Topic: XXXNEWCOIN TROJAN (Read 1282 times)

newbie
Activity: 1
Merit: 0
January 30, 2014, 11:27:33 AM
#12
> Small update regarding "Bitboom"
>
> Feel free to (ab)use this info.

Thank you for accusing me and doing a hell of a job framing someone.

The IP is TurkTelecom... I, on the other hand, am from Israel, not the same area in the world.
I do develop C# a bit (see the Q&A on Stack Overflow), not on the level of making malware.
I would really appreciate it if you removed the links and my name...

I don't use Bitcoin, nor am I involved in anything like "this", so be kind and don't point fingers at people with your crap "detective" work.
IP = TurkTelecom, my Stack Overflow profile = Israel... not too hard to tell the two apart.
legendary
Activity: 2632
Merit: 1023
March 09, 2013, 05:53:04 PM
#11
> I'm surprised that no one has released an altcoin with malware in the binaries, but clean source on github.  I always build altcoins from source, and perform a quick audit of the commits on top of bitcoin to check if there is anything fishy.

We probably should have some sort of pure binary file checker or something.

hero member
Activity: 840
Merit: 1000
March 09, 2013, 05:28:03 PM
#10
I'm surprised that no one has released an altcoin with malware in the binaries, but clean source on github.  I always build altcoins from source, and perform a quick audit of the commits on top of bitcoin to check if there is anything fishy.
sr. member
Activity: 476
Merit: 250
March 09, 2013, 12:34:54 PM
#9
You are awesome, Nicolai. Thanks.
newbie
Activity: 39
Merit: 0
March 09, 2013, 12:31:56 PM
#8
Small update regarding "Bitboom"

Decompiling shows the malware is "DarkComet", which has been 'crypted' with some crappy C# "crypter" two times.

I have submitted all samples to VirusTotal (so all AV companies can add detection for this malware).

If anyone has the time/desire, please contact TurkTelecom and tell them that the IP "85.107.169.23" spreads malware.
Also please help me get this malware removed from SourceForge by using the Report Abuse function: https://sourceforge.net/projects/bitboom/report_inappropriate

The malware was uploaded to SF by someone called "iakovl". Google this name and you find a similar Stack Overflow profile; looking at the questions he has asked, you'll see that he's a C# developer: http://stackoverflow.com/users/501160/iakovl?tab=questions (just like the "wrapper" of the malware was written in).

Feel free to (ab)use this info. See below; however, the TurkTelecom IP is most likely some random hacked computer in Turkey.
newbie
Activity: 35
Merit: 0
March 09, 2013, 09:55:42 AM
#7
Nice detective work there!
newbie
Activity: 39
Merit: 0
March 09, 2013, 09:40:14 AM
#6
Bitboom:

Virustotal analysis:
 * Detection ratio: 7 / 43

Sandbox analysis:
 * Creates an auto-startup entry (so it runs every time you start your computer)
 * Connects to bekiap3332424.sytes.net (85.107.169.23 = TurkTelecom) port 1604 (this is the malware's C&C)

Reverse Engineering:
 * Program has two embedded resources: windows.rtf ("buffer") and windows1.rtf ("rawAssembly"), which are copied to memory and then decompressed (this is a common trick to avoid AV detection)

This is clearly malware.
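The "compressed resource copied to memory and decompressed" pattern described in the analysis above is easy to triage with a script. The following is an added example, not the poster's tooling and not code from the Bitboom project: it scans a byte blob for gzip/zlib streams, inflates only streams that are complete (valid trailer and CRC, so random byte runs that happen to match a magic are ignored), and reports any that inflate to a PE image. The carrier blob, the resource text and the "fake PE" inside it are constructed for the example; the resource names from the post are only mimicked.

```python
import gzip
import math
import struct
import zlib

# Byte signatures that usually mark a compressed blob hidden inside a resource.
GZIP_MAGIC = b"\x1f\x8b\x08"
ZLIB_MAGICS = (b"\x78\x01", b"\x78\x9c", b"\x78\xda")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted data sits near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_inflate(data: bytes):
    """Inflate a gzip or zlib stream that starts at data[0], or return None.

    wbits=32+15 lets zlib auto-detect either header; bytes after the end of the
    stream are ignored.  Only a complete stream (d.eof) is accepted, so a random
    byte run that matches a magic does not yield a garbage 'payload'."""
    d = zlib.decompressobj(wbits=32 + zlib.MAX_WBITS)
    try:
        out = d.decompress(data)
    except zlib.error:
        return None
    return out if d.eof else None


def find_hidden_payloads(blob: bytes, min_size: int = 64):
    """Scan a blob (e.g. an extracted .rtf resource) for compressed streams and
    report each one, flagging those that inflate to a PE image (the
    'rawAssembly' pattern: a compressed executable loaded from memory)."""
    findings = []
    for magic in (GZIP_MAGIC,) + ZLIB_MAGICS:
        start = 0
        while True:
            off = blob.find(magic, start)
            if off == -1:
                break
            start = off + 1
            inflated = try_inflate(blob[off:])
            if inflated is None or len(inflated) < min_size:
                continue
            findings.append({
                "offset": off,
                "container": "gzip" if magic == GZIP_MAGIC else "zlib",
                "inflated_size": len(inflated),
                "inflated_entropy": round(shannon_entropy(inflated), 2),
                "is_pe": looks_like_pe(inflated),
            })
    return findings


def build_fake_pe(size: int = 512) -> bytes:
    """Constructed stand-in for a dropped executable: a DOS header with
    e_lfanew = 0x40, the PE signature, then filler.  Not a real binary."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    filler = bytes(range(256)) * ((size - 0x44) // 256 + 1)
    return bytes(dos) + b"PE\x00\x00" + filler[: size - 0x44]


# Constructed carrier mimicking a "windows1.rtf"-style resource: RTF-looking
# text, padding, a gzip-compressed executable, then more filler.
CARRIER = (
    b"{\\rtf1\\ansi Bitboom release notes}\r\n"
    + b"A" * 200
    + gzip.compress(build_fake_pe(), mtime=0)
    + b"\x00" * 64
    + b"trailing resource data\r\n"
)

if __name__ == "__main__":
    for finding in find_hidden_payloads(CARRIER):
        print(finding)
```

On a real sample you would feed each extracted resource (or the whole file) to `find_hidden_payloads`; a resource with a `.rtf` name that inflates to a PE is the concrete indicator the post describes, and the inflated bytes are what you then hash and submit rather than the outer crypter.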
legendary
Activity: 2632
Merit: 1023
March 09, 2013, 03:51:54 AM
#5
> Or a fake wallet.
>
> sourceforge.net/projects/bitboom/
>
> I'm glad to see 0 downloads anyway.

Wow, yeah!!!!
sr. member
Activity: 476
Merit: 250
March 09, 2013, 03:48:06 AM
#4
Or a fake wallet.

sourceforge.net/projects/bitboom/

I'm glad to see 0 downloads anyway.
legendary
Activity: 2632
Merit: 1023
March 09, 2013, 03:45:38 AM
#3
> I keep thinking the same.  But I'm more worried a BTC client will have a backdoor.  Always use open source.

Are there enough people checking the open source, though? I mean Bitcoin-Qt, yeah.

But what about MultiBit (I think probably).

Terracoin? Nope, I doubt it.

Setting a mining rig up is one thing, but being a good programmer is another.

Being a good C++/Java programmer with a crypto background who will really take the time to look at the code: very few people here.

Hmmm..... the Terracoin website screams dodgy to me.

(Disclosure: I purchased a few 100 TC on VIR.)

So I am talking myself down here.
legendary
Activity: 1078
Merit: 1003
March 09, 2013, 03:04:07 AM
#2
I keep thinking the same.  But I'm more worried a BTC client will have a backdoor.  Always use open source.
legendary
Activity: 2632
Merit: 1023
March 09, 2013, 03:03:03 AM
#1
At what point will someone release a "new coin" that is easily mined, but contains a trojan/virus of some sort that gets your keys if not air-gapped, or does something to your control of your computer....

e.g. Terracoins? Has anyone even looked at the source code??

People just install this stuff hoping to get lots of coins early....

It's going to happen at some point.