[Resolved] How to remove this malware?


#1

Hello.

I'm too angry right now to write this in English.
As you can see in the attachment, your malware is having fun with nearly every browser.

Please let me know how to remove this junk completely from my PC, otherwise it goes the usual route: abuse reports to AWS and LE, a report to the police.

I have collected enough data.

Thanks. :rage:


#2

Hi QblX,

Thank you for reporting this.

I am a forum operator and that IP address belongs to my AWS instance.

I used Google translate to translate your post and it seems like you are claiming that this forum uses browser mining software. Of course, if this is the case, it is not done on purpose.

I have not experienced any increase in CPU usage while using this forum, but I would like feedback from other users as well if they can confirm.

There is always a possibility of a hack and that this website is compromised, but I do not have any evidence of this currently. Can you please provide more details about this?

This forum uses the latest version of open source Discourse forum software that hasn’t been changed in any way, but we always need to stay vigilant when it comes to computer security.
The biggest issue in this scenario would be a compromise of user data, rather than mining software. That is why I would really appreciate more information about this from you or other users.
I will do my best in the meantime to discover if this website (or Discourse software) has really been compromised.


#3

Hello Alexej,

What I know is that there has been malware on my PC for a few days. It seems like it is using an unknown bug in Windows 10. For me that's the only explanation, because it operates very quickly and completely hidden.

If there is a new Windows update (we've had a few in the past days), it injects its code into a bunch of system files.
It injects into all current browsers and uses 0.5% CPU and up to 1% GPU time per tab. But it alternates between them randomly.

The results go to your AWS over different ports, TLS secured. Your site sends ACKs for the received payloads. You can see this in the screenshot.

Your concerns about security are right. First, check your AWS.
Something must be wrong here.

But Microsoft could also get into trouble, because the modified files do not lose their certification.
I need more time to do further forensic analysis. But something is definitely wrong here.

Kind regards,
QbiX


#4

That is odd. What ports other than 443 and 80 is it using? Are there packets being sent when you do not have the forum open in a tab? Have you tried deleting your cookies and restarting your computer? I don’t see any other ports open than these two and the one for SSH.

What kind of payload is it sending?

I fear that your computer is infected with malware, but I do hope that this doesn’t have anything to do with the server of the forum.


#5

I think you are confusing things. Without clearer information on what you think you have observed, it is hard to make any qualified statement. But Bisq does not make connections to browsers as long as you do not click a link, for instance to open the block explorer to look up a tx, and even there you get a popup first asking whether you want to connect or prefer to copy the link and use Tor Browser. Bisq uses only Tor hidden service connections.


#6

Do yourself a favor and move to a secure operating system like Linux or OSX, especially if you use cryptocurrencies. Windows is just so broken that you should not be surprised by anything...


#7

I’ve done some more research and reverse engineering.
Whoever wrote this shit must be a freakin' genius.
Absolutely over-obfuscated code, nearly everything is done in RAM, exceptional exception handling, lots of kill switches and manipulation detection.
Here is what I could make visible (the original command line is much longer). It works only with Dev Chrome; other browsers get stuff like this injected.
This is NOT related to Bisq!

I have no idea where the code is loaded from, nor who will get the payload. I think a net service or pseudo-device does this job. As we have seen, it's cloaked very well. The question is: why this action against Bisq? And what will happen if this malware spreads?

Manfred, I will switch to Gentoo very soon. Thank God I do backups every 3 days. (You should too. Try Veeam Endpoint Backup. It's free.)

Sorry for the panic. :disappointed_relieved:


#8

Can you specify in more detail why you initially thought it is Bisq related?


#9

Hi Manfred.

Because I saw uncommon traffic peaks in idle mode. I found that my CPU and GPU were being used some percent above normal. So I took a look at the running processes.
Again, all my browser tabs were being used as "mini miners"; it's not a website-related problem. So I jumped into the OSI layers and found the AWS IP address (screenshot in post #1).

I typed it into my browser and was shocked: the Bisq page.
Sorry again for the trouble.
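The investigation described in posts #4 and #9 (which process owns a connection, whether traffic to the forum IP continues when no forum tab is open, and whether the remote address really sits in an AWS range) can be done from a netstat/tasklist snapshot without guessing. The following is an added example, not code from the thread or from the Bisq project: it parses Windows `netstat -ano` and `tasklist /FO CSV /NH` output, attributes each TCP connection to its owning process, and flags remote addresses that fall inside prefixes in the structure AWS publishes as ip-ranges.json. All input here is constructed (RFC 5737 documentation addresses, placeholder prefixes); in practice you would feed it the live command output and the real ip-ranges.json.

```python
"""Attribute outbound TCP connections to processes and flag those whose remote
address lies in a set of cloud-provider prefixes.

Added example with constructed input; not part of the forum thread."""
import csv
import io
import ipaddress
import json
import re
from collections import Counter

# Constructed `netstat -ano` output (Windows format). Addresses are taken from
# the RFC 5737 documentation ranges and do not belong to any real host.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:51234         198.51.100.20:443      ESTABLISHED     4321
  TCP    10.0.0.5:51240         198.51.100.20:8443     ESTABLISHED     4321
  TCP    10.0.0.5:51302         203.0.113.7:443        ESTABLISHED     777
  TCP    10.0.0.5:51310         198.51.100.21:443      TIME_WAIT       0
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:5353           *:*                                    4321
"""

# Constructed `tasklist /FO CSV /NH` output: image name first, PID second.
TASKLIST_OUTPUT = '''"chrome.exe","4321","Console","1","250,000 K"
"svchost.exe","777","Services","0","12,000 K"
"svchost.exe","900","Services","0","9,000 K"
'''

# Constructed stand-in for AWS ip-ranges.json: same field names, placeholder
# prefix. Load the real file from AWS for an actual investigation.
IP_RANGES_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-central-1", "service": "EC2"},
    ]
})

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (ip_address, port); IPv6 endpoints come as '[addr]:port'."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)


def parse_netstat(text):
    """Return TCP rows as dicts; rows without a parseable remote IP are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or m.group(1) != "TCP":
            continue
        proto, local, remote, state, pid = m.groups()
        try:
            remote_ip, remote_port = split_endpoint(remote)
        except ValueError:
            continue  # e.g. '*:*' on UDP rows
        conns.append({"proto": proto, "local": local, "remote_ip": remote_ip,
                      "remote_port": remote_port, "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def load_prefixes(json_text):
    """Return (network, region, service) tuples from ip-ranges.json-shaped data."""
    data = json.loads(json_text)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in data.get("prefixes", [])]


def match_prefix(ip, prefixes):
    """First prefix containing ip, or None."""
    for net, region, service in prefixes:
        if ip in net:
            return net, region, service
    return None


def triage(netstat_text, tasklist_text, ranges_json):
    """Connections whose remote address is inside a known prefix, with owner."""
    names = parse_tasklist(tasklist_text)
    prefixes = load_prefixes(ranges_json)
    findings = []
    for c in parse_netstat(netstat_text):
        hit = match_prefix(c["remote_ip"], prefixes)
        if hit is None:
            continue
        net, region, service = hit
        findings.append({
            "pid": c["pid"],
            # PID 0 (e.g. TIME_WAIT leftovers) has no owning process to name
            "process": names.get(c["pid"], f"unknown (PID {c['pid']})"),
            "remote_ip": str(c["remote_ip"]), "remote_port": c["remote_port"],
            "state": c["state"], "prefix": str(net), "region": region, "service": service,
        })
    return findings


def summarize(findings):
    """Count flagged connections per (process, remote IP) pair."""
    return Counter((f["process"], f["remote_ip"]) for f in findings)


if __name__ == "__main__":
    for f in triage(NETSTAT_OUTPUT, TASKLIST_OUTPUT, IP_RANGES_JSON):
        print(f"{f['process']:<18} -> {f['remote_ip']}:{f['remote_port']:<5} "
              f"{f['state']:<12} {f['service']} {f['region']} ({f['prefix']})")
```

Run it once with every browser closed and once with the forum open: a flagged entry owned by a non-browser process, or one that persists with no forum tab, is the observation that would point at something on the client rather than at the site; a connection owned only by the browser that has the page open is what normal browsing looks like.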


#10

Thanks for the further info. Do you know why the Bisq forum IP showed up there? Maybe it was normal because you browsed there earlier? If not, it might be interesting to find out whether the malware created those connections (DDoS?).


#11

You’re welcome.

I never visited this page before. That's why I was really shocked.

I analyze many sites for fun. Admins / companies often hide messages in the pages, scripts, cookies... job offers, e.g. PayPal: "If you can read this, we want you!"
I have already received an offer as a "software tester" from a Danish cryptocoin team this way. Sooner or later there would be a kind of "crypto currency war", and they are looking for curious people with skill. I don't break anything. On the contrary. War? Not with me.

I'm digressing.
It may be that criminal energy is behind this. I mean, you read more and more often about DoS attacks against mining pools.
Nearly every big site uses CloudFlare; there must be reasons for that.

Do you have a concrete suspicion? I'm happy to help where I can.
In the age of Shodan and co. you only now notice how extremely neglected the topic of IT security has been. I can name you websites of football clubs that have admin / root credentials in plaintext, at most Base64, in the source code.

Damn, digressed again. :joy:

So if you need me, I'm available for little money. I have completely audited Bisq 0.6.4. Simply because I always learn something, or sometimes find critical things, which I always report to the devs.

I lost my old office job a month ago. Maintaining the company AD and the software distribution annoyed me in the long run (4 years).