►Keep your STEEM safe! An analysis of a clipboard wallet replacer malware & Why you should care!
security·@nicetea·
## Intro

Bitcoin wallet replacer malware is quite common these days, as it is easy to develop and has dramatic effects when installed on the "right" computer. The malware replaces Bitcoin addresses stored in your clipboard with similar-looking addresses belonging to the attackers. In this post I'm going to show you a little of the structure of such malware and why it's essential to know about it if you want to be more secure!

## Clipboard checking method

One of the main functions of such malware is a method to detect a possible BTC address in the clipboard. In this case the method is called `ProbablyBtcAddress`, and it is called whenever the clipboard has changed. The clipboard content is stored in a variable called `text` and is then compared against a regex (the possible-BTC-address check).

## Replacement code

If a possible BTC wallet address is found in the clipboard, the method `SetMostSimilarBtcAddress` is called. It stores the wanted address in a string `b` and then loads previously generated BTC addresses as a HashSet. Then it checks whether the first and the last character of the already generated addresses (as you can see in the screenshot below) match those of the address in the clipboard. Once an address has been found, the clipboard is set to the unwanted address.

## Generated addresses stored in the malware

## So what does this have to do with my STEEM?

As you have probably guessed, such an attacker could easily change the detection to the STEEM address format. With the number of users growing every day, and with it the value of the Steemit community, it is in my eyes just a matter of time before criminals try to get hold of some STEEM in unwanted ways. With this post, I wanted to raise security awareness in this awesome community.

## **Always double-check the address you pasted somewhere!!**

## Stay safe!

Cheers, @nicetea
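
The "Replacement code" section explains that the swapped-in address is chosen to share the first and last character with yours, so a quick glance at the ends of the pasted string is exactly the check this malware is built to pass. The following is an added example, not code from the analysed sample: a paste verifier that compares the whole address and flags that specific lookalike pattern. The regex, function names and sample addresses are assumptions constructed for illustration (the page does not show the malware's regex).

```python
import re
from dataclasses import dataclass

# Assumed shape of a legacy Base58 Bitcoin address ("address-shaped text").
BTC_LEGACY = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")

# Constructed sample values, not real wallets.
INTENDED = "1AbcDefGhjKmnPqrStuVwxYz23456789"
SWAPPED = "1ZyxWvuTsrQpnMkjHgfEdcBa98765439"   # same first and last character


@dataclass
class PasteCheck:
    verdict: str     # "match", "lookalike-swap", "different", "not-an-address"
    differing: int   # number of character positions that differ


def glance_matches(intended: str, pasted: str, n: int = 1) -> bool:
    """Model of a user who only eyeballs the first and last n characters."""
    return intended[:n] == pasted[:n] and intended[-n:] == pasted[-n:]


def check_paste(intended: str, pasted: str) -> PasteCheck:
    """Compare the address you meant to paste with what actually landed."""
    intended, pasted = intended.strip(), pasted.strip()
    if not (BTC_LEGACY.match(intended) and BTC_LEGACY.match(pasted)):
        return PasteCheck("not-an-address", 0)
    if intended == pasted:
        return PasteCheck("match", 0)
    differing = sum(a != b for a, b in zip(intended, pasted))
    differing += abs(len(intended) - len(pasted))
    # Different string but identical ends: the pattern described on this page.
    if glance_matches(intended, pasted, 1):
        return PasteCheck("lookalike-swap", differing)
    return PasteCheck("different", differing)


if __name__ == "__main__":
    print("glance says ok:", glance_matches(INTENDED, SWAPPED))
    print("full check    :", check_paste(INTENDED, SWAPPED))
```

A wallet or exchange front end can run the same comparison against an address obtained out of band (for example from a QR code or an address book entry) before a transfer is signed.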