Slashdot Mirror


Beware: 'Digmine' Cryptocurrency Bot Is Spreading Via Facebook Messenger (techspot.com)

Cybersecurity firm Trend Micro has discovered a cryptocurrency bot that is being spread through Facebook Messenger. The bot, dubbed Digmine, was discovered in South Korea and has since been found in Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela. TechSpot explains: Victims receive a file named "video_xxxx.zip" from one of their Facebook Messenger contacts. Opening it will load Chrome along with a malicious browser extension. Extensions can only be downloaded from the Chrome Web Store, but this is bypassed using the command line. Once the malware infects a system, a modified version of XMRig -- a Monero mining tool -- is installed. This mines the cryptocurrency in the background using a victim's CPU, sending all profits back to the hackers. Additionally, the Chrome extension is also used to spread Digmine. If someone has their Facebook account set to log in automatically, the fake video file link will be sent to all their friends via Messenger. The malware could also be used to take over a Facebook account entirely. The good news is that Digmine only works through the Chrome desktop version of Messenger. Right now, opening the malicious file via the Facebook/Messenger app or mobile webpage won't have the same effect. After Trend Micro revealed its findings, Facebook said it had taken down any links connected to Digmine.

24 of 96 comments

  1. Old school is best school by nitehawk214 · · Score: 2

    Mobile means we get to relive all the same attacks we saw decades ago.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
    1. Re:Old school is best school by Actually, I do RTFA · · Score: 3, Interesting

      No, see, it's totally different. Chrome sandboxes extensions so this cannot possibly be an attack. Now I'm to run some more arbitrary JavaScript from the internet without being asked first or even told what's running</sarcasm>

      --
      Your ad here. Ask me how!
  2. fb users' computers useful for once! by sittingnut · · Score: 1

    we should rejoice!

  3. Beware: .zip by AHuxley · · Score: 1

    Make sure you have good quality AV.
    Try and find a better message app.

    --
    Domestic spying is now "Benign Information Gathering"
  4. Chrome is a malware vector by Anonymous Coward · · Score: 1

    Better stick with Edge

  5. What's the problem again? by arth1 · · Score: 1

    I can't see this being a problem for the /. crowd.
    Really, who here uses Facebook Messenger, Google Chrome and open ZIP attachments?

    1. Re:What's the problem again? by jrumney · · Score: 1

      Personally, I think this was an obvious scam. Everyone knows that genuine porn videos only have three 'x's in the filename.

    2. Re:What's the problem again? by AHuxley · · Score: 1

      Thought experiment :)
      End a file in mp4? html? .zip?
      What draws in very average social media users?
      A boring old html page?
      An mp4 file? That's a movie, and as they know the personality of the sender it will be boring, safe for work.
      .zip, it's a mystery and could have compressed fun files. Something found by their boring friend who might just have found something fun?

      Some security researcher, or a person in social media middle management, must have that stat: the file type link most users actually click on most of the time?

      --
      Domestic spying is now "Benign Information Gathering"
  6. Re: Easy to block using hosts files... apk by mschwanke97402 · · Score: 1

    Nope, sorry. This is malware, so the packets are coming from inside the firewall. A miner doesn't wait for instructions; it just mines and fires off the results.

    Try again smartass. At least with the domains blocked they can't make any use of the malware.

    Good firewalls block traffic in and out. It’s just that most people have crap firewalls.

  7. ...and double click a Microsoft Windows .exe file? by pilaftank · · Score: 1

    Victims receive a file named "video_xxxx.zip" from one of their Facebook Messenger contacts. Opening it will load Chrome along with a malicious browser extension.

    How does opening a .zip run the contents? Does the user also have to run the i-know-you-want-to-double-click-me.exe file?

    --
    dna.js
  8. Re: Easy to block using hosts files... apk by arth1 · · Score: 2

    It also doesn't do diddly squat for blocking URLs like https://translate.google.com/t...
    Nor domains where some content is good and some is evil. It's all or nothing.
    Nor randomly generated hostnames like f359db86.evil.com where the attacker points *.evil.com to the same A/AAAA (with a simple 8 nibble address like this, you'd need 4,294,967,296 host names).
    Nor if using a proxy server that doesn't have a host list, because the proxy server does the resolving.
    Nor if using a resolver that doesn't have file as the first lookup mechanism. (Mine have "dns [!UNAVAIL=return] files")
    Nor can it block apk spamming slashdot.

    It's almost 2018. You have to be pretty delusional to think that host files blocking is useful today.

  9. Re:arth1 prepare to be shot down in flames... apk by arth1 · · Score: 1

    Randomly generated or not, once a hostname is blocked in hosts, it's blocked & I've even shown Tepples there are DGA lists (where names are generated thus) & I use them - so much for that bs from you.

    bs from me?
    A snippet of javascript code in a web page here shows:

    var host = Math.random().toString(16).slice(2,10);          // 8 random hex digits
    var domain = 'thrax.ru';
    var url = 'https://' + host + '.' + domain + '/js/master.js'; // e.g. https://f359db86.thrax.ru/js/master.js

    How do you possibly block that with a host list without adding 4 billion entries? Answer HOW, please.

    It should be obvious to anyone that what's bs is using a hosts list that can't even handle wildcards like DNS can.

  10. Re:...and double click a Microsoft Windows .exe fi by Trax3001BBS · · Score: 1

    Victims receive a file named "video_xxxx.zip" from one of their Facebook Messenger contacts. Opening it will load Chrome along with a malicious browser extension.

    How does opening a .zip run the contents? Does the user also have to run the i-know-you-want-to-double-click-me.exe file?

    That's an easy one, you count on users trusting Windows. Since the start Windows has screwed users with extensions. Either hiding them or only showing the first encountered.

    MyFile.zip.exe was very popular a while back; it would show as a MyFile or Myfile.zip file, yet run as the hidden .exe file.

    As for asking to run it, many have most likely tired of saying yes to the requester and disabled it.

  11. Re:WTF? I already said how (DGA lists) by arth1 · · Score: 1

    P.S.=> Who cares if hosts don't do wildcards? It's near ZERO EFFORT per my program PLUS?

    To generate 4+ billion entries? Lol!

  12. How could the victims know? by CustomSolvers2 · · Score: 2

    The true intention was well disguised! Who wouldn't have opened a file called "video_xxx" sent by a random person? A different story would have been a name like "warning_this_is_a_virus_never_ever_click_here"; even in that case, around 25% of people might click on it anyway. There are lots of unlucky individuals out there who cannot do anything to avoid this almost-perfect technique to succeed. LOL.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    1. Re:How could the victims know? by CustomSolvers2 · · Score: 1

      +1 Insightful?! I guess that the whole extremely evident text which even a really dumb kid should be able to immediately understand as a joke + "LOL" (I do expressly tag all my jokes here since some months ago as a public service to those with limited understanding skills) wasn't clear enough regarding my intention. LOL (-> this means that I am being sarcastic and that that previous post was evidently a joke and that the moderator +1ing it as insightful has some serious understanding problems).

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  13. Re:...and double click a Microsoft Windows .exe fi by Bruinwar · · Score: 3, Informative

    Victims receive a file named "video_xxxx.zip" from one of their Facebook Messenger contacts. Opening it will load Chrome along with a malicious browser extension.

    How does opening a .zip run the contents? Does the user also have to run the i-know-you-want-to-double-click-me.exe file?

    That's an easy one, you count on users trusting Windows. Since the start Windows has screwed users with extensions. Either hiding them or only showing the first encountered.

    MyFile.zip.exe was very popular a while back; it would show as a MyFile or Myfile.zip file, yet run as the hidden .exe file.

    As for asking to run it, many have most likely tired of saying yes to the requester and disabled it.

    The first thing I do when working on someone's computer is uncheck the box "Hide extensions of known file types".

    --
    SLOWER TRAFFIC KEEP RIGHT
  14. Re: Easy to block using hosts files... apk by Cito · · Score: 1

    Well, between my pfsense box in front of my modem, a smart switch behind the modem and a Pi-Hole box my LAN uses for DNS, I think I'm half assed alright. Any strangeness noticed, occasional paranoia or boredom, whichever it may be, then I do have a Kali box that only gets the network cable plugged in when I'm actively using it, usually just for Wireshark nowadays. Since I haven't been quite as mischievous as I was in my youth in a long while...

  15. Hack the malware by mnemotronic · · Score: 1

    How about a hacked version of the malware that returns incorrect results to the C&C? It doesn't even have to use a lot of CPU cycles ... just get the command to start, delay as long as possible and return a response with "Found the answer!" with some random pile of fluff. The idea is to get the C&C to trust the bogus results while making it wait as long as possible so that it essentially submits the wrong answer to the blockchain or at least loses the race to some other miner.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  16. Re:WTF? My method works & do the math by arth1 · · Score: 1

    Even if you pay $1 per domain & get 255 subdomains over 4 billion, ROI = weak!

    You don't get 255 subdomains. Confusing subdomains with class C subnets is worrying if you attempt to sell network-related software.

    With a single domain, you get the choice to create as many hostnames and subdomains on the domain as you want. Any number of hostnames or subdomains on a domain won't cost a dime more. What makes this feasible is that DNS servers take wildcard requests. Unlike your hosts file, they don't need an entry for every host, but can use wildcards, like:

    $ORIGIN foo.ru.
    *    IN  A   123.45.67.89

    This will resolve any host in the foo.ru domain to the same address. It does not carry any cost per hostname. You don't need to know it in advance.
    By using a very simple javascript, like what I posted before, the client generates a random hostname. Whatever it is, it can now be looked up in DNS.

    You can do nothing to stop this with a hosts file, because you cannot possibly pregenerate every possible random hostname.

    And for the record, no I do not use sockpuppets, nor do I post as AC. I have no need to. I don't feel a need to back up my claims with support from others - verifiable and reproducible information doesn't need that kind of support. That others also point out the same "flaws" doesn't mean that they are me. And the number of people who have done so over the years does not necessarily mean that there's something wrong with all of them. There could be a different explanation, just saying...

  17. Re:I've seen diff. deals & answer 2 questions by arth1 · · Score: 1

    1.) How much does 4 billion domains cost

    You don't understand domain names at all. You don't need 4 billion domains. You need one, with any number of subdomains and hosts you want being free. 4 billion, 8 trillion, it doesn't matter. They're all yours for the price of a single domain.

    2.) Does my approach work to STOP this threat??

    Nope, it does not. That's the problem. You cannot block:
    1f873bb2fed1.hostname.com
    2953bfe64711.hostname.com ... where the first part is randomly generated.
    These are legal domain names, by the way. Try them.

    Because hosts doesn't take wildcards, you would have to enumerate the entire list of possible domains, and with a 63 character limit, you can't find a hard drive big enough to hold all the variations. So your host list is worthless for this, whereas a DNS server, firewall or adblocker can easily block it, because they support wildcards.

  18. Re:Arth1: This botnet isn't DGA or fastflux by arth1 · · Score: 1

    See subject (you lose in your theoretical bs too) 0.0.0.0 1f873bb2fed1.hostname.com & 0.0.0.0 2953bfe64711.hostname.com = blocked (up to whatever via DGA tracker lists have changing a source in my APKIniFile.ini (change back once loaded & blocked))

    You completely miss the point. You blocked the two examples, but not the possible hosts. The entire point was that they were random. The host name part doesn't exist until generated, at which point it needs to be blocked. When a piece of js generates f4002db3688.hostname.com or any other random hostname in the .hostname.com domain, your hosts file does not have that never-before-seen hostname there.

    And this is not just botnets as you seem to think - several ad trackers do the same these days, generating random hostnames, presented in URLs. Not only is it unblockable by fixed name lists, but it also gives them two pieces of information instead of one - both your IP, and the IP of your DNS server. This helps identify where users are, to better present ads that a user might actually click.

    And you can do nothing to block them with your host list, because you have no idea what the name is before it is generated by a piece of javascript or server side code.

  19. Re:Does the article's botnet do DGA or Fastflux? by arth1 · · Score: 1

    Hilarious - HOW can botnet herders store "4++ BILLION ENTRIES" themselves if I can't?? How could a router??? How could DNS???

    They don't need to, because they can use wildcards.

    In my router, I can block access to all hosts under .domain.com or *.ru with:

    content-filter common-list forbid
      *.domain.com
      *.evildomain.ru

    In my DNS, I can add a section where I state that I'm authoritative for these domains when queried from internal domains, and put a wildcard entry for each domain I want to block the lookup of every host.

    $ORIGIN domain.com.
    *    IN  A   127.0.0.2
    $ORIGIN evildomain.ru.
    *    IN  A   127.0.0.2

    "Botnet herders" (you still can't get past the misconception that this is just botnets?) don't have to, because their web server will have a section in the web server for responding to *.domain.com or *.evildomain.ru. They don't need to know in advance that the hostname used is yaddafoo4713234523.domain.com

    But your hosts list cannot do wildcards and must have an entry for every possible combination. Which is impossible even for a single domain, which can answer up to 1.95*10^98 different valid hostnames with a single wildcard.
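
    The exact-match versus wildcard argument running through comments 9, 16, 17, 18 and 19 above, as an added simulation that is not part of the thread: it reproduces the 8-hex-digit label generator from the quoted snippet, seeds a hosts-style list with two previously observed names (as a DGA tracker list would), and counts how many fresh names each approach blocks. The domain 'evil.example' and the seed are constructed placeholders.

```python
import random

# The quoted snippet, Math.random().toString(16).slice(2, 10), yields
# 8 lowercase hex digits; that is the label space a hosts file would
# have to enumerate to block every possible name.
LABEL_HEX_DIGITS = 8

def label_keyspace(n_hex=LABEL_HEX_DIGITS):
    """Distinct labels of n_hex hex digits (16**8 = 4,294,967,296)."""
    return 16 ** n_hex

def random_hostname(rng, domain, n_hex=LABEL_HEX_DIGITS):
    """Mimic the quoted JavaScript: <n_hex random hex digits>.<domain>."""
    label = ''.join(rng.choice('0123456789abcdef') for _ in range(n_hex))
    return f'{label}.{domain}'

def hosts_file_blocks(hosts_entries, name):
    """A hosts file matches the exact name only; there are no wildcards."""
    return name.lower().rstrip('.') in hosts_entries

def wildcard_blocks(blocked_zones, name):
    """Suffix match, as a DNS wildcard (* IN A ...) or an adblocker does:
    listing 'evil.example' covers every label beneath it."""
    labels = name.lower().rstrip('.').split('.')
    return any('.'.join(labels[i:]) in blocked_zones for i in range(len(labels)))

def simulate(trials=1000, domain='evil.example', seed=1):
    """Return (hosts_hits, wildcard_hits) over `trials` fresh random names.

    The hosts list starts with two previously observed names, the way a
    DGA tracker list is built; the wildcard list holds only the zone.
    """
    rng = random.Random(seed)              # seeded so the run is reproducible
    observed = {random_hostname(rng, domain) for _ in range(2)}
    hosts_entries = set(observed)          # exact names only
    blocked_zones = {domain}               # one wildcard-style entry
    assert all(hosts_file_blocks(hosts_entries, n) for n in observed)
    hosts_hits = wildcard_hits = 0
    for _ in range(trials):
        name = random_hostname(rng, domain)   # a never-before-seen label
        hosts_hits += hosts_file_blocks(hosts_entries, name)
        wildcard_hits += wildcard_blocks(blocked_zones, name)
    return hosts_hits, wildcard_hits

if __name__ == '__main__':
    h, w = simulate()
    print(f'label keyspace: {label_keyspace():,}')
    print(f'hosts file blocked {h}/1000, wildcard blocked {w}/1000')
```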

  20. Re: Holy shit you're dumb Khyber by cwatts · · Score: 1

    It may be insensitive, and it's definitely offensive (as i believe it's supposed to be) but the fact is that in US prison populations, blacks outnumber latinos 2-1, and latinos outnumber whites by a further 2-1. The reasons for this are, to me, far more offensive than APK's comments, but are also way beyond the scope of what I wanted to point out. Sometimes the actual facts and figures agree with the numbers suggested by prejudice and stereotypes.

    That doesn't really excuse APK's comments, but calling him racist based on this is a bit of a stretch, even if he was basing his imagery from nonfactual stereotypes. More likely it's something (unfortunately) ingrained in all of us by years of crime shows, and perhaps a Sublime song. And check out the website. It's a fascinating and awful look at incarceration in america. Its actually terrifying.

    I don't need APK to resign from whatever he does, but maybe you both could take a spin through the site below and possibly channel some of that energy into something useful.

    Or maybe just better insults.

    http://static.prisonpolicy.org...
    https://www.prisonpolicy.org/r...

    --
    chris watts