pabnchew

Possible bitcoin miner in some mods


First if this is mentioned elsewhere apologies.

 

Also Aslain I know you're not responsible for what's in other folks mods that you include in your pack.  And I'm not suggesting you are, just passing along some info.  And thanks for all you do on your site.

 

Link to TAP's article, https://thearmoredpatrol.com/2018/02/20/wot-potential-security-breach/

 

Just ran into this myself - at least it seems.

 

Couldn't update WoT and got the "couldn't connect to update service" error.  Soon after, my AV blocked a suspicious connection to an IP similar to the one listed in the article.  May have been the same IP; I know the first handful of numbers were.  But I didn't write it down nor have I checked my AV history.

 

Deleted my appdata for WoT and was able to update the game.  Did this based on some comments in the TAP article even though I didn't see anything in there that looked suspicious.

 

Also, before I deleted the appdata folder I was getting partial pages on the WoT forum that appeared to be from packet loss.  Also couldn't connect to a few other sites.   ISP speeds were fine, but to clarify, I only checked speeds, not packet loss, etc.

 

After I deleted the appdata everything seems fine - at least for now.

  • Upvote 1


I saw this article. You must know that I check every mod before adding it to the modpack, and also checking it with network analyzer. If something will try to download a coin miner, I will probably know about it. Let me know if you find something suspicious and I will double-check it.

  • Upvote 1


Figured you knew about it, but just making sure.

 

Also wasn't aware you checked them all with network analyzer.

 

Again all seems fine now.

 

Thanks for the quick reply and for your modpack.


Ever since downloading v08 I've been getting the same thing.  I didn't have the issue with 06, and I never used 07.  Went from 06-08 and it started happening with 08.

 

Here's a few more links to other reports.  If it does turn out to be one of the modders you include in your packs I hope they get named and shamed.  What a shit thing to do.  I use your pack b/c of the integrity you've always demonstrated - your pack is always clean and you go to great lengths to stay on top of what's legal and illegal.  I will continue to use your modpack and would recommend it to anyone now and in the future.  I'm posting this simply to help you if in fact it is originating from one of the modders you include.

 

http://forum.worldoftanks.eu/index.php?/topic/663292-possible-security-gapbitcoin-mining/

 

http://forum.worldoftanks.com/index.php?/topic/564173-good-legal-modpack-now-that-solos-wants-to-bitcoin-mine-with-my-computer/ <-- actually from December '17

 

There's a few others - some in foreign languages I can't read.

 

Hope this helps your search - assuming it's a mod and not WoT itself.

 

And here's the specifics from Norton:

 

Name of the IPS attack: Web Attack: JSCoinminer Download 6

Attacking PC: 82.118.20.2, 80

Attacker's URL: search.linkmyc.com/js/timeCounter.js?v=20171102

Attack caused by: DEVICE\HARDDISKVOLUME4\GAMES\WORLD_OF_TANKS\RES\CEF\CEF_BROWSER_PROCESS.EXE

Edited by Buckley
  • Upvote 1

7 minutes ago, Buckley said:

The one from solo isn't related at all - that's on solo's website - where he asked to allow or opt out of using the miner - which would - if allowed - make him a tiny bit of money while you visit his website I suppose. (And doesn't look like he has that anymore on his site - I know others have tried using similar stuff too..)

 

As for Aslain's modpack - he's been doing checks with network analyzer programs (Fiddler, for example), to see what happens when running the various mods.

  • Upvote 1


I knew this behavior was not normal. I registered JUST FOR THIS topic.  I have been too lazy and reluctant about reporting the behavior of WoT running in the background despite being 'closed'; I would just manually kill the program; it started in December or so. Thought it could be a bitcoin miner program or such in one of the mods, but thought "it's Aslain's -- it's safe! uh-huh<<tinfoilhat>>". With the most recent update, the WoT hanging stopped; however, I started getting Malwarebytes alerts on trying to connect to World of Tanks -- strange URLs have been blocked upon clicking the connect button; like I click connect, and my computer clicks a link to generate "pay per click"? This is my feeling; I was discussing this with one of my friends this very morning on my suspicions, as when WoT was hanging, it was only when running with mods. This malware alert only happens when mods are installed. Further investigation needs to be done on this issue please. I have a suspicion as to what mods it could be, as I know it's not the base Aslain XVM or such, but one of the extra bits that give some sort of advantage, but still legal.  Anywho... I hope I did not break any rules writing any of this, as this was a spur of the moment AH-HA post when I saw the topic; the very day I myself was trying to do some in-depth investigation on the matter.

 

Be safe!

Hyper

 

 

Edit: Same process as above, and a very similar URL as mentioned. The URL has been varying.

Edited by Hypertize


The problem has been identified. Polyacov_Yury mods [radial menu, ut announcer, tank lights, colored chat kill msgs, camo selector] :/ Looks like he activated something or changed on his website, that is doing all that stuff.

11 minutes ago, Aslain said:

The problem has been identified. Polyacov_Yury mods [radial menu, ut announcer, tank lights, colored chat kill msgs, camo selector] :/ Looks like he activated something or changed on his website, that is doing all that stuff.

That. The creator of PYmods has ninja-changed something on his website, that redirects to weird ads and what not. Bleeping Russians and their sneaky behavior.


Get new modpack #10, reverted his core script to old version from modpack #06.

  • Like 1

On 22.02.2018 at 22:32, Quaksen said:

That. The creator of PYmods has ninja-changed something on his website, that redirects to weird ads and what not. Bleeping Russians and their sneaky behavior.

As I've already said in DM with Aslain - I am, and will forever be, terribly sorry for this incident. My intention was never hurtful - only getting some income from the thing I devote 10+ hours every day to. My scripts never took many resources from users' PCs - the browser would hang in the background for 3 seconds and quietly destroy itself. AND it would open once per game session.

AND I have never agreed or even expected (or wanted, or intended) to download any miners to users' PCs.

Also, I don't know anything about the exe file in AppData, so don't ask me about that.

 

At this moment, the code has been removed from my PYmodsCore (20 hours ago). Feel free to update it and use my mods as you like. As I keep saying - I care about users and my reputation. If they ask me to do (or not do) something - I listen, clarify and implement everything. Everything reasonable.

And if you ask me, a request to remove a possible virus conduit in my otherwise hurtless mods sounds reasonable enough to me.

 

The only thing I am asking in return is not even some tiny amount of something that will keep me away from desperately searching for some sneaky way of improving my current situation, but to keep bitterness and name blasphemy to a minimum. I learned my lesson.

Any advice on legally getting income is appreciated.

  • Like 2


Another possible bitcoin miner in some mods!

I don't know in what mod, but it is in the Aslain package. (Aslains_WoT_Modpack_Installer_v.1.0.0_05.exe - in Aslains_WoT_Modpack_Installer_v.1.0.0_03.exe all ok)

Time: 2018-03-22 20:28:57
URL: http://js.bestquickcontentfiles.com/dl.min.js
Status: Blocked by Anti-Phishing Blacklist
Application: D:\World_of_Tanks\res\cef\cef_browser_process.exe
 


 

 

 

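Both alerts quoted in this thread (the Norton IPS entry and the installer's blocked-URL row above) share one detail worth acting on: the process making the request is the game's embedded Chromium helper, cef_browser_process.exe, not the game executable itself. The script below is an added example, written for this page and not code from the thread, from Aslain's modpack or from any of the mods discussed. It parses both alert formats, pulls out the destination host and the originating process, and flags any request the embedded browser makes to a host outside an expected allowlist. The allowlist domains are an assumption (replace them with what a clean install of the game is observed to contact), and the extra log rows are constructed to show an allowed host and a non-game process being ignored.

```python
"""Triage helper: flag requests made by the game's embedded browser
(cef_browser_process.exe) to hosts outside an expected allowlist.
Added example modelled on the Norton and installer alerts quoted in the
thread; the allowlist and the extra log rows are assumptions/constructed."""
import ntpath
from urllib.parse import urlparse

# ASSUMPTION: hosts the game client is expected to talk to. Derive the real
# list from a capture of a clean, mod-free install before relying on it.
EXPECTED_HOSTS = {"worldoftanks.com", "worldoftanks.eu", "wargaming.net"}

# Norton IPS alert as posted in the thread (key: value lines, one event).
NORTON_SAMPLE = """\
Name of the IPS attack: Web Attack: JSCoinminer Download 6
Attacking PC: 82.118.20.2, 80
Attacker's URL: search.linkmyc.com/js/timeCounter.js?v=20171102
Attack caused by: DEVICE\\HARDDISKVOLUME4\\GAMES\\WORLD_OF_TANKS\\RES\\CEF\\CEF_BROWSER_PROCESS.EXE
"""

# Semicolon-delimited rows in the installer-log layout posted above. The
# first row is the posted one; the other two are constructed for contrast.
LOG_ROWS = [
    "2018-03-22 20:28:57; http://js.bestquickcontentfiles.com/dl.min.js; "
    "Blocked by Anti-Phishing Blacklist; D:\\World_of_Tanks\\res\\cef\\cef_browser_process.exe;",
    "2018-03-22 20:29:10; https://worldoftanks.eu/en/news/; Allowed; "
    "D:\\World_of_Tanks\\res\\cef\\cef_browser_process.exe;",  # constructed
    "2018-03-22 20:29:12; http://js.bestquickcontentfiles.com/dl.min.js; Allowed; "
    "C:\\Program Files\\Browser\\browser.exe;",  # constructed: not the game
]


def host_of(url: str) -> str:
    """Hostname of a URL; tolerates the scheme-less form Norton prints."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_expected(host: str, allowlist=EXPECTED_HOSTS) -> bool:
    """True when host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def is_game_browser(process_path: str) -> bool:
    """Match the embedded Chromium helper regardless of drive, path or case."""
    return ntpath.basename(process_path).lower() == "cef_browser_process.exe"


def parse_norton(text: str) -> dict:
    """Turn the Norton key: value lines into one event dict."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")  # first colon only; values may contain ':'
        fields[key.strip()] = value.strip()
    return {
        "signature": fields.get("Name of the IPS attack", ""),
        "url": fields.get("Attacker's URL", ""),
        "process": fields.get("Attack caused by", ""),
    }


def parse_log_row(row: str) -> dict:
    """Split a 'time; url; status; application;' row into an event dict."""
    time, url, status, process = [p.strip() for p in row.split(";")][:4]
    return {"time": time, "url": url, "status": status, "process": process}


def triage(events) -> list:
    """(host, url) for each request the game browser made to an unexpected host.
    A non-game process is ignored: the point is what the game itself reaches."""
    flagged = []
    for ev in events:
        host = host_of(ev["url"])
        if is_game_browser(ev["process"]) and not is_expected(host):
            flagged.append((host, ev["url"]))
    return flagged


def demo() -> list:
    """Run both parsers over the samples and return the flagged requests."""
    events = [parse_norton(NORTON_SAMPLE)] + [parse_log_row(r) for r in LOG_ROWS]
    return triage(events)


if __name__ == "__main__":
    for host, url in demo():
        print(f"UNEXPECTED: game browser reached {host}  ({url})")
```

Run as-is it reports the two hosts from the thread and nothing else; the constructed row to worldoftanks.eu passes the allowlist and the non-game browser row is skipped. The same filter can be applied to a Fiddler or proxy export of the modded client, which is the check Aslain describes doing before adding mods to the pack.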

Logs?

Just now, Caridan said:

From Antivir? or what?

From installer, info in my signature.


Thanks

 

Problem solved.
