a reason for it (such as doing a security investigation), please contact me.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
etotheipi (OP)
Legendary
*
Offline Offline

Activity: 1428
Merit: 1093


Core Armory Developer


View Profile WWW
November 20, 2013, 05:57:34 AM
 #2

Amazing!  I didn't think it would be this easy!  We were told this would be difficult to deal with, but apparently it doesn't have to be hard.

Our email:

Quote
To:  abuse@internet.bs
Subject:  Suspend Service/Takedown Notice: Trademark Violation

Good afternoon,

The website "www.btcarmory.org" is currently a registered domain of internet.bs.

I'm writing to issue a Suspend Service and Takedown notification for (www.btcarmory.org) that is in violation of Trademark law.  These individuals have cloned the website listed at www.bitcoinarmory.com and are using it illegally.  I have attached a copy of the original www.bitcoinarmory.com website.  We're requesting immediate revocation and takedown action at this time.  Please acknowledge receipt of this correspondence and advise with any questions.  Thank You.

Reply:
Quote
Dear Armory Technologies, Inc.,

We have suspended it.

Best regards,
--
Internet.bs Corp. - Support Team
ICANN Registrar
http://www.INTERNET.bs

The malicious website is already offline.  I wonder if they will attempt to fight the suspension...

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
Mike Christ
aka snapsunny
Legendary
*
Offline Offline

Activity: 1078
Merit: 1003



View Profile
November 20, 2013, 06:13:21 AM
 #3

I was wondering why there were two websites for armory; I guess I got lucky!

etotheipi (OP)
Legendary
*
Offline Offline

Activity: 1428
Merit: 1093


Core Armory Developer


View Profile WWW
November 23, 2013, 11:11:26 PM
 #4

So the btcarmory.org has been suspended and is empty.  However I was able to pull off the "installers" using a VM before it was taken down, and currently have them in a tar archive waiting for... something!  Anyone have recommendations for how to go about analyzing the executables and figuring out what they do?  I'm super interested to know how they decided to "attack" you.  Whether it was simple wallet stealing, some kind of trojan, or maybe even unrelated malware that does other things.

I know there's only so much you can do with a compiled binary, but I suspect there are people that know how to properly isolate and monitor the executable while it's running.  I'm envisioning low-level tracing of system calls, network accesses, disk accesses, etc, while running it in a VM. 

I'm not going to post the malware downloads publicly, but if someone has background to analyze them, or connections that do, I'll be happy to send them.  I have both a Windows .exe, and more interestingly (to me) a Linux/ELF "armoryamd64.out". 

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
Moebius327
Hero Member
*****
Offline Offline

Activity: 770
Merit: 500



View Profile
November 23, 2013, 11:15:39 PM
 #5

So the btcarmory.org has been suspended and is empty.  However I was able to pull off the "installers" using a VM before it was taken down, and currently have them in a tar archive waiting for... something!  Anyone have recommendations for how to go about analyzing the executables and figuring out what they do?  I'm super interested to know how they decided to "attack" you.  Whether it was simple wallet stealing, some kind of trojan, or maybe even unrelated malware that does other things.

I know there's only so much you can do with a compiled binary, but I suspect there are people that know how to properly isolate and monitor the executable while it's running.  I'm envisioning low-level tracing of system calls, network accesses, disk accesses, etc, while running it in a VM. 

I'm not going to post the malware downloads publicly, but if someone has background to analyze them, or connections that do, I'll be happy to send them.  I have both a Windows .exe, and more interestingly (to me) a Linux/ELF "armoryamd64.out". 

I am interested at this as well.

BlackBison
Sr. Member
****
Offline Offline

Activity: 250
Merit: 250



View Profile
November 23, 2013, 11:17:25 PM
 #6

Hi etotheipi,

Sorry to change the topic, but any news on when you are going to release the 'lighter' armory client that runs on lower spec (less RAM) pcs?

Keep up the excellent work.

Thanks.

etotheipi (OP)
Legendary
*
Offline Offline

Activity: 1428
Merit: 1093


Core Armory Developer


View Profile WWW
November 23, 2013, 11:22:12 PM
 #7

Sorry to change the topic, but any news on when you are going to release the 'lighter' armory client that runs on lower spec (less RAM) pcs?

Keep up the excellent work.

The latest testing version is stable and already posted on the website.  Just a little bit more polishing and we'll have an official release next week for Windows and Linux (having serious issues with OSX, so that might be a bit longer).  If you want to know or discuss it any more, continue over at the RAM-Reduction Thread.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
BlackBison
Sr. Member
****
Offline Offline

Activity: 250
Merit: 250



View Profile
November 23, 2013, 11:29:40 PM
 #8

Brilliant, thanks alot!  Grin

malevolent
can into space
Legendary
*
Offline Offline

Activity: 3472
Merit: 1724



View Profile
November 23, 2013, 11:54:19 PM
 #9

So the btcarmory.org has been suspended and is empty.  However I was able to pull off the "installers" using a VM before it was taken down, and currently have them in a tar archive waiting for... something!  Anyone have recommendations for how to go about analyzing the executables and figuring out what they do?  I'm super interested to know how they decided to "attack" you.  Whether it was simple wallet stealing, some kind of trojan, or maybe even unrelated malware that does other things.

I know there's only so much you can do with a compiled binary, but I suspect there are people that know how to properly isolate and monitor the executable while it's running.  I'm envisioning low-level tracing of system calls, network accesses, disk accesses, etc, while running it in a VM. 

I'm not going to post the malware downloads publicly, but if someone has background to analyze them, or connections that do, I'll be happy to send them.  I have both a Windows .exe, and more interestingly (to me) a Linux/ELF "armoryamd64.out". 

Remember that it might behave differently under a VM if the author of the malware foresaw people would want to find out how it works under the hood.

Signature space available for rent.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!