Bitcoin Forum
Author Topic: MtGox2014Leak.zip  (Read 8347 times)
itsunderstood
March 10, 2014, 08:03:44 AM
 #21


[..]

The thought of Mt. Gox not using a revision control system is so absurd that I find it hard to believe.  I'm inclined to think that this is another bullshit story and feeble attempt to make people believe that they are more incompetent than they actually are.

So true that it pays to play dumb.  And an interesting gambit to release crapcode as a smokescreen to cover cointheft.  Much to ponder, thanks a lot because also, most programs suck ass and are swiss cheese.  Your efforts to help are appreciated.

Check out my prescient ATS thread from 2008: "Windows XP: End the Cyberwar, Open the Code Now!" http://www.abovetopsecret.com/forum/thread411978/pg1
SmokeTooMuch
March 10, 2014, 11:24:55 AM
 #22

The TibanneBackOffice.exe executable is wallet stealing malware and here is decompiled proof

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
elebit
March 10, 2014, 11:48:35 AM
 #23

Mod note: be careful with the executable, run it only on an isolated virtual machine

Don't even run untrusted executables in a virtual machine! There have been several ways of breaking out of one, and there certainly will be more!

Why in the name of Satoshi would you run it at all?

You decompile untrusted executables, you don't run them.

Apparently the wallet stealer was some sort of super simple interpreted code this time and would only look for wallet.dat and upload it to the thieves this time, but next time it could very well be much more advanced malware. Do not take stupid risks.
razorfishsl
March 10, 2014, 01:21:28 PM
 #24

Yep…….
Let us not forget that even inside a VM any virus/exploit is already BEHIND your main defense and can easily access the IP addresses of any computers on your internal network (not to mention default passwords/access on your router!!)
Including the machine the VM is being hosted on…(not much point in having a DMZ, if you are going to put shit inside it…)
and that is before we even consider the capability to  crash 'out' of a VM.

This is the result of teaching liberal arts at school…. many people seem incapable of thinking more than one move ahead.

High Quality USB Hubs for Bitcoin miners
https://bitcointalk.org/index.php?topic=560003
justusranvier
March 10, 2014, 01:26:43 PM
 #25

Let us not forget that even inside a VM any virus/exploit is already BEHIND your main defense and can easily access the IP addresses of any computers on your internal network (not to mention default passwords/access on your router!!)
Including the machine the VM is being hosted on…(not much point in having a DMZ, if you are going to put shit inside it…)
and that is before we even consider the capability to  crash 'out' of a VM.
You're assuming the most simplistic possible implementation of virtualized networking.

Also, using off the shelf routers is a really bad idea. All that shit's rooted.
kostagr33k
March 10, 2014, 02:56:18 PM
 #26

But I don't think you're truly explaining the reason to use checksums: A trusted person releases a file to the wild, and states "this is my file's checksum." The problem here is the person who created this file is not trusted.

Just want to make that clear for people that are not engineers or coders or tech savvy to understand when to be using a checksum.


Since this file was released by an untrusted source checksums become useless and could give someone false hope.


Kosta


Not sure how a checksum helps here ... Checksums ONLY work when you trust the party that constructed the file + checksum. Did someone trusted create the file + checksum linked above?

Kosta

A file which does not checksum will have different contents (or be corrupt) which is a give away that someone has monkeyed with it.  Almost certainly such a thing would indicate the inclusion of contents with exploits.

When I wrote that, it was unknown whether the 'original' contained exploits or not.  Reports now seem to indicate that it is full of them.  (Who could have seen that coming?)

Checksums are basic and simple things that have been in use for decades.  For good reason.  Using checksums in a situation like this one can help identify a very likely class of theft attempts.  There is no reason but utter ignorance and laziness not to use them...except to attempt to perpetrate a theft that is.


malevolent
March 10, 2014, 03:00:17 PM
 #27

Mod note: be careful with the executable, run it only on an isolated virtual machine

Don't even run untrusted executables in a virtual machine! There have been several ways of breaking out of one, and there certainly will be more!

Why in the name of Satoshi would you run it at all?

You decompile untrusted executables, you don't run them.

Apparently the wallet stealer was some sort of super simple interpreted code this time and would only look for wallet.dat and upload it to the thieves this time, but next time it could very well be much more advanced malware. Do not take stupid risks.

That's why I wrote "isolated" (no shared folders, preferably on a separate physical machine, guest additions disabled, etc.).

Signature space available for rent.
RodeoX
March 10, 2014, 03:01:41 PM
 #28

Anyone who downloads this is fuckin crazy. What a crock of crap. I love how it is labeled "leak".
Is that supposed to remind Mark that he leaked it to himself?

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf
Free bitcoin in ? - Stay tuned for this year's Bitcoin hunt!
AT101ET
March 10, 2014, 04:08:35 PM
 #29

Guys, word of advice, do NOT open any links or files that you aren't entirely aware of.
They may compromise your wallets or install a key logger on your PC recording your passwords.
Be careful!
SmokeTooMuch
March 10, 2014, 04:33:53 PM
 #30

You're not "fuckin crazy" just because you are smart enough to understand how to look at text files. My personal opinion is that you are extremely stupid if you seriously believe that unzipping a file and looking at plain text files will harm you in any way.
Assuming you can be 100% sure that the software you are using to open these files (or to unzip them) is absolutely secure and there are no exploits for them known to mankind. Which you can't.

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
RodeoX
March 10, 2014, 05:09:49 PM
 #31

You're not "fuckin crazy" just because you are smart enough to understand how to look at text files. My personal opinion is that you are extremely stupid if you seriously believe that unzipping a file and looking at plain text files will harm you in any way.
Assuming you can be 100% sure that the software you are using to open these files (or to unzip them) is absolutely secure and there are no exploits for them known to mankind. Which you can't.
+1 Why would I even bother to take the risk? To see a supposed secret leaked document?  I know what the risks are, I've been on the internet and into computing for over 20 years now. I also worked on a farm and learned the smell of bullshit IRL. 

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf
Free bitcoin in ? - Stay tuned for this year's Bitcoin hunt!
nagnagnag2
March 10, 2014, 05:21:57 PM
 #32

I can concur that 'mtgox_balances' is accurate and well up to date. I was able to verify myself with the correct balance.


SmokeTooMuch
March 10, 2014, 05:27:04 PM
 #33

Assuming you can be 100% sure that the software you are using to open these files (or to unzip them) is absolutely secure and there are no exploits for them known to mankind. Which you can't.

Yes, yes, like zlib has an exploit that only these fancypants hackers know about. Sure. That's so likely.

Feel free to show us where in the zlib source code this exploit you imagine exists. I'm sure a zillion people would like to know.
Ever heard of 0-day exploits? I don't have to prove anything here. All I'm saying is, that there is a risk you should not be willing to take if you don't know exactly what you are doing.
Files handed to you by cybercriminals can not be trusted.

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
tvbcof
March 10, 2014, 05:28:47 PM
 #34

But I don't think you're truly explaining the reason to use checksums: A trusted person releases a file to the wild, and states "this is my file's checksum." The problem here is the person who created this file is not trusted.

Just want to make that clear for people that are not engineers or coders or tech savvy to understand when to be using a checksum.

Since this file was released by an untrusted source checksums become useless and could give someone false hope.

Kosta


If it is simply a question about whether there are multiple files called exactly 'MtGox2014Leak.zip' floating around, checksums are anything but useless.  They are in fact mandatory.

Knowing whether there are multiple different files with that name being distributed would be terrific information to know as early as possible.

If you want to trust someone you should be looking for a PGP sig.  Checksums only speak to the integrity of a file contents...they say nothing about the content (other than it differs from some other variant.)

Your point about danger of checksum hashes giving (lazy, ignorant, naive) people a false sense of security is a good one however.  The same can be said of PGP sigs and a lot of other otherwise useful constructs.  That is not really a good excuse not to use these tools however.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
one4many
March 10, 2014, 05:31:20 PM
 #35

In another thread someone said they had decompiled it and had posted the code, and that there was some suspicious code. I don't know if that was here or another forum though.
The .pdf contains the evil JavaScript.
Hmm ... I analyzed the PDF and there is no JS inside. It looks like the real deal; I mean it has been created with a very old version of OpenOffice.

Code:
PDFiD 0.1.2 CV-Mark_Karpeles_20100325.pdf
 PDF Header: %PDF-1.4
 obj                   41
 endobj                41
 stream                14
 endstream             14
 xref                   1
 trailer                1
 startxref              1
 /Page                  2
 /Encrypt               0
 /ObjStm                0
 /JS                    0
 /JavaScript            0
 /AA                    0
 /OpenAction            1
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /EmbeddedFile          0
 /XFA                   0
 /Colors > 2^24         0

So the important bits are "/JS 0", "/JavaScript 0" and "/OpenAction 1". 0 means there is nothing; 1 (or more) means there is something. So evidently there is no JavaScript embedded. However, there is an OpenAction command. A little research reveals that it opens the following object: "/OpenAction [1 0 R /XYZ null null 0]". This means object 1 0 is going to be executed.

This object looks like this:
Code:
%PDF-1.4
1 0 obj
<<
/pdftk_PageNum 1
/Resources 2 0 R
/Contents 3 0 R
/Parent 4 0 R
/Type /Page
/MediaBox [0 0 612 792]
/Group
<<
/CS /DeviceRGB
/I true
/S /Transparency
>>
>>
endobj
This is the standard (at least at that time, around the 2000s) OpenOffice page header, which sometimes gets mistaken for malware by some crap scanners.
If anybody finds anything different let me know, I would be very much interested in this.

Cheers

    one4many
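The triage one4many describes, as an added example (not PDFiD itself nor anything from the thread): count the PDFiD-style keywords in a PDF and, when /OpenAction is present, resolve the object it references so the reader can tell a plain /Page destination (the benign case above) from an action dictionary. The two PDFs are constructed inline; real malicious PDFs can obfuscate names, so a zero count is not proof of safety.

```python
"""PDFiD-style keyword triage with /OpenAction resolution (added example)."""
import re

# Same keywords the PDFiD report above lists; counts are literal matches only.
KEYWORDS = [b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
            b"/EmbeddedFile", b"/AcroForm", b"/XFA"]


def keyword_counts(pdf: bytes) -> dict:
    """Count whole-name occurrences (so /JS is not counted inside /JSx)."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf))
            for k in KEYWORDS}


def open_action_target(pdf: bytes):
    """Return (objnum, gen) from '/OpenAction [n g R ...]' or '/OpenAction n g R'."""
    m = re.search(rb"/OpenAction\s*\[?\s*(\d+)\s+(\d+)\s+R", pdf)
    return (int(m.group(1)), int(m.group(2))) if m else None


def object_body(pdf: bytes, num: int, gen: int) -> bytes:
    """Raw body between 'n g obj' and 'endobj' (empty if the object is absent)."""
    pat = rb"(?<![0-9])%d\s+%d\s+obj(.*?)endobj" % (num, gen)
    m = re.search(pat, pdf, re.S)
    return m.group(1).strip() if m else b""


def classify_open_action(pdf: bytes) -> str:
    """'none' (no OpenAction), 'page' (a view destination, as in the thread),
    'action' (target is an action dictionary with /S), else 'unknown'."""
    tgt = open_action_target(pdf)
    if tgt is None:
        return "none"
    body = object_body(pdf, *tgt)
    if re.search(rb"/Type\s*/Page(?![A-Za-z])", body):
        return "page"
    return "action" if re.search(rb"/S(?![A-Za-z])", body) else "unknown"


# Constructed benign case: OpenAction is just a jump to page object 1 0.
BENIGN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Page /Parent 4 0 R "
          b"/MediaBox [0 0 612 792] >>\nendobj\n5 0 obj\n<< /Type /Catalog "
          b"/Pages 4 0 R /OpenAction [1 0 R /XYZ null null 0] >>\nendobj\n")

# Constructed suspect case: OpenAction points at a JavaScript action dictionary.
SUSPECT = (b"%PDF-1.4\n7 0 obj\n<< /S /JavaScript /JS 8 0 R >>\nendobj\n"
           b"5 0 obj\n<< /Type /Catalog /OpenAction 7 0 R >>\nendobj\n")


def triage(pdf: bytes) -> dict:
    """Combine the counts and the OpenAction classification into one report."""
    return {"counts": keyword_counts(pdf), "open_action": classify_open_action(pdf)}


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage(doc))
```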
SmokeTooMuch
March 10, 2014, 05:33:10 PM
 #36

Checksums only speak to the integrity of a file contents...they say nothing about the content (other than it differs from some other variant.)
Just a quick addendum: You also have to be able to trust the source of the checksums, which in reality is harder than it sounds.
http://noncombatant.org/2014/03/03/downloading-software-safely-is-nearly-impossible/

EDIT:
If anybody finds anything different let me know, I would be very much interested in this.
Here's the link to the decompiled code of the TibanneBackOffice.exe done by a kind redditor:
https://3d3.ca/ijKOh.vbs#eV7i3HIliI93y+UR

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
itsunderstood
March 10, 2014, 05:38:10 PM
 #37

If there was cooperation, then the smart and gutsy "I'll run this in a sandbox" people, can help the fearful "I don't know how it works" crew.  And it seems like this is kinda happening, as helpful users are doing.

But, you took your biggest risk trusting Gox, so don't get all preachy now about being safe.  Fear is what you stepped over, to invest at Gox.  Fear is what you now relent to, because you got Goxxed.

But, fearing programs and computers, is not the place to be emotionally.  Just learn how notepad works and go from there.

Check out my prescient ATS thread from 2008: "Windows XP: End the Cyberwar, Open the Code Now!" http://www.abovetopsecret.com/forum/thread411978/pg1
tvbcof
March 10, 2014, 05:52:49 PM
 #38

Checksums only speak to the integrity of a file contents...they say nothing about the content (other than it differs from some other variant.)
Just a quick addendum: You also have to be able to trust the source of the checksums, which in reality is harder than it sounds.

http://noncombatant.org/2014/03/03/downloading-software-safely-is-nearly-impossible/


The author describes the difficulty of being rigorous in solving a somewhat different problem.  Rigor against sophisticated, motivated, and well funded attackers is damn difficult.  Too bad that putty doesn't make it more practical since this is one of the few pieces of software where it is really necessary in some cases.

For the item under discussion here, we are mostly concerned about non-sophisticated parties doing cheap hacks.  The possibility that some Bulgarian hacker will be able to distribute a modified version of sha256 which will recognize his crafted mtgox.zip and give false info is remote.  Similarly, the possibility that an attacker would be able to do DPI and modify all values of the checksum which a user sees and thus fool them is also remote.

By sharing checksums on a forum such as this, people are acting as a community and attacks which are otherwise possible (if difficult) become effectively impossible.  A few people producing the checksums that they have could reliably uncover an effort to distribute multiple variants of a file, which would be very valuable to know about.

My concern was that the original would be found to be benign but there would evolve toxic variants and people would be fooled in this way.  The simple act of looking at a checksum would halt that problem.  As it is, it looks like the file was full of attacks from the get-go.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
SmokeTooMuch
March 10, 2014, 06:27:36 PM
 #39

I don't see the point of a checksum of a file, published by a cybercriminal, that has proven to contain malware.
But in general, I agree with you.

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
tvbcof
March 10, 2014, 06:50:42 PM
 #40

I don't see the point of a checksum of a file, published by a cybercriminal, that has proven to contain malware.
But in general, I agree with you.

At the time I suggested it, it was not clear whether or not the archive contained trojans.

It is good practice to document a checksum for distributed files no matter what.  If the file is mirrored, this can produce a very high reliability indicator of file integrity and serves as a tip-off for subversion.  Indeed, we saw the file in question mirrored to multiple places very quickly.

Again, checksums are also useful to track versions over time.  If you get the same file from the same place, but it has a different checksum the next day, this is a very reliable indication that it has been screwed with.

Pretty much everyone, I think, was suspicious of the original file.  Had it been looked at by professionals and blessed as clean it would be critical to be able to verify that a copy that one might find in their possession was the same thing that was analyzed by competent parties.

Nobody is saying that checksums, and in particular simple ones like md5 or sha256, are the key to solving every crime worldwide.  Nor is it something which takes the place of one's brain in assessing attack scenarios.  It is, however, a simple and reliable tool which can significantly reduce an attack surface.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
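The two uses tvbcof argues for in #38 and #40, as an added example (not the forum's or any poster's tooling): group the SHA-256 digests that several mirrors or reporters publish for a file of the same name to see how many distinct variants are circulating, and compare today's digest of a file against a previously recorded one to flag a silent change at the source. The mirror bytes and reports are constructed inline; agreement between copies says only that they are identical, not that the file is safe.

```python
"""Checksum-based variant detection and change tracking (added example)."""
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def group_by_digest(reports: dict) -> dict:
    """reports: {reporter_or_mirror: hex digest} -> {digest: sorted reporters}.
    Digests are normalised to lower case so upper/lower-case reports agree."""
    groups = defaultdict(list)
    for who, digest in reports.items():
        groups[digest.strip().lower()].append(who)
    return {d: sorted(w) for d, w in groups.items()}


def variant_summary(reports: dict) -> dict:
    """Rank variants by how many sources report them; everything after the
    most-reported digest is an outlier worth looking at (or a tampered mirror)."""
    groups = group_by_digest(reports)
    ranked = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    majority_digest, majority_sources = ranked[0]
    return {
        "variants": len(groups),
        "majority": majority_digest,
        "majority_sources": majority_sources,
        "outliers": {d: w for d, w in ranked[1:]},
    }


def changed_since(recorded_digest: str, current_bytes: bytes) -> bool:
    """True if the file fetched today no longer matches the digest recorded earlier."""
    return sha256_hex(current_bytes) != recorded_digest.strip().lower()


# Constructed sample: three sources hold identical bytes; a fourth mirror
# serves a modified archive under the same file name.
ORIGINAL = b"PK\x03\x04 constructed archive bytes, version one"
TAMPERED = ORIGINAL + b" plus an appended payload"
REPORTS = {
    "mirror-a": sha256_hex(ORIGINAL),
    "mirror-b": sha256_hex(ORIGINAL).upper(),   # same file, differently cased report
    "reporter-c": sha256_hex(ORIGINAL),
    "mirror-d": sha256_hex(TAMPERED),
}


if __name__ == "__main__":
    print(variant_summary(REPORTS))
    print("changed at source:", changed_since(sha256_hex(ORIGINAL), TAMPERED))
```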