Intro
Bitcoin wallet replacer malware is quite common these days, as it is easy to develop and has dramatic effects when installed on the "right" computer. The malware replaces Bitcoin addresses stored in your clipboard with similar-looking addresses belonging to the attackers. In this post I'm going to give you a look into the structure of such malware and explain why knowing it is essential if you want to be more secure!
Clipboard checking method
One of the main functionalities of such malware is a method to detect a possible BTC address in the clipboard. In this case the method is called ProbablyBtcAddress and is invoked whenever the clipboard changes. The clipboard content is stored in a variable called text and then matched against a regex (the "possible BTC address" check).
Replacement code
If a possible BTC wallet address is found in the clipboard, the method SetMostSimilarBtcAddress is called. It stores the wanted address in a string b and then loads previously generated BTC addresses as a HashSet. It then checks whether the first and the last character of one of the already generated addresses (as you can see in the screenshot below) match the address in the clipboard. Once such an address has been found, the clipboard is set to the unwanted address.
Generated addresses stored in the malware
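As an added example (not code from the post or from the malware it describes), the following Python script shows the defender's side of the two checks explained above: it applies an address pattern check and the first-and-last-character lookalike comparison to a constructed clipboard history and flags a replacement that matches the behaviour of SetMostSimilarBtcAddress. The regex, the function names and the sample addresses are assumptions; the post does not show the malware's own regex or address list.

```python
import re

# Loose pattern for legacy Base58 addresses (start with 1 or 3, 26-35 chars,
# Base58 alphabet without 0, O, I, l). The post does not show the malware's
# regex; this pattern is an assumption standing in for it.
BTC_ADDRESS_RE = re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}")


def looks_like_btc_address(text: str) -> bool:
    """A ProbablyBtcAddress-style check: does the whole clipboard look like an address?"""
    return BTC_ADDRESS_RE.fullmatch(text.strip()) is not None


def is_lookalike_swap(before: str, after: str) -> bool:
    """True when an address-like value was replaced by a different address-like
    value sharing its first and last character, the selection heuristic the
    post describes for SetMostSimilarBtcAddress."""
    if not (looks_like_btc_address(before) and looks_like_btc_address(after)):
        return False
    before, after = before.strip(), after.strip()
    return before != after and before[0] == after[0] and before[-1] == after[-1]


def scan_clipboard_history(events):
    """events: ordered list of (timestamp, clipboard_text). Returns a list of
    (timestamp, original, replacement) tuples, one per suspicious swap."""
    alerts = []
    for (_, prev), (when, cur) in zip(events, events[1:]):
        if is_lookalike_swap(prev, cur):
            alerts.append((when, prev.strip(), cur.strip()))
    return alerts


# Constructed clipboard history; the addresses are made-up Base58 strings, not real wallets.
COPIED = "1AZxK9dQ2mN7pR4sT8vW3yB6cE5fH1jL2n"
SWAPPED = "1Qw7eR5tY3uP9aS2dF6gH4jK8zX1cV5bMn"   # same first and last character as COPIED
OTHER = "3Hq2sD8fG5kN3mP7rT9vW2xZ4bC6dE8fJk"     # different first character
SAMPLE_EVENTS = [
    ("10:00:01", "call back at 3"),
    ("10:00:05", COPIED),    # user copies the recipient address
    ("10:00:05", SWAPPED),   # clipboard changes again without user action
    ("10:01:10", "meeting notes"),
    ("10:02:00", OTHER),
    ("10:02:30", COPIED),    # legitimate re-copy; no shared first/last char with OTHER
]

if __name__ == "__main__":
    for when, original, replacement in scan_clipboard_history(SAMPLE_EVENTS):
        print(f"{when}: clipboard address {original} replaced by lookalike {replacement}")
```

The same comparison can be done by hand before sending: check more than the first and last characters of the address you paste, because those are exactly the characters the malware keeps the same.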
So what does this have to do with my STEEM?
As you have probably guessed, such an attacker could easily change the detection to the STEEM address format. With the growing number of users every day, and thus the growing value of the Steemit community, it is in my eyes just a matter of time until criminals try to get some STEEM in unwanted ways. With this post, I wanted to raise more security awareness for this awesome community.