Bitcoin Forum
Topic: Clipboard Hijacker Malware Monitors 2.3 Million Bitcoin Addresses
Lafu (OP)
July 04, 2018, 11:26:44 PM
Last edit: July 05, 2018, 10:02:33 PM by Lafu
Merited by dbshck (5), tyz (2), vapourminer (1), The Cryptovator (1), TheBeardedBaby (1)
 #1

Found something interesting!

While cryptocurrency has seen tremendous growth over the past year, sending cryptocoins still requires users to send the coins to long and hard-to-remember addresses.
Due to this, when sending cryptocoins, many users will simply copy the address into memory from one application and paste it into another application that they are using to send the coins.

Attackers recognize that users are copying and pasting the addresses and have created malware to take advantage of this.
This type of malware, called CryptoCurrency Clipboard Hijackers, works by monitoring the Windows clipboard for cryptocurrency addresses, and if one is detected, will swap it out with an address that they control.
Unless a user double-checks the address after they paste it, the sent coins will go to an address under the attacker's control instead of the intended recipient.

While we have covered cryptocurrency clipboard hijackers in the past and they are not new, most of the previous samples monitored for 400-600 thousand cryptocurrency addresses.
This week BleepingComputer noticed a sample of this type of malware that monitors for over 2.3 million cryptocurrency addresses!

2.3 million cryptocurrency addresses being monitored by malware


How the infection loads

This infection was spotted as part of the All-Radio 4.27 Portable malware package that was distributed this week.
When installed, a DLL named d3dx11_31.dll will be downloaded to the Windows Temp folder and an autorun called "DirectX 11" will be created to run the DLL when a user logs into the computer.
This DLL will be executed using rundll32.exe with the "rundll32 C:\Users\[user-name]\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded" command.



Rundll32.exe launching the infection


Protecting yourself from clipboard hijackers


As malware like this runs in the background with no indication that it is even running, it is not easy to spot that you are infected.
Therefore it is important to always have an updated antivirus solution installed to protect you from these types of threats.
It is also very important that all cryptocurrency users double-check any addresses that they are sending cryptocoins to before they actually send them.
This way you can spot whether an address has been replaced with a different one than is intended.
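A way to check for the persistence mechanism described in the post above, as an added example that is not part of the original post or the article it quotes: the function flags autorun entries where rundll32 loads a DLL from a user-writable temp location. The entry list is constructed sample data (only the "DirectX 11" command comes from the post), and the function name and the list of temp locations are assumptions.

```python
import re
from ntpath import normpath

# Locations a standard user can write to; a DLL auto-started from one is suspect.
# This list is an assumption for the example, not taken from the post.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%\\", "%tmp%\\")

# rundll32 syntax: rundll32[.exe] <dll path>,<export> [args]; either path may be quoted.
RUNDLL = re.compile(
    r'^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,"]+?))\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Constructed sample of autorun entries (value name -> command line). Only the
# "DirectX 11" entry is taken from the post; the other three are made up.
SAMPLE_AUTORUNS = {
    "DirectX 11": r"rundll32 C:\Users\[user-name]\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded",
    "Updater": r'"C:\Windows\System32\rundll32.exe" "%TEMP%\upd.dll",Start',
    "Control Panel": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

def flag_suspicious_autoruns(entries):
    """Return (name, dll, export) for every rundll32 autorun that loads a DLL
    from a user-writable temp location."""
    findings = []
    for name, command in entries.items():
        m = RUNDLL.match(command)
        if not m:
            continue  # not a rundll32 launch
        dll = normpath(m.group("quoted") or m.group("bare")).lower()
        if any(marker in dll for marker in USER_WRITABLE):
            findings.append((name, dll, m.group("export")))
    return findings

if __name__ == "__main__":
    for name, dll, export in flag_suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"SUSPICIOUS autorun {name!r}: {dll} (export {export})")
```

On a live system the same dictionary would be filled from the user's and machine's autorun entries instead of the sample.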


vnck25
July 04, 2018, 11:41:41 PM
 #2

Wow thank you for this information, I have heard many experts in cryptocurrencies advising and educating newcomers to always double check their sending bitcoin and other cryptocoin addresses before actually sending the funds.  But it seems like many do not double check after pasting the BTC address. Do you know if this malware can attack other operating systems like Mac OS and Linux? Again thank you for sharing this valuable information.
Lafu (OP)
July 05, 2018, 12:04:53 AM
 #3

Quote from: vnck25
> Do you know if this malware can attack other operating systems like Mac OS and Linux?

Don't know at the moment, but I'm looking to get maybe more information about all this!

sabine80
July 05, 2018, 01:24:12 AM
 #4

Thanks for this warning. Until just now I did not know that there is such a thing. Can I infect my system with it when I visit a website, or do I have to download something for that?
RGBKey
July 05, 2018, 01:38:08 AM
 #5

Quote from: Lafu
> Quote from: vnck25
> > Do you know if this malware can attack other operating systems like Mac OS and Linux?
>
> Don't know at the moment, but I'm looking to get maybe more information about all this!

Most malware creators usually target Windows as it's more vulnerable, more hosts run it, and people that run it aren't as security conscious. It's usually not worth their time to target other OSes.
nonconformist
July 05, 2018, 01:43:46 AM
 #6

Thanks for the heads up mate. I knew nothing about this kind of malware until now. And this is rather alarming. Hackers are making cleverer and cleverer ways of getting all your cryptocoins as much as possible, so it depends on us to not be complacent and always double check everything and make sure our antivirus is always updated.

odolvlobo
July 05, 2018, 02:33:19 AM
Merited by Lafu (1)
 #7

You neglected to include the URL of the original article: https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-monitors-23-million-bitcoin-addresses/

pooya87
July 05, 2018, 02:40:16 AM
 #8

I don't understand 1 thing though. Why is it saying "monitors addresses"? Does it have a database that matches the address you copy, because that would be silly! The way these malware work is that they monitor your clipboard and when something enters it they just check to see whether it is a bitcoin address or not, and it is very simple since the text has to be a valid base58 (and now Bech32) encoded string.

Having a database for that is like having a database of 2.3 million numbers to check whether an input like 235513314955 is a number or not!
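The Base58 format check mentioned in the post above, combined with the double-check advice from the opening post, as an added example that is not part of the thread: a substituted address is itself well-formed and passes the checksum, so the paste has to be compared character for character with the address obtained from the recipient. The two sample addresses are constructed from made-up hashes, `verify_paste` is a hypothetical helper, and only legacy Base58Check addresses are covered, not Bech32.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version: int, hash160: bytes) -> str:
    """Build a legacy address string; used here only to construct sample data."""
    data = bytes([version]) + hash160
    data += _checksum(data)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def b58check_decode(addr: str):
    """Return (version, hash160), or None if alphabet, length or checksum is wrong."""
    n = 0
    for ch in addr:
        i = ALPHABET.find(ch)
        if i < 0:
            return None
        n = n * 58 + i
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[0], raw[1:21]

def verify_paste(intended: str, pasted: str) -> str:
    """Compare a pasted address with the one obtained from the recipient."""
    intended, pasted = intended.strip(), pasted.strip()
    if b58check_decode(pasted) is None:
        return "invalid"    # typo or truncation: the checksum catches it
    if pasted != intended:
        return "replaced"   # well-formed but different: what a hijacker produces
    return "ok"

# Constructed sample data: two addresses derived from made-up 20-byte hashes.
INTENDED = b58check_encode(0, bytes(range(1, 21)))
SWAPPED = b58check_encode(0, bytes(range(2, 22)))

if __name__ == "__main__":
    print(verify_paste(INTENDED, INTENDED + "\n"))
    print(verify_paste(INTENDED, SWAPPED))
    print(verify_paste(INTENDED, INTENDED[:-1]))
```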

Lafu (OP)
July 05, 2018, 04:14:04 AM
Last edit: July 05, 2018, 07:30:24 PM by Lafu
 #9


Edited  

Thank you for the reminder, forgot it, sorry!

Welsh
Staff
July 05, 2018, 05:21:56 AM
Merited by Lafu (1)
 #10

Quote from: nonconformist
> Thanks for the heads up mate. I knew nothing about this kind of malware until now. And this is rather alarming. Hackers are making cleverer and cleverer ways of getting all your cryptocoins as much as possible, so it depends on us to not be complacent and always double check everything and make sure our antivirus is always updated.

This malware has always existed. Plus, anti virus is generally useless, and only picks up things that they already have in their database. Any new malware will not be picked up. Just don't download dodgy shit, and you will be fine. If you have to download a client that you don't trust then download it within a virtual machine.

Quote from: pooya87
> I don't understand 1 thing though. Why is it saying "monitors addresses"? Does it have a database that matches the address you copy, because that would be silly! The way these malware work is that they monitor your clipboard and when something enters it they just check to see whether it is a bitcoin address or not, and it is very simple since the text has to be a valid base58 (and now Bech32) encoded string.
>
> Having a database for that is like having a database of 2.3 million numbers to check whether an input like 235513314955 is a number or not!

Could be referring to checking addresses to see if they have any value in them or not. It's very unlikely that they have a database they can check.
ajuelnah akun
July 05, 2018, 06:37:04 AM
 #11

I think most anti-virus software is not working properly, the anti virus only cleans the built-in app from a computer or phone but can not clean up viruses contained in new applications that have been downloaded on your computer or phone.
As with any virus that attacks the Messenger Facebook app, even if you have anti virus on your computer or mobile phone, Facebook still has to go in to clean it yourself.
doraemon_33766
July 05, 2018, 07:47:28 AM
 #12

This is really terrific. Thanks for your warning about it. Many will be aware after seeing this post and I will request all to be very careful while dealing with the bitcoin address. Double and triple check it. Else you may fall a victim to this malware.
Welsh
Staff
July 05, 2018, 10:48:41 PM
 #13

Quote from: ajuelnah akun
> I think most anti-virus software is not working properly, the anti virus only cleans the built-in app from a computer or phone but can not clean up viruses contained in new applications that have been downloaded on your computer or phone.
> As with any virus that attacks the Messenger Facebook app, even if you have anti virus on your computer or mobile phone, Facebook still has to go in to clean it yourself.

They are working properly, but people expect things from them which aren't possible. For example, like I mentioned above they only collect information from their known database, and check whether that application has been submitted as malware within their database. If it hasn't then they don't flag it, but if it does exist in their database they flag it.

Anti virus software doesn't have special permissions where it can take a look at an application's source code, and determine whether it's safe or not. It's a glorified spreadsheet with known extensions/applications that are malware. If you use common sense you can get away with using an anti virus.
8count
July 06, 2018, 12:16:08 AM
 #14

Thanks for the heads up mate. I do usually double and triple check my address before sending, but there have been times I have been lazy or in a rush and just copy & pasted and sent. I'll be triple checking every time from now on.
blockaid.net
July 06, 2018, 12:25:21 AM
 #15

Thanks for sharing this important info to crypto users here. We will be more alert in dealing with our crypto transactions and be vigilant on how we do things on the internet.
Remainder
July 06, 2018, 12:27:22 AM
 #16

I was thinking before that this kind of malware will come out soon because we all do copy and paste of our bitcoin wallet and keys in order to access our account and someone just created it. This is so alarming, and thanks for the helpful information, we will now be more careful on what we install on our PC units.