Bitcoin Forum
Author Topic: Electrum Wallet & Malware Bytes  (Read 162 times)
radicus (OP)
Newbie
Activity: 34
Merit: 0
September 15, 2024, 06:26:41 AM
 #1

Recently received these alerts from Malware Bytes while Electrum was running... any ideas?

Quote
-Website Data-
Category: Compromised
Domain:
IP Address: 165.22.98.208
Port: 50002
Type: Outbound
File: C:\Program Files (x86)\Electrum\electrum-4.5.5.exe

Quote
-Website Data-
Category: Compromised
Domain: wallet.blither.io
IP Address: 146.70.83.242
Port: 50002
Type: Outbound
File: C:\Program Files (x86)\Electrum\electrum-4.5.5.exe
Ambatman
Sr. Member
Activity: 406
Merit: 309
September 15, 2024, 06:45:58 AM
Merited by ABCbits (1)
 #2

It means you connected to IP addresses that have been considered compromised or flagged by Malwarebytes.
The IP address might be from an Electrum server that is experiencing issues or has been compromised,
or it could as well be the IP address of a third-party Electrum server that has been flagged.

On the domain, there's a likelihood it might be a phishing server since it was flagged.

Check if your Electrum wallet is updated and make sure you downloaded Electrum from the official site.
It could be your device that's been compromised; check for malware (I have experienced this before).

You can move this to the board https://bitcointalk.org/index.php?board=98.0 for a better and quicker response.

To move it, check the bottom left section and you will find Move and Lock.
Click on Move.

NotATether
Legendary
Activity: 1736
Merit: 7298
In memory of o_e_l_e_o
September 15, 2024, 07:13:23 AM
 #3

Electrum makes SPV connections to different IP addresses that it sees are running Electrum nodes and so when an anti-virus thinks that the IP address was associated with past malicious activity, it will make this kind of notification and block the connection.

Of course, it doesn't actually affect your ability to use the wallet, because Electrum is making dozens of these connections and it can always use another one if one is blocked for this reason.

Catenaccio
Full Member
Activity: 532
Merit: 151
September 15, 2024, 09:25:32 AM
 #4

You can try to switch to another Electrum server and see whether you receive the same warning from Malwarebytes or not.

How to switch to a different Electrum server
In the Electrum server addresses list I cannot find this one, 146.70.83.242, but maybe the list does not contain all available servers.

ABCbits
Legendary
Activity: 3010
Merit: 7900
September 15, 2024, 09:55:58 AM
Merited by Catenaccio (1)
 #5

Quote
In the Electrum server addresses list I cannot find this one, 146.70.83.242, but maybe the list does not contain all available servers.

That list intentionally doesn't include all online Electrum servers. See this explanation: https://github.com/spesmilo/electrum/pull/7958#issuecomment-1231581840.

examplens
Legendary
Activity: 3416
Merit: 3436
September 15, 2024, 11:56:26 AM
 #6

Recently received these alerts from Malware Bytes while Electrum was running... any ideas?

Quote
-Website Data-
Category: Compromised
Domain:
IP Address: 165.22.98.208
Port: 50002
Type: Outbound
File: C:\Program Files (x86)\Electrum\electrum-4.5.5.exe
I have this IP address under "other known servers", but I don't get any warnings, even when I manually connected to it.
I recently updated to Electrum version 4.5.5.

Quote
-Website Data-
Category: Compromised
Domain: wallet.blither.io
IP Address: 146.70.83.242
Port: 50002
Type: Outbound
File: C:\Program Files (x86)\Electrum\electrum-4.5.5.exe
blither.io is the only domain on this IP address (428 days old). Through a short search, the term "blither io" is associated with online gaming; maybe that's the reason why the domain is blacklisted by Malwarebytes.

Abdussamad
Legendary
Activity: 3668
Merit: 1579
September 15, 2024, 11:32:53 PM
Merited by pooya87 (2), ABCbits (2), Pmalek (2)
 #7

This is a false positive. Coin-mining malware connects to Electrum servers too, so that's why anti-malware software goes off when any program connects to an Electrum server.
Forsyth Jones
Hero Member
Activity: 1302
Merit: 883
September 16, 2024, 12:09:58 AM
 #8

I've had Malwarebytes and I know that it often associates incoming and outgoing connections from software like Electrum with malware, but in most cases it is a false positive, since Electrum makes remote connections to other servers to query transactions and addresses.

To be sure that you have downloaded the legitimate version of Electrum, check the GPG signatures, following the detailed guide: [GUIDE] How to Safely Download and Verify Electrum [Guide]

Tip: Always double-check the wallet software you download on your PC, especially when it comes to BTC wallets.

nc50lc
Legendary
Activity: 2548
Merit: 6199
Self-proclaimed Genius
September 16, 2024, 06:24:19 AM
 #9

Recently received these alerts from Malware Bytes while Electrum was running... any ideas?

Quote
IP Address: 165.22.98.208
Port: 50002

Quote
Domain: wallet.blither.io
IP Address: 146.70.83.242
Port: 50002
The IP above is flagged since it was used in an SSH brute-force attack in the past.
It might be a good idea to keep it blocked by your AV even though it may have been a false positive.
Electrum will work with one fewer public server anyway.

The IP below is flagged as a "Coin Mining" IP, which is definitely a false positive since that label is usually associated with public Electrum servers.
There's no known bug in Electrum that allows the server to perform CPU/GPU mining through the client. You may exclude that one if you want.

pooya87
Legendary
Activity: 3584
Merit: 10913
September 16, 2024, 12:00:02 PM
Merited by Z-tight (1)
 #10

It is a rather common thing for antiviruses and their firewalls to detect Electrum servers as suspicious. I've seen reports of different AVs doing it. My own ESET Smart Security does that from time to time.
I don't see any reason why any of those servers could be specifically dangerous (beyond any danger that you aren't already exposed to for being online). The communication is taking place through Electrum and a socket that is under its control.
So, as @Abdussamad said, this is a false positive.

NotATether
Legendary
Activity: 1736
Merit: 7298
In memory of o_e_l_e_o
September 19, 2024, 11:25:03 AM
Merited by Pmalek (2)
 #11

Quote
The IP above is flagged since it was used in an SSH brute-force attack in the past.
It might be a good idea to keep it blocked by your AV even though it may have been a false positive.
Electrum will work with one fewer public server anyway.

The IP below is flagged as a "Coin Mining" IP, which is definitely a false positive since that label is usually associated with public Electrum servers.
There's no known bug in Electrum that allows the server to perform CPU/GPU mining through the client. You may exclude that one if you want.

Another thing you can do: check AbuseIPDB and search for the IP addresses that appear in Malwarebytes. https://www.abuseipdb.com/

It will contain a history of any attacks those addresses have been used to participate in, if any, and it will also tell you how long ago they happened.

Generally speaking, if the activity was from several months ago, you can safely ignore it, as it is likely that the IP address has changed hands by then.
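
A triage helper for alerts of this kind, added here as an example; it is not code from any poster in this thread or from the Electrum project. It parses alert blocks in the format quoted above, treats outbound connections from the Electrum executable to the standard Electrum server ports (TCP 50001 plaintext, 50002 SSL) as expected wallet traffic, and applies the "stale history" rule from the post above to a list of abuse reports. The abuse history is a constructed, simplified in-memory list standing in for a reputation lookup such as AbuseIPDB, not that service's API; the 90-day threshold, the category names, the report dates and the "wallet-related" category set are assumptions for illustration.

```python
"""Triage of anti-malware "outbound connection" alerts raised against Electrum.

Added example (not from this thread or the Electrum project). Alert text follows the
format quoted in the thread; the abuse history is a constructed in-memory list that
stands in for a reputation lookup such as AbuseIPDB.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from pathlib import PureWindowsPath

# Public Electrum servers listen on TCP 50001 (plaintext) and 50002 (SSL).
ELECTRUM_PORTS = {50001, 50002}

# Categories that vendors attach to Electrum server IPs because mining malware also
# talks to those servers (the thread's "coin mining" false positive). Assumed names.
WALLET_RELATED_CATEGORIES = {"coin mining"}

VERDICT_INVESTIGATE = "investigate: not consistent with Electrum client traffic"
VERDICT_KEEP_BLOCKED = "keep blocked: recent abuse reports on this IP"
VERDICT_STALE = "likely false positive: abuse history is stale or wallet-related"
VERDICT_CLEAN = "likely false positive: no abuse history"


@dataclass
class Alert:
    category: str = ""
    domain: str = ""
    ip: str = ""
    port: int = 0
    direction: str = ""
    file: str = ""


@dataclass
class AbuseReport:
    """One reputation entry for an IP (simplified shape, not the AbuseIPDB schema)."""
    ip: str
    category: str
    reported: date


# Alert line label -> Alert field name.
FIELD_MAP = {
    "category": "category",
    "domain": "domain",
    "ip address": "ip",
    "port": "port",
    "type": "direction",
    "file": "file",
}


def parse_alerts(text: str) -> list[Alert]:
    """Split the text into '-Website Data-' blocks and read each 'Label: value' line.

    partition() on the first ':' keeps Windows paths such as 'C:\\...' intact.
    """
    alerts = []
    for block in text.split("-Website Data-")[1:]:
        alert = Alert()
        for line in block.splitlines():
            label, sep, value = line.partition(":")
            attr = FIELD_MAP.get(label.strip().lower())
            if not sep or attr is None:
                continue
            value = value.strip()
            if attr == "port":
                alert.port = int(value) if value.isdigit() else 0
            else:
                setattr(alert, attr, value)
        alerts.append(alert)
    return alerts


def is_wallet_traffic(alert: Alert) -> bool:
    """Outbound, to an Electrum server port, from the Electrum executable."""
    exe = PureWindowsPath(alert.file).name.lower()
    return (alert.direction.lower() == "outbound"
            and alert.port in ELECTRUM_PORTS
            and exe.startswith("electrum"))


def triage(alert: Alert, reports: list[AbuseReport], today: date,
           stale_after: timedelta = timedelta(days=90)) -> str:
    """Recent, non-wallet-related abuse keeps the block; old or wallet-related
    history is treated as a false positive, as the thread suggests."""
    if not is_wallet_traffic(alert):
        return VERDICT_INVESTIGATE
    history = [r for r in reports if r.ip == alert.ip]
    if not history:
        return VERDICT_CLEAN
    recent = [r for r in history
              if r.category.lower() not in WALLET_RELATED_CATEGORIES
              and today - r.reported <= stale_after]
    return VERDICT_KEEP_BLOCKED if recent else VERDICT_STALE


def triage_all(text: str, reports: list[AbuseReport], today: date) -> dict[str, str]:
    """Map each alerted IP to its verdict."""
    return {a.ip: triage(a, reports, today) for a in parse_alerts(text)}


# The two alerts quoted in the thread.
SAMPLE_ALERTS = r"""
-Website Data-
Category: Compromised
Domain:
IP Address: 165.22.98.208
Port: 50002
Type: Outbound
File: C:\Program Files (x86)\Electrum\electrum-4.5.5.exe

-Website Data-
Category: Compromised
Domain: wallet.blither.io
IP Address: 146.70.83.242
Port: 50002
Type: Outbound
File: C:\Program Files (x86)\Electrum\electrum-4.5.5.exe
"""

# Constructed abuse history: dates and categories are illustrative only.
TODAY = date(2024, 9, 19)
SAMPLE_REPORTS = [
    AbuseReport("146.70.83.242", "SSH brute-force", date(2024, 2, 1)),  # 231 days old
    AbuseReport("165.22.98.208", "Coin mining", date(2024, 9, 10)),     # recent, wallet-related
]

if __name__ == "__main__":
    for ip, verdict in triage_all(SAMPLE_ALERTS, SAMPLE_REPORTS, TODAY).items():
        print(f"{ip:16} {verdict}")
```

Anything that is not the Electrum binary talking to an Electrum port is deliberately routed to "investigate" rather than scored against the abuse history, since the false-positive reasoning in this thread only holds for the wallet's own SPV connections.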

dkbit98
Legendary
Activity: 2366
Merit: 7466
September 19, 2024, 06:52:12 PM
 #12

You can add an exclusion for Electrum (or anything else) in your Malwarebytes, but any malware detection software is going to have a bunch of false positives.
If you want to get rid of most problems with malware, then I suggest switching from wind0ws to a good open source Linux OS, maybe Debian or Fedora.

Pmalek
Legendary
Activity: 2898
Merit: 7499
September 20, 2024, 12:31:57 PM
 #13

I wouldn't lose sleep over it if I were you. Some anti-virus and anti-malware software reporting false positives about Electrum is something that has been happening for years. It's even mentioned on the official Electrum website. As long as you have downloaded the real Electrum wallet and verified the signatures, you are good to go.

You can always change the servers you connect to manually if you want. Click on the orb on the bottom right corner when Electrum is running, untick the "Select server automatically" option, and pick a random node from the list. See if you can connect to it and if the wallet syncs properly. If not, find another server.

BitMaxz
Legendary
Activity: 3388
Merit: 3137
September 20, 2024, 09:24:00 PM
 #14

If you don't trust them, even if it's just a false positive detected by Malwarebytes, why not manually choose a server that you know is safe?
There are many servers available under Tools > Network; only select a server that makes you feel secure.

Or, for me, it is better to learn to use an Electrum offline/cold storage wallet; it is far more secure than using Electrum on an online device.

Lucius
Legendary
Activity: 3374
Merit: 6084
September 21, 2024, 11:06:19 AM
Merited by Pmalek (2)
 #15

Quote
If you don't trust them, even if it's just a false positive detected by Malwarebytes, why not manually choose a server that you know is safe?
~snip~


No offense to the OP, but how will a beginner know which server is safe and which is not? Anyone can configure as many servers as they want and add them to the list, and how many of all available servers belong to various companies that analyze blockchain/transactions? If you don't have your own server or use someone you trust 100%, everything else is potentially insecure.

BitMaxz
Legendary
Activity: 3388
Merit: 3137
September 21, 2024, 11:56:26 PM
 #16

Quote
No offense to the OP, but how will a beginner know which server is safe and which is not? Anyone can configure as many servers as they want and add them to the list, and how many of all available servers belong to various companies that analyze blockchain/transactions? If you don't have your own server or use someone you trust 100%, everything else is potentially insecure.

You have a point: a beginner can't just determine which one is trustworthy or safe, and I do not know which servers/companies do not analyze/monitor blockchain transactions. Even I don't trust all of them 100%.

The only way to stay away from those servers is by having your own server, which requires a lot of resources, and using Tor as your third layer of privacy to hide your IP from the server.
