Beware of Increasingly Sophisticated Malware Infection Attempts
#1
Taken from here: https://bitcointalk.org/index.php?topic=935898.0

In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on virustotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering it fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:

[Code... (you can see on the original thread)]

The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.

http://www.whatscryptocurrency.com
 
#2
This is probably something we're going to have to pay more attention to as the community becomes more popular. Might have to see about getting staff activation keys for their anti-virus and anti-malware programs for added protection.

EDIT: By activation keys I meant the pro versions.
Retired Server Administrator - September 2014 to February 2015
 

#3
(01-29-2015, 08:17 PM)Ryan Wrote: This is probably something we're going to have to pay more attention to as the community becomes more popular. Might have to see about getting staff activation keys for their anti-virus and anti-malware programs for added protection.

Yeah, it's something to keep an eye out for. I think the OP said they are also not always detected by anti-virus/anti-malware programs.

Something to think about is, finding the original website for wallets, and as I posted earlier in this thread (for those who haven't read it yet): https://cryptoinfinity.com/Thread-Protection-from-Hacking-Phishing-Viruses, use a virtual machine to try out new programs/wallets.

One thing to think about is different websites that look like they should be official. Darkcoin's official website ends in .io (http://darkcoin.io/), I think anyone can make a darkcoin.com which could be bad in the future.

I'm gonna sticky this thread.

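Two of the checks a moderator could automate follow directly from the thread: the "replacing links in quotes" technique described in post #1, and the lookalike-domain concern (darkcoin.io versus darkcoin.com) raised in post #3. The Python below is an added example and is not code from this thread or from any project it mentions; the domain allowlist and the two sample posts are constructed for the example, and the registrable-label logic is a stated simplification (it ignores multi-part public suffixes such as co.uk).

```python
import re
from urllib.parse import urlparse

# Matches http(s) URLs as they appear in forum post text (stops at whitespace, quotes, brackets).
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

# Constructed allowlist: project name -> domains the project actually publishes from.
# Hypothetical for this example; a real deployment would maintain this per coin.
OFFICIAL_DOMAINS = {"darkcoin": {"darkcoin.io"}}


def extract_urls(text):
    """Return every URL in a post body, in order of appearance."""
    return URL_RE.findall(text)


def swapped_links(original_post, quoted_post):
    """Compare the links in a quoted block against the post it claims to quote.

    Returns (original_url, quoted_url) pairs for links that were altered, and
    (None, quoted_url) for links that appear in the quote but not in the original.
    """
    original = extract_urls(original_post)
    quoted = extract_urls(quoted_post)
    findings = [(o, q) for o, q in zip(original, quoted) if o != q]
    findings.extend((None, q) for q in quoted[len(original):])
    return findings


def _second_level_label(host):
    """Naive registrable label: 'darkcoin' for 'darkcoin.com'.

    Assumption: no multi-part public suffixes; a production check would use a
    public-suffix list instead.
    """
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()


def lookalike_domain(url, official=OFFICIAL_DOMAINS):
    """Return a warning string if the URL's host mimics a known project but is not on its allowlist."""
    host = (urlparse(url).hostname or "").lower()
    for project, allowed in official.items():
        if host in allowed or any(host.endswith("." + a) for a in allowed):
            return None  # the official site, or a subdomain of it
        if project in _second_level_label(host):
            return (f"{host} resembles {project} but is not an official domain "
                    f"(expected one of: {', '.join(sorted(allowed))})")
    return None


# Constructed sample: the developer's post, and a "quote" of it in which the link was swapped.
ORIGINAL_POST = "v1.2 released: http://darkcoin.io/downloads/darkcoin-qt-1.2.zip (checksums on the site)"
QUOTED_POST = "dev wrote: v1.2 released: http://darkcoin.com/downloads/darkcoin-qt-1.2.zip (checksums on the site)"


def review_quote(original_post, quoted_post):
    """Run both checks and return human-readable findings for a moderator."""
    findings = []
    for orig, quoted in swapped_links(original_post, quoted_post):
        findings.append(f"link altered in quote: {orig!r} -> {quoted!r}")
    for url in extract_urls(quoted_post):
        warning = lookalike_domain(url)
        if warning:
            findings.append(f"lookalike domain: {warning}")
    return findings


if __name__ == "__main__":
    for line in review_quote(ORIGINAL_POST, QUOTED_POST):
        print(line)
```

Running it on the constructed sample reports both the altered link and the darkcoin.com lookalike. The quote comparison only needs the original post's text, which the forum already stores, so it can run at post-submission time rather than relying on readers to notice a changed URL inside a quote.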
#4
(01-29-2015, 08:26 PM)MakingMoneyHoney Wrote: Yeah, it's something to keep an eye out for. I think the OP said they are also not always detected by anti-virus/anti-malware programs.

Something to think about is, finding the original website for wallets, and as I posted earlier in this thread (for those who haven't read it yet): https://cryptoinfinity.com/Thread-Protection-from-Hacking-Phishing-Viruses, use a virtual machine to try out new programs/wallets.

One thing to think about is different websites that look like they should be official. Darkcoin's official website ends in .io (http://darkcoin.io/), I think anyone can make a darkcoin.com which could be bad in the future.

I'm gonna sticky this thread.

Well yeah, anti-virus/malware programs won't pick up everything, so it's important to use your common sense as well. Downloading programs from unofficial sources is also a bad idea; said sources can quite easily lace the program's code with malicious content. Though as long as you're cautious in your approach and have solid scanners backing you up, you should be fine.
Retired Server Administrator - September 2014 to February 2015
 
