Monday, 9 November 2020

Malware or not?

In my previous posts Crypto stealer or not and Crypto stealer or not part 2 I described my research and what the trading script does, but I never actually explained the title. I wasn't sure whether the script is really a crypto stealer or "legitimate software", because it does exactly what its EULA says it will do.

That brings me to the topic of this article: can this "crypto stealer"/trading script be considered malware or not?

Let's first quote some general definitions of malware:

- Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network (Wikipedia)

- software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system (Oxford dictionary) 

- malware refers to software programs designed to damage or do other unwanted actions on a computer system (TechTerms) 


If we take the first two definitions, then we should not consider this trading script malware: there is no disruption, no damage to the computer and no unauthorized access. But there is the third, most general definition, which talks about unwanted actions. And sending away 10% of your crypto is definitely an unwanted action. Or is it? What if there is a statement in the EULA (no matter in which language) and you have to agree to that EULA each time you run the script?

I am not a lawyer and each country may have a different legal interpretation, but I would like to know your opinion on this. Can we consider it malware in this case and call it a crypto stealer, or is it legitimate software and it is only your own stupidity that you didn't read/understand the EULA and ran the software anyway?

And one more thing on the malware/not-malware topic. I have also heard what I call the enterprise definition of malware: an organization has a policy listing approved software, and you install something that is not on that list, like WhatsApp, WinRAR or Total Commander. Would you consider that malware? Some people would, because it is unwanted software with potentially unwanted actions, and so it falls within the third definition above.

What is your opinion?

Monday, 2 November 2020

Crypto stealer or not? part 2


In the first part we covered the most important behavior of the crypto trading script and the conditions under which it charges 10 percent of your crypto balance. Now we will look at some specifics of the script and some of its interesting characteristics.


Who might be the intended target?

Most probably anyone using the Coinbase platform. The article was in English and Russian, so that does not narrow it down much. It was published on a wordpress.com blog without any ads and without a premium position in Google search; you actually had to search for quite specific keywords to be offered the post at all. Based on the information in the article, the person who decides to download and run this script needs some level of admin skills, but must also be careless enough to run it without analysing the code. That gives us the following victim profile:

  • Wealthy person with a passion for crypto
  • Motivated to trade automatically on Coinbase
  • Thoroughly searching for such a solution
  • Advanced admin skills and the ability to understand the script parameters
  • Reluctance to analyze the Python code
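The last item is the one that turns a user into a victim. Ten minutes of static triage would have shown where the script sends requests and which constants it carries, without running a single line of it. The following is an added example of such a triage, written for this post; it is not the trading script from the article, which is not reproduced here. The SAMPLE source is a constructed stand-in, and the wallet address and host in it are placeholders chosen for the example.

```python
"""Static triage of an untrusted Python script before running it.

Parses the script with the `ast` module (it is never executed) and reports:
  * string constants that look like URLs or API endpoints,
  * string constants that look like cryptocurrency addresses,
  * CLI flags declared via argparse, with their `required` status
    (e.g. a mandatory "accept the EULA" switch).
"""
import ast
import re

# Constructed sample of a bot-like script; NOT the script from the post.
SAMPLE = '''
import argparse, requests
API = "https://api.pro.coinbase.com"
FEE_WALLET = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
p = argparse.ArgumentParser()
p.add_argument("-A", required=True, help="accept EULA")
p.add_argument("--key")
args = p.parse_args()
r = requests.post(API + "/orders", json={"size": "0.1"})
'''

URL_RE = re.compile(r"^(https?|wss?)://")
# Loose patterns: bech32 and legacy Bitcoin addresses, and Ethereum addresses.
ADDR_RE = re.compile(
    r"^(bc1[02-9ac-hj-np-z]{25,62}"
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
    r"|0x[0-9a-fA-F]{40})$"
)


def triage(source):
    """Return {'urls': [...], 'addresses': [...], 'flags': [(name, required)]}."""
    tree = ast.parse(source)
    report = {"urls": [], "addresses": [], "flags": []}
    for node in ast.walk(tree):
        # Every string literal in the file: endpoints and hardcoded wallets.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if URL_RE.match(s):
                report["urls"].append(s)
            elif ADDR_RE.match(s):
                report["addresses"].append(s)
        # Every <parser>.add_argument("...", required=...) call.
        elif (isinstance(node, ast.Call)
              and isinstance(node.func, ast.Attribute)
              and node.func.attr == "add_argument"):
            names = [a.value for a in node.args
                     if isinstance(a, ast.Constant) and isinstance(a.value, str)]
            required = any(
                kw.arg == "required"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is True
                for kw in node.keywords
            )
            report["flags"].append((names[0] if names else "?", required))
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE).items():
        print(key)
        for item in items:
            print("   ", item)
```

A hardcoded wallet that is not yours, or an endpoint other than the exchange you intend to trade on, is the kind of finding that should stop you before the first run. The regular expressions are deliberately loose; their purpose is to surface constants for a human to look at, not to validate addresses.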

Are there such people?

Well, I don't know. But if you satisfied all of those requirements, you might have found the script at this URL:
http://www.mediafire.com/file/izz7hnd8m4wix4s/GDAX_trading.zip

But don't worry, it is not available any more. I have to appreciate how quickly mediafire reacted when I reported the file. I still have a copy, so if you are interested just drop me an email. And don't expect to get rich with the script: I waited some time before publishing this post, and Coinbase has meanwhile implemented countermeasures that prevent the script from running successfully ;-)

One more interesting point I would like to cover is the script's EULA.

The EULA

Yes, you are reading that correctly. This crypto trading script that takes your money has an EULA, and a very interesting one. First of all, it is in Russian. Next, it mentions Kaspersky. I am not sure whether it is just a copy of an existing license agreement or whether the Kaspersky name was used intentionally to create a false sense of security.

And then in point 3.12 you can read (thanks to Google Translate) that: "By using this software, we can charge you with 10 percent of the invested cryptocurrency"

Hmm, that is interesting. And to run the script you have to accept the EULA each time, via the mandatory parameter A. So you actually agree that you might be charged. I am not a lawyer and each country has different laws, but in my humble opinion this might be considered legitimate. And that leads us to the title: can we consider it a crypto stealer or not? Can we consider it malware? Maybe yes. And maybe it is just a paid trading script (even though the conditions could have been specified more precisely).

Please share your thoughts with me, or read the loose sequel to this series, "Malware or not".


Excerpt of the EULA (translated from Russian; the original Russian text was kept for the proper nouns)

 1. Definitions
1.1. Software means the software, accompanying materials and updates described in the User Manual, the Rightholder of which is ZAO "Laboratoriya Kasperskogo" (Kaspersky Lab).
1.2. Rightholder (holder of the exclusive right to the Software) - ZAO.
1.3. Computer means the equipment on which the Software is intended to operate, on which the Software is installed and/or on which the Software is used.

...

 3.12. For the use of this software we may charge you 10 percent of the invested cryptocurrency. (The Russian verb used, "поручить", literally means "entrust" or "assign"; the sentence is ungrammatical in the original.)