Topic: SCAM alert! The coin creator software by Xevox is a wallet stealer! (Read 3701 times)

sr. member
Activity: 259
Merit: 250
I just noticed that someone has sent me a tip and covered my losses (several days ago)! I don't know who you are, but I want to thank you! This was a huge surprise to me!

It was the first time I opened my LTC wallet after I deleted the old one and created this new one, just to notice there are some great people in this forum!
sr. member
Activity: 259
Merit: 250
Some years ago I tried an AV from Kaspersky that would ask me for confirmation for ANY suspicious event:
"do you want to allow this registry write?"
"X wants to read the registry"
"Y wants to access the internet"

It was totally unbearable; after a few days I got rid of it, because I was blindly allowing everything.
sr. member
Activity: 259
Merit: 250
Do you have any idea how incredibly laggy your computer would become if the AV started to decompile EVERY SINGLE EXECUTABLE to see if there's malicious intent?
What real-time protection does is compare the executable to a known list of malware.
And then, even if such an antivirus did exist (but nobody would ever buy it), virus writers would simply encrypt/obfuscate their app and that would make it useless.

A firewall could have stopped the FTP uploading process, but the average user would have dismissed the "are you sure to allow..." dialog in a heartbeat, without even reading it.
legendary
Activity: 1806
Merit: 1003
While scanning can be done without executing the program.

Did you see the code? With such simple code, the antivirus would report 95% of software as suspicious, and the users will click "run anyway" without reading.
About warnings, since he is using Windows, OP totally ignored the Microsoft SmartScreen warning saying that this is an untrusted app from the internet.
Do you think that another warning, which would appear when running almost every app downloaded from the net, would have been more effective?

And also, don't forget that the app is compiled, would you accept a delay of 3-4 seconds in opening every app because the AV has to check if the decompiled code is "safe"? (and also must check in the future, against tamperings)

95% of software does not upload your local files to a remote FTP, so it won't trigger this warning.

I was talking about scanning the file without executing it. The "run time scanner" doesn't have to be this thorough, but there's no reason for the regular scanner not being able to spend the time to decompile and warn. I think most people would depend on the "regular scanner" to scan unknown files; they don't usually just execute unknown files from the Internet and pray the "run time scanner" can intercept bad things.
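The "scan it without executing it" idea argued over in the posts above, as an added example that is not from this thread or from any real AV product: a pre-execution string scan of a .NET binary that only raises a warning when wallet-file paths and FTP upload indicators appear together, so a plain FTP client or a wallet tool on its own stays quiet. The sample bytes are constructed stand-ins built inline, not the CoinGen.exe file; the marker lists and the BSJB/UTF-16LE heuristics are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Indicators a static scanner could key on for this thread's scenario:
# a .NET console app that reads wallet files and pushes them to an FTP server.
UPLOAD_MARKERS = ["FtpWebRequest", "ftp://", "UploadFile"]
WALLET_MARKERS = ["wallet.dat", "\\Litecoin\\", "\\Bitcoin\\"]

def extract_strings(data: bytes, min_len: int = 5) -> list[str]:
    """Pull printable ASCII and UTF-16LE strings out of raw bytes.
    .NET stores user string literals as UTF-16LE (the #US heap), so an
    ASCII-only extractor would miss 'wallet.dat' inside a C# binary."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in utf16_re.finditer(data)]
    return found

@dataclass
class Verdict:
    is_pe: bool
    is_dotnet: bool
    upload_hits: list[str] = field(default_factory=list)
    wallet_hits: list[str] = field(default_factory=list)

    @property
    def level(self) -> str:
        if self.upload_hits and self.wallet_hits:
            return "warn"   # touches wallets AND talks FTP: ask the user first
        if self.upload_hits or self.wallet_hits:
            return "info"   # an FTP client or a wallet tool: expected, no alarm
        return "clean"

def scan(data: bytes) -> Verdict:
    """Static pass: PE magic, CLI metadata signature, then indicator strings."""
    v = Verdict(is_pe=data[:2] == b"MZ", is_dotnet=b"BSJB" in data)
    for s in extract_strings(data):
        for m in UPLOAD_MARKERS:
            if m.lower() in s.lower() and m not in v.upload_hits:
                v.upload_hits.append(m)
        for m in WALLET_MARKERS:
            if m.lower() in s.lower() and m not in v.wallet_hits:
                v.wallet_hits.append(m)
    return v

def fake_pe(*literals: str) -> bytes:
    """CONSTRUCTED stand-in for a .NET PE: MZ header, BSJB metadata signature,
    then string literals laid out as the C# compiler would store them."""
    body = b"MZ" + b"\x00" * 62 + b"BSJB"
    return body + b"".join(s.encode("utf-16le") + b"\x00\x00" for s in literals)

STEALER_SAMPLE = fake_pe("%APPDATA%\\Litecoin\\wallet.dat", "ftp://example.invalid/up/", "FtpWebRequest")
FTP_CLIENT_SAMPLE = fake_pe("ftp://example.invalid/", "FtpWebRequest", "Connected.")
```

Running `scan(STEALER_SAMPLE).level` gives "warn" while the FTP-client sample only gives "info", which is the distinction the post argues a regular scanner could make before anything runs.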
sr. member
Activity: 259
Merit: 250
While scanning can be done without executing the program.

Did you see the code? With such simple code, the antivirus would report 95% of software as suspicious, and the users will click "run anyway" without reading.
About warnings, since he is using Windows, OP totally ignored the Microsoft SmartScreen warning saying that this is an untrusted app from the internet.
Do you think that another warning, which would appear when running almost every app downloaded from the net, would have been more effective?

And also, don't forget that the app is compiled, would you accept a delay of 3-4 seconds in opening every app because the AV has to check if the decompiled code is "safe"? (and also must check in the future, against tamperings)
legendary
Activity: 1806
Merit: 1003
Why not? The program takes multiple files from the user's computer and uploads them to a remote FTP; that seems pretty malicious to me, or at least warrants a BIG RED warning to the user:
"This program will try to upload your files to a remote FTP, if this is not the desired behavior, don't fucking run it".

So, any software that has libraries to access FTP (browsers, ftp clients, file uploaders, dropbox clones, html editors) will be detected as virii?
This is social engineering, only a human can detect it.
Next time the OP will install a good firewall like this http://www.sphinx-soft.com/Vista/order.html or run unknown software in a virtual machine

Not detected as a virus, but just pop up a warning, then the user will know if the program is doing what it is supposed to do. A firewall is basically the same thing: it will pop up a warning when the program first tries to upload something. The downside to a firewall is that it only works when the program has already run, and the firewall could fail to work. While scanning can be done without executing the program.
legendary
Activity: 1632
Merit: 1010
The funny part is that people come and post "these scumbags!" and stuff, but in reality at least 1 of these people commenting is a thief too, if not more.
sr. member
Activity: 259
Merit: 250
jukka - gotta say you've done a great job with exposing this fraudster.

A lot of people wouldn't have been able to notice what you did and you've likely saved many people from losing a lot of money. Credit where credit is due!!!



Thank you! I really appreciate it!
member
Activity: 109
Merit: 35
jukka - gotta say you've done a great job with exposing this fraudster.

A lot of people wouldn't have been able to notice what you did and you've likely saved many people from losing a lot of money. Credit where credit is due!!!

sr. member
Activity: 259
Merit: 250
What about this other question I had regarding the product you proposed:

Regarding the FW is free version enough for a regular user?

yes
it will ask you permission to access the internet for ANY application on your pc (hence, for the first two weeks it is extremely annoying, as it will ask for ANY app, even system apps)

Ok, I will check that! Thanks!
newbie
Activity: 28
Merit: 0
Thank you for reminding me.
I will be away from this coin, thank you.
sr. member
Activity: 259
Merit: 250
What about this other question I had regarding the product you proposed:

Regarding the FW is free version enough for a regular user?

yes
it will ask you permission to access the internet for ANY application on your pc (hence, for the first two weeks it is extremely annoying, as it will ask for ANY app, even system apps)
sr. member
Activity: 345
Merit: 250
For those who would like to examine the virus, here is a link of the original file. Please don't run the CoinGen.exe

Thanks for uploading this file so we can have a look at it for ourselves.
sr. member
Activity: 539
Merit: 250
When I scanned it with VirusTotal, it reported 1 red flag.

Well that goes to show that you cannot trust virus total. Last time I trust that bitch.

You do know that VirusTotal scans with 52 antivirus engines, so if you can't trust VirusTotal you can't trust any virus protection software ever made.

Best to use new shady software on a computer separate from your main system.
sr. member
Activity: 259
Merit: 250
I think the FTP password changed sadly, would be interesting to see what is stored on the scammers account.

I know the LTC address the fucker is using but I think that I will keep that as my little secret. God damn, a whole pint of beer! That is robbery!
sr. member
Activity: 476
Merit: 250
I think the FTP password changed sadly, would be interesting to see what is stored on the scammers account.
sr. member
Activity: 259
Merit: 250
I'll never understand these morons. He did all that work for 1 Litecoin. If he actually directed his energy towards something good, he could've made way more money with those programming skills. And now he's going to hell, if there is a hell.

Hey! It was my precious litecoin you are now talking about! Smiley

But honestly, he could have made more if he had not become greedy and asked for BTC for the application, and yes, I also like to think that maybe I helped somebody by telling about this and decompiling the code.

However, some people, even in this thread, have been attacking me for opening this thread (and yes, also for requesting a little donation (haven't got anything though)). It looks like in this forum it is OK to just beg for coins in some thread but not to ask for a donation if you have lost something and by doing that maybe helped others!

It really makes me sad!
legendary
Activity: 3248
Merit: 1070
I'll never understand these morons. He did all that work for 1 Litecoin. If he actually directed his energy towards something good, he could've made way more money with those programming skills. And now he's going to hell, if there is a hell.

He can just make another aka and create a client with a wallet stealer, which is even worse.
sr. member
Activity: 259
Merit: 250
But applications which upload wallets could at least be warned about!

From a computer's point of view, the wallet is just a file.
Suppose you want to copy the wallet to another computer: is this a legitimate action, or is it a virus?
How can an antivirus make such decisions? What an AV does is just compare it to a known list of malware, or detect something suspicious, like editing critical files or placing itself in autorun.

Ok, I (CLEARLY) Smiley am not an expert in this area Smiley

What about this other question I had regarding the product you proposed:

Regarding the FW is free version enough for a regular user?
sr. member
Activity: 259
Merit: 250
When I scanned it with VirusTotal, it reported 1 red flag.

Well that goes to show that you cannot trust virus total. Last time I trust that bitch.

VT is junk. Upload to malwr and you would have seen very clearly.
Common sense would have been the best defense though.

Tested this and here is the result, so that could not have helped either!


    Error: Analysis failed: The package "modules.packages.exe" start function raised an error: Unable to execute initial process, analysis aborted

File Details
File Name    CoinGen.exe
File Size    500736 bytes
File Type    PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5    c2ab580d501cbc47d5cebd920abb2e84
SHA1    bf990585b666e8dc0084aa6ef079e14c747e002e
SHA256    dab61b5f3270ca9b72540a29b1f7777e147fb543a4e87cc33378dafcafb20ccf
SHA512    6fbe68e3c64e81029bfa1de8beaefed9cca7b6a5c735ec339419b5addac9363773cd159b325d317 b3c94bade9d4b834844872bdf6cd2fb3b08b863897bb89778
CRC32    B5DA53E1
Ssdeep    12288:gzn45Ov0iZJxBy18nBHhfivB8HGEBzkSyD2k/kwHlbjaqOwr4b9JBQ2Y6MCIaZf2:5
Yara    None matched