Bitcoin Forum
Pages: « 1 [2]  All
Author Topic: Malware writer here, ask your questions.  (Read 2575 times)
bitcointalk3 (Newbie, Activity: 11) | March 31, 2012, 09:59:22 AM | #21

With such talents, why don't you help the bitcoin community be a more secure place? I think the bitcoin project definitely needs capable people like you.

Thought about it. But sure! Not sure how much I'll be able to help. But I will try to make a list of some potential "exploits" and potential solutions eventually, and tip the developers.
abbeytim (Sr. Member, Activity: 333) | March 31, 2012, 10:11:42 AM | #22

They never got to Nefario's system. I was sending coins to GLBSE, copied the GLBSE deposit address and pasted it to withdraw from the btc-e.com address, and it changed the address. I didn't pay attention and sent; I had copied and pasted BTC addresses before and never second-checked.
So they were sent back to btc-e, but btc-e uses a different external address to send coins than my personal deposit address.
RaggedMonk (Sr. Member, Activity: 308) | March 31, 2012, 10:23:19 AM | #23

watching.
Gabi (Legendary, Activity: 1050) | March 31, 2012, 10:53:51 AM | #24

With such talents, why don't you help the bitcoin community be a more secure place? I think the bitcoin project definitely needs capable people like you.
Wake up, he helped much more in that way.

If it takes such simple things to write working malware and actually steal bitcoins, what can happen with a more concerted effort?
bitcointalk3 (Newbie, Activity: 11) | March 31, 2012, 11:35:35 AM | #25

A question: are you an actual blackhat doing this type of thing to make a living, or did you just pull off a nice hack for the heck of it?

If the former, a follow-up question: as far as you know, how is bitcoin viewed/perceived in the blackhat community (other than as an easy way to scam folks, that is)?

In particular, is it perceived as something useful to the community itself?


Usually don't do this. Wanted to try it just because it seemed so easy (something that anyone can do), to see what would happen. A little test.

With such talents, why don't you help the bitcoin community be a more secure place? I think the bitcoin project definitely needs capable people like you.
Wake up, he helped much more in that way.

If it takes such simple things to write working malware and actually steal bitcoins, what can happen with a more concerted effort?

A lot. The wallet is easily accessed by a trojan, and all the keys are there ready to be used. The wallet doesn't even have to shift owner; the malware could spend the money there right away.

In "my" case, only the intended amount of btc to be sent (intended by the victim, thus limited) is captured, and the [intended] coins are only captured when the victim actually sends anything.

A trojan made with more effort could simply just use the keys in the wallet and spend all the coins right away. A password for the wallet could be cracked firsthand on the victim's computer, and/or the passphrase could simply be captured from the keyboard/bitcoin software directly whenever it's used (which it eventually will).

Even if the wallet is stored somewhere other than the default place, for example in a TrueCrypt file, whenever the wallet is loaded into the bitcoin client, the wallet can be read directly from the bitcoin client's working memory.

abbeytim (Sr. Member, Activity: 333) | March 31, 2012, 11:54:56 AM | #26

Well, I've been talking to btc-e and they never received them back. Here's our conversation:

support: abbeytim, I checked on the base of the purse bitcoin

abbeytim: ok

abbeytim: k

support: abbeytim, btc means not gone

abbeytim: and the block chain says they were sent back to look bottom there http://blockexplorer.com/address/19C16JK7tup7rnCvgY7nwAEXCPHFjans75

abbeytim: none of those are btc-e addresses??

support: abbeytim, I checked 30 and March 31, 2012

abbeytim: k thanks

support: abbeytim, http://blockexplorer.com/tx/2392adbd8784dc8ab16600f10be874c02c37886fd7b09fe0989b9144868973d0

support: 17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd -6.63 BTC -0.001 BTC 1399 blockexplorer 11:25 22.03.12

abbeytim: so does that mean he still has them ??

abbeytim: or he sent them to wrong address

support: abbeytim, To: 14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ -26.23 BTC 0 BTC 1575 blockexplorer 09:53 21.03.12

support: http://blockexplorer.com/tx/fcf078588cc961e6af4a5aa8faab559a3d7b5867c16bbf38dfccc4d4f90ea19a

support: abbeytim, btc on our accounts were written off

abbeytim: and we never received them back right??

abbeytim: we meaning btc-e

support: abbeytim, and as we get them back?

abbeytim: well thx for your time

See if you guys can figure out what happened.
jake262144 (Full Member, Activity: 210) | March 31, 2012, 11:55:42 AM | #27

If it takes such simple things to write working malware and actually steal bitcoins, what can happen with a more concerted effort?

As long as users are foolish enough to install software laden with trojans and run it with root privileges they will suffer the dire consequences.

Did you read this post in Bitcoin discussion?
The security-imbecile fell for some "optimized miner" mumbo-jumbo, installed this crap and when it -apparently- failed to work he instantly forgot about the whole matter!

Congrats bitcointalk3, you have proven there are fools aplenty.
If you really merely wanted to test your abilities have you perhaps set some TTL value (e.g. 30 days) after which the malware goes inactive?
That's the responsible thing to do, you know.
abbeytim (Sr. Member, Activity: 333) | March 31, 2012, 12:01:45 PM | #28

Sorry, some of us are fools. Either way, I learned from my mistake.

I guess that's what's important, even though I lost 32+ bitcoins.
abbeytim (Sr. Member, Activity: 333) | March 31, 2012, 12:26:09 PM | #29

And if anyone feels bad for me, send some BTC here:

148PmRLnHj4K89CcQajhz3dZQt7E66d53W
abbeytim (Sr. Member, Activity: 333) | March 31, 2012, 01:36:15 PM | #30

btc-e just got my coins back to me, thx :)
waspoza (Hero Member, Activity: 602) | March 31, 2012, 02:39:50 PM | #31

And if anyone feels bad for me, send some BTC here:

148PmRLnHj4K89CcQajhz3dZQt7E66d53W

Are you sure it's a good address this time? ;)
marked (Full Member, Activity: 168) | March 31, 2012, 03:53:23 PM | #32

Are you sure it's a good address this time? ;)
He typed it in 1 bit at a time just to be sure, took him ages too, as the line noise on the morse code tapper was just terrible.

marked
Stephen Gornick (Legendary, Activity: 1988) | March 31, 2012, 04:15:56 PM | #33

The trojan was uploaded to a temporary host (which automatically would be inactivated after 3 months without login). Anybody could do it.

I was certain that people would download it. Dangerous "security threat" indeed.

[...]

The attacker wouldn't have to do more than creating his trojan and mass-spreading and mass-advertising it on more stable places. I did some light advertising and a not too sophisticated trojan, and 3 months later, I still "harvest".

Do current anti-virus security providers (e.g., AVG, Avast, McAfee, etc.) detect the download as being malware now? Or is this likely occurring from those who either don't have anti-virus or don't keep it current (and do dumb stuff like downloading and installing .exes from untrusted sources)?

John (John K.) (Global Troll-buster and Legendary, Activity: 1092) | March 31, 2012, 04:37:23 PM | #34

The trojan was uploaded to a temporary host (which automatically would be inactivated after 3 months without login). Anybody could do it.

I was certain that people would download it. Dangerous "security threat" indeed.

[...]

The attacker wouldn't have to do more than creating his trojan and mass-spreading and mass-advertising it on more stable places. I did some light advertising and a not too sophisticated trojan, and 3 months later, I still "harvest".

Do current anti-virus security providers (e.g., AVG, Avast, McAfee, etc.) detect the download as being malware now? Or is this likely occurring from those who either don't have anti-virus or don't keep it current (and do dumb stuff like downloading and installing .exes from untrusted sources)?
Antiviruses don't do any good for 0-day releases like this one, unless the heuristics pick it up.
OP has a point there - most Windows users are too moronic to check their downloads, and this is why botnets are so abundant nowadays.

My BTC Tip Jar: 1Pgvfy19uwtYe5o9dg3zZsAjgCPt3XZqz9 , GPG ID: B3AAEEB0 ,OTC ID: johnthedong
Escrow service is available on a case by case basis! (PM Me to verify I'm the escrow!)

bitcointalk3 (Newbie, Activity: 11) | April 01, 2012, 01:03:10 AM | #35

Well, I've been talking to btc-e and they never received them back. Here's our conversation:

http://blockchain.info/address/19C16JK7tup7rnCvgY7nwAEXCPHFjans75

the 2392adbd8784dc8ab16600f10be874c02c37886fd7b09fe0989b9144868973d0 transaction is when the coins got to me,
7303bb4534c085b05e09af9bfa89a90f2a2674e58552594f0ea7cf84fd4d1194 is the transaction from when I sent the coins back to btc-e or where they came from, to address 19C16JK7tup7rnCvgY7nwAEXCPHFjans75  . Those 6.63 coins (which I then lost control over) were then transferred to 1GzrUY3HpBBpbtxgZbDMcokLQTQXQdAiqc , which I suppose is part of btc-e's (or any other online service's) system.

The trojan is easy to remove. CTRL+ALT+DEL and kill a process named mcfar*. It is then easy to remove it manually from autostart by running the command msconfig (through the Run dialog, WINDOWS KEY+R). Click the autostart tab and uncheck the one called Avast7*, filename mcfar* (begins with mcfar*). The trojan can manually be removed from "c:\windows\mcfar*.exe". I don't have the source code right here, but that's what I'm really sure about.

Congrats bitcointalk3, you have proven there are fools aplenty.
If you really merely wanted to test your abilities have you perhaps set some TTL value (e.g. 30 days) after which the malware goes inactive?
That's the responsible thing to do, you know.

All the pages are down, and they did also have a limited traffic threshold. I didn't think about giving it a TTL value, I thought about it afterwards. A mistake from my side (well, doing this was a mistake to begin with, it could just have warned the user that he/she'd be hacked now).

There's one source left, tricking pure ped*****es. I didn't bother giving that page a TTL (and I couldn't). Though that host will not be up forever.
alexbishops (Newbie, Activity: 23) | April 01, 2012, 09:43:24 PM | #36

I take it NoScript for Firefox would protect you from this sort of attack?

http://noscript.net/

Have I been polite and helpful? Please show your appreciation: 1PxWTUmhiK4SnqLepJjYNUVfZj3YaYvBrk
Dabs (Staff, Legendary, Activity: 1512) | April 04, 2012, 02:00:10 AM | #37

I think as long as you downloaded and ran the exe, you are sort of doomed until you get it out. I made something like this about 15 years ago for another popular software, and it was even programmed in VB. Disclaimer: I didn't make anything (money) out of it, except give people headaches, and it was 15 years ago.

Whitelisting software like Anti-Executable or something similar would work, up to the point that it asks "Are you sure you want to run optimizedminer.exe?" and you still click Yes, on a live machine (not virtual, not sandboxed, not protected or whatever).

The fundamentals of conning people have not changed, and social engineering can still be done today, the same way it has been done 20 to 30 years ago, because a lot of people are simply ... ... they don't know any better.

In fact, I'm pretty sure someone can or has come up with malware that gets your credit card number from the clipboard.

Geez, I paste almost all my passwords from the clipboard from notepad.......... better check my own system now.

64blocks.com Social Multiplayer Dice (Gambling) - Escrow Service (Services) - GPG ID: 32AD7565, OTC ID: Dabs
All messages concerning escrow or with bitcoin addresses are GPG signed. Please verify.
CompTIA A+, Microsoft Certified Professional, MCSA: Windows 10; Windows Server 2012, MCSE: Cloud Platform and Infrastructure; Productivity; Messaging
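A defender-side check for the clipboard substitution abbeytim ran into earlier in the thread and the clipboard-reading malware Dabs mentions, written as an added example that is not code from any poster here: it validates Base58Check addresses and flags a clipboard poll that shows a different valid address than the one the user last copied. The event feed is constructed inline; a real monitor would read the OS clipboard and hook the user's copy action, which this example assumes rather than implements.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Base58, no 0/O/I/l

def b58decode(text):
    """Decode Base58 text to bytes; each leading '1' becomes a zero byte."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body

def b58encode(raw):
    """Inverse of b58decode; each leading zero byte becomes a '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def checksum(payload):
    """First 4 bytes of double SHA-256, as Base58Check uses."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def address_from_hash160(h160, version=0):
    """Build a P2PKH address from a 20-byte hash; used here only to construct sample data."""
    payload = bytes([version]) + h160
    return b58encode(payload + checksum(payload))

def is_valid_p2pkh(addr):
    """True only if addr decodes to 25 bytes with version 0 and a matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0 and raw[21:] == checksum(raw[:21])

def find_swaps(events):
    """events are (source, text): 'user_copy' is the user's own copy, 'poll' a periodic
    clipboard read; a poll with a different valid address than the last copy is a swap."""
    alerts, expected = [], None
    for source, text in events:
        if source == "user_copy":
            expected = text
        elif expected and text != expected and is_valid_p2pkh(text) and is_valid_p2pkh(expected):
            alerts.append((expected, text))
    return alerts
```

A swap alert means the wallet or exchange page is about to receive an address the user never copied, which is exactly the moment abbeytim's coins went to the wrong place.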
John (John K.) (Global Troll-buster and Legendary, Activity: 1092) | April 04, 2012, 02:17:35 AM | #38

I take it NoScript for Firefox would protect you from this sort of attack?

http://noscript.net/

No.

My BTC Tip Jar: 1Pgvfy19uwtYe5o9dg3zZsAjgCPt3XZqz9 , GPG ID: B3AAEEB0 ,OTC ID: johnthedong
Escrow service is available on a case by case basis! (PM Me to verify I'm the escrow!)

ryu-fk (Jr. Member, Activity: 51) | April 04, 2012, 05:04:11 PM | #39

With such talents, why don't you help the bitcoin community be a more secure place?

I believe he has just done that, by making a few people more cautious of malware.

Or, more probably, they will stop using bitcoin.
