[WARNING] Malicious Armory Website Clone Found

malevolent

legendary

Activity: 3472

Merit: 1724

Quote from: etotheipi on November 23, 2013, 06:11:26 PM

So the btcarmory.org has been suspended and is empty. However I was able to pull off the "installers" using a VM before it was taken down, and currently have them in a tar archive waiting for... something! Anyone have recommendations for how to go about analyzing the executables and figuring out what they do? I'm super interested to know how they decided to "attack" you. Whether it was simple wallet stealing, some kind of trojan, or maybe even unrelated malware that does other things.

I know there's only so much you can do with a compiled binary, but I suspect there are people that know how to properly isolate and monitor the executable while it's running. I'm envisioning low-level tracing of system calls, network accesses, disk accesses, etc, while running it in a VM.

I'm not going to post the malware downloads publicly, but if someone has background to analyze them, or connections that do, I'll be happy to send them. I have both a Windows .exe, and more interestingly (to me) a Linux/ELF "armoryamd64.out".

Remember that it might behave differently under a VM if the author of the malware foresaw people would want to find out how it works under the hood.

BlackBison

sr. member

Activity: 250

Merit: 250

Brilliant, thanks alot! Grin

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Quote from: BlackBison on November 23, 2013, 06:17:25 PM

Sorry to change the topic, but any news on when you are going to release the 'lighter' armory client that runs on lower spec (less RAM) pcs?

Keep up the excellent work.

The latest testing version is stable and already posted on the website. Just a little bit more polishing and we'll have an official release next week for Windows and Linux (having serious issues with OSX, so that might be a bit longer). If you want to know or discuss it any more, continue over at the RAM-Reduction Thread.

BlackBison

sr. member

Activity: 250

Merit: 250

Hi etotheipi,

Sorry to change the topic, but any news on when you are going to release the 'lighter' armory client that runs on lower spec (less RAM) pcs?

Keep up the excellent work.

Thanks.

Moebius327

hero member

Activity: 770

Merit: 500

Quote from: etotheipi on November 23, 2013, 06:11:26 PM

So the btcarmory.org has been suspended and is empty. However I was able to pull off the "installers" using a VM before it was taken down, and currently have them in a tar archive waiting for... something! Anyone have recommendations for how to go about analyzing the executables and figuring out what they do? I'm super interested to know how they decided to "attack" you. Whether it was simple wallet stealing, some kind of trojan, or maybe even unrelated malware that does other things.

I know there's only so much you can do with a compiled binary, but I suspect there are people that know how to properly isolate and monitor the executable while it's running. I'm envisioning low-level tracing of system calls, network accesses, disk accesses, etc, while running it in a VM.

I'm not going to post the malware downloads publicly, but if someone has background to analyze them, or connections that do, I'll be happy to send them. I have both a Windows .exe, and more interestingly (to me) a Linux/ELF "armoryamd64.out".

I am interested at this as well.

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

So the btcarmory.org has been suspended and is empty. However I was able to pull off the "installers" using a VM before it was taken down, and currently have them in a tar archive waiting for... something! Anyone have recommendations for how to go about analyzing the executables and figuring out what they do? I'm super interested to know how they decided to "attack" you. Whether it was simple wallet stealing, some kind of trojan, or maybe even unrelated malware that does other things.

I know there's only so much you can do with a compiled binary, but I suspect there are people that know how to properly isolate and monitor the executable while it's running. I'm envisioning low-level tracing of system calls, network accesses, disk accesses, etc, while running it in a VM.

I'm not going to post the malware downloads publicly, but if someone has background to analyze them, or connections that do, I'll be happy to send them. I have both a Windows .exe, and more interestingly (to me) a Linux/ELF "armoryamd64.out".

Mike Christ

legendary

Activity: 1078

Merit: 1003

I was wondering why there were two websites for armory; I guess I got lucky!

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Amazing! I didn't think it would be this easy! We were told this would be difficult to deal with, but apparently it doesn't have to be hard.

Our email:

Quote

To: [email protected]
Subject: Suspend Service/Takedown Notice: Trademark Violation

Good afternoon,

The website "www.btcarmory.org" is currently a registered domain of internet.bs.

I'm writing to issue a Suspend Service and Takedown notification for (www.btcarmory.org) that is in violation of Trademark law. These individuals have cloned the website listed at www.bitcoinarmory.com and are using it illegally. I have attached a copy of the original www.bitcoinarmory.com website. We're requesting immediate revocation and takedown action at this time. Please acknowledge receipt of this correspondence and advise with any questions. Thank You.

Reply:

Quote

Dear Armory Technologies, Inc.,

We have suspended it.

Best regards,
--
Internet.bs Corp. - Support Team
ICANN Registrar
http://www.INTERNET.bs

The malicious website is already offline. I wonder if they will attempt to fight the suspension...

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Please only download Armory Bitcoin Wallet from https://bitcoinarmory.com

We have identified a clone website which provides malicious download links for our software. All software and communications by Armory Technologies, Inc, will happen via the domain bitcoinarmory.com. There are no other domains under which we operate! We use the following [offline] GPG key to sign all software releases, and sign all employees' GPG keys:

Armory "Offline Signing Key": 0x98832223
(please do not use this key for encrypting email to us -- only for authenticating software and employees!)

Armory is a tool for advanced users, holding serious quantities of money -- please make sure you download the correct version and verify hashes & signatures before installing it! There are instructions at the bottom of our downloads page that describe how to verify the signatures in Linux. Windows is a bit harder, but possible if you install gpg4win and verify the SHA256 hashes file.

P.S. - I am not posting the link to the malicious site here, because it's unnecessary and I'd prefer people only be exposed to the good domain. If you have a reason for it (such as doing a security investigation), please contact me.

Topic: [WARNING] Malicious Armory Website Clone Found (Read 2030 times)