Author

Topic: Malware Bytes Reports Bitcointalk as Malicious Website. False Positive? (Read 1525 times)

legendary
Activity: 2646
Merit: 1722
https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF
Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? atleast investigate the issue. could have slipped some malware under your nose into the server for all you know.

You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.

I've just scanned bitcointalk.org

http://sitecheck.sucuri.net/scanner/ - Clean

https://www.virustotal.com/en/url/7354af8427d7b8d4236356d0bca680ad3186fce415cb51971f3793cee59e4291/analysis/1385144339/ - Clean

However, I found that hpHosts is currently listing bitcointalk.org - i.e. 'Malwarebytes'.

See: http://hosts-file.net/?s=bitcointalk.org this is probably an error and the admin. should contact 'Request removal' for more info.

Not 100% sure how ads are being served here, but it might be to do with temporarily hijacked 3rd party content and/or in relation to linked content.

This report, I suspect is actually a 'false positive'.
newbie
Activity: 56
Merit: 0
https://forums.malwarebytes.org/index.php?showtopic=136963 I reported this earlier as well. Same boat, this just started happening today.

hero member
Activity: 686
Merit: 504
always the student, never the master.
Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? atleast investigate the issue. could have slipped some malware under your nose into the server for all you know.

You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.

Been using it for years, and this is the first time its occured at bitcointalk. Additionally, i searched malware bytes ip database and bitcointalk is not on the list of hosts. I accept that it could be a false positive, but to brush it off without investigation is lazy.
sr. member
Activity: 462
Merit: 250
Free World
I see it has been reported already..

Anyway... theymos explanation does answer why is it being blocked NOW?

I have been MBAMPRO user for more than a few years... and it only blocked the forum THIS MORNING? Just when BTC went OVER $500/USD?


anyway... here is my log... just incase... some one who really cares...

Quote
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54730, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54732, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54734, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54736, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54737, Process: firefox.exe)
2013/11/20 19:44:09 -0800   admin-PC   admin   IP-BLOCK   109.201.133.195 (Type: outgoing, Port: 54738, Process: firefox.exe)
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   Stopping IP protection
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   IP Protection stopped successfully
2013/11/20 19:44:15 -0800   admin-PC   admin   MESSAGE   Starting IP protection
2013/11/20 19:44:16 -0800   admin-PC   admin   MESSAGE   IP Protection started successfully
sr. member
Activity: 448
Merit: 254
atleast investigate the issue. could have slipped some malware under your nose into the server for all you know.

I'm trying not to be too hostile here, but I'm really skeptical and feel like you're deliberately being vague.  What "issue"?  All you've really done is claim there's an infection, speculate on its motives, and give some sort of log without much description of what it is.

So, at least could you say what the log is?  Something has blocked outgoing connections from chrome.exe to bitcointalk.org (109.201.133.195)?  What do the columns mean?  What software produced this log?  Are the port numbers listed from your side or bitcointalk's?  It would indeed be unusual for Chrome to be connecting to high-numbered ports of bitcointalk, but not unusual for high-numbered ports to be the originating port from Chrome as a client.

Sounds like theymos has debunked the log as an overactive general blacklist, not an indication of a new, specific infection on bitcointalk.
administrator
Activity: 5222
Merit: 13032
Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? atleast investigate the issue. could have slipped some malware under your nose into the server for all you know.

You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.
hero member
Activity: 686
Merit: 504
always the student, never the master.
If there is actually a problem with the forum, MalwareBytes can collect a substantial bounty. But they're probably just wrong. Anti-malware companies make money by scaring users into thinking that everything around them is dangerous. The forum has previously been blocked by anti-malware software because you can find download links to stealth mining software here.

Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? atleast investigate the issue. could have slipped some malware under your nose into the server for all you know.
administrator
Activity: 5222
Merit: 13032
If there is actually a problem with the forum, MalwareBytes can collect a substantial bounty. But they're probably just wrong. Anti-malware companies make money by scaring users into thinking that everything around them is dangerous. The forum has previously been blocked by anti-malware software because you can find download links to stealth mining software here.
hero member
Activity: 686
Merit: 504
always the student, never the master.
How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.

Yeah, I see nothing about where it is supposedly "inserted into Bitcointalk", how users can protect themselves, how the forum can clean it...

You're welcome. I expect theymos or someone else to handle it now.
sr. member
Activity: 448
Merit: 254
How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.

Yeah, I see nothing about where it is supposedly "inserted into Bitcointalk", how users can protect themselves, how the forum can clean it...
sr. member
Activity: 476
Merit: 251
COINECT
How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.
hero member
Activity: 686
Merit: 504
always the student, never the master.
Looks like malware distribution to Windows users. I've spoken with one individual who unfortunately was infected. the signature of the bot shows up as "bitcoinminer"(like the false positive in cgminer) and infected paint.exe. upon investigation, i was able to T/V in and determine that it is indeed not a false positive. the malware escalates privilege, opens svc host. unfortunately the bot owner caught wind of my snooping and terminated team viewer. Windows users, be careful.

Download MBAR(Malware Bytes Anti Rootkit) and check your machine out immediately. Seems like the botowner has chosen the forum as a distribution point for an upcoming Ddos attack, a complex layer 7 attack where botnets are used to circumvent convential ddos filters and detection protocols(fits timing, and mo of Person behind a previous attack of this nature on a website i won't disclose.)

Of course, it could just be an attempt to steal the wallets of BCT users.  Cheesy





Code:
2013/11/20 13:10:17 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50537, Process: chrome.exe)
2013/11/20 13:30:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 51720, Process: chrome.exe)
2013/11/20 13:50:14 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 52942, Process: chrome.exe)
2013/11/20 14:10:17 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54343, Process: chrome.exe)
2013/11/20 14:30:20 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 55592, Process: chrome.exe)
2013/11/20 14:50:23 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 56784, Process: chrome.exe)
2013/11/20 15:10:18 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 57917, Process: chrome.exe)
2013/11/20 15:30:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 59123, Process: chrome.exe)
2013/11/20 15:50:16 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 60394, Process: chrome.exe)
2013/11/20 16:10:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 61690, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62478, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62484, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62485, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62486, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62487, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62488, Process: chrome.exe)
2013/11/20 16:19:57 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62491, Process: chrome.exe)
2013/11/20 16:19:57 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62492, Process: chrome.exe)
2013/11/20 16:25:50 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63281, Process: chrome.exe)
2013/11/20 16:25:50 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63282, Process: chrome.exe)
2013/11/20 17:07:48 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49392, Process: chrome.exe)
2013/11/20 17:16:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49914, Process: chrome.exe)
2013/11/20 17:16:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49915, Process: chrome.exe)
2013/11/20 17:16:46 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49960, Process: chrome.exe)
2013/11/20 17:16:46 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49961, Process: chrome.exe)
2013/11/20 17:30:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50879, Process: chrome.exe)
2013/11/20 17:30:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50880, Process: chrome.exe)
2013/11/20 18:43:54 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 55526, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62244, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62245, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62246, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62247, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62313, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62314, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62315, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62316, Process: chrome.exe)
Jump to: