Bitcoin Forum
Author Topic: Malware Bytes Reports Bitcointalk as Malicious Website. False Positive?  (Read 1518 times)
r3wt (OP)
Hero Member
November 21, 2013, 02:42:41 AM
Last edit: November 21, 2013, 03:54:40 AM by r3wt
#1

Looks like malware distribution to Windows users. I've spoken with one individual who unfortunately was infected. The signature of the bot shows up as "bitcoinminer" (like the false positive in cgminer) and infected paint.exe. Upon investigation, I was able to T/V in and determine that it is indeed not a false positive. The malware escalates privilege, opens svchost. Unfortunately the bot owner caught wind of my snooping and terminated TeamViewer. Windows users, be careful.

Download MBAR (Malwarebytes Anti-Rootkit) and check your machine out immediately. Seems like the bot owner has chosen the forum as a distribution point for an upcoming DDoS attack, a complex layer 7 attack where botnets are used to circumvent conventional DDoS filters and detection protocols (fits the timing and MO of the person behind a previous attack of this nature on a website I won't disclose).

Of course, it could just be an attempt to steal the wallets of BCT users.

<!-- this concludes the Tinfoil Hat Report-->

<!--my logs for bitcointalk.org-->

Code:
2013/11/20 13:10:17 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50537, Process: chrome.exe)
2013/11/20 13:30:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 51720, Process: chrome.exe)
2013/11/20 13:50:14 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 52942, Process: chrome.exe)
2013/11/20 14:10:17 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54343, Process: chrome.exe)
2013/11/20 14:30:20 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 55592, Process: chrome.exe)
2013/11/20 14:50:23 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 56784, Process: chrome.exe)
2013/11/20 15:10:18 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 57917, Process: chrome.exe)
2013/11/20 15:30:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 59123, Process: chrome.exe)
2013/11/20 15:50:16 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 60394, Process: chrome.exe)
2013/11/20 16:10:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 61690, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62478, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62484, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62485, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62486, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62487, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62488, Process: chrome.exe)
2013/11/20 16:19:57 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62491, Process: chrome.exe)
2013/11/20 16:19:57 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62492, Process: chrome.exe)
2013/11/20 16:25:50 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63281, Process: chrome.exe)
2013/11/20 16:25:50 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63282, Process: chrome.exe)
2013/11/20 17:07:48 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49392, Process: chrome.exe)
2013/11/20 17:16:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49914, Process: chrome.exe)
2013/11/20 17:16:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49915, Process: chrome.exe)
2013/11/20 17:16:46 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49960, Process: chrome.exe)
2013/11/20 17:16:46 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49961, Process: chrome.exe)
2013/11/20 17:30:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50879, Process: chrome.exe)
2013/11/20 17:30:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50880, Process: chrome.exe)
2013/11/20 18:43:54 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 55526, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62244, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62245, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62246, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62247, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62313, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62314, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62315, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62316, Process: chrome.exe)

My negative trust rating is reflective of a personal vendetta by someone on default trust.
anti-scam
Sr. Member
November 21, 2013, 03:14:33 AM
#2

How does it infect people? JavaScript? Flash? Which browsers are affected? You'll need to be a bit more specific.

scintill
Sr. Member
November 21, 2013, 03:25:28 AM
#3

Quote from: anti-scam
How does it infect people? JavaScript? Flash? Which browsers are affected? You'll need to be a bit more specific.

Yeah, I see nothing about where it is supposedly "inserted into Bitcointalk", how users can protect themselves, how the forum can clean it...

1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
r3wt (OP)
Hero Member
November 21, 2013, 03:29:16 AM
#4

Quote from: anti-scam
How does it infect people? JavaScript? Flash? Which browsers are affected? You'll need to be a bit more specific.

Quote from: scintill
Yeah, I see nothing about where it is supposedly "inserted into Bitcointalk", how users can protect themselves, how the forum can clean it...

You're welcome. I expect theymos or someone else to handle it now.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
theymos
Administrator
Legendary
November 21, 2013, 03:31:52 AM
#5

If there is actually a problem with the forum, MalwareBytes can collect a substantial bounty. But they're probably just wrong. Anti-malware companies make money by scaring users into thinking that everything around them is dangerous. The forum has previously been blocked by anti-malware software because you can find download links to stealth mining software here.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
r3wt (OP)
Hero Member
November 21, 2013, 03:33:53 AM
#6

Quote from: theymos
If there is actually a problem with the forum, MalwareBytes can collect a substantial bounty. But they're probably just wrong. Anti-malware companies make money by scaring users into thinking that everything around them is dangerous. The forum has previously been blocked by anti-malware software because you can find download links to stealth mining software here.

Doesn't explain how I (an MBAM PRO user) see the warning, but regular MBAM users do not? At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
theymos
Administrator
Legendary
November 21, 2013, 03:38:36 AM
#7

Quote from: r3wt
Doesn't explain how I (an MBAM PRO user) see the warning, but regular MBAM users do not? At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.

You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
scintill
Sr. Member
November 21, 2013, 03:43:24 AM
#8

Quote from: r3wt
At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.

I'm trying not to be too hostile here, but I'm really skeptical and feel like you're deliberately being vague.  What "issue"?  All you've really done is claim there's an infection, speculate on its motives, and give some sort of log without much description of what it is.

So, at least could you say what the log is?  Something has blocked outgoing connections from chrome.exe to bitcointalk.org (109.201.133.195)?  What do the columns mean?  What software produced this log?  Are the port numbers listed from your side or bitcointalk's?  It would indeed be unusual for Chrome to be connecting to high-numbered ports of bitcointalk, but not unusual for high-numbered ports to be the originating port from Chrome as a client.

Sounds like theymos has debunked the log as an overactive general blacklist, not an indication of a new, specific infection on bitcointalk.

1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
papaminer
Sr. Member
November 21, 2013, 03:53:43 AM
#9

I see it has been reported already..

Anyway... does theymos' explanation answer why it is being blocked NOW?

I have been an MBAM PRO user for more than a few years... and it only blocked the forum THIS MORNING? Just when BTC went OVER $500 USD?


Anyway... here is my log... just in case... someone who really cares...

Quote
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54730, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54732, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54734, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54736, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54737, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54738, Process: firefox.exe)
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   Stopping IP protection
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   IP Protection stopped successfully
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   Starting IP protection
2013/11/20 19:44:16 -0800   admin-PC   admin   MESSAGE   IP Protection started successfully

฿: 1L7dSte4Rs4KyyxRCgrqSWYtkXdAb4Gy1z

MORE INFO ABOUT ME: BTC
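Reading the two pasted logs the way scintill's questions suggest (what the columns are, whether the listed ports belong to the local or the remote side, and whether the blocks follow a cadence), and handling papaminer's paste, which mixes IP-BLOCK rows with MESSAGE rows. This is an added example written for this page; it is not code from the thread or from Malwarebytes. The column names, the row layout and the sample rows are assumptions taken from the shape of the posted logs; the 49152-65535 range is the IANA dynamic port range that Windows uses for client-side source ports.

```python
"""Triage helper for Malwarebytes IP-BLOCK log rows (added example).

Assumes the column layout visible in the posted logs:
    <date> <time> <utc-offset> <host> <user> <event> <details>
The field names below are labels chosen here, not Malwarebytes' own.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the two posted logs: tab- and
# space-separated rows, with both IP-BLOCK and MESSAGE events.
SAMPLE_LOG = """\
2013/11/20 13:10:17 -0600\tGN0DE\tr3wt\tIP-BLOCK\t109.201.133.195 (Type: outgoing, Port: 50537, Process: chrome.exe)
2013/11/20 13:30:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 51720, Process: chrome.exe)
2013/11/20 13:50:14 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 52942, Process: chrome.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54730, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54732, Process: firefox.exe)
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   Stopping IP protection
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<event>[A-Z-]+)\s+(?P<details>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+), "
    r"Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)

# Windows (Vista and later) draws client socket source ports from the IANA
# dynamic range, so a port in this range on an *outgoing* block is almost
# certainly the local end of the connection, not a service on the remote host.
WINDOWS_DYNAMIC_PORTS = range(49152, 65536)


def parse_line(line):
    """Parse one log row into a dict; return None for rows that do not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(
        f"{rec['date']} {rec['time']} {rec['tz']}", "%Y/%m/%d %H:%M:%S %z"
    )
    if rec["event"] == "IP-BLOCK":
        b = BLOCK_RE.match(rec["details"])
        if b is None:
            return None
        rec.update(b.groupdict())
        rec["port"] = int(rec["port"])
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def count_events(records):
    """How many rows of each event type (IP-BLOCK, MESSAGE, ...) the log holds."""
    return Counter(r["event"] for r in records)


def summarize_blocks(records):
    """Group IP-BLOCK rows by (host, remote IP, process) and describe each group."""
    groups = defaultdict(list)
    for r in records:
        if r["event"] == "IP-BLOCK":
            groups[(r["host"], r["ip"], r["process"])].append(r)
    summary = {}
    for key, rows in groups.items():
        rows.sort(key=lambda r: r["ts"])
        # Gaps between consecutive blocks; same-second bursts (one page load
        # opening several sockets) are dropped so they do not hide a cadence.
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rows, rows[1:])]
        gaps = [g for g in gaps if g > 0]
        summary[key] = {
            "count": len(rows),
            "directions": sorted({r["direction"] for r in rows}),
            "ports_look_like_client_side": all(
                r["port"] in WINDOWS_DYNAMIC_PORTS for r in rows
            ),
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return summary


def verdict(entry):
    """One-line reading of a summary entry, answering the local-vs-remote port question."""
    if entry["directions"] == ["outgoing"] and entry["ports_look_like_client_side"]:
        return ("outgoing client connections; the listed ports are local source ports, "
                "so this is the process reaching a blacklisted address, "
                "not the address reaching in")
    return "needs a closer look: unexpected direction or port pattern"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(count_events(recs)))
    for key, entry in summarize_blocks(recs).items():
        print(key, entry, "->", verdict(entry))
```

On the posted rows every port is in the dynamic range and every block is "outgoing", so the summary says what scintill suspected: the browser is the client, the ports are its own source ports, and the only signal in the log is that the destination address sits on a blocklist. The median gap for the chrome.exe rows comes out at roughly twenty minutes, which is consistent with a page that refreshes on a timer rather than with anything on the host.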
r3wt (OP)
Hero Member
November 21, 2013, 03:56:49 AM
#10

Quote from: r3wt
Doesn't explain how I (an MBAM PRO user) see the warning, but regular MBAM users do not? At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.

Quote from: theymos
You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.

Been using it for years, and this is the first time it's occurred at bitcointalk. Additionally, I searched the Malwarebytes IP database and bitcointalk is not on the list of hosts. I accept that it could be a false positive, but to brush it off without investigation is lazy.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
Probably
Newbie
November 21, 2013, 05:42:27 AM
#11

https://forums.malwarebytes.org/index.php?showtopic=136963 I reported this earlier as well. Same boat, this just started happening today.

BitcoinFX
Legendary
November 22, 2013, 06:51:59 PM
#12

Quote from: r3wt
Doesn't explain how I (an MBAM PRO user) see the warning, but regular MBAM users do not? At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.

Quote from: theymos
You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.

I've just scanned bitcointalk.org

http://sitecheck.sucuri.net/scanner/ - Clean

https://www.virustotal.com/en/url/7354af8427d7b8d4236356d0bca680ad3186fce415cb51971f3793cee59e4291/analysis/1385144339/ - Clean

However, I found that hpHosts is currently listing bitcointalk.org - i.e. 'Malwarebytes'.

See: http://hosts-file.net/?s=bitcointalk.org . This is probably an error and the admin should use 'Request removal' for more info.

Not 100% sure how ads are being served here, but it might be to do with temporarily hijacked 3rd party content and/or in relation to linked content.

This report, I suspect, is actually a 'false positive'.

"Bitcoin OG" 1JXFXUBGs2ZtEDAQMdZ3tkCKo38nT2XSEp | Bitcoin logo™ Enforcer? | Bitcoin is BTC | CSW is NOT Satoshi Nakamoto | I Mine BTC, LTC, ZEC, XMR and GAP | BTC on Tor addnodes Project | Media enquiries : Wu Ming | Enjoy The Money Machine | "You cannot compete with Open Source" and "Cryptography != Banana" | BSV and BCH are COUNTERFEIT.