James Stanley

Double-check Bitcoin addresses when pasting (Bitcoin TX Generator malware)

Sun 9 July 2017

Tagged: bitcoin, software

Back in April I wrote about the Large Bitcoin Collider and how it is probably malware. Well, now there's another (even more blatant) piece of malware being spread via reddit.

The post

/u/daisypiggy (appears to be a bought account: high karma but no posting history) wrote a post on r/BitcoinMarkets about how it is important to wait for at least 1 confirmation when receiving Bitcoin transactions because "new software is being developed to scam you". Supposedly this new piece of software generates a Bitcoin transaction that looks valid, and will show up on the victim's wallet as an unconfirmed incoming transaction, but which will eventually disappear. Included in the post was a helpful link to a github repo containing the software.

/u/Frakk4d promptly wrote a response about how the software works:

I've seen this software before. It doesn't actually work, just "crashes" on launch then lurks in the background waiting for you to copy a BTC/eth address. When you do, it swaps it for their own so you end up sending your coins to them.

So it seems the post is intended to trick would-be scammers into downloading the software, rather than to warn legitimate users about a new attack.

The software

I had a quick look and wrote up a response:

I checked out the source in the git repo, and the binary release, and there is absolutely no way the binary was generated using the source in the repo. The binary release is launched via some .bat files, which are neither present nor generated by the Makefile in the repo. The .bat files execute a file at includes/APIs/cvsrvc32.exe which is neither present nor generated by the Makefile in the repo. The includes/APIs/ directory also contains a bunch of syntax highlighting configuration files (for no apparent reason) which are neither present nor generated by the Makefile in the repo.

But the real smoking gun is what I found in cvsrvc32.exe :

$ strings cvsrvc32.exe | egrep ^.1 [... a few lines redacted ...] $1f8=1f8f7jwgPTszFyUaCTcFuPbXxVD5LAVx $1Ci=1CiuQujVPphnVhCmQ5jdqAtFuAbxrsco $1bZ=1bZa1az6eV23z6DacS6N2ZP9wMyFrwBv $1RY=1RYcbV1CH8urKk1U8A5S3w181tNf3XkZ $1vK=1vKn17CbgwW8vTCqkCqkUUj24thqNGEb $1xc=1xcMCqSm11NxA9SCF7U4Wtf8xXCJxH8f $1AM=1AMpfNMHS8EA3vrp3f4rd4gSmfEh3Cay $1Zm=1ZmkrC2ddGi1YNMCmtFNyWgsF5BLDurM $1ZZ=1ZZ9uR5sULaF3d6tc9zBNvz5uQJ7bCbi $1AU=1AUekY2ViydicrKf9v5JrnRaZUiGHhPM [... lots more ...]

(full output at https://pastebin.com/yTWzhqTU).

This is a mapping of 3-character prefixes to full Bitcoin addresses!

The malware

Combined with Frakk4d's information, we can surmise how the software works without bothering to disassemble it:

It crashes at launch so the user thinks it just didn't work, and launches its payload (possibly also installing its payload as a rootkit, or run-at-startup, or similar)

When anything is copied to the clipboard it scans for a Bitcoin address

If it finds a Bitcoin address, it replaces it with one controlled by the attacker that shares the same first 3 characters

This is particularly interesting because although it is obvious that a Bitcoin address could be substituted with one that shares a short prefix, I hadn't yet come across any evidence that there is malware in-the-wild actually doing this attack.

I haven't worked out a convenient way to check all 3248 addresses to see if they have any transaction history, but I think it would be interesting to do so. I'll try and do it tomorrow.

Lessons to learn

Don't run random code you find online, especially if it's related to Bitcoin, and especially if it's related to scamming. When pasting a Bitcoin address, double-check as much as possible, not just a few characters at the start.

Any other business

Although this example only replaces 3-character prefixes (and, really, only 2-character prefixes), it is not too hard to imagine a similar piece of malware that replaces longer prefixes. Vanitygen can generate nearly 50 Million addresses per second on an old-ish machine, so it shouldn't take too long to pre-generate an address for all possible 4-, 5-, or even 6-character prefixes. Expect to see this in the future.

Another interesting point is that only 3248 substitutions exist in the executable. Bitcoin addresses are encoded with base58, so in theory there should be 582 possibilities = 3364 address prefixes. I'm not sure whether the remaining prefixes can simply never exist, or whether this malware accidentally misses ~3% of possible prefixes. (If you know, let me know!).

And, in case you want to do some more analysis of the executable, I've pinned the ZIP file I downloaded from the Github repo "Releases" page in IPFS at /ipfs/QmdteaeZ7JmQ6U8aiRFPzKWdBNfSTYojsPeUurK1nm8XVx/BitTXGenerator-Win-x86-x64-1.2.7.zip (don't run it, for obvious reasons).

Updates (2017-07-10)

Frakk4d has found evidence that the "daisypiggy" account has been perpetrating this scam for quite some time: https://imgur.com/a/p3HLN.

The executable contains 3249 P2SH addresses in addition to the 3248 P2PKH ones: https://pastebin.com/bpiKawY1.

The executable actually contains at least 185190 addresses for various cryptocurrencies, including the Bitcoin ones: /ipfs/QmYfbYNQzDxKz692ergwoxyeDyK2iTCu8CNneD2VWN4rnv/addresses.txt.

And the plot thickens further: none of the Bitcoin addresses I checked actually have valid checksums. I'm guessing the program computes the correct checksum and substitutes it accordingly. I'm running out of inclination to look into this any further, but if you come up with anything interesting, please let me know and I'll update this post.

Update 2017-11-29

Graham points out that all of the addresses in the file are in fact Bitcoin addresses, they're just missing the "1" prefix! And that if you add a "1" prefix, the checksum computes correctly. So that's that mystery solved. He also checked the total payments to those addresses and found that they came to 3.7 BTC (which, at today's insane prices, would be about £30,000).