Malware Bytes Reports Bitcointalk as Malicious Website. False Positive?

BitcoinFX

legendary

Activity: 2646

Merit: 1722

https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF

Quote from: theymos on November 20, 2013, 10:38:36 PM

Quote from: r3wt on November 20, 2013, 10:33:53 PM

Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? atleast investigate the issue. could have slipped some malware under your nose into the server for all you know.

You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.

Quote from: BitcoinFX on November 22, 2013, 01:39:16 PM

I've just scanned bitcointalk.org

http://sitecheck.sucuri.net/scanner/ - Clean

https://www.virustotal.com/en/url/7354af8427d7b8d4236356d0bca680ad3186fce415cb51971f3793cee59e4291/analysis/1385144339/ - Clean

However, I found that hpHosts is currently listing bitcointalk.org - i.e. 'Malwarebytes'.

See: http://hosts-file.net/?s=bitcointalk.org this is probably an error and the admin. should contact 'Request removal' for more info.

Not 100% sure how ads are being served here, but it might be to do with temporarily hijacked 3rd party content and/or in relation to linked content.

This report, I suspect is actually a 'false positive'.

Probably

newbie

Activity: 56

Merit: 0

https://forums.malwarebytes.org/index.php?showtopic=136963 I reported this earlier as well. Same boat, this just started happening today.

r3wt

hero member

Activity: 686

Merit: 504

always the student, never the master.

Quote from: theymos on November 20, 2013, 10:38:36 PM

Quote from: r3wt on November 20, 2013, 10:33:53 PM

Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? atleast investigate the issue. could have slipped some malware under your nose into the server for all you know.

You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.

Been using it for years, and this is the first time its occured at bitcointalk. Additionally, i searched malware bytes ip database and bitcointalk is not on the list of hosts. I accept that it could be a false positive, but to brush it off without investigation is lazy.

papaminer

sr. member

Activity: 462

Merit: 250

Free World

I see it has been reported already..

Anyway... theymos explanation does answer why is it being blocked NOW?

I have been MBAMPRO user for more than a few years... and it only blocked the forum THIS MORNING? Just when BTC went OVER $500/USD?

anyway... here is my log... just incase... some one who really cares...

Quote

2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54730, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54732, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54734, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54736, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54737, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54738, Process: firefox.exe)
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   Stopping IP protection
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   IP Protection stopped successfully
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   Starting IP protection
2013/11/20 19:44:16 -0800   admin-PC   admin   MESSAGE   IP Protection started successfully

scintill

sr. member

Activity: 448

Merit: 254

Quote from: r3wt on November 20, 2013, 10:33:53 PM

atleast investigate the issue. could have slipped some malware under your nose into the server for all you know.

I'm trying not to be too hostile here, but I'm really skeptical and feel like you're deliberately being vague. What "issue"? All you've really done is claim there's an infection, speculate on its motives, and give some sort of log without much description of what it is.

So, at least could you say what the log is? Something has blocked outgoing connections from chrome.exe to bitcointalk.org (109.201.133.195)? What do the columns mean? What software produced this log? Are the port numbers listed from your side or bitcointalk's? It would indeed be unusual for Chrome to be connecting to high-numbered ports of bitcointalk, but not unusual for high-numbered ports to be the originating port from Chrome as a client.

Sounds like theymos has debunked the log as an overactive general blacklist, not an indication of a new, specific infection on bitcointalk.

theymos

administrator

Activity: 5222

Merit: 13032

Quote from: r3wt on November 20, 2013, 10:33:53 PM

Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? atleast investigate the issue. could have slipped some malware under your nose into the server for all you know.

You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.

r3wt

hero member

Activity: 686

Merit: 504

always the student, never the master.

Quote from: theymos on November 20, 2013, 10:31:52 PM

If there is actually a problem with the forum, MalwareBytes can collect a substantial bounty. But they're probably just wrong. Anti-malware companies make money by scaring users into thinking that everything around them is dangerous. The forum has previously been blocked by anti-malware software because you can find download links to stealth mining software here.

Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? atleast investigate the issue. could have slipped some malware under your nose into the server for all you know.

theymos

administrator

Activity: 5222

Merit: 13032

If there is actually a problem with the forum, MalwareBytes can collect a substantial bounty. But they're probably just wrong. Anti-malware companies make money by scaring users into thinking that everything around them is dangerous. The forum has previously been blocked by anti-malware software because you can find download links to stealth mining software here.

r3wt

hero member

Activity: 686

Merit: 504

always the student, never the master.

Quote from: scintill on November 20, 2013, 10:25:28 PM

Quote from: anti-scam on November 20, 2013, 10:14:33 PM

How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.

Yeah, I see nothing about where it is supposedly "inserted into Bitcointalk", how users can protect themselves, how the forum can clean it...

You're welcome. I expect theymos or someone else to handle it now.

scintill

sr. member

Activity: 448

Merit: 254

Quote from: anti-scam on November 20, 2013, 10:14:33 PM

How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.

Yeah, I see nothing about where it is supposedly "inserted into Bitcointalk", how users can protect themselves, how the forum can clean it...

anti-scam

sr. member

Activity: 476

Merit: 251

COINECT

How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.

r3wt

hero member

Activity: 686

Merit: 504

always the student, never the master.

Looks like malware distribution to Windows users. I've spoken with one individual who unfortunately was infected. the signature of the bot shows up as "bitcoinminer"(like the false positive in cgminer) and infected paint.exe. upon investigation, i was able to T/V in and determine that it is indeed not a false positive. the malware escalates privilege, opens svc host. unfortunately the bot owner caught wind of my snooping and terminated team viewer. Windows users, be careful.

Download MBAR(Malware Bytes Anti Rootkit) and check your machine out immediately. Seems like the botowner has chosen the forum as a distribution point for an upcoming Ddos attack, a complex layer 7 attack where botnets are used to circumvent convential ddos filters and detection protocols(fits timing, and mo of Person behind a previous attack of this nature on a website i won't disclose.)

Of course, it could just be an attempt to steal the wallets of BCT users. Cheesy

Code:

2013/11/20 13:10:17 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50537, Process: chrome.exe)
2013/11/20 13:30:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 51720, Process: chrome.exe)
2013/11/20 13:50:14 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 52942, Process: chrome.exe)
2013/11/20 14:10:17 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54343, Process: chrome.exe)
2013/11/20 14:30:20 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 55592, Process: chrome.exe)
2013/11/20 14:50:23 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 56784, Process: chrome.exe)
2013/11/20 15:10:18 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 57917, Process: chrome.exe)
2013/11/20 15:30:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 59123, Process: chrome.exe)
2013/11/20 15:50:16 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 60394, Process: chrome.exe)
2013/11/20 16:10:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 61690, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62478, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62484, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62485, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62486, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62487, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62488, Process: chrome.exe)
2013/11/20 16:19:57 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62491, Process: chrome.exe)
2013/11/20 16:19:57 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62492, Process: chrome.exe)
2013/11/20 16:25:50 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63281, Process: chrome.exe)
2013/11/20 16:25:50 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63282, Process: chrome.exe)
2013/11/20 17:07:48 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49392, Process: chrome.exe)
2013/11/20 17:16:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49914, Process: chrome.exe)
2013/11/20 17:16:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49915, Process: chrome.exe)
2013/11/20 17:16:46 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49960, Process: chrome.exe)
2013/11/20 17:16:46 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49961, Process: chrome.exe)
2013/11/20 17:30:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50879, Process: chrome.exe)
2013/11/20 17:30:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50880, Process: chrome.exe)
2013/11/20 18:43:54 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 55526, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62244, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62245, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62246, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62247, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62313, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62314, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62315, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62316, Process: chrome.exe)

Topic: Malware Bytes Reports Bitcointalk as Malicious Website. False Positive? (Read 1520 times)