Board: Bitcoin Discussion
Re: Germany's Adaption To Bitcoin *AMAZING*
by keystroke on 25/05/2013, 00:31:52 UTC
Well the first reply happened in < 5 minutes!

Notice the link URL is *NOT* the URL that the anchor text is. The forum shouldn't allow this.

Definitely a scam / attempted virus. And yes those accounts are fake.

MODERATORS REMOVE THIS!

What's wrong with that link?  I saw an ad and a Guardian News article.

The Guardian News article is embedded in the page. But at the bottom of the page is the following code:

http://ge.tt/api/1/files/8jfPsUh/0/blob?download">

It attempts to install a trojan. Here is my wget dump... sorry I don't have time to do more in-depth analysis on this. But definite virus.

--2013-05-24 20:23:47--  http://ge.tt/api/1/files/8jfPsUh/0/blob?download
Resolving ge.tt... 79.125.123.149
Connecting to ge.tt|79.125.123.149|:80... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: http://w301638.open.ge.tt/1/files/8jfPsUh/0/blob?referer=&user=anon-ZTCGfaS4PKRSc7YJ6rx4rfqpUptUTnjUPMceEpmd-&download= [following]
--2013-05-24 20:23:47--  http://w301638.open.ge.tt/1/files/8jfPsUh/0/blob?referer=&user=anon-ZTCGfaS4PKRSc7YJ6rx4rfqpUptUTnjUPMceEpmd-&download=
Resolving w301638.open.ge.tt... 54.228.183.153
Connecting to w301638.open.ge.tt|54.228.183.153|:80... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: http://w144938.blob4.ge.tt/streams/8jfPsUh/Flash%20Update%202.06.exe?sig=-T7ZGwmaPGTWW0NNN1c11zAKOW7ecvJ-qBE&type=download [following]
--2013-05-24 20:23:47--  http://w144938.blob4.ge.tt/streams/8jfPsUh/Flash%20Update%202.06.exe?sig=-T7ZGwmaPGTWW0NNN1c11zAKOW7ecvJ-qBE&type=download
Resolving w144938.blob4.ge.tt... 54.247.2.234
Connecting to w144938.blob4.ge.tt|54.247.2.234|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 819200 (800K) [application/x-msdownload]
Saving to: `Flash Update 2.06.exe?sig=-T7ZGwmaPGTWW0NNN1c11zAKOW7ecvJ-qBE&type=download'

100%[===================================================================================================================>] 819,200      341K/s   in 2.3s

2013-05-24 20:23:50 (341 KB/s) - `Flash Update 2.06.exe?sig=-T7ZGwmaPGTWW0NNN1c11zAKOW7ecvJ-qBE&type=download' saved [819200/819200]


I see.  So somebody who doesn't notice, and is unaffected, is obviously going to be scamming people.  Because they thought the report was a good one.

Right.  Got it.

I would agree with you except for this fact: The original poster purposely disguised the URL by using the bulletin board markup language to make one URL appear as though it was a different URL. The address they posted as text isn't even a site! i.e. there is no "http://www.guardiannews.com/Bitcoin-town-kreuzberg-germany"

This is the code they used. I added the *s to prevent interpretation:
Quote
[*url=http://stream-rs.com/70304/]http://www.guardiannews.com/Bitcoin-town-kreuzberg-germany[/*url]

Anyway I do not want to argue about it but I did not mean to offend you by saying this post is an attempt at scamming.

BTW here is an analysis of the virus:
https://www.virustotal.com/en/file/952a43985ba918d4b49145b0dd20d11041326f6847631bcd8bc14d775bc3acd1/analysis/1369441669/
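
Added example, not part of keystroke's post and not the forum's own code: a sketch of the check the post asks for, flagging any BBCode [url=...] tag whose visible text is itself a URL on a different host than the real target. The function names, the regexes and the example.org samples are assumptions made for illustration; the first sample is the markup quoted in the post with the *s removed.

```python
import re
from urllib.parse import urlsplit

# [url=TARGET]LABEL[/url], case-insensitive; LABEL may span lines.
URL_TAG = re.compile(r"\[url=([^\]\s]+)\](.*?)\[/url\]", re.I | re.S)
# A label "looks like a URL" when it starts with a scheme or "www.".
LOOKS_LIKE_URL = re.compile(r"^\s*(?:https?://|www\.)", re.I)

def host_of(url):
    """Lower-cased hostname without a leading 'www.', or '' if unparsable."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:
        return ""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def mismatched_links(post):
    """Return (target, label) pairs whose label shows a different host than the target."""
    hits = []
    for target, label in URL_TAG.findall(post):
        target = target.strip("\"'")
        if not LOOKS_LIKE_URL.match(label):
            continue  # plain-word labels ("click here") are out of scope here
        if host_of(label) != host_of(target):
            hits.append((target, label.strip()))
    return hits

# Constructed samples; the first is the markup from the post above.
SAMPLE_POSTS = [
    "[url=http://stream-rs.com/70304/]http://www.guardiannews.com/Bitcoin-town-kreuzberg-germany[/url]",
    "[url=https://www.example.org/a]www.example.org/a[/url]",
    "[url=http://example.org/b]read the article[/url]",
]

if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        print(mismatched_links(p) or "ok", "<-", p)
```

A forum could run a check like this at post time and either reject the post or render the real target next to the label. It compares hosts only, so a label on the same host with a different path passes.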