Bitcoin Forum
Author Topic: Malwarebytes stopping outbound phishing and exploit attempts from Electrum  (Read 226 times)
TrustyRusty (OP)
May 25, 2020, 01:20:06 AM
 #1



Malwarebytes stopped 3 outbound attempts from Electrum

2 phishing going to endthefed.onthewifi(dot)com IP 37(dot)211(dot)78(dot)253

And 1 exploit going to exs.ignorelist(dot)com IP 79(dot)11(dot)31(dot)76


When I downloaded Electrum 3.3.8 I checked signature and fingerprint. Both checked out

All this happened before I even set up the wallet.

I deleted everything and redid the entire process and the same thing happened.

What gives? Anyone know what's going on?
jackg
May 25, 2020, 01:23:20 AM
 #2

Electrum's official website is electrum.org... Nothing else (other than maybe their GitHub)

Scams where a link is genuine can be seen where the user trusts and bookmarks the page and then goes back and downloads an attacker's version... Think about it, at the moment people could bookmark it and they can't be reported for being malicious but as soon as they have enough downloads they can change their download applications.
TrustyRusty (OP)
May 25, 2020, 01:29:38 AM
 #3

> Electrum's official website is electrum.org... Nothing else (other than maybe their GitHub)
>
> Scams where a link is genuine can be seen where the user trusts and bookmarks the page and then goes back and downloads an attacker's version... Think about it, at the moment people could bookmark it and they can't be reported for being malicious but as soon as they have enough downloads they can change their download applications.

I checked and double checked that I was on electrum.org. Hell, I quadruple checked the 2nd time
jackg
May 25, 2020, 01:32:45 AM
 #4

If it was and the signature was right and those nodes listed above are the ones it has found then you can add it as a permanent exception in Malwarebytes...

A lot of firewall software has a contingency for not trusting the unknown and this may be one of those occasions.
crwth
May 25, 2020, 02:15:32 AM
 #5

I think the attacks on the electrum wallet are still ongoing continuously. Maybe your electrum wallet has connected to a malicious node? Upon researching, if you connected to one, your transactions might get intercepted and receive a fake update or something related to that.

Information about Electrum wallets being attacked can be read here. The article was dated April 22, 2019

https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/

jackg
May 25, 2020, 02:28:45 AM
 #6

> I think the attacks on the electrum wallet are still ongoing continuously. Maybe your electrum wallet has connected to a malicious node? Upon researching, if you connected to one, your transactions might get intercepted and receive a fake update or something related to that.
>
> Information about Electrum wallets being attacked can be read here. The article was dated April 22, 2019
>
> https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/

This is ONLY for versions below 3.0.5 and probably isn't the OP's problem (though it may have been why electrum was initially reported)...
crwth
May 25, 2020, 02:32:30 AM
 #7

> This is ONLY for versions below 3.0.5 and probably isn't the OP's problem (though it may have been why electrum was initially reported)...

Oh okay. Maybe the entirety of having a cryptocurrency-related software might be a flag to Malwarebytes already? Like what antivirus software does as well? I think if the OP adds it to the permanent exception list, like what you suggested, he might be paranoid because of those kinds of notifications of outbound connections.

jackg
May 25, 2020, 02:38:17 AM
 #8

>> This is ONLY for versions below 3.0.5 and probably isn't the OP's problem (though it may have been why electrum was initially reported)...
>
> Oh okay. Maybe the entirety of having a cryptocurrency-related software might be a flag to Malwarebytes already? Like what antivirus software does as well? I think if the OP adds it to the permanent exception list, like what you suggested, he might be paranoid because of those kinds of notifications of outbound connections.

Yeah a lot of AV goes off community usage and heuristics...

And I haven't used Malwarebytes recently but, OP, if you get some text next to it that says something like win-gen-2 then it's just a generic report picked up by the heuristic algorithm... If you have issues with trusting the electrum foundation then I'd suggest looking up how to launch a virtual machine on your computer to sandbox it - some AV software can also sandbox it on the current machine in a virtual environment too but this will trade off security a little.

Edit: just the inclusion of "gen" or "generic" in the report is enough to assume it might be a false positive.
pooya87
May 25, 2020, 03:10:53 AM
 #9

>> I think the attacks on the electrum wallet are still ongoing continuously. Maybe your electrum wallet has connected to a malicious node? Upon researching, if you connected to one, your transactions might get intercepted and receive a fake update or something related to that.
>>
>> Information about Electrum wallets being attacked can be read here. The article was dated April 22, 2019
>>
>> https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/
>
> This is ONLY for versions below 3.0.5 and probably isn't the OP's problem (though it may have been why electrum was initially reported)...

It "definitely" isn't OP's problem because despite what we (humans) say about these nodes being "malicious", their behavior in the eyes of a computer is no different than the behavior of any other Electrum node. They are doing the same exact communication with the clients as any other Electrum node does and even the "malicious" message looks the same, not to mention that it will only be sent to the client when they try to broadcast a transaction, not during syncing.

nc50lc
May 25, 2020, 03:17:32 AM
 #10

> What gives? Anyone know what's going on?

Those are in the list of available Electrum servers when you click on the connection green/red circle icon->server tab.
You must be connected to one of those servers, then Electrum failed because of your AV then selected the other one.

And you're not the first one to report such an incident.
If it didn't happen when you connected to other servers and you don't want to use those servers flagged by your AV,
consider manual server selection:
Open the server tab (same as the above), uncheck "Select server automatically", right click on a server and select "use as server".

Coin_trader
May 25, 2020, 03:26:25 AM
 #11

I got a warning too from my Windows Defender AV when installing the portable version of Electrum yesterday. I have seldom used the Windows version of the wallet since I experienced an attack last year. I downloaded it from the official website, electrum.org. I checked it multiple times before I downloaded. I already imported my recovery seed since I need to sign a message. The only good thing was that all funds in my wallet had already been moved to my local wallet.

Is there a way to force a logout of all my wallet logins? I'm scared that someone will steal my balance if I ever deposit some of my BTC in it. I'm using that wallet addy for receiving my signature payment tho.

PS: I thought that warning was normal since I'm installing the portable version, just like installing a cracked version of software.

joniboini
May 25, 2020, 05:38:44 AM
 #12

^
As long as the signature matches then you should be fine. But how exactly did this installation of portable Electrum happen? I use one and I don't remember any installation being required to run it.

NotATether
May 25, 2020, 07:37:51 AM
 #13

> ^
> As long as the signature matches then you should be fine. But how exactly did this installation of portable Electrum happen? I use one and I don't remember any installation being required to run it.

If the digital signature (certificate) isn't embedded into an .exe file when it's created, or if there is a certificate but it doesn't have a parent/grandparent/ancestor certificate that's not in Windows' certificate storage, then it's going to display a warning. Maybe electrum doesn't purchase a certificate from a certificate authority and self-signs them, a practice which Windows flags as a warning (which just means that you trust the developer of the program, or you have other means of integrity verification like PGP).

All in all, I wouldn't worry about this as long as the hashes in the PGP match with the program. This just means Windows' alternative verification method failed to verify it.

This explains Windows' signing process called Authenticode:
https://docs.microsoft.com/en-us/archive/blogs/ieinternals/everything-you-need-to-know-about-authenticode-code-signing

joniboini
May 25, 2020, 11:53:00 AM
 #14

> All in all, I wouldn't worry about this as long as the hashes in the PGP match with the program. This just means Windows' alternative verification method failed to verify it.

Maybe my wording is bad, but I was actually referring to the PGP signature and not the Windows one. But yeah, should be okay if OP did verify and the result matches.

Abdussamad
May 25, 2020, 02:23:07 PM
 #15

Those are likely Electrum servers. It's a false positive. You didn't have to delete everything. Install it all again and whitelist Electrum.
Coin_trader
May 26, 2020, 06:38:10 AM
 #16

> ^
> As long as the signature matches then you should be fine. But how exactly did this installation of portable Electrum happen? I use one and I don't remember any installation being required to run it.

I misused the word installation, sorry for that. I downloaded the portable version so that it would skip the installation process, since I will be using it for signing a message only. The warning from my Windows Defender popped up suddenly but I neglected it since I downloaded it from the official website. I'm just a bit worried since I saw this thread tho. I still have trauma from my loss last year from downloading the minex wallet app from the official website; then suddenly someone accessed my wallet even though I hadn't used the wallet for a year and I checked the balance regularly.


ranochigo
May 26, 2020, 08:07:05 AM
 #17

>> ^
>> As long as the signature matches then you should be fine. But how exactly did this installation of portable Electrum happen? I use one and I don't remember any installation being required to run it.
>
> I misused the word installation, sorry for that. I downloaded the portable version so that it would skip the installation process, since I will be using it for signing a message only. The warning from my Windows Defender popped up suddenly but I neglected it since I downloaded it from the official website. I'm just a bit worried since I saw this thread tho. I still have trauma from my loss last year from downloading the minex wallet app from the official website; then suddenly someone accessed my wallet even though I hadn't used the wallet for a year and I checked the balance regularly.

You shouldn't rely on "downloading from the official website" as the software being legit. Checking it against the signature is a safer way to verify software as the person signing it would essentially be endorsing it as it being legit. Once you download any malware/fake software, your security is as good as gone, no matter whether you delete it or not.

Antivirus seems to be particularly sensitive to Electrum's build and often tags it as malicious. It's nothing to worry about *IF* you verify the binaries.

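Several replies in this thread rest on the download's signature having been verified. As an added example (not from any poster and not Electrum's own code), this reads GnuPG's machine-readable `--status-fd` output and accepts a file only when a valid signature comes from a pinned key fingerprint, which is what separates a real check from a "Good signature" made by an unexpected key. `PINNED_FPR` is a placeholder and every status line below is constructed sample data.

```python
import subprocess

# Placeholder, not a real key: use the release signer's full 40-hex-digit
# fingerprint, obtained from a source independent of the download itself.
PINNED_FPR = "A" * 40
OTHER_FPR = "B" * 40  # constructed: some other key present in the keyring

# Status keywords that reject the result outright (deliberately conservative).
REJECT = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def check_status(status_text, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) for the output of `gpg --status-fd`.

    ok is True only when gpg reports a cryptographically valid signature
    (VALIDSIG) whose signing key or primary key is the pinned fingerprint.
    """
    pinned = pinned_fpr.replace(" ", "").upper()
    signers = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable chatter, not a status line
        keyword = fields[1]
        if keyword in REJECT:
            return False, keyword
        if keyword == "VALIDSIG" and len(fields) >= 3:
            signers.add(fields[2].upper())       # fingerprint of signing key
            if len(fields) >= 12:
                signers.add(fields[11].upper())  # primary key fingerprint
    if pinned in signers:
        return True, "valid signature from pinned key"
    if signers:
        return False, "valid signature, but from an unexpected key"
    return False, "no valid signature found"


def verify_file(sig_path, file_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature and apply check_status to its output."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return check_status(proc.stdout, pinned_fpr)


def sample(fpr):
    """Constructed status output for a good signature made by key `fpr`."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer",
        f"[GNUPG:] VALIDSIG {fpr} 2020-05-01 1588291200 0 4 0 1 8 00 {fpr}",
    ])


GENUINE = sample(PINNED_FPR)      # signed by the expected key
WRONG_KEY = sample(OTHER_FPR)     # "Good signature", but someone else's key
TAMPERED = f"[GNUPG:] BADSIG {PINNED_FPR[-16:]} Constructed Signer"
# Signed by two keys, one of which is not in the keyring (constructed).
MULTI = "\n".join([
    f"[GNUPG:] ERRSIG {OTHER_FPR[-16:]} 1 8 00 1588291200 9 {OTHER_FPR}",
    f"[GNUPG:] NO_PUBKEY {OTHER_FPR[-16:]}",
    GENUINE,
])

if __name__ == "__main__":
    for name in ("GENUINE", "WRONG_KEY", "TAMPERED", "MULTI"):
        print(name, check_status(globals()[name]))
```

`verify_file` needs the `gpg` binary and the signer's public key already imported; `check_status` alone works on saved status output.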
Lucius
May 26, 2020, 10:33:30 AM
 #18

> Antivirus seems to be particularly sensitive to Electrum's build and often tags it as malicious. It's nothing to worry about *IF* you verify the binaries.

As for Electrum, I have been using it for years without any problems from my AV or Malwarebytes Premium. Maybe it’s just that I’ve never used it for MB problematic servers, because how else to explain that the same software causes problems for someone and not for someone else? One explanation is that the OP uses an older version of Malwarebytes, and the new version has a fix for false positive detection.

ranochigo
May 26, 2020, 10:41:03 AM
 #19

> As for Electrum, I have been using it for years without any problems from my AV or Malwarebytes Premium. Maybe it’s just that I’ve never used it for MB problematic servers, because how else to explain that the same software causes problems for someone and not for someone else? One explanation is that the OP uses an older version of Malwarebytes, and the new version has a fix for false positive detection.

I've just scanned it with VirusTotal and the detection rate is 11/72. It's not a huge number but it could throw off newbies. IIRC, it started with the use of some component of Python within the program. IIRC, they tried to improve on the detection rate but some of the antiviruses still detect it, albeit as riskware.

It's Microsoft Defender btw, better AVs like Malwarebytes are more prudent with their detection.

DaveF
May 26, 2020, 11:34:01 AM
 #20

Norton 360 at times blocks it too.
Side note but still interesting: I run my own electrum server as a VM on the PC that I have electrum client installed on.
Occasionally I get a warning about outbound connections even though it's talking to itself. So, yeah AV software can be stupid at times.

As everyone above said so long as you checked the signatures of the file you downloaded you should be fine.

Stay safe.

-Dave
