jukka (OP)
May 09, 2014, 05:51:46 PM

Quote:
Why not? The program takes multiple files from the user's computer and uploads them to a remote FTP; that seems pretty malicious to me, or at least warrants a BIG RED warning to the user: "This program will try to upload your files to a remote FTP, if this is not the desired behavior, don't fucking run it".

Quote:
So, any software that has libraries to access FTP (browsers, ftp clients, file uploaders, dropbox clones, html editors) will be detected as virii? This is social engineering, only a human can detect it. Next time the OP will install a good firewall like this http://www.sphinx-soft.com/Vista/order.html or run unknown software in a virtual machine.

But applications which upload wallets could at least be warned about! It is not normal that applications upload wallet files! If AV cannot detect this, how can anybody trust in a single wallet? Regarding the FW, is the free version enough for a regular user?

Forexperiments
May 09, 2014, 05:58:36 PM

Quote:
But applications which upload wallets could at least be warned about!

From a computer's point of view, the wallet is just a file. Suppose you want to copy the wallet to another computer: is this a legitimate action, or is it a virus? How can an antivirus make such decisions? What an AV does is just compare it to a known list of malware, or detect something suspicious, like editing critical files or placing itself in autorun.

xux99
May 09, 2014, 06:08:19 PM

For those who would like to examine the virus, here is a link to the original file. Please don't run the CoinGen.exe

jukka (OP)
May 09, 2014, 06:14:39 PM

Quote:
when i scanned it with virustotal, it reported 1 red flag

Quote:
Well that goes to show that you cannot trust virus total. Last time I trust that bitch.

Quote:
vt is junk. upload to malwr and you would have seen very clearly. common sense would have been best defense though.

Tested this and here is the result, so that could not have helped either!

Error: Analysis failed: The package "modules.packages.exe" start function raised an error: Unable to execute initial process, analysis aborted

File Details
File Name: CoinGen.exe
File Size: 500736 bytes
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: c2ab580d501cbc47d5cebd920abb2e84
SHA1: bf990585b666e8dc0084aa6ef079e14c747e002e
SHA256: dab61b5f3270ca9b72540a29b1f7777e147fb543a4e87cc33378dafcafb20ccf
SHA512: 6fbe68e3c64e81029bfa1de8beaefed9cca7b6a5c735ec339419b5addac9363773cd159b325d317b3c94bade9d4b834844872bdf6cd2fb3b08b863897bb89778
CRC32: B5DA53E1
Ssdeep: 12288:gzn45Ov0iZJxBy18nBHhfivB8HGEBzkSyD2k/kwHlbjaqOwr4b9JBQ2Y6MCIaZf2:5
Yara: None matched

jukka (OP)
May 09, 2014, 06:28:40 PM

Quote:
But applications which upload wallets could at least be warned about!

Quote:
From a computer's point of view, the wallet is just a file. Suppose you want to copy the wallet to another computer: is this a legitimate action, or is it a virus? How can an antivirus make such decisions? What an AV does is just compare it to a known list of malware, or detect something suspicious, like editing critical files or placing itself in autorun.

Ok, I (CLEARLY) am not an expert in this area. What about this other question I had regarding the product you proposed: Regarding the FW, is the free version enough for a regular user?

Amph
Legendary
Offline
Activity: 3206
Merit: 1069
May 09, 2014, 06:29:38 PM

Quote:
I'll never understand these morons. He did all that work for 1 Litecoin. If he actually directed his energy towards something good, he could've made way more money with those programming skills. And now he's going to hell, if there is a hell.

He can just make another aka and create a client with a wallet stealer, which is even worse.

jukka (OP)
May 09, 2014, 06:43:17 PM

Quote:
I'll never understand these morons. He did all that work for 1 Litecoin. If he actually directed his energy towards something good, he could've made way more money with those programming skills. And now he's going to hell, if there is a hell.

Hey! It was my precious litecoin you are now talking about! But honestly, he could have had more if he had not become greedy and asked BTC for the application, and yes, I also like to think that maybe I helped somebody by telling about this and decompiling the code. However, some people, even in this thread, have been attacking me for opening this thread (and yes, also for requesting a little donation (haven't got anything though)). It looks like in this forum it is ok to just beg coins in some thread but not to ask for a donation if you have lost something and by doing that maybe helped others! It really makes me sad!

Xelpherpolis
May 09, 2014, 07:06:13 PM

I think the FTP password changed sadly; it would be interesting to see what is stored on the scammer's account.

jukka (OP)
May 09, 2014, 07:11:39 PM

Quote:
I think the FTP password changed sadly; it would be interesting to see what is stored on the scammer's account.

I know the LTC address the fucker is using but I think that I will keep that as my little secret. God damn, a whole pint of beer! That is robbery!

drippx
May 09, 2014, 07:29:44 PM

Quote:
when i scanned it with virustotal, it reported 1 red flag

Quote:
Well that goes to show that you cannot trust virus total. Last time I trust that bitch.

You do know that virus total scans with 52 virus software engines, so if you can't trust virustotal you can't trust any virus protection software made. Best to use new shady software on a computer separate from your main system.

var53
May 09, 2014, 07:34:43 PM

Quote:
For those who would like to examine the virus, here is a link to the original file. Please don't run the CoinGen.exe

Thanks for uploading this file so we can have a look at it for ourselves.

Forexperiments
May 10, 2014, 07:11:58 AM

Quote:
What about this other question I had regarding the product you proposed:
Regarding the FW, is the free version enough for a regular user?

Yes, it will ask you permission to access the internet for ANY application on your PC (hence, for the first two weeks it is extremely annoying, as it will ask for ANY app, even system apps).

bodiun
Newbie
Offline
Activity: 28
Merit: 0
May 10, 2014, 07:29:04 AM

Thank you for reminding me. I will be away from this coin, thank you.

jukka (OP)
May 10, 2014, 07:34:02 PM

Quote:
What about this other question I had regarding the product you proposed:
Regarding the FW, is the free version enough for a regular user?

Quote:
Yes, it will ask you permission to access the internet for ANY application on your PC (hence, for the first two weeks it is extremely annoying, as it will ask for ANY app, even system apps).

Ok, I will check that! Thanks!

PereguineBerty
Member
Offline
Activity: 109
Merit: 35
May 10, 2014, 09:25:05 PM

jukka - gotta say you've done a great job with exposing this fraudster.
A lot of people wouldn't have been able to notice what you did and you've likely saved many people from losing a lot of money. Credit where credit is due!!!

jukka (OP)
May 11, 2014, 02:40:14 PM

Quote:
jukka - gotta say you've done a great job with exposing this fraudster.
A lot of people wouldn't have been able to notice what you did and you've likely saved many people from losing a lot of money. Credit where credit is due!!!

Thank you! I really appreciate it!

milly6
Legendary
Offline
Activity: 1632
Merit: 1010
May 11, 2014, 03:05:53 PM

The funny part is that people come and post "these scumbags!" and stuff, but in reality at least 1 of these people commenting is a thief too, if not more.

kokojie
Legendary
Offline
Activity: 1806
Merit: 1003
May 16, 2014, 01:13:58 AM

Quote:
Why not? The program takes multiple files from the user's computer and uploads them to a remote FTP; that seems pretty malicious to me, or at least warrants a BIG RED warning to the user: "This program will try to upload your files to a remote FTP, if this is not the desired behavior, don't fucking run it".

Quote:
So, any software that has libraries to access FTP (browsers, ftp clients, file uploaders, dropbox clones, html editors) will be detected as virii? This is social engineering, only a human can detect it. Next time the OP will install a good firewall like this http://www.sphinx-soft.com/Vista/order.html or run unknown software in a virtual machine.

Not detected as a virus, but just pop up a warning; then the user will know if the program is doing what it is supposed to do. A firewall is basically the same thing: it will pop up a warning when the program first tries to upload something. The downside to a firewall is that it only works once the program has already run, and the firewall could fail to work, while scanning can be done without executing the program.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6

Forexperiments
May 16, 2014, 08:02:54 AM

Quote:
While scanning can be done without executing the program.

Did you see the code? With such simple code, the antivirus would report 95% of software as suspicious, and the users would click "run anyway" without reading. About warnings: since he is using Windows, OP totally ignored the Microsoft SmartScreen warning saying that this is an untrusted app from the internet. Do you think that another warning, which would appear when running almost every app downloaded from the net, would have been more effective? And also, don't forget that the app is compiled; would you accept a delay of 3-4 seconds in opening every app because the AV has to check if the decompiled code is "safe"? (And it would also have to keep checking in the future, against tampering.)

kokojie
Legendary
Offline
Activity: 1806
Merit: 1003
May 16, 2014, 02:17:18 PM

Quote:
While scanning can be done without executing the program.

Quote:
Did you see the code? With such simple code, the antivirus would report 95% of software as suspicious, and the users would click "run anyway" without reading. About warnings: since he is using Windows, OP totally ignored the Microsoft SmartScreen warning saying that this is an untrusted app from the internet. Do you think that another warning, which would appear when running almost every app downloaded from the net, would have been more effective? And also, don't forget that the app is compiled; would you accept a delay of 3-4 seconds in opening every app because the AV has to check if the decompiled code is "safe"? (And it would also have to keep checking in the future, against tampering.)

95% of software does not upload your local files to a remote FTP, so it won't trigger this warning. I was talking about scanning the file without executing it. The "run time scanner" doesn't have to be this thorough, but there's no reason the regular scanner can't spend the time to decompile and warn. I think most people would depend on the "regular scanner" to scan unknown files; they don't usually just execute unknown files from the Internet and pray the "run time scanner" can intercept bad things.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6

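The two detection approaches argued over in this thread, a hash lookup against a known-bad list (what Forexperiments says an AV does) and a static scan of the unexecuted binary for the FTP-plus-wallet-file combination (what kokojie wants the "regular scanner" to do), as an added Python example that is not part of any post above and not code from the CoinGen sample. The SHA256 in the known-bad set is the one from the malwr output quoted earlier in the thread; the indicator strings, the example FTP host and wallet path, and the two sample blobs are constructed for this illustration and stand in for real PE files. Rather than decompiling the .NET assembly, the example approximates it by scanning for UTF-16LE string runs, which is where a .NET compiler stores string literals.

```python
"""Static triage of a suspected wallet stealer: hash lookup, then string heuristics."""
import hashlib
import re

# SHA256 reported for CoinGen.exe in this thread (from the quoted malwr output).
KNOWN_BAD_SHA256 = {
    "dab61b5f3270ca9b72540a29b1f7777e147fb543a4e87cc33378dafcafb20ccf",
}

# Heuristic indicator sets (assumptions for this example, not taken from the thread).
# A benign FTP client matches the first set and a wallet app the second; only the
# combination "talks FTP" + "names wallet files" is rare enough to warn about.
FTP_INDICATORS = ("ftp://", "ftpwebrequest", "uploadfile")
WALLET_INDICATORS = ("wallet.dat", "\\wallets\\", ".wallet")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# .NET string literals live in the #US metadata heap as UTF-16LE, so scan that too.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def sha256_hex(data: bytes) -> str:
    """Digest used for the signature lookup."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes) -> set[str]:
    """Return lowercased printable runs found in ASCII and in UTF-16LE encodings."""
    found = {m.group().decode("ascii").lower() for m in ASCII_RUN.finditer(data)}
    found |= {m.group().decode("utf-16-le").lower() for m in UTF16_RUN.finditer(data)}
    return found


def triage(data: bytes, known_bad: set[str] = KNOWN_BAD_SHA256) -> dict:
    """Signature check first (the classic AV step), then the behaviour heuristic."""
    digest = sha256_hex(data)
    strings = extract_strings(data)
    ftp_hits = sorted({s for s in strings if any(i in s for i in FTP_INDICATORS)})
    wallet_hits = sorted({s for s in strings if any(i in s for i in WALLET_INDICATORS)})
    if digest in known_bad:
        verdict = "known-bad"
    elif ftp_hits and wallet_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sha256": digest, "ftp_hits": ftp_hits,
            "wallet_hits": wallet_hits, "verdict": verdict}


def _u16(text: str) -> bytes:
    return text.encode("utf-16-le")


# Constructed stand-ins for PE files (not real binaries): an MZ header followed by
# the kind of literals a .NET stealer, or an ordinary FTP client, would carry.
SUSPECT_SAMPLE = (
    b"MZ" + b"\x00" * 62
    + _u16("ftp://ftp.example.invalid/incoming") + b"\x00\x00"
    + _u16("C:\\Users\\victim\\AppData\\Roaming\\Litecoin\\wallet.dat")
)
FTP_CLIENT_SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"ftp://mirror.example.invalid/pub\x00"
    + b"Connected, starting transfer\x00"
)

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_SAMPLE), ("ftp client", FTP_CLIENT_SAMPLE)):
        result = triage(blob)
        print(f"{name}: {result['verdict']} "
              f"(ftp={result['ftp_hits']}, wallet={result['wallet_hits']})")
```

The FTP client sample is left alone because it has no wallet reference, which is the point Forexperiments makes about FTP libraries being common; the suspect sample is flagged only because both indicator families co-occur. On a real file, replace the constructed blobs with `open(path, "rb").read()`; a production scanner would parse the CLI metadata tables instead of regex-scanning for UTF-16 runs, and would treat a hit as a prompt for the user, not as proof.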