Bitcoin Forum
Author Topic: Malware writer here, ask your questions.  (Read 2905 times)
bitcointalk3 (OP)
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
March 31, 2012, 02:39:39 AM
 #1

I don't have any access to the original thread. http://bitcointalk.org/index.php?topic=73562.0 I wrote the malware. Ask your questions.

All coins captured are sent back.
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1288
Merit: 1225


Away on an extended break


View Profile
March 31, 2012, 03:05:27 AM
 #2

Is this an experiment?
bitcointalk3 (OP)
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
March 31, 2012, 03:16:32 AM
 #3

Is this an experiment?

Yes
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1288
Merit: 1225


Away on an extended break


View Profile
March 31, 2012, 03:25:23 AM
 #4

Are the addresses hardcoded in the malware, or does the malware generate addresses on-the-fly and send the keys back via IRC/FTP, or does the malware download a set of addresses off a server each time?

How does the malware detect the address? By identifying the checksum? Or by using GetWindowTitle and replacing C&P addresses when a predetermined window (client / glbse window) is detected?
bitcointalk3 (OP)
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
March 31, 2012, 05:09:17 AM
Last edit: March 31, 2012, 05:19:23 AM by bitcointalk3
 #5

Are the addresses hardcoded in the malware, or does the malware generate addresses on-the-fly and send the keys back via IRC/FTP, or does the malware download a set of addresses off a server each time?

How does the malware detect the address? By identifying the checksum? Or by using GetWindowTitle and replacing C&P addresses when a predetermined window (client / glbse window) is detected?

The addresses are generated on-the-fly and the keys are encrypted with RSA+custom encryption, and pasted here ( http://yourpaste.net/10173 ) with increasing numbers from 10173 to this day.

The address is detected by its length and content. A bitcoin address should contain certain characters only and begins with a 1 or a 3, and has a typical length (the required length here is 29 to 40).

----------------------------------------------------
// Every character must be in the Base58 alphabet: digits 1-9 and letters a-z / A-Z,
// minus the four characters Base58 leaves out (l, I, O, 0).
// cbsize - 1 assumes cbsize counts the terminating NUL of the clipboard text.
allAreCharacters = true;
for (int i = 0; i < cbsize - 1; ++i)
    if (!((clipboard[i] >= '1' && clipboard[i] <= '9') || (clipboard[i] >= 'a' && clipboard[i] <= 'z') || (clipboard[i] >= 'A' && clipboard[i] <= 'Z'))
        || clipboard[i] == 'l' || clipboard[i] == 'I' || clipboard[i] == 'O' || clipboard[i] == '0') {
        allAreCharacters = false;
        // ......
    }

// Reject anything that failed the character test or does not start with '1' or '3'
if (!allAreCharacters || !(clipboard[0] == '1' || clipboard[0] == '3'))
    // Not-an-address
-----------------------------------------------------

The clipboard is constantly checked for bitcoin addresses (every 500ms) regardless of the activity of the user, and replaced if the detected address was not put there by the malware. So the instant one copies a bitcoin address, it's replaced with an evil one.
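The following Python is an added example written from the defender's side; it is not the OP's code and not taken from this thread. It puts the posted length-and-charset rule beside real Base58Check validation (the checksum John asked about), which is what a wallet or a clipboard-integrity tool should use before trusting a pasted destination, and it runs a simple monitor over a constructed clipboard history that flags a valid address being replaced by a different valid address within one second, which is exactly the 500 ms swap behaviour described above. The genesis-block coinbase address serves as a known-good input; the "attacker" address is built from a made-up hash160 and is not an address from this thread.

```python
import hashlib

# Base58 alphabet: the same set the posted loop allows (1-9, a-z, A-Z minus l, I, O, 0).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def looks_like_address_heuristic(s):
    """The length-and-charset rule described in the post: 29-40 chars, Base58 only, leading '1' or '3'."""
    return 29 <= len(s) <= 40 and s[0] in "13" and all(c in ALPHABET for c in s)


def _checksum(payload):
    # Base58Check checksum: first 4 bytes of SHA256(SHA256(payload))
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload):
    """version byte + payload -> Base58Check string (each leading zero byte becomes a leading '1')."""
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(s):
    """Return version byte + payload, or None if a character is invalid or the checksum fails."""
    n = 0
    for c in s:
        idx = ALPHABET.find(c)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    data = b"\x00" * pad + raw
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        return None
    return data[:-4]


def is_valid_legacy_address(s):
    """Base58Check decodes and carries a mainnet P2PKH (0x00) or P2SH (0x05) version byte."""
    payload = base58check_decode(s)
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


def detect_clipboard_swaps(snapshots, window_ms=1000):
    """Flag a valid address being replaced by a *different* valid address within window_ms.

    snapshots: list of (timestamp_ms, clipboard_text) taken by a polling monitor.
    Returns a list of (timestamp_ms, original_address, replacement_address).
    """
    alerts = []
    last = None  # (timestamp, address) of the most recent valid address seen
    for ts, text in snapshots:
        text = text.strip()
        if is_valid_legacy_address(text):
            if last is not None and text != last[1] and ts - last[0] <= window_ms:
                alerts.append((ts, last[1], text))
            last = (ts, text)
        else:
            last = None
    return alerts


# Known-good input: the genesis-block coinbase address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed "attacker" address from a made-up hash160 (bytes 1..20); not an address from the thread.
EVIL = base58check_encode(b"\x00" + bytes(range(1, 21)))
# One-character typo: passes the charset/length rule but fails the checksum.
TYPO = GENESIS[:-1] + "b"

# Constructed clipboard history at 500 ms intervals: the user copies GENESIS, and 500 ms later it reads EVIL.
SNAPSHOTS = [(0, "meeting notes"), (500, GENESIS), (1000, EVIL), (1500, EVIL), (9000, TYPO)]

if __name__ == "__main__":
    for label, s in (("genesis", GENESIS), ("typo", TYPO), ("evil", EVIL)):
        print(label, "heuristic:", looks_like_address_heuristic(s), "checksum:", is_valid_legacy_address(s))
    print(detect_clipboard_swaps(SNAPSHOTS))
```

The checksum check catches typos and truncations that the charset rule lets through, but it cannot tell a swapped-in valid address from the one the user copied; only comparing the clipboard over time (or against the address the user actually selected) does that, which is why the monitor keys on a change between two valid addresses inside the polling window. A user who legitimately copies two addresses within a second would also trigger it, so treat the alert as a prompt to re-check the destination rather than as proof of infection.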
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1288
Merit: 1225


Away on an extended break


View Profile
March 31, 2012, 05:53:38 AM
 #6

Sounds like a good methodology for this, although a bitcoin address should be 33 chars and below. How are you going to be so sure that all bitcoins are sent back correctly after the experiment?
bitcointalk3 (OP)
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
March 31, 2012, 06:55:44 AM
 #7

Sounds like a good methodology for this, although a bitcoin address should be 33 chars and below. How are you going to be so sure that all bitcoins are sent back correctly after the experiment?

I'll be checking for transactions occasionally till the end of this year, it's done with a few clicks. I send back the coins to where they were sent from (that's the best I can do) when I see a transaction. The distribution of the trojan ended this month --hosting ended--, so there should not be any new victims unless someone else spreads it for some reason; it is hard to edit it to make a custom version of it, it should just not work then.
hoo
Member
**
Offline Offline

Activity: 89
Merit: 10


View Profile WWW
March 31, 2012, 07:19:42 AM
 #8

You should be glad no one can reach you to strangle the soul out of you.
did you also send extra to compensate for the time you held them ransom?
You exemplify why bitcoin is such a piece of shit.

someday soon you will have to hide in sewers.


bitcoin, 2nd most popular currency used by criminals.
The probability that you too are a criminal, is very high.
bitcointalk3 (OP)
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
March 31, 2012, 07:31:21 AM
 #9

You should be glad no one can reach you to strangle the soul out of you.
did you also send extra to compensate for the time you held them ransom?
You exemplify why bitcoin is such a piece of shit.

someday soon you will have to hide in sewers.

I do not have any coins besides the captured ones.
finway
Hero Member
*****
Offline Offline

Activity: 714
Merit: 500


View Profile
March 31, 2012, 07:44:59 AM
 #10


I send back the coins to where they were sent from (that's the best I can do) when I see a transaction.

Not a good idea, many people use online wallet, who can't receive coins from the address where they sent.

bitcointalk3 (OP)
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
March 31, 2012, 08:06:40 AM
 #11


I send back the coins to where they were sent from (that's the best I can do) when I see a transaction.

Not a good idea, many people use online wallet, who can't receive coins from the address where they sent.

Indeed. That might be solved in some cases, like in the thread linked in the OP, where the online wallet provider is aware of the situation (the customer's story) and has gotten the coins back. Most incoming transactions have been small ones, like 0.10 btc. Huge transactions (50-1000+) might take some consideration and communication first from my side.
Kluge
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1015



View Profile
March 31, 2012, 08:30:09 AM
 #12

What did you learn from your experiment?

How many coins were taken? Do you have any data on the people whose coins you took? Or was it just, "could I do it? Would they really download it?"
bitcointalk3 (OP)
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
March 31, 2012, 09:23:21 AM
Last edit: March 31, 2012, 09:45:28 AM by bitcointalk3
 #13

What did you learn from your experiment?

How many coins were taken? Do you have any data on the people whose coins you took? Or was it just, "could I do it? Would they really download it?"

"Can I do it?" was the question. What would the result be? I thought, "is it really that easy?". In about 3 months since the "release", a total of maybe 110 btc has passed me (while I'm doing absolutely nothing), with the trojan "lightly" advertised here and there. The trojan was uploaded to a temporary host (which automatically would be inactivated after 3 months without login). Anybody could do it.

I was certain that people would download it. Dangerous "security threat" indeed.

I learned that "projects" like this are a waste of time. I learned that even smart people can be really curious about something being advertised. I learned that scammers must live a sh**ty life (that's what I felt overall).

I also learned that there are insecure fields to harvest from though, with not that much effort, by those with that sh**ty life. The attacker wouldn't have to do more than creating his trojan and mass-spreading and mass-advertising it on more stable places. I did some light advertising and a not too sophisticated trojan, and 3 months later, I still "harvest".
payb.tc
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1000



View Profile
March 31, 2012, 09:37:14 AM
 #14

I was certain that people would download it.

download what exactly? what was the trojan advertised as?
phelix
Legendary
*
Offline Offline

Activity: 1708
Merit: 1019



View Profile
March 31, 2012, 09:40:21 AM
 #15

you should keep 5% as tuition  Grin
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1288
Merit: 1225


Away on an extended break


View Profile
March 31, 2012, 09:41:50 AM
 #16

I was certain that people would download it.

download what exactly? what was the trojan advertised as?

+1. And I've helped you to link this thread in the original post, so the parties involved can take a look too.
abbeytim
Sr. Member
****
Offline Offline

Activity: 438
Merit: 250


View Profile
March 31, 2012, 09:42:34 AM
 #17

i am the one that got scammed ask nefario

i lost 26.23 and 6.63 and no i was never paid back, the coins were sent from btc-e
and they use a different address to send them than my bitcoin address that i deposit to
plz next time if you scam them talk to them if you would have talked to nefario he would have told you to talk to me

thx for becoming honest though now i have to go talk to btc-e and see if they can find them
worldinacoin
Hero Member
*****
Offline Offline

Activity: 756
Merit: 500



View Profile
March 31, 2012, 09:53:13 AM
 #18

With such talents why don't you help the bitcoin community be a more secure place?  I think the bitcoin project definitely need capable people like you. 
bitcointalk3 (OP)
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
March 31, 2012, 09:54:47 AM
 #19

I was certain that people would download it.

download what exactly? what was the trojan advertised as?


As a bitcoin wallet stealer, and as a miner.

i am the one that got scammed ask nefario

i lost 26.23 and 6.63 and no i was never paid back, the coins were sent from btc-e
and they use a different address to send them than my bitcoin address that i deposit to
plz next time if you scam them talk to them if you would have talked to nefario he would have told you to talk to me

thx for becoming honest though now i have to go talk to btc-e and see if they can find them

I sent them back to where they came from. Nefario should be able to follow them back to his system.
payb.tc
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1000



View Profile
March 31, 2012, 09:55:15 AM
 #20

With such talents why don't you help the bitcoin community be a more secure place?

i believe he has just done that, by making a few people more cautious of malware.