
Topic: Strange happening cutting and pasting a bitcoin address. (Read 505 times)

copper member
Activity: 2338
Merit: 4543
Hmmm, I see this thread was moved and I got no notice of it.  Anyway, I THINK I found the cause.  I run an Oracle Virtualbox WIN10 VM to use as a (LOL) sandbox for questionable items I find in posts on here before I report them as malware or whatever.  It seems that is what bit me and I believe I know where/when I got it.  Unfortunately (or fortunately) the guy was nuked after I reported his post.

After I reboot, I no longer have the issue but, so far, as soon as I load the VM it returns.  That's how it looks at the moment, of course I can easily be proven wrong although I have replicated it about 10x so far.  If that is the case it's easy enough to nuke the VM.

So, you had shared clipboard enabled?
If so, this definitely makes sense. If it isn't, nuking the VM does not necessarily mean your problem is solved.

And for the future, you might want to make sure to disable any interfaces such as shared folders, shared clipboard, network interfaces, etc.


And I am quite sure THIS download https://bitcointalk.org/index.php?topic=5305039.new#new or one similar to it is where it came from.
https://archive.vn/wip/lIP97

Heed bob123's warning!  I use VMs for a variety of things myself, mostly so I can test stuff on Ubuntu and MacOS, and I have those linked to my host PC via shared folders and clipboard, but if you are using a VM for investigating potential malware, make sure to keep that VM isolated.

Deleting that VM might work, but unless you're a wizard with the windows registry and can confirm your host PC hasn't been infected I recommend you nuke the whole system and start from scratch.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
OK that does it. This is the third instance of someone getting compromised by clipboard malware I read these last two weeks. I'm going to write a Windows utility that nukes anything that replaces a BTC address in the clipboard with another address and use sha1 checksums to whitelist legitimate binaries like browsers and wallets.

PLEASE !!!!
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
OK that does it. This is the third instance of someone getting compromised by clipboard malware I read these last two weeks. I'm going to write a Windows utility that nukes anything that replaces a BTC address in the clipboard with another address and use sha1 checksums to whitelist legitimate binaries like browsers and wallets.
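A defender-side sketch of the detection rule this post describes, added here as an example and not the poster's utility: it replays a constructed clipboard history and flags the moment a valid address is silently swapped for a different valid one that keeps the same leading characters. The two address strings are the ones quoted in this thread; the event timings, the 2-second window and the `detect_hijacks`/`Alert` names are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy base58 addresses only (start with 1 or 3, 25 to 34 characters).
ADDR_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{24,33}$")

def is_btc_address(text: str) -> bool:
    """True if text decodes as base58check: version(1) + hash160(20) + checksum(4)."""
    if not ADDR_RE.match(text):
        return False
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return check == raw[21:]

def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two strings have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

@dataclass
class Alert:
    at: float
    copied: str
    replaced_with: str
    prefix_len: int  # how many leading characters the swap preserved

def detect_hijacks(events, window=2.0):
    """Flag a valid address replaced by a different valid one within `window` seconds."""
    # One user copy, two clipboard changes in quick succession: the second is the hijack.
    alerts, prev_t, prev_text = [], None, None
    for t, text in events:
        text = text.strip()
        if (prev_text is not None and text != prev_text and t - prev_t <= window
                and is_btc_address(prev_text) and is_btc_address(text)):
            alerts.append(Alert(t, prev_text, text, shared_prefix_len(prev_text, text)))
        prev_t, prev_text = t, text
    return alerts

# Constructed clipboard history; the two addresses are the ones quoted in the thread.
REAL = "1DBHJEnuh5bQfyWXAJD2T1166AJzViXq2R"
SWAPPED = "1DBHGf7sYMxN1qDa7WwZ5yKng8qJWngxax"
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (12.0, REAL),     # user copies the address from the PM
    (12.1, SWAPPED),  # clipboard rewritten 100 ms later: alert
    (40.0, REAL),     # a later copy that was left alone
    (40.2, "1DBHJEnuh5bQfyWXAJD2T1166AJzViXq2X"),  # last char altered, checksum fails: no alert
]

if __name__ == "__main__":
    for a in detect_hijacks(SAMPLE_EVENTS):
        print(f"t={a.at:.1f}s: {a.copied} -> {a.replaced_with} (first {a.prefix_len} chars kept)")
```

On a live Windows system the events would come from a clipboard-change hook rather than a list; the checksum-whitelisting of known-good binaries mentioned in the post is not covered here.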
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
Hmmm, I see this thread was moved and I got no notice of it.  Anyway, I THINK I found the cause.  I run an Oracle Virtualbox WIN10 VM to use as a (LOL) sandbox for questionable items I find in posts on here before I report them as malware or whatever.  It seems that is what bit me and I believe I know where/when I got it.  Unfortunately (or fortunately) the guy was nuked after I reported his post.

After I reboot, I no longer have the issue but, so far, as soon as I load the VM it returns.  That's how it looks at the moment, of course I can easily be proven wrong although I have replicated it about 10x so far.  If that is the case it's easy enough to nuke the VM.

So, you had shared clipboard enabled?
If so, this definitely makes sense. If it isn't, nuking the VM does not necessarily mean your problem is solved.

And for the future, you might want to make sure to disable any interfaces such as shared folders, shared clipboard, network interfaces, etc.


And I am quite sure THIS download https://bitcointalk.org/index.php?topic=5305039.new#new or one similar to it is where it came from.
https://archive.vn/wip/lIP97
legendary
Activity: 1624
Merit: 2481
Hmmm, I see this thread was moved and I got no notice of it.  Anyway, I THINK I found the cause.  I run an Oracle Virtualbox WIN10 VM to use as a (LOL) sandbox for questionable items I find in posts on here before I report them as malware or whatever.  It seems that is what bit me and I believe I know where/when I got it.  Unfortunately (or fortunately) the guy was nuked after I reported his post.

After I reboot, I no longer have the issue but, so far, as soon as I load the VM it returns.  That's how it looks at the moment, of course I can easily be proven wrong although I have replicated it about 10x so far.  If that is the case it's easy enough to nuke the VM.

So, you had shared clipboard enabled?
If so, this definitely makes sense. If it isn't, nuking the VM does not necessarily mean your problem is solved.

And for the future, you might want to make sure to disable any interfaces such as shared folders, shared clipboard, network interfaces, etc.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
Hmmm, I see this thread was moved and I got no notice of it.  Anyway, I THINK I found the cause.  I run an Oracle Virtualbox WIN10 VM to use as a (LOL) sandbox for questionable items I find in posts on here before I report them as malware or whatever.  It seems that is what bit me and I believe I know where/when I got it.  Unfortunately (or fortunately) the guy was nuked after I reported his post.

 After I reboot, I no longer have the issue but, so far, as soon as I load the VM it returns.  That's how it looks at the moment, of course I can easily be proven wrong although I have replicated it about 10x so far.  If that is the case it's easy enough to nuke the VM.

legendary
Activity: 1624
Merit: 2481
No shit.  WOW!  I've run malwarebytes and norton and it always was clean.

Small correction:

Your PC was not compromised with malware that was known to malwarebytes and norton.
This does not mean that it is/was clean.

AVs only recognize already well-known malware or very obvious ones.
It's not that hard to make it undetectable by standard AV engines.

An AV can only confirm that a device is compromised, but not that it is clean.


You should definitely make a backup of your most important files and format your hard drive reinstalling your OS.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
This may sound far fetched but it is possible that this particular clipboard hijacker is using a vanity address generator under the hood to generate an address that starts with the same couple of characters
That's not far fetched, it's quite likely. Either that, or it has a list of pre-created addresses. Or maybe it connects to a server to fetch a fresh address as needed.

Not necessarily. Search can start from a fixed hard-coded key
That would mean you can extract that hard-coded key and recover your funds (and funds of other victims too). Given that the funds haven't moved, it doesn't look like the attacker is in a rush to secure the funds.



I made a topic about this last year: How to lose your Bitcoins with CTRL-C CTRL-V.
legendary
Activity: 3472
Merit: 10611
That's what I theorized at the start. However, such implementations will inevitably need the private keys to be sent to the C&C which will result in more detection by AVs.
Not necessarily. Search can start from a fixed hard-coded key and only for a small number of characters which means all the produced keys will be very close to that starting key and the attacker has to only watch those keys without needing to send anything over the internet.
For example from "9827eaed4d6ab8c0b78d4b73786a7696491fe8d02f2713a3c9977caf8202387c" (a random key) it only takes 8206 increments to find a key that has an address that starts with "1DBH" (checking both compressed and uncompressed pubs).
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
This may sound far fetched but it is possible that this particular clipboard hijacker is using a vanity address generator under the hood to generate an address that starts with the same couple of characters in order to increase its chance of fooling the victim into thinking the pasted address is the same one as copied (if they only check the start):
Code:
1DBHG... (malicious)
1DBHJ... (real)

This could explain why it takes multiple tries to be able to paste the correct address.
If that's the case it could be detected by checking the CPU activity which should spike immediately after an address is copied. It would be a big spike but for a very short time.
That's what I theorized at the start. However, such implementations will inevitably need the private keys to be sent to the C&C which will result in more detection by AVs. From what I observed, most of the stealthy ones will have a list of addresses (a huge list) to choose from. I think the more plausible explanation is for the malware to have a randomized replacement (i.e. a malicious address every x tries).
legendary
Activity: 3472
Merit: 10611
Well I figure if I go back into the PM here I got the correct address from and try copy/paste it again and if it works without problem I would hopefully be OK.

That could be misleading. You already noticed it doesn't happen every time. Who knows if the malware doesn't have some logic in it to avoid detection and not replace the same address in certain circumstances. Or if it doesn't have other nasties in it like keyloggers or ransomware. Play it safe and start from scratch.
This may sound far fetched but it is possible that this particular clipboard hijacker is using a vanity address generator under the hood to generate an address that starts with the same couple of characters in order to increase its chance of fooling the victim into thinking the pasted address is the same one as copied (if they only check the start):
Code:
1DBHG... (malicious)
1DBHJ... (real)

This could explain why it takes multiple tries to be able to paste the correct address.
If that's the case it could be detected by checking the CPU activity which should spike immediately after an address is copied. It would be a big spike but for a very short time.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
Although after a reboot there is no problem.

Pay attention to Suchmoon's warning...
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
sandy, what OS are you using?

If Windows 10, there are a limited number of registry entries that can do this.  If you have 40 years PC experience, you could try cleaning that way.

There is a chance your BIOS could be affected as well, meaning you could reinfect the computer after reinstall.  If you don't have a super complicated system, it would be prudent to flash / re-flash the BIOS to the latest version - before you format your hard drive for reinstall.  

Latest Win10 update on a MSI motherboard.  I guess to be safe I can also reflash the BIOS.  Although after a reboot there is no problem.

Edit:  Been using AUTORUNS utility and nothing strange is OBVIOUS. Well actually 36 years.  NOT highly technical but can get around pretty well.  Makes my husband jealous I know more than him.

Goodnight!  I've had enough for today. I'll unplug this from the switch.

Thanks everyone! 
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
Well I figure if I go back into the PM here I got the correct address from and try copy/paste it again and if it works without problem I would hopefully be OK.

That could be misleading. You already noticed it doesn't happen every time. Who knows if the malware doesn't have some logic in it to avoid detection and not replace the same address in certain circumstances. Or if it doesn't have other nasties in it like keyloggers or ransomware. Play it safe and start from scratch.

True ....  and I will  but just for fun I rebooted and tried the same BTC address and now it is OK.

1DBHJEnuh5bQfyWXAJD2T1166AJzViXq2R  1DBHJEnuh5bQfyWXAJD2T1166AJzViXq2R  1DBHJEnuh5bQfyWXAJD2T1166AJzViXq2R  1DBHJEnuh5bQfyWXAJD2T1166AJzViXq2R 

I guess I'll just have to deal with this.  It's due for a clean install anyway.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
sandy, what OS are you using?

If Windows 10, there are a limited number of registry entries that can do this.  If you have 40 years PC experience, you could try cleaning that way.

There is a chance your BIOS could be affected as well, meaning you could reinfect the computer after reinstall.  If you don't have a super complicated system, it would be prudent to flash / re-flash the BIOS to the latest version - before you format your hard drive for reinstall. 
legendary
Activity: 3654
Merit: 8909
https://bpip.org
Well I figure if I go back into the PM here I got the correct address from and try copy/paste it again and if it works without problem I would hopefully be OK.

That could be misleading. You already noticed it doesn't happen every time. Who knows if the malware doesn't have some logic in it to avoid detection and not replace the same address in certain circumstances. Or if it doesn't have other nasties in it like keyloggers or ransomware. Play it safe and start from scratch.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
First thing I'm going to do is a restore from a full hard-drive backup from a week ago and see if it happens.  At least that might save me some time.  Will it still happen if I disconnect from the internet so I can tell if it is still infected?
Behavior likely persists with internet or not. The clipboard malware that I've looked at has a whole list of addresses embedded and it'll pick a similar address from the list when it detects a Bitcoin address in the clipboard. It doesn't require internet.

I think it won't be completely safe given how you can't identify the source of infection and your antivirus is not showing anything.
Well I figure if I go back into the PM here I got the correct address from and try copy/paste it again and if it works without problem I would hopefully be OK.
copper member
Activity: 2562
Merit: 2510
Spear the bees
I think it won't be completely safe given how you can't identify the source of infection and your antivirus is not showing anything.
False positives in this case are far more damaging than false negatives.

One idea would be to use this opportunity to create an air-gapped wallet: you can sign transactions from the offline device and broadcast them from another.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
First thing I'm going to do is a restore from a full hard-drive backup from a week ago and see if it happens.  At least that might save me some time.  Will it still happen if I disconnect from the internet so I can tell if it is still infected?
Behavior likely persists with internet or not. The clipboard malware that I've looked at has a whole list of addresses embedded and it'll pick a similar address from the list when it detects a Bitcoin address in the clipboard. It doesn't require internet.

I think it won't be completely safe given how you can't identify the source of infection and your antivirus is not showing anything.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
First thing I'm going to do is a restore from a full hard-drive backup from a week ago and see if it happens.  At least that might save me some time.  Will it still happen if I disconnect from the internet so I can tell if it is still infected?
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
My guess is you are infected with malware. You should stop using the computer/device that you are encountering this issue on immediately. You should especially not enter any passwords, or unlock any encryption keys, as they may become compromised.

This is assuming you have never interacted with the ...xax address in the past. If for whatever reason, you were previously interacting with this address and intentionally had the address in your clipboard, this could be an issue with your keyboard, or with your computer's ability to recognize a "copy" command.

Haven't sent any coin in months.  First time. Oh well, I'll be busy for the next couple days. Bah Humbug
Follow ranochigo's advice. Stop using whatever device you encountered this issue on immediately. If you can, use an entirely new device and start fresh. Otherwise, use a second device to reformat your hard drive. You should not trust any output that the affected device displays.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
My guess is you are infected with malware. You should stop using the computer/device that you are encountering this issue on immediately. You should especially not enter any passwords, or unlock any encryption keys, as they may become compromised.

This is assuming you have never interacted with the ...xax address in the past. If for whatever reason, you were previously interacting with this address and intentionally had the address in your clipboard, this could be an issue with your keyboard, or with your computer's ability to recognize a "copy" command.

Haven't sent any coin in months.  First time. Oh well, I'll be busy for the next couple days. Bah Humbug
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
I've run malwarebytes and norton and it always was clean.  I have multiple backups.  Is there any way to determine when it happened?
I don't trust antiviruses for that reason. They only flag malware based on the corresponding signatures and/or the program's behaviors when in runtime. It is not difficult to evade the detection using ciphers or disabling the behavior when inside the sandbox or antivirus scans, etc.

It'll be pretty difficult to determine when you were infected, especially if the malware was well made. Have you run any unknown programs recently?
What do you mean by "reset my accounts?"
Change your password. Some malware has a keylogger together with it. I'll assume the entire computer and whatever information that you've ever typed in the computer to be compromised.
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
My guess is you are infected with malware. You should stop using the computer/device that you are encountering this issue on immediately. You should especially not enter any passwords, or unlock any encryption keys, as they may become compromised.

This is assuming you have never interacted with the ...xax address in the past. If for whatever reason, you were previously interacting with this address and intentionally had the address in your clipboard, this could be an issue with your keyboard, or with your computer's ability to recognize a "copy" command.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
Clipboard malware. It'll replace any addresses that you see with an address that is visually similar in terms of the firstbits. Format your PC and reset your accounts and you'll be fine.
No shit.  WOW!  I've run malwarebytes and norton and it always was clean.  I have multiple backups.  Is there any way to determine when it happened?  What do you mean by "reset my accounts?"  40yrs using a PC and probably the first time that's happened to me.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
Clipboard malware. It'll replace any addresses that you copy to the clipboard with one that is visually similar in terms of the firstbits. Format your PC (re-install your OS) and reset your accounts and you'll be fine.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
Wonder if anyone can explain this mystery.

I sent around $40 to the following BTC address and, like 90% of the time, when I copied and pasted it, it came up totally different, ending in xax below.  I ended up sending to the wrong address (ending in xax).

Trying to paste and THIS IS THE WRONG ADDRESS that keeps coming up.  Trying to copy and paste the CORRECT address and I cannot until the 6th try!!!
1DBHGf7sYMxN1qDa7WwZ5yKng8qJWngxax
1DBHGf7sYMxN1qDa7WwZ5yKng8qJWngxax
1DBHGf7sYMxN1qDa7WwZ5yKng8qJWngxax
1DBHGf7sYMxN1qDa7WwZ5yKng8qJWngxax
1DBHGf7sYMxN1qDa7WwZ5yKng8qJWngxax

1DBHJEnuh5bQfyWXAJD2T1166AJzViXq2R  <----------------------  OK AFTER 5 ATTEMPTS HERE IS THE ACTUAL CORRECT ADDRESS I HAVE BEEN TRYING TO COPY that was sent to me that ended up what you see above.

1DBHGf7sYMxN1qDa7WwZ5yKng8qJWngxax  here we go again. I paste it and it comes up different but always the same as the first 5 tries. So bottom line I ended up sending to the wrong address.

This is the hash from the transaction that went to the above incorrect address:

32928cf78fe78f98a0674e08f69538bdac5146ce557489db8dfdcd4b9bc866fa

I even made a screen video of it happening to make sure I wasn't hallucinating.