all 12 comments

[–]etmetm 16 points (2 children)

The Windows binaries for 2.3.2 are modified. This is a scam site trying to infect people's PCs...

There's been discussion in June here: https://bitcointalk.org/index.php?topic=1098340.0

Edit II: The scam site is currently hosted with softlayer in their Singapore DC. ThomasV has mailed abuse@softlayer.com citing their AUP which defines item 6 "distributing computer viruses or malware of any kind" as unacceptable use. It appears the site is using https://www.hawkhost.com/ as softlayer reseller - hopefully softlayer will take direct action.

[–]hietheiy 2 points (0 children)

What about contacting duckduckgo and having it removed from search?

[–]weejocktiny 0 points (0 children)

HawkHost are a really good provider that will respond to this if someone contacts them with all the proof.

[–]dumb-mud 2 points (0 children)

Malicious electrum-2.3.2.exe (Detection ratio 5/55):

  • Trojan[Backdoor]/Win32.Androm
  • Win32:Malware-gen
  • MSIL/Injector.KNE!tr
  • Artemis!7C3470F5649A
  • Artemis
  • PE:Backdoor.Win32.Gbod.b!1075358427

Normal electrum-2.3.2.exe (Detection ratio 0/56)

Malicious file behavioral analysis

It appears to ferret away files named psvss.exe and updserv.exe in a "Themes" directory, and then overwrite an existing Microsoft file called rsm.exe with the updserv.exe file. rsm.exe is associated with Windows' Removable Storage Manager Command Line Interface.

It performs these DNS lookups that are NOT made by the normal Electrum executable:

  • EAST.electrum.jdubya.info
  • electrum.no-ip.org
  • erbium1.sytes.net
  • electrum0.electricnewyear.net
  • WEST.electrum.jdubya.info
  • kirsche.emzy.de
  • headers.electrum.org (presumably benign)

[–]jcoinner 1 point (5 children)

Have you tried running a diff comparing the wallets? It would be interesting to see if they've altered it in some way.

[–]mprr 2 points (1 child)

At the time of this writing, the file Electrum-2.3.3.tar.gz, which contains Electrum's source code, is identical on both sites.

The standalone Windows executables electrum-2.3.2.exe differ from one another, however. I'd assume that the binaries on the imposter site are malicious.

As it's a bad idea to execute software from unknown sites in general, I didn't bother to investigate any further or compare other files.

[–]jcoinner 0 points (0 children)

Yes, I'd also expect any bad juju to be hidden in the exe. And I'm not about to check either. But hopefully people won't get sucked into this.

[–]sQtWLgK 2 points (0 children)

The site is an exact copy (it is open source). There is a red flag, though: when you try to download the signatures on http://www.electrum-wallet.com/#download they are not there (most likely because the files have been altered).

Remember to always check the PGP signatures! Thomas Voegtlin's (lead dev) key fingerprint is 7F9470E6

[–]maxupdate[S] 0 points (1 child)

Don't want to try that, they could have altered it in many ways.

[–]KillMarcusReed 0 points (0 children)

Bottom line is you know if it was different; this knows if it's different. It's either the same code as issued by the developer, or it is not. Running the questionable file through diff poses no threat. If you are curious, try it.

[–]BobAlison 0 points (0 children)

These sites highlight the importance of checking the signature of any Bitcoin software you download.

Notice how the first site doesn't even give you a signature for the source distribution:

https://electrum-wallet.com/Electrum-2.3.3.tar.gz.asc
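The two checks the thread keeps coming back to (mprr's hash comparison of the same file from both sites, and sQtWLgK's and BobAlison's "always verify the PGP signature") can be scripted. The block below is an added example written for this page; it is not code from the thread or from the Electrum project. It hashes both copies of a file, then runs `gpg --verify` on a detached `.asc` and reads gpg's machine-readable `--status-fd` output, accepting the file only if the `VALIDSIG` line carries the full 40-hex-digit fingerprint you expect. That last point matters: `GOODSIG` alone only says that some key in your keyring signed the file, and the 8-hex-digit value quoted in the thread is a short key ID, which an attacker can generate a colliding key for, so the comparison should be against the full fingerprint obtained out of band. `EXPECTED_FPR` below is a placeholder, not the developer's real fingerprint.

```python
"""Added example (not from the thread or the Electrum project).

1. same_on_both_sites(): SHA-256 of the same file fetched from two mirrors.
2. verify_release(): gpg --verify on a detached .asc, judged by parsing the
   --status-fd output so that the *full* fingerprint of the signing key is
   compared, not just the presence of a "Good signature" line.
"""
import hashlib
import shutil
import subprocess
from pathlib import Path

# PLACEHOLDER (assumption for this example), not a real developer fingerprint.
# Obtain the genuine 40-hex-digit fingerprint out of band and paste it here.
EXPECTED_FPR = "0000000000000000000000000000000000000000"


def sha256_file(path):
    """Stream a file through SHA-256 (1 MiB chunks) and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def same_on_both_sites(path_a, path_b):
    """True if the two downloaded copies of a file are byte-identical."""
    return sha256_file(path_a) == sha256_file(path_b)


def judge_gpg_status(status_lines, expected_fpr):
    """Interpret lines from `gpg --status-fd`.

    Returns (ok, reason). Only VALIDSIG carries the full fingerprint
    (field 3 of the line); GOODSIG / BADSIG carry a key ID and user ID.
    """
    expected = expected_fpr.replace(" ", "").upper()
    saw_goodsig = False
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, tag
        if tag == "NO_PUBKEY":
            return False, "NO_PUBKEY (signing key not in keyring)"
        if tag == "GOODSIG":
            saw_goodsig = True
        if tag == "VALIDSIG":
            fpr = fields[2].upper()
            if fpr == expected:
                return True, "VALIDSIG from expected key " + fpr
            return False, "VALIDSIG but from unexpected key " + fpr
    if saw_goodsig:
        return False, "GOODSIG without VALIDSIG fingerprint line"
    return False, "no signature verdict from gpg"


def verify_release(file_path, asc_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on a detached signature and judge its status output."""
    if shutil.which("gpg") is None:
        return False, "gpg not installed"
    if not Path(asc_path).exists():
        # The red flag from the thread: the mirror serves no .asc at all.
        return False, "signature file missing: " + str(asc_path)
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify",
         str(asc_path), str(file_path)],
        capture_output=True, text=True,
    )
    return judge_gpg_status(proc.stdout.splitlines(), expected_fpr)


if __name__ == "__main__":
    import sys
    ok, why = verify_release(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "REJECT: ") + why)
```

Usage: `python verify_release.py electrum-2.3.2.exe electrum-2.3.2.exe.asc`. The signing key must already be in your keyring; fetching it from the same site that serves the binary defeats the purpose, which is why the fingerprint comparison is the part that actually rejects an impostor.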