Bitcoin Forum
Author Topic: Malware writer here, ask your questions.  (Read 2576 times)
bitcointalk3, Newbie (Activity: 11)
March 31, 2012, 02:39:39 AM  #1

I don't have any access to the original thread. http://bitcointalk.org/index.php?topic=73562.0 I wrote the malware. Ask your questions.

All coins captured are sent back.
John (John K.), Legendary (Activity: 1092)
Global Troll-buster and
Will read PM's. Have more time lately
March 31, 2012, 03:05:27 AM  #2

Is this an experiment?

My BTC Tip Jar: 1Pgvfy19uwtYe5o9dg3zZsAjgCPt3XZqz9 , GPG ID: B3AAEEB0 ,OTC ID: johnthedong
Escrow service is available on a case by case basis! (PM Me to verify I'm the escrow!)

bitcointalk3, Newbie (Activity: 11)
March 31, 2012, 03:16:32 AM  #3

Is this an experiment?

Yes
John (John K.), Legendary (Activity: 1092)
Global Troll-buster and
Will read PM's. Have more time lately
March 31, 2012, 03:25:23 AM  #4

Are the addresses hardcoded in the malware, or does the malware generate addresses on-the-fly and send the keys back via IRC/FTP, or does the malware download a set of addresses off a server each time?

How does the malware detect the address? By identifying the checksum? Or by using GetWindowTitle and replacing C&P addresses when a predetermined window (client / glbse window) is detected?

bitcointalk3, Newbie (Activity: 11)
March 31, 2012, 05:09:17 AM  #5

Are the addresses hardcoded in the malware, or does the malware generate addresses on-the-fly and send the keys back via IRC/FTP, or does the malware download a set of addresses off a server each time?

How does the malware detect the address? By identifying the checksum? Or by using GetWindowTitle and replacing C&P addresses when a predetermined window (client / glbse window) is detected?

The addresses are generated on-the-fly and the keys are encrypted with RSA+custom encryption, and pasted here ( http://yourpaste.net/10173 ) with increasing numbers from 10173 until today.

The address is detected by its length and content. A bitcoin address should contain certain characters only, begin with a 1 or a 3, and have a typical length (the required length here is 29 to 40).

----------------------------------------------------
bool allAreCharacters = true;
// cbsize includes the terminating NUL, so the last byte is skipped
for (int i = 0; i < cbsize - 1; ++i)
      if ( !((clipboard[i] >= '1' && clipboard[i] <= '9') || (clipboard[i] >= 'a' && clipboard[i] <= 'z') || (clipboard[i] >= 'A' && clipboard[i] <= 'Z'))
                  || clipboard[i] == 'l' || clipboard[i] == 'I' || clipboard[i] == 'O' || clipboard[i] == '0') {   // anything outside the Base58 alphabet
                  allAreCharacters = false;
                  // ......
      }

if (!allAreCharacters || !(clipboard[0] == '1' || clipboard[0] == '3'))
      // Not-an-address
-----------------------------------------------------

The clipboard is constantly checked for bitcoin addresses (every 500ms) regardless of the activity of the user, and replaced if the detected address was not put there by the malware. So the instant one copies a bitcoin address, it's replaced with an evil one.
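Added example (my own code, not anything posted in the thread): the post's length-and-charset heuristic beside a full Base58Check decode, and the comparison rule a clipboard guard or wallet UI would apply to flag an address that was swapped between copy and paste. The sample input is the publicly known genesis-block address; all function names are mine.

```python
import hashlib

# Base58 alphabet: digits 1-9 and letters minus 0, O, I, l (exactly the
# characters the post's loop rejects).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def looks_like_address(s: str) -> bool:
    """The heuristic described in the post: length 29..40, leading 1 or 3,
    only Base58 characters. No checksum is involved."""
    return 29 <= len(s) <= 40 and s[0] in "13" and all(c in B58 for c in s)

def base58check_decode(s: str):
    """Return the payload bytes if s is valid Base58Check, else None."""
    n = 0
    for c in s:
        idx = B58.find(c)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Every leading '1' stands for one leading zero byte.
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None

def is_valid_address(s: str) -> bool:
    """Strict check: Base58Check-valid, 1-byte version + 20-byte hash, and
    version 0x00 (P2PKH, '1...') or 0x05 (P2SH, '3...')."""
    payload = base58check_decode(s)
    return payload is not None and len(payload) == 21 and payload[0] in (0, 5)

def paste_looks_swapped(copied: str, pasted: str) -> bool:
    """Rule a clipboard guard would apply: the text arriving at the paste
    point is a valid address but not the one the user copied."""
    return is_valid_address(pasted) and pasted != copied

# Constructed sample: the publicly known genesis-block address, and the
# same string with its last character changed (checksum no longer matches).
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
DAMAGED = GENESIS[:-1] + "b"

if __name__ == "__main__":
    print(looks_like_address(GENESIS), is_valid_address(GENESIS))   # True True
    print(looks_like_address(DAMAGED), is_valid_address(DAMAGED))   # True False
    print(paste_looks_swapped(GENESIS, GENESIS))                     # False
```

The damaged string passes the post's heuristic but fails the checksum, which is why a guard that compares what was copied against what is pasted catches the substitution that a charset test alone never can.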
John (John K.), Legendary (Activity: 1092)
Global Troll-buster and
Will read PM's. Have more time lately
March 31, 2012, 05:53:38 AM  #6

Sounds like a good methodology for this, although a bitcoin address should be 33 chars and below. How are you going to be so sure that all bitcoins are sent back correctly after the experiment?

bitcointalk3, Newbie (Activity: 11)
March 31, 2012, 06:55:44 AM  #7

Sounds like a good methodology for this, although a bitcoin address should be 33 chars and below. How are you going to be so sure that all bitcoins are sent back correctly after the experiment?

I'll be checking for transactions occasionally till the end of this year; it's done with a few clicks. I send the coins back to where they were sent from (that's the best I can do) when I see a transaction. The distribution of the trojan ended this month (the hosting ended), so there should not be any new victims unless someone else spreads it for some reason; it is hard to edit it to make a custom version of it, it should just not work then.
hoo, Member (Activity: 89)
March 31, 2012, 07:19:42 AM  #8

You should be glad no one can reach you to strangle the soul out of you.
Did you also send extra to compensate for the time you held them ransom?
You exemplify why bitcoin is such a piece of shit.

Someday soon you will have to hide in sewers.


bitcoin, 2nd most popular currency used by criminals.
bitcoin, 2nd most popular currency used by criminals.
bitcoin, 2nd most popular currency used by criminals.
bitcoin, 2nd most popular currency used by criminals.
bitcoin, 2nd most popular currency used by criminals.
The probability that you too are a criminal, is very high.
bitcointalk3, Newbie (Activity: 11)
March 31, 2012, 07:31:21 AM  #9

You should be glad no one can reach you to strangle the soul out of you.
Did you also send extra to compensate for the time you held them ransom?
You exemplify why bitcoin is such a piece of shit.

Someday soon you will have to hide in sewers.

I do not have any coins besides the captured ones.
finway, Hero Member (Activity: 714)
March 31, 2012, 07:44:59 AM  #10

I send back the coins to where they were sent from (that's the best I can do) when I see a transaction.

Not a good idea; many people use online wallets and can't receive coins at the address they sent from.

bitcointalk3, Newbie (Activity: 11)
March 31, 2012, 08:06:40 AM  #11

I send back the coins to where they were sent from (that's the best I can do) when I see a transaction.

Not a good idea; many people use online wallets and can't receive coins at the address they sent from.

Indeed. That might be solved in some cases, like in the thread linked in the OP, where the online wallet provider is aware of the situation (the customer's story) and has gotten the coins back. Most incoming transactions have been small ones, like 0.10 BTC. Huge transactions (50-1000+) might take some consideration and communication first from my side.
Kluge, Donator, Legendary (Activity: 1218)
Michael, send me some coins before I hitman you
March 31, 2012, 08:30:09 AM  #12

What did you learn from your experiment?

How many coins were taken? Do you have any data on the people whose coins you took? Or was it just, "could I do it? Would they really download it?"

Don't mix your coins someone said isn't legal
bitcointalk3, Newbie (Activity: 11)
March 31, 2012, 09:23:21 AM  #13

What did you learn from your experiment?

How many coins were taken? Do you have any data on the people whose coins you took? Or was it just, "could I do it? Would they really download it?"

"Can I do it?" was the question. What would the result be? I thought, "is it really that easy?". In about 3 months since the "release", a total of maybe 110 BTC has passed through me (while I'm doing absolutely nothing), with the trojan "lightly" advertised here and there. The trojan was uploaded to a temporary host (which would automatically be deactivated after 3 months without login). Anybody could do it.

I was certain that people would download it. Dangerous "security threat" indeed.

I learned that "projects" like this are a waste of time. I learned that even smart people can be really curious about something being advertised. I learned that scammers must live a sh**ty life (that's what I felt overall).

I also learned that there are insecure fields to harvest from though, with not that much effort, by those with that sh**ty life. The attacker wouldn't have to do more than create his trojan and mass-spread and mass-advertise it in more stable places. I did some light advertising and a not too sophisticated trojan, and 3 months later, I still "harvest".
payb.tc, Hero Member (Activity: 812)
March 31, 2012, 09:37:14 AM  #14

I was certain that people would download it.

Download what exactly? What was the trojan advertised as?
phelix, Legendary (Activity: 1680)
nmc:id/phelix
March 31, 2012, 09:40:21 AM  #15

you should keep 5% as tuition  Grin

blockchained.com ■ bitcointalk top posts
John (John K.), Legendary (Activity: 1092)
Global Troll-buster and
Will read PM's. Have more time lately
March 31, 2012, 09:41:50 AM  #16

I was certain that people would download it.

Download what exactly? What was the trojan advertised as?

+1. And I've helped you to link this thread in the original post, so the parties involved can take a look too.

abbeytim, Sr. Member (Activity: 333)
March 31, 2012, 09:42:34 AM  #17

I am the one that got scammed; ask nefario.

I lost 26.23 and 6.63 and no, I was never paid back. The coins were sent from btc-e,
and they use a different address to send them than my bitcoin address that I deposit to.
Please, next time if you scam them, talk to them. If you would have talked to nefario he would have told you to talk to me.

Thanks for becoming honest though; now I have to go talk to btc-e and see if they can find them.
worldinacoin, Hero Member (Activity: 658)
March 31, 2012, 09:53:13 AM  #18

With such talents, why don't you help the bitcoin community be a more secure place? I think the bitcoin project definitely needs capable people like you.
bitcointalk3, Newbie (Activity: 11)
March 31, 2012, 09:54:47 AM  #19

I was certain that people would download it.

Download what exactly? What was the trojan advertised as?


As a bitcoin wallet stealer, and as a miner.

I am the one that got scammed; ask nefario.

I lost 26.23 and 6.63 and no, I was never paid back. The coins were sent from btc-e,
and they use a different address to send them than my bitcoin address that I deposit to.
Please, next time if you scam them, talk to them. If you would have talked to nefario he would have told you to talk to me.

Thanks for becoming honest though; now I have to go talk to btc-e and see if they can find them.

I sent them back to where they came from. Nefario should be able to follow them back to his system.
payb.tc, Hero Member (Activity: 812)
March 31, 2012, 09:55:15 AM  #20

With such talents why don't you help the bitcoin community be a more secure place?

I believe he has just done that, by making a few people more cautious of malware.