
posted by martyb on Wednesday July 04 2018, @08:40AM
from the Only-cut-n-paste-one-half-at-a-time dept.

Submitted via IRC for BoyceMagooglyMonkey

While cryptocurrency has seen tremendous growth over the past year, sending cryptocoins still requires users to send the coins to long and hard to remember addresses. Due to this, when sending cryptocoins, many users will simply copy the address into memory from one application and paste it into another application that they are using to send the coins.

Attackers recognize that users are copying and pasting the addresses and have created malware to take advantage of this. This type of malware, called CryptoCurrency Clipboard Hijackers, works by monitoring the Windows clipboard for cryptocurrency addresses, and if one is detected, will swap it out with an address that they control. Unless a user double-checks the address after they paste it, the sent coins will go to an address under the attacker's control instead of the intended recipient.

While we have covered cryptocurrency clipboard hijackers in the past and they are not new, most of the previous samples monitored for 400-600 thousand cryptocurrency addresses. This week BleepingComputer noticed a sample of this type of malware that monitors for over 2.3 million cryptocurrency addresses!

Source: https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-monitors-23-million-bitcoin-addresses/


  • (Score: 2, Informative) by Anonymous Coward on Wednesday July 04 2018, @10:43AM (16 children)

    by Anonymous Coward on Wednesday July 04 2018, @10:43AM (#702490)

    So this malware uses a fixed list of addresses, which it presumably harvests from public blockchain transaction information [blockchain.com], and swaps it out with one of several other addresses of its own. It does not use regex to identify addresses. So, not only are they thieves, but they are bad programmers too.

  • (Score: 0) by Anonymous Coward on Wednesday July 04 2018, @11:24AM (3 children)

    by Anonymous Coward on Wednesday July 04 2018, @11:24AM (#702493)

    They might be making sure to never swap out a blockchain address that belongs to another malware's scam. At least the other malware that these programmers are also running.

    • (Score: 3, Insightful) by pkrasimirov on Wednesday July 04 2018, @11:38AM (2 children)

      by pkrasimirov (3358) Subscriber Badge on Wednesday July 04 2018, @11:38AM (#702496)

      > never swap out a blockchain address that belongs to another malware's scam
      Because it will be bad to have the stolen coins in one account instead of another? It will mess all their accounting?

      • (Score: 2) by zocalo on Wednesday July 04 2018, @11:47AM (1 child)

        by zocalo (302) on Wednesday July 04 2018, @11:47AM (#702498)
        I suppose it might, if the wallet you're about to steal from is known to belong to a bigger fish in the cybercrime pool that could retaliate against you. Doesn't change the original point though; having a list of wallets to steal from (the very size of which makes it unlikely to be fully vetted for hypothetical "bigger fish") rather than a generic RegEx and a blacklist of ones not to swap out implies an extremely poor grasp of some pretty basic coding concepts.
        --
        UNIX? They're not even circumcised! Savages!
        • (Score: 0) by Anonymous Coward on Wednesday July 04 2018, @05:11PM

          by Anonymous Coward on Wednesday July 04 2018, @05:11PM (#702624)

          Then maintain a much much smaller list of addresses not to swindle.

  • (Score: 2) by Snow on Wednesday July 04 2018, @03:38PM (11 children)

    by Snow (1601) on Wednesday July 04 2018, @03:38PM (#702576) Journal

    No, I think that list is actually a list of public keys that the attacker has a private key for.

    When an address is copied to the clipboard, the other list is referenced and a similar looking address is swapped in its place. This way the first couple letters/numbers can be the same so at first glance, everything looks okay.

    If it worked as you suggested, even with a list with 2.3 million addresses, the chance of a collision would be .000000000000000000000000000000000000000017%

    • (Score: 0) by Anonymous Coward on Wednesday July 04 2018, @05:14PM (10 children)

      by Anonymous Coward on Wednesday July 04 2018, @05:14PM (#702628)

      That's no excuse. If they match an address via a regex they can still compare it to their list of preferred substitutions. If they don't have one with a similar start they can choose not to swap addresses, or use any address they want and take their chances.

      • (Score: 2) by Snow on Wednesday July 04 2018, @05:33PM (9 children)

        by Snow (1601) on Wednesday July 04 2018, @05:33PM (#702641) Journal

        I believe what you explain is exactly what is happening.

        I'm saying the list is just the list of addresses that they control (ie. the replacement addresses).

        • (Score: 0) by Anonymous Coward on Wednesday July 04 2018, @05:43PM (8 children)

          by Anonymous Coward on Wednesday July 04 2018, @05:43PM (#702645)

          You are incorrect.

          RTFA and you'll see the DLL contains a resource of 2.3 million addresses they check against. If the address is in that list of 2.3 million they swap it for another one. If not, they don't.

          • (Score: 2) by Snow on Wednesday July 04 2018, @05:53PM (6 children)

            by Snow (1601) on Wednesday July 04 2018, @05:53PM (#702650) Journal

            I did RTFA and it does not say that at all.

            The article says that if a crypto address is detected, it replaces it with one under their control. It does not say anywhere that the address in the clipboard is compared to the list. (but sometimes my reading is shit, so please prove me wrong :) )

            I believe the list is a list of replacement values.

            • (Score: 0) by Anonymous Coward on Wednesday July 04 2018, @05:57PM (5 children)

              by Anonymous Coward on Wednesday July 04 2018, @05:57PM (#702652)

              Prove you wrong? Sure. Just watch the video in the article. It shows the resource with the 2.3 million addresses to match against as well as demonstrating the malware in action.

              I'll wait.

              • (Score: 2) by Snow on Wednesday July 04 2018, @07:19PM (4 children)

                by Snow (1601) on Wednesday July 04 2018, @07:19PM (#702694) Journal

                The video shows the exact behavior I explain. The reporter is incorrect in their understanding/explanation.

                Look at 2:50. We see the end of the list of addresses. They appear to be sorted in order. The end of the list is 1zz[...]

                Later in the video he copies a multisig address (starts with a 3) [5:28] and the address is replaced with an address starting with 1HMF[...]. The list does not contain any multisig address, so a normal address is substituted in its place.

                Also notice that the substituted addresses start with the same 3 characters as the original. That list is how that happens.

                • (Score: 1, Insightful) by Anonymous Coward on Wednesday July 04 2018, @07:39PM (3 children)

                  by Anonymous Coward on Wednesday July 04 2018, @07:39PM (#702705)

                  So the guy who is a professional at this, and who uncovered the malware, and spent hours working with it, and who shows the 2.3 million addresses, and who demonstrates how it works is wrong about everything. But you, you who thinks he knows more than anyone else, is right?

                  Keep telling yourself that; you couldn't be more wrong. And repeat George Costanza's mantra: "It's not a lie if you believe it."

                  • (Score: 2) by Snow on Wednesday July 04 2018, @08:00PM (2 children)

                    by Snow (1601) on Wednesday July 04 2018, @08:00PM (#702719) Journal

                    Yes.

                    The bitcoin address space is far, far, far too large to match in the way you suggest. 2.5M addresses is .00000[...]WhateverNumberIHaveAbove of the available address space. The chances of ever stumbling upon a collision is infinitesimally small.

                    • (Score: 2) by frojack on Wednesday July 04 2018, @11:56PM (1 child)

                      by frojack (1554) on Wednesday July 04 2018, @11:56PM (#702774) Journal

                      They don't have to catch that transaction where you send your mom a fraction of a bitcoin.

                      They just have to have the 2.5Million most active accounts in their list, and redirect a few transactions from those with the malware to any of those.

                      They aren't trying to hijack EVERY transaction for pete sake. Use your head.

                      --
                      No, you are mistaken. I've always had this sig.
                      • (Score: 3, Informative) by Snow on Thursday July 05 2018, @03:45AM

                        by Snow (1601) on Thursday July 05 2018, @03:45AM (#702828) Journal

                        This is just a simple evolution of malware that has been around for years.

                        The original version would just monitor the clipboard for a bitcoin address and then substitute another. This could be noticed if the user was looking at the address when they pasted it. To get around that, this version has a list of precomputed addresses. It will continue to monitor for a bitcoin address, but this time it will take the first 3 characters and find a match in its list and use that address so when the paste happens, it looks somewhat similar.

                        Take a look at the last address on the list:
                        https://www.blockchain.com/en/btc/address/1zzzmmAGUMpkXzg5MSy8VAyzT5syt24Am [blockchain.com]

                        It has NO transactions. This is not a list of most active accounts. It's a list of precomputed addresses that can be swapped in quickly to make the swap more believable. It's too computationally expensive to generate a believable fake in real-time.

                        I'm sorry, I'm just -really- into bitcoin. I'm not trying to be argumentative or anything; I'm just really passionate about it. :)

          • (Score: 0) by Anonymous Coward on Wednesday July 04 2018, @07:55PM

            by Anonymous Coward on Wednesday July 04 2018, @07:55PM (#702713)

            Stop feeding this troll. Let him go back to hacking his toaster where nobody burns toast like he does. Nobody.