podyx (OP)
Legendary
Offline
Activity: 2338
Merit: 1035
|
|
April 06, 2014, 02:57:31 PM |
|
Hey, I scanned computer with avast anti virus today and found a virus in C:\users\myname\AppData\Roaming\bitcoin\chainstate\701137.sst\
It says the gravitygrade is high and the status is "Threat: BV:Akuma-A" Avast says it can't find the file when I try to delete it and I can't find it manually either
What is this and should I be worried?
|
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
April 06, 2014, 03:29:23 PM |
|
No that's fine. The blockchain has random data in it that can trigger av.
|
|
|
|
podyx (OP)
Legendary
Offline
Activity: 2338
Merit: 1035
|
|
April 06, 2014, 03:43:20 PM |
|
No that's fine. The blockchain has random data in it that can trigger av.
i've never found it before when scanning
|
|
|
|
poyke
|
|
April 06, 2014, 03:44:11 PM |
|
No that's fine. The blockchain has random data in it that can trigger av.
i've never found it before when scanning Now we know the source for the contamination
|
|
|
|
ksteve96
Full Member
Offline
Activity: 624
Merit: 125
alcedoplatform.com
|
|
April 06, 2014, 03:45:53 PM |
|
That should be fine.
If you really want to have fun run combofix, that one also treats bitcoin-qt as a virus and deletes the entire directory, including the wallet.
|
|
|
|
podyx (OP)
Legendary
Offline
Activity: 2338
Merit: 1035
|
|
April 06, 2014, 03:52:05 PM |
|
No that's fine. The blockchain has random data in it that can trigger av.
i've never found it before when scanning Now we know the source for the contamination what u talking about??
|
|
|
|
zolace
|
|
April 06, 2014, 04:02:14 PM |
|
Akuma was the dark one in the Street Fighter series, sounds bad. where did u get ur wallet?
|
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
|
|
|
ArticMine
Legendary
Offline
Activity: 2282
Merit: 1050
Monero Core Team
|
|
April 06, 2014, 04:02:26 PM |
|
That should be fine.
If you really want to have fun run combofix, that one also treats bitcoin-qt as a virus and deletes the entire directory, including the wallet.
... and irreversibly loose my Bitcoin. No thanks. I would stay well away from Microsoft Windows when it comes to Bitcoin. GNU/Linux is far safer.
|
|
|
|
veyp0r
Newbie
Offline
Activity: 11
Merit: 0
|
|
April 06, 2014, 04:10:14 PM |
|
There was a pastebin fairly recently that suggested exploiting the fact you can attach short amounts of data to the blockchain by spamming the network with transactions that contain signatures for random viruses. Thus being flagged by tons of AV software, and potentially causing a loss of coins. http://pastebin.com/ct2WHUK5The good news is that you can't really create a virus via the blockchain. Messages are limited in size (20 bytes? I think), and there's really no room to create an exploit since the format is so well-defined.
|
|
|
|
zolace
|
|
April 06, 2014, 04:15:51 PM |
|
Yeah I heard that most OS can be compromised and that might have vunerlablilties, so yes Linux is safe for cold wallets
|
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
|
|
|
btcpay86
|
|
April 06, 2014, 04:16:52 PM |
|
it's not a virus. i think so,too.
|
1. Jeunesse, Redefining YOUTH. 婕斯,重新定义年轻。| 该生病而不生病,该老化却很年轻,正是婕斯“沛泉菁华”的奥秘所在。 为了大家实现财务自由的梦想,敬请关注婕斯全球直销网站: http://haccp.jeunesseglobal.com2. 捐赠 Donations: BTC - 12QSDXfUq6B2ywer8xJeQYbiV7A7E8yB3H
|
|
|
skooter
Member
Offline
Activity: 70
Merit: 10
|
|
April 06, 2014, 05:45:03 PM |
|
There was a pastebin fairly recently that suggested exploiting the fact you can attach short amounts of data to the blockchain by spamming the network with transactions that contain signatures for random viruses. Thus being flagged by tons of AV software, and potentially causing a loss of coins. http://pastebin.com/ct2WHUK5The good news is that you can't really create a virus via the blockchain. Messages are limited in size (20 bytes? I think), and there's really no room to create an exploit since the format is so well-defined. Is this info legit? If so, sounds like fun. I quit running antivirus years ago because of issues like exactly this. It causes more problems then it solves. I run my web browsers either sandboxed or in a virtual machine. Run any suspicious software (like keygens) sandboxed or in a VM, and only download software that I'm relatively sure is safe.
|
|
|
|
BunsenBurner
|
|
April 06, 2014, 06:03:49 PM |
|
If you really want to have fun run combofix, that one also treats bitcoin-qt as a virus and deletes the entire directory, including the wallet.
I haven't used it before, but it sounds really bad if it delete the "virus" automatically.
|
|
|
|
veyp0r
Newbie
Offline
Activity: 11
Merit: 0
|
|
April 06, 2014, 06:46:55 PM |
|
Is this info legit?
If so, sounds like fun.
I quit running antivirus years ago because of issues like exactly this. It causes more problems then it solves.
I run my web browsers either sandboxed or in a virtual machine. Run any suspicious software (like keygens) sandboxed or in a VM, and only download software that I'm relatively sure is safe.
I haven't tested it, because I don't run antivirus software (On Linux at the moment, usually running some flavor of Unix), and I don't feel like spinning up a VM. Lots of AntiVirus's basically scan for known byte-patterns of malware, at least when doing a basic static scan. Smarter ones might check where the "signature" resides to try to determine if its actually malicious, others will flag it regardless of the signature position. So, at least theoretically, it should work against a few AV's.
|
|
|
|
skooter
Member
Offline
Activity: 70
Merit: 10
|
|
April 06, 2014, 07:14:20 PM |
|
Is this info legit?
If so, sounds like fun.
I quit running antivirus years ago because of issues like exactly this. It causes more problems then it solves.
I run my web browsers either sandboxed or in a virtual machine. Run any suspicious software (like keygens) sandboxed or in a VM, and only download software that I'm relatively sure is safe.
I haven't tested it, because I don't run antivirus software (On Linux at the moment, usually running some flavor of Unix), and I don't feel like spinning up a VM. Lots of AntiVirus's basically scan for known byte-patterns of malware, at least when doing a basic static scan. Smarter ones might check where the "signature" resides to try to determine if its actually malicious, others will flag it regardless of the signature position. So, at least theoretically, it should work against a few AV's. Hmm. how are messages attached to a transaction in the blockchain? And how are they stored? And where would I get a list of known virus signatures?
|
|
|
|
WetSeals
Newbie
Offline
Activity: 42
Merit: 0
|
|
April 06, 2014, 07:16:12 PM |
|
Should send me your wallet, so I can make sure it is safe for you to use, lol.
Obviously joking, never send your wallet to anyone.
|
|
|
|
veyp0r
Newbie
Offline
Activity: 11
Merit: 0
|
|
April 06, 2014, 09:12:02 PM |
|
Is this info legit?
If so, sounds like fun.
I quit running antivirus years ago because of issues like exactly this. It causes more problems then it solves.
I run my web browsers either sandboxed or in a virtual machine. Run any suspicious software (like keygens) sandboxed or in a VM, and only download software that I'm relatively sure is safe.
I haven't tested it, because I don't run antivirus software (On Linux at the moment, usually running some flavor of Unix), and I don't feel like spinning up a VM. Lots of AntiVirus's basically scan for known byte-patterns of malware, at least when doing a basic static scan. Smarter ones might check where the "signature" resides to try to determine if its actually malicious, others will flag it regardless of the signature position. So, at least theoretically, it should work against a few AV's. Hmm. how are messages attached to a transaction in the blockchain? And how are they stored? And where would I get a list of known virus signatures? From the PasteBin post: You can inject an arbitrary raw 20 byte binary string into the database files (forever) because of that by setting the target address of a transaction to a wanted value (more or less). A bitcoin address (the intended receiver of any amount of coins) consists of 25 bytes. The first one equals 1 by default and is uninteresting. The following 20 bytes identifies the intended receiver and can be set to exactly anything. The following 25 bytes is just a hash of the former 21 bytes. A bitcoin transaktion contains such an address and is stored on each and every bitcoin-client forever. If you delete the database from one bitcoin-client (or has a fresh install), your client will synchronize with the rest of the network.
You're essentially creating a transaction with a fake recipient address which matches some virus signature. I'm not too sure where to get virus signatures that in use by AV products. I doubt they're publicly available (other than the EICAR test string (which Im not sure will fit here anyway) ). You'd probably have to do some reverse engineering to actually get them. EDIT:I should mention that I have no idea whether such a transaction will actually get propagated and stored in the blockchain (invalid address), or if would simply be dropped/ignored, someone with more experience with the raw protocol would have to chime in. If you brute-forced an address that was a valid virus-signature and sent some bitcoin to that, then it should work regardless.
|
|
|
|
Brangdon
|
|
April 06, 2014, 10:21:52 PM |
|
There was a pastebin fairly recently that suggested exploiting the fact you can attach short amounts of data to the blockchain by spamming the network with transactions that contain signatures for random viruses. Thus being flagged by tons of AV software, and potentially causing a loss of coins. Although it can't actually cause loss of coins. It can only cause problems for local clients, and I think the pastebin over-states the effect. My Win8.1 PC reported a virus detected in the Bitcoin database today. I just marked it as "Allowed" and then told it to ignore the Bitcoin directory there-after. If I'd picked the default action of "Quarantine" instead, I imagine I'd have been able to unquarantine it later, or else just download the block again. As it is, not only am I fine, but I can re-broadcast the block to anyone else who needs it. As long as one person has a copy, we're fine. The crypto means the block can't be forged. No coins are going to be lost.
|
Bitcoin: 1BrangfWu2YGJ8W6xNM7u66K4YNj2mie3t Nxt: NXT-XZQ9-GRW7-7STD-ES4DB
|
|
|
roslinpl
Legendary
Offline
Activity: 2212
Merit: 1199
|
|
April 06, 2014, 10:33:35 PM |
|
Hey, I scanned computer with avast anti virus today and found a virus in C:\users\myname\AppData\Roaming\bitcoin\chainstate\701137.sst\
It says the gravitygrade is high and the status is "Threat: BV:Akuma-A" Avast says it can't find the file when I try to delete it and I can't find it manually either
What is this and should I be worried?
does anyone use Avast and issue same problem? This is probalby not a virus ... but we should check it. What kind of Avast do you use?
|
|
|
|
quakefiend420
Legendary
Offline
Activity: 784
Merit: 1000
|
|
April 06, 2014, 10:43:14 PM |
|
Since people are beginning to mark the data folder as ignored in antivirus, I wonder how long it will be before real virii begin to reside there, infections from other attack vectors...
|
|
|
|
|