►Keep your STEEM safe! An analysis of a clipboard wallet replacer malware & Why you should care!

in #security · 8 years ago (edited)

Intro

Bitcoin wallet-replacer malware is quite common these days, since it is easy to develop and has dramatic effects once it lands on the "right" computer. The malware simply replaces Bitcoin addresses held in your clipboard with similar-looking addresses controlled by the attacker. In this post I'm going to give you a look into the structure of such a malware and explain why knowing about it is essential if you want to be more secure!

Clipboard checking method

One of the main functions of such a malware is a method that detects a possible BTC address in the clipboard. In this sample the method is called ProbablyBtcAddress and runs whenever the clipboard changes. The clipboard contents are stored in a variable called text and then matched against a regex describing the shape of a BTC address.
Selection_025.png

Replacement code

If a possible BTC wallet address is found in the clipboard, the method SetMostSimilarBtcAddress is called. It stores the wanted address in a string b and loads the previously generated BTC addresses into a HashSet. It then checks whether the first and the last character of one of the pre-generated addresses (as you can see in the screenshot below) match the address in the clipboard. Once such an address has been found, the clipboard is overwritten with the attacker's address.
Selection_026.png

Generated addresses stored in the malware

Selection_024.png

So what does this have to do with my STEEM?

As you have probably guessed, such an attacker could easily change the detection to the STEEM address format. With the number of users growing every day, and with it the value of the Steemit community, it's in my eyes just a matter of time until criminals try to get hold of STEEM in unwanted ways. With this post I wanted to raise security awareness in this awesome community.
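To make the three points above concrete (the loose "probably an address" regex, the first/last-character similarity test, and the fact that the same trick transfers to the STEEM account-name format), here is an added example written for this post. It is not the malware's code and not the author's; the regex patterns are my own approximations, and the Steem account-name rule is a simplified assumption. The defensive function at the end, check_pasted_address, is the check you would want before hitting "send": a full character-by-character comparison between the address you intended and the one that actually landed in the form, because both the shape test and the checksum will happily accept a real attacker-generated address.

```python
import hashlib
import re

# Loose "probably an address" patterns in the spirit of the malware's
# ProbablyBtcAddress check. The exact regex from the screenshot is not
# reproduced here; these patterns are this example's own.
BTC_LEGACY_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")   # P2PKH / P2SH
BTC_BECH32_RE = re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$")       # native segwit

# Steem account names, simplified (assumption, not taken from the post):
# 3-16 chars, dot-separated segments of lowercase letters, digits and
# hyphens, each segment starting with a letter and ending with a letter/digit.
STEEM_ACCOUNT_RE = re.compile(
    r"^(?=.{3,16}$)[a-z][a-z0-9-]*[a-z0-9](\.[a-z][a-z0-9-]*[a-z0-9])*$"
)

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def probably_btc_address(text: str) -> bool:
    """Shape-only test, as loose as the malware's: no checksum involved."""
    return bool(BTC_LEGACY_RE.match(text) or BTC_BECH32_RE.match(text))


def probably_steem_account(text: str) -> bool:
    """The same idea applied to the STEEM account-name format."""
    return bool(STEEM_ACCOUNT_RE.match(text))


def base58check_valid(addr: str) -> bool:
    """Decode a legacy address and verify its 4-byte double-SHA256 checksum.
    Note: an attacker's pre-generated addresses are real keys, so they pass
    this test too; it only catches typos, not swaps."""
    n = 0
    for ch in addr:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))   # each '1' is a 0x00 byte
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25:                                   # version + hash160 + checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def endpoints_match(a: str, b: str) -> bool:
    """The similarity test the post describes: same first and last character.
    Shown here only to demonstrate why it must not be your own check."""
    return bool(a and b) and a[0] == b[0] and a[-1] == b[-1]


def check_pasted_address(intended: str, pasted: str) -> dict:
    """Compare the address you meant to send to with the one that actually
    landed in the form. Only a full character-by-character match passes;
    diff_positions tells you where to look."""
    diff = [i for i, (x, y) in enumerate(zip(intended, pasted)) if x != y]
    shorter, longer = sorted((len(intended), len(pasted)))
    diff.extend(range(shorter, longer))
    return {
        "match": intended == pasted,
        "looks_like_btc": probably_btc_address(pasted),
        "checksum_ok": base58check_valid(pasted) if BTC_LEGACY_RE.match(pasted) else None,
        "endpoints_match": endpoints_match(intended, pasted),
        "diff_positions": diff,
    }


if __name__ == "__main__":
    # Constructed sample: the well-known genesis-block address and a lookalike
    # that keeps its first and last character, exactly what the malware selects.
    intended = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    lookalike = "1A7zQ1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    print(check_pasted_address(intended, lookalike))
```

The sample lookalike fails the checksum only because it was made by hand; a real swapped-in address would pass it, and it passes the shape and first/last-character tests regardless. That is why the only verdict worth trusting is "match": True.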

Always double-check the address you pasted somewhere!!

Stay safe!

Cheers, @nicetea


What if the malware just replaces the POST data inside the browser while submitting the address? You pasted the correct address, but the submitted form is modified....

You need to keep both eyes open and have an active and up-to-date antivirus. Give malware no chance ;)

I'm sure this site is definitely going to have issues with different kinds of attacks soon

Pretty sure, yes!

Like ddos and other kinds

Every major site could be a potential target of DDoS attacks. I think that the actual information on sites is a bigger risk to look out for!
