Bitcoin Forum
Author Topic: Security warning: trojan stealing coins, swapping C&P addresses  (Read 3256 times)
Nefario (OP)
March 22, 2012, 06:28:02 PM
 #1

I'm after being in contact with one of GLBSE's users whose funds didn't seem to show up. After more investigation we discovered that he has a trojan/malware.

The malware recognises any bitcoin addresses that are copied and replaces them with a new address: when you copy an address from the service you're using (GLBSE.com, Intersango.com) to your bitcoin client to transfer your coins, the malware replaces it with the scam address, so that your coins are sent to the hacker.

When I have more details on the software involved/responsible I will update; in the meantime make sure to double check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Nefario

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Remember remember the 5th of November
March 22, 2012, 06:35:43 PM
 #2

Quote
I'm after being in contact with one of GLBSE's users whose funds didn't seem to show up. After more investigation we discovered that he has a trojan/malware.

The malware recognises any bitcoin addresses that are copied and replaces them with a new address: when you copy an address from the service you're using (GLBSE.com, Intersango.com) to your bitcoin client to transfer your coins, the malware replaces it with the scam address, so that your coins are sent to the hacker.

When I have more details on the software involved/responsible I will update; in the meantime make sure to double check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Nefario

Figures, Linux is not nearly as exploitable.

RodeoX
March 22, 2012, 06:38:55 PM
 #3

So am I correct in assuming that a countermeasure could be verifying the address before sending? Or does it make the change in a way that is not visible to the user?

Kaos
March 22, 2012, 06:45:56 PM
 #4

what's the dodgy bitcoin address? Is it static or does it change every time?!
Nefario (OP)
March 22, 2012, 06:48:59 PM
 #5

Quote
Anyway, what it did is: when I copied the BTC address from your site in a browser and pasted it into my account on btc-e in another browser tab to request a withdrawal, it would paste a different address. I didn't notice it till today. It was in a link on bitcointalk.org for an optimized miner, so I downloaded the miner and ran it; nothing happened, so I just ignored it and didn't think anything of it until now.

From the user.

It's a new address each time.

I believe that visually verifying the address will protect against this.

The addresses so far:
17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd
14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ

DeathAndTaxes
March 22, 2012, 07:04:09 PM
 #6

I mean that sucks but on the other hand I got to say awesome to the malware writer.  Get the user to send coins to the wrong address.  No need to keylog, hack the client, look for wallet.dat, spoof RPC, etc.  Just get the user to send you money.

Stephen Gornick
March 22, 2012, 07:04:58 PM
 #7

Quote
When I have more details on the software involved/responsible I will update; in the meantime make sure to double check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Possibly related:
 - http://stackoverflow.com/questions/400212/how-to-copy-to-the-clipboard-in-javascript

MysteryMiner
March 22, 2012, 10:52:58 PM
 #8

A trojan that replaces the filled-in data for bank transfers was around at least 4 years ago. Adopting such a system for Bitcoin is a no-brainer.

I was looking for an exploit to copy an address to the clipboard using JavaScript, but it did not work with Firefox without user intervention. I abandoned the idea.

foggyb
March 22, 2012, 11:25:17 PM
 #9

Quote
I mean that sucks but on the other hand I got to say awesome to the malware writer.  Get the user to send coins to the wrong address.  No need to keylog, hack the client, look for wallet.dat, spoof RPC, etc.  Just get the user to send you money.



I've been WONDERING when the first hacker would do this. It's so obvious.

drakahn
March 22, 2012, 11:27:32 PM
 #10

Quote
Anyway, what it did is: when I copied the BTC address from your site in a browser and pasted it into my account on btc-e in another browser tab to request a withdrawal, it would paste a different address. I didn't notice it till today. It was in a link on bitcointalk.org for an optimized miner, so I downloaded the miner and ran it; nothing happened, so I just ignored it and didn't think anything of it until now.

From the user.

It's a new address each time.

I believe that visually verifying the address will protect against this.

The addresses so far:
17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd
14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ

Any info what the optimised miner was? or a link to the thread?

Nefario (OP)
March 22, 2012, 11:47:11 PM
 #11

No I've not heard back.

foggyb
March 23, 2012, 12:09:35 AM
 #12

Quote
Anyway, what it did is: when I copied the BTC address from your site in a browser and pasted it into my account on btc-e in another browser tab to request a withdrawal, it would paste a different address. I didn't notice it till today. It was in a link on bitcointalk.org for an optimized miner, so I downloaded the miner and ran it; nothing happened, so I just ignored it and didn't think anything of it until now.

From the user.

It's a new address each time.

I believe that visually verifying the address will protect against this.

The addresses so far:
17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd
14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ

Is it possible for malicious code to detect a <mousebutton-down> event on a send dialog box, then insert the hackers address a millisecond later? In such a case, visual verification may not thwart the attack.

A 'lock address' function could help. The address locks the moment it is pasted into the field. No unlock (except cancel).

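
An added example (not code from the thread or from any of the posters) of the two defences discussed above: the "double check the address you copy/paste" advice turned into a clipboard-swap detector run over a constructed clipboard log, and foggyb's 'lock address' send form. It assumes a hypothetical monitor that records each clipboard write together with whether a user copy action was observed; the two addresses are the ones reported in the thread, used only as sample data.

```python
import re
from dataclasses import dataclass

# Legacy (1.../3...) address shape: version char then 25-34 Base58 characters.
# Assumption: syntactic match only; a real tool would also verify the Base58Check checksum.
ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

def find_address(text):
    """Return the first address-shaped token in text, or None."""
    m = ADDR_RE.search(text)
    return m.group(0) if m else None

@dataclass
class ClipEvent:
    t: float          # seconds since the monitor started
    user_copy: bool   # hypothetical monitor saw a copy action (Ctrl-C/menu) for this write
    text: str         # new clipboard contents

def detect_swaps(events, window=2.0):
    """Alert when an address on the clipboard is replaced by a different address
    by a write the user did not initiate, within `window` seconds."""
    alerts, last = [], None           # last = (time, address) of the previous address write
    for ev in events:
        addr = find_address(ev.text)
        if addr and last and not ev.user_copy and addr != last[1] and ev.t - last[0] <= window:
            alerts.append((ev.t, last[1], addr))   # (when, expected, substituted)
        if addr:
            last = (ev.t, addr)
    return alerts

class LockedSendForm:
    """'Lock address': the address is fixed at first paste and submit is refused
    if the field no longer holds it (covers a swap made after the paste)."""
    def __init__(self):
        self.locked, self.field = None, ""
    def paste(self, text):
        if self.locked is None:
            self.locked = find_address(text)
        self.field = text
    def submit(self):
        return self.locked is not None and find_address(self.field) == self.locked

# Constructed clipboard log; the two addresses are the ones the thread reported.
SAMPLE_LOG = [
    ClipEvent(0.0, True, "17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd"),   # user copies an address
    ClipEvent(0.3, False, "14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ"),  # silent rewrite, no copy action
    ClipEvent(9.0, True, "unrelated text"),                         # ordinary copy, ignored
]
```

`detect_swaps(SAMPLE_LOG)` returns one alert for the rewrite at 0.3 s; a legitimate second copy by the user produces none, because it carries a copy action.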
payb.tc
March 23, 2012, 12:25:48 AM
 #13

Quote
A 'lock address' function could help. The address locks the moment it is pasted into the field. No unlock (except cancel).

or just a regular confirmation dialog... Are you sure you want to send 1 million bitcoins to 1ffjfitetwrexjf...? YES / NO
marked
March 23, 2012, 12:27:46 AM
 #14


Quote
Any info what the optimised miner was? or a link to the thread?

neheminer 2.0 is believed to currently be the miner, discussion now on btc-e chat.

marked
drakahn
March 23, 2012, 12:29:04 AM
 #15


Quote
Any info what the optimised miner was? or a link to the thread?

neheminer 2.0 is believed to currently be the miner, discussion now on btc-e chat.

marked

i know... i'm the one discussing, lol

http://xml.ssdsandbox.net/view/91c66258f4294c95a77a6aaa8ef3ec39

It reads your wallet.dat as well, so if you notice this, make sure to make a new wallet for your coins.

Nefario (OP)
March 23, 2012, 12:37:27 AM
 #16


Quote
Any info what the optimised miner was? or a link to the thread?

neheminer 2.0 is believed to currently be the miner, discussion now on btc-e chat.

marked

That's funny, the affected user was sent to me from btc-e.

marked
March 23, 2012, 01:01:27 AM
 #17

Quote
i know... i'm the one discussing, lol

http://xml.ssdsandbox.net/view/91c66258f4294c95a77a6aaa8ef3ec39

It reads your wallet.dat as well, so if you notice this, make sure to make a new wallet for your coins.

oops, didn't see far enough back to see you were already there talking about it.

marked
finway
March 23, 2012, 03:48:33 AM
 #18

Check address.

CIYAM
March 23, 2012, 04:00:59 AM
 #19

Quote
A 'lock address' function could help. The address locks the moment it is pasted into the field. No unlock (except cancel).

or just a regular confirmation dialog... Are you sure you want to send 1 million bitcoins to 1ffjfitetwrexjf...? YES / NO

Unfortunately it's fairly easy to write software to send a Yes/No the instant the confirmation dialog appears (I built a tool for doing this in order to get around some shareware nags years ago).

dayfall
March 23, 2012, 04:44:21 AM
 #20

Perhaps someone could code vhash into their webpage and into a client.