Be careful what you're running! - .Jar instant stealer

ergofobe

newbie

Activity: 29

Merit: 0

Quote from: MagicBit15 on June 02, 2013, 06:31:46 PM

Quote from: exxe on June 02, 2013, 06:14:08 PM

I can confirm this. The email even contained some social engineering Roll Eyes

Quote

From: Alforakh Exchange <[email protected]>
Reply-To: Alforakh Exchange <[email protected]>
Subject: Deposit
To: "[email protected]" <[email protected]>

---1370164771-1127361565-1370026907=:14869
Content-Type: text/plain; charset=us-ascii

Hello,

Please find attached receipt for my deposit. As usual, send me a confirmation when the money hit your account.

Best

Content-Type: application/java-archive; name="DSC34.jar"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DSC34.jar"
[...]

Hmmmm, who specifically is being targeted with the emails. Also, Was that the full email? If so thank you.

I just got one of these as well. Targeting PanamaBitcoins.com. Of course, I don't read my email on any machine that could touch my Bitcoin, so at least I don't have to worry about that.

Bataleon

newbie

Activity: 8

Merit: 0

I would suggest using Armory in offline mode if you don't have a need to send a lot of transactions.

https://bitcoinarmory.com/

r.freeman

newbie

Activity: 42

Merit: 0

Quote from: ?? on ??

Quote from: escrow.ms on May 31, 2013, 03:37:07 PM

That's why i don't use JAVA..

Same here.
I don't have any program on my PC that requires it.

Actually java itself can be quite good.
It's the damn buggy java PLUGINS mostly.

deadp00l

member

Activity: 72

Merit: 10

Lot of good suggestions in this thread. Might be kind of a novelty to have an application running that watched for attempts to access wallet.dat and sent a pop up alert. Assuming this would be useful as a honeypot to track wallet stealing attempts and not a real form of protection. Could be possible to write a signature for something like Clam AV? Again I don't see it having much value and it would be more of a novelty than anything.

exxe

full member

Activity: 187

Merit: 100

Quote from: MagicBit15 on June 02, 2013, 06:31:46 PM

Hmmmm, who specifically is being targeted with the emails. Also, Was that the full email? If so thank you.

Target = 1broker.com support.

Yes that's the full email.

MagicBit15

sr. member

Activity: 294

Merit: 250

Let's Start a Cryptolution!!

Quote from: exxe on June 02, 2013, 06:14:08 PM

I can confirm this. The email even contained some social engineering Roll Eyes

Quote

From: Alforakh Exchange <[email protected]>
Reply-To: Alforakh Exchange <[email protected]>
Subject: Deposit
To: "[email protected]" <[email protected]>

---1370164771-1127361565-1370026907=:14869
Content-Type: text/plain; charset=us-ascii

Hello,

Please find attached receipt for my deposit. As usual, send me a confirmation when the money hit your account.

Best

Content-Type: application/java-archive; name="DSC34.jar"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DSC34.jar"
[...]

Hmmmm, who specifically is being targeted with the emails. Also, Was that the full email? If so thank you.

MagicBit15

sr. member

Activity: 294

Merit: 250

Let's Start a Cryptolution!!

Quote from: chris267 on June 02, 2013, 05:19:09 PM

Hi sir, I take it you're not fully aware of remote administration tools? If you.....

Quote from: chris267

You don't quite understand what a RAT is. It is an illegal method for hackers to gain unpriviledged access to ones PC, gaining full access doing everything possibly bad that you could think of. You don't give someone access to a RAT, rather they gain without your permission.

Hi Sir, I think you should learn first to choose your words carefully. A Remote Access Tool or (RAT), is typically associated with malicious software that gives access to hackers or other cyber-criminals to information on your computer without your knowledge. Which I believe you are speaking of. Remote Administration for the most part is associated with a large majority of legitimate and legal uses. I am quite aware of the differences in the IT world, since I work in it.... (Someone really needs to edit that wikipedia page BTW)

Remote Access Tools for the most part are all malicious and are extremely dangerous. People need to take severe caution. However, I would say, as you have also stated, Prevention is better than a Cure.

The number one way that a Trojan is installed onto a computer, is by novice users doing it themselves. Usually being completely unaware. In, I would say, 90% of cases. Typically, if there is something out there that is specific and new, that is when it becomes trouble.

exxe

full member

Activity: 187

Merit: 100

I can confirm this. The email even contained some social engineering Roll Eyes

Quote

From: Alforakh Exchange <[email protected]>
Reply-To: Alforakh Exchange <[email protected]>
Subject: Deposit
To: "[email protected]" <[email protected]>

---1370164771-1127361565-1370026907=:14869
Content-Type: text/plain; charset=us-ascii

Hello,

Please find attached receipt for my deposit. As usual, send me a confirmation when the money hit your account.

Best

Content-Type: application/java-archive; name="DSC34.jar"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DSC34.jar"
[...]

chris267

newbie

Activity: 32

Merit: 0

Quote from: MagicBit15 on June 02, 2013, 05:14:51 PM

Quote from: chris267 on May 31, 2013, 04:53:46 PM

Quote from: h3x on May 31, 2013, 03:33:13 PM

My 2 cents (as an experienced systems administrator and bitcoin newbie):

Nothing will help better than safe browsing practices and an up to date anti-virus solution. The cat and mouse game of the virus creators and the anti-virus companies will always be an issue. That virus creator only has to be right once to get his hands on your important data.

I have a blockchain.info account but I keep my main wallet on a Windows 7 Virtual Machine. The VM has full disk encryption (truecrypt), all Microsoft security patches are installed, and it is turned off when not in use. It only runs armory, bitcoin-qt and anti-virus. Only downside is it usually only takes about 30-60 minutes to sync back up with the blockchain after being turned off for a few days

I also plan on setting up a completely offline wallet using ubuntu on an older netbook that I can stash in a safe.

I don't have too much money in bitcoin right now but I hope to see my mining and monthly deposits reach some serious worth.

I like to think I am very security conscious but maybe I am just paranoid

Hi sir, I take it you're not fully aware of remote administration tools? If you are sorry..

Ok, an up to date anti-virus will be near to nothing when it comes to being effective against a virus. Those who create viruses are also aware of how to change variables and methods of injecting a file so that the anti-virus will not pick up any data, this can vary from simply changing icon to binding a program so that when virus is ran a fake program is ran too.

My point is that you can still be infected if you have up to date antivirus.

On the discussion of a remote administration tool, it gains unathorised access to your whole computer, meaning the hacker can scavage throughout all your files, and search for files which the hacker may deem valuable, in this case wallet.dat or whatever other crypto-currency data files you may have. Your idea of keeping the wallet offline is the only true method of being 100% protected, where the computer doesn't have an internet connection it is more likely to remain safe.

Yeah, but it is very unlikely unless you are constantly using remote administration tools and happen to give someone access accidentally. Which in that case I would not keep any source of bitcoin on that computer regardless. Even something as simple as letting someone you know use teamviewer or even they just have your network password. Usually it is the USER that puts themselves in that spot to begin with. Not always, but most the time in that kind of scenario.

You don't quite understand what a RAT is. It is an illegal method for hackers to gain unpriviledged access to ones PC, gaining full access doing everything possibly bad that you could think of. You don't give someone access to a RAT, rather they gain without your permission.

MagicBit15

sr. member

Activity: 294

Merit: 250

Let's Start a Cryptolution!!

Quote from: chris267 on May 31, 2013, 04:53:46 PM

Quote from: h3x on May 31, 2013, 03:33:13 PM

My 2 cents (as an experienced systems administrator and bitcoin newbie):

Nothing will help better than safe browsing practices and an up to date anti-virus solution. The cat and mouse game of the virus creators and the anti-virus companies will always be an issue. That virus creator only has to be right once to get his hands on your important data.

I have a blockchain.info account but I keep my main wallet on a Windows 7 Virtual Machine. The VM has full disk encryption (truecrypt), all Microsoft security patches are installed, and it is turned off when not in use. It only runs armory, bitcoin-qt and anti-virus. Only downside is it usually only takes about 30-60 minutes to sync back up with the blockchain after being turned off for a few days

I also plan on setting up a completely offline wallet using ubuntu on an older netbook that I can stash in a safe.

I don't have too much money in bitcoin right now but I hope to see my mining and monthly deposits reach some serious worth.

I like to think I am very security conscious but maybe I am just paranoid

Hi sir, I take it you're not fully aware of remote administration tools? If you are sorry..

Ok, an up to date anti-virus will be near to nothing when it comes to being effective against a virus. Those who create viruses are also aware of how to change variables and methods of injecting a file so that the anti-virus will not pick up any data, this can vary from simply changing icon to binding a program so that when virus is ran a fake program is ran too.

My point is that you can still be infected if you have up to date antivirus.

On the discussion of a remote administration tool, it gains unathorised access to your whole computer, meaning the hacker can scavage throughout all your files, and search for files which the hacker may deem valuable, in this case wallet.dat or whatever other crypto-currency data files you may have. Your idea of keeping the wallet offline is the only true method of being 100% protected, where the computer doesn't have an internet connection it is more likely to remain safe.

Yeah, but it is very unlikely unless you are constantly using remote administration tools and happen to give someone access accidentally. Which in that case I would not keep any source of bitcoin on that computer regardless. Even something as simple as letting someone you know use teamviewer or even they just have your network password. Usually it is the USER that puts themselves in that spot to begin with. Not always, but most the time in that kind of scenario.

chris267

newbie

Activity: 32

Merit: 0

Quote from: g.mcfough on June 01, 2013, 07:48:18 PM

So what you're saying is that running noscript wouldn't be enough to defend against this?

No not necessarily, noscript functions by blocking javascript/java/flash and only allowing it on a list of trusted websites. Malware (especially RAT's) can spread many other ways, whether this be through simply inserting your USB into an infected computer and then inserting that same USB into a non-infected computer and at the same time infecting the computer which was clean before. There's many ways such files can be spreaded, even through being binded onto real applications which would lower suspicions drastically. It's a hard game trying to be protected when such malware exists, but it is you as an individual's responsibility to ensure you take sufficient steps into preventing such attacks onto your computer.

g.mcfough

newbie

Activity: 9

Merit: 0

So what you're saying is that running noscript wouldn't be enough to defend against this?

ig0r.v

newbie

Activity: 20

Merit: 0

thank you for this useful info

BTCsckr

newbie

Activity: 11

Merit: 0

Thanks for the advice

JSMill

newbie

Activity: 56

Merit: 0

Thanks for the heads up!

samo

newbie

Activity: 46

Merit: 0

I also use sandboxie so if by chance any crap has a chance to get onto my pc its stuck in a sandbox and not my pc unless i give it permission to.

h3x

newbie

Activity: 7

Merit: 0

Quote from: chris267 on May 31, 2013, 04:53:46 PM

Quote from: h3x on May 31, 2013, 03:33:13 PM

My 2 cents (as an experienced systems administrator and bitcoin newbie):

Nothing will help better than safe browsing practices and an up to date anti-virus solution. The cat and mouse game of the virus creators and the anti-virus companies will always be an issue. That virus creator only has to be right once to get his hands on your important data.

I have a blockchain.info account but I keep my main wallet on a Windows 7 Virtual Machine. The VM has full disk encryption (truecrypt), all Microsoft security patches are installed, and it is turned off when not in use. It only runs armory, bitcoin-qt and anti-virus. Only downside is it usually only takes about 30-60 minutes to sync back up with the blockchain after being turned off for a few days

I also plan on setting up a completely offline wallet using ubuntu on an older netbook that I can stash in a safe.

I don't have too much money in bitcoin right now but I hope to see my mining and monthly deposits reach some serious worth.

I like to think I am very security conscious but maybe I am just paranoid

Hi sir, I take it you're not fully aware of remote administration tools? If you are sorry..

Ok, an up to date anti-virus will be near to nothing when it comes to being effective against a virus. Those who create viruses are also aware of how to change variables and methods of injecting a file so that the anti-virus will not pick up any data, this can vary from simply changing icon to binding a program so that when virus is ran a fake program is ran too.

My point is that you can still be infected if you have up to date antivirus.

On the discussion of a remote administration tool, it gains unathorised access to your whole computer, meaning the hacker can scavage throughout all your files, and search for files which the hacker may deem valuable, in this case wallet.dat or whatever other crypto-currency data files you may have. Your idea of keeping the wallet offline is the only true method of being 100% protected, where the computer doesn't have an internet connection it is more likely to remain safe.

Thanks for your reply. I completely agree that an offline wallet is the safest thing.

I am also very aware of RATs though. My point was that by not using this system for anything other than hosting my wallet there I am greatly reducing my risk of such an infection. Someone would have to find a way to exploit the Armory or Bitcoin-qt through the open sockets it uses to communicate to drop such a RAT onto my wallet system. This risk is greatly lessened because both applications are open source so their code can be scrutinized. Or I suppose they could use a zero day to exploit the operating system itself, but keeping the system fulling patched and not running unnecessary Windows services further mitigates this risk. Not to mention the system is off most of the time so it has no attack surface in that state.

Except maybe if someone were to gain access to the system hosting the VM and copy the VM files to their own system. In this case the truecrypt encryption protecting the entire hard drive on the machine would prevent someone from firing it up and attacking it that way.

The anti-virus is just best practice for any Windows operating system and will help with known threats.

escrow.ms

legendary

Activity: 1274

Merit: 1004

Quote from: ?? on ??

I received this in an email today! Undecided

can you please forward it to me at my email [email protected] for analysis.

chris267

newbie

Activity: 32

Merit: 0

Quote from: ?? on ??

Quote from: chris267 on May 31, 2013, 04:58:56 PM

Quote from: rashly on May 31, 2013, 04:55:40 PM

Make sure to encrypt your wallet with a very long, complex password.

Makes no difference if you encrypted your wallet with the password Password1 or encrypted your wallet with the Password vutHAspaSPaf3#J A keylogger records all strokes and thus the hacker if gains remote access can not only steal your wallet but also know your encryption password.

Thanks

Bit of a noob question, but when I have to enter a password I tend to create it by cutting/pasting/rearranging from existing text. Am I wasting my time or does this help to throw keyloggers?

Hi since keyloggers only record keystrokes, what you're doing is a very good idea, something I do myself too. Also, I tend to use on-screen keyboard which can be found on all computers running windows. It prevents any keyloggers from recording precious data, I only use this when entering passwords (obviously)

This may seem a bit over the top.. but remote administration tools can view your whole computer screen, a few youtube searches of RAT's will reveal to you just how powerful they are once hackers have access to your computer. So cutting and pasting there's still that risk thrown in

chris267

newbie

Activity: 32

Merit: 0

Quote from: rashly on May 31, 2013, 04:55:40 PM

Make sure to encrypt your wallet with a very long, complex password.

Makes no difference if you encrypted your wallet with the password Password1 or encrypted your wallet with the Password vutHAspaSPaf3#J A keylogger records all strokes and thus the hacker if gains remote access can not only steal your wallet but also know your encryption password.

Thanks

Topic: Be careful what you're running! - .Jar instant stealer (Read 3689 times)