New Malware Targets Bitcoins To Steal

from the if-your-money-needs-malware-protection dept

It's been fascinating to watch the back-and-forth discussions about Bitcoin. The big story recently was the supposed "theft" of $500,000 worth of Bitcoins. But perhaps a lot more interesting is the report of new malware specifically targeting Bitcoins. The malware searches for a Bitcoin wallet, which it then tries to email to a specific server. Among the many concerns people have raised about Bitcoins, this one hadn't received much attention earlier, but it could potentially scare a lot of people. The lack of traceability is one of the selling points, but it also has a downside in these types of situations.


Reader Comments

  •
    Josh in CharlotteNC (profile), Jun 17th, 2011 @ 1:26pm

    Just like cash

    Your BitCoin wallet holding your BitCoins is no different than a physical wallet stuffed with cash. That's made abundantly clear if you read the FAQs on the BitCoin website. If you leave either wallet sitting out in the open (physically or digitally), you're gonna lose it, and recovering cash - good luck with that.

    So, if you take precautions with cash, and your online bank account and credit card info, you need to take them with your BitCoins, too. A significant difference between an online bank account and your BitCoins is that you are in 100% control of all the information related to your BitCoins. You don't have to worry that after buying something from a merchant, that they'll save or leak your credit card number and it's out in the wild.

    Say you mine BitCoins on a Windows box that's connected up to the Internet. When you mine one, it goes to the wallet file on that machine. Get a non-networked Linux box for your "real" wallet, and transfer any mined coins from one to the other.

     

    •
      DCX2, Jun 17th, 2011 @ 2:19pm

      Re: Just like cash

      That's pretty much what I do for online banking. I found myself a cheap netbook, wiped it clean, installed ubuntu on it, and the only thing I use that netbook for is online banking. It is otherwise disconnected; even the battery is removed, although not for security reasons...it just helps prolong battery life.

       

  •
    :Lobo Santo (profile), Jun 17th, 2011 @ 1:44pm

    well,

    Obviously they got what they deserved for not using a secure Linux system.

     

    •
      Bengie, Jun 17th, 2011 @ 1:58pm

      Re: well,

      Win7 was harder to remotely hack than OSX or Linux at all the recent conventions.

      If people want to be safe with their coins, make a separate account for BC and put deny access to everyone else on the BC wallet file. Then you can run BC as that user and no malware you randomly decide to install will get your wallet.

      If people didn't randomly install crap on their machines, they would get malware.

       

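A POSIX version of the check Bengie describes, as an added example that is not part of the original comment thread: it audits whether a wallet file is reachable by any account other than its dedicated owner. The function name, the file name and the sample file are constructed for illustration; the Windows setup discussed in the thread would use NTFS ACLs instead of mode bits.

```python
import os
import stat
import tempfile


def audit_wallet_file(path, expected_uid=None):
    """Return a list of findings for a wallet file; an empty list means it passed."""
    findings = []
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink; inspect the real target instead"]
    if not stat.S_ISREG(st.st_mode):
        return ["path is not a regular file"]
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    # Any group/other bit means an account besides the owner can touch the file.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"mode {stat.S_IMODE(st.st_mode):04o} grants access to group/other")
    # A directory others can write to lets them swap the file out from under you.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is writable by group/other")
    return findings


def demo():
    """Audit a constructed placeholder file before and after tightening its mode."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        wallet = os.path.join(d, "wallet.example")  # hypothetical file name
        with open(wallet, "wb") as f:
            f.write(b"constructed placeholder, not a real wallet")
        os.chmod(wallet, 0o644)  # typical default: readable by every local user
        before = audit_wallet_file(wallet, expected_uid=os.getuid())
        os.chmod(wallet, 0o600)  # owner-only, the "deny everyone else" setting
        after = audit_wallet_file(wallet, expected_uid=os.getuid())
        return before, after


if __name__ == "__main__":
    print(demo())
```

The check only covers other accounts: code running as the wallet's owner, or with administrative rights, is not stopped by file permissions.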

      •  
        Anonymous Coward, Jun 17th, 2011 @ 2:30pm

        Re: Re: well,

        "conventions" != real life.


        Not saying 7 or Linux is easier to "hack" than the other, I'm saying that neither's security should be ranked based on conventions where vendors' interests are at stake more than those that wish to breach them.

         

      •
        btrussell (profile), Jun 17th, 2011 @ 3:51pm

        Re: Re: well,

        "Win7 was harder to remotely hack than OSX or Linux at all the recent conventions."

        Would have been easier if they had connected to the network.

         

      •
        Anonymous Coward, Jun 19th, 2011 @ 7:12am

        Re: Re: well,

        Win7 was harder to remotely hack than OSX or Linux at all the recent conventions.

        Citation needed.

         

  •
    PrometheeFeu (profile), Jun 17th, 2011 @ 1:56pm

    Well, if you keep 1/2 million dollars in cash in your house, and somebody breaks in and takes the money, you can't magically wave your hand and get it back. Security is one of the reasons why we put our money in banks and it's the same thing with bitcoins.

     

  •
    Anonymous Coward, Jun 17th, 2011 @ 2:01pm

    COINcidence? I don't think so.

    First the government targets Bitcoins, then all of a sudden this malware springs up. Hmmmm...

     

  •
    FuzzyDuck, Jun 17th, 2011 @ 2:15pm

    Traceability

    > The lack of traceability is one of the selling points,

    The lack of traceability is a myth. People can follow the stolen bitcoins through the network as each transaction is public. It's going to be pretty hard for the thief to cash it out somewhere.

     

    •
      pixelpusher220 (profile), Jun 17th, 2011 @ 2:51pm

      Re: Traceability

      The 'traceability' refers to the physical 'owner' of the BitCoins, not the BitCoins themselves. As you note, the transactions are public and distributed.

      Only if someone validates the BitCoins they are receiving against this list will they be stopped. Just like serial numbers on paper money. Unless you're looking for it, the 'cash' is just 'cash'.

       

      •
        umccullough (profile), Jun 17th, 2011 @ 4:48pm

        Re: Re: Traceability

        That's my understanding as well - that the bitcoin block is untraceable once it leaves a person's wallet - but you can track who is sending/receiving them.

        That does little good if 25,000 people receive a bitcoin from this thief - it doesn't mean that those 25,000 people become thieves, just as a store clerk receiving a stolen $20 bill in return for groceries doesn't make them a thief.

         

  •
    Anonymous Coward, Jun 17th, 2011 @ 4:49pm

    (A non-patentable idea)

    Bitcoin should require a password after selecting an 'account number'.

    So you have all these bitcoin account numbers and you select one. You shouldn't just willy nilly be able to select an account number and then suddenly transfer bitcoins from one account to another. A password should be required and that password should be the password required to decrypt the necessary information to transfer bitcoins.

    Sure, most people will likely choose easily crackable passwords, and bitcoin should give some advice on recommended password parameters, but at least it slows down the process of malicious bitcoin transfers by third party software, which could give a later alerted user time to transfer his bitcoins to an uncompromised account before the password is cracked.

     

    •
      Anonymous Coward, Jun 17th, 2011 @ 4:51pm

      Re:

      (assuming the malicious software didn't destroy the necessary transfer data or that the user has backups if the software did).

       

      •
        Anonymous Coward, Jun 17th, 2011 @ 4:55pm

        Re: Re:

        (also, people on slashdot suggested that people should be diligent and separately encrypt the necessary transfer data with a secure password. No, Bitcoin should have the technology that allows users to encrypt their transfer data built in).

         

    •
      umccullough (profile), Jun 17th, 2011 @ 4:54pm

      Re:

      We're talking about a file on your hard drive here... it doesn't matter if you password protect the file - once malware is in place, you just throw a keylogger on to watch everything the user types.

      You can always encrypt the wallet file, store it offline, or send your bitcoin to a website that "stores" them for you (mybitcoin.com for example)... but that doesn't stop the fact that stored bitcoin can be taken from your machine if you don't protect it somehow.

       

      •
        Anonymous Coward, Jun 17th, 2011 @ 5:07pm

        Re: Re:

        "We're talking about a file on your hard drive here... it doesn't matter if you password protect the file - once malware is in place, you just throw a keylogger on to watch everything the user types."

        Of course, but you assume that all cases of malware intrusion are succeeded by someone typing in all of their bitcoin passwords before discovering the intrusion.

        Also, a password can deter someone with physical access to the computer from simply copying the file over and getting easy access to that information. It gives time for users who periodically transfer money from account to account for security reasons to do so or to discover the intrusion and transfer the money before anything gets cracked. More work is needed to gain access to those coins, that extra work will act as a thief deterrent, and people will weigh the work necessary to steal those coins with the work necessary to earn them.

        Also, malware creators will need to extend more work creating an appropriate keylogger to work with the data transfer software (or if it's a general keylogger they have to spend lots of time looking through the logs, especially if they are looking through the logs of hundreds of users, and by then many of those users could discover the intrusion and transfer the money to another safer account).

        It's like a lock on a door. It won't keep a determined criminal out by any stretch of the imagination, but it's enough to deter many criminals.

         

        •
          umccullough (profile), Jun 17th, 2011 @ 5:19pm

          Re: Re: Re:

          Bah, keyloggers are a dime a dozen these days.

          It's important to note that the bitcoin software is not necessarily a single program - anyone can create their own "secure" bitcoin program if they want (it's open source)... so this problem is likely to solve itself as people actually care enough to do it.

          There's no central authority involved here, so trying to say what they "should do" is sort of pointless, as no one person, or group of people is necessarily responsible for how bitcoin is stored or managed.

           

          •
            Anonymous Coward, Jun 17th, 2011 @ 5:24pm

            Re: Re: Re: Re:

            "It's important to note that the bitcoin software is not necessarily a single program - anyone can create their own "secure" bitcoin program if they want (it's open source)... so this problem is likely to solve itself as people actually care enough to do it."

            I know.

            "There's no central authority involved here, so trying to say what they "should do" is sort of pointless, as no one person, or group of people is necessarily responsible for how bitcoin is stored or managed."

            'They' refer to the bitcoin client developers, and there is a point, to point out the need to create such security features. Yes, they will likely be created anyways, but I was just making a suggestion for discussion purposes since such a suggestion is relevant to the OP.

             

          •
            Anonymous Coward, Jun 17th, 2011 @ 5:28pm

            Re: Re: Re: Re:

            "Bah, keyloggers are a dime a dozen these days."

            Yes, but general key logs are a time consuming pain to analyze, especially when you have hundreds of them, such extra needed work acts as a deterrent and gives alerted users time to transfer the money to other accounts before it gets stolen.

             

      •
        Anonymous Coward, Jun 17th, 2011 @ 5:21pm

        Re: Re:

        "You can always encrypt the wallet file, store it offline, or send your bitcoin to a website that "stores" them for you"

        Yeah, but in order to transfer data, at some time that file needs to be decrypted, and a keylogger can monitor the password necessary to decrypt it. So your 'solution' suffers the same shortcoming just as well.

         

        •
          umccullough (profile), Jun 17th, 2011 @ 6:15pm

          Re: Re: Re:

          If it was me, I'd store large quantities of bitcoin offline in multiple wallets (which the guy with 25,000 of them apparently did not bother to do), and then only as much as I need when I'm certain my machine is clean.

          I don't know about you, but I keep my money in multiple locations - some easy to get to (my actual wallet), some in a safe (locked in my house), and some in my bank account (obviously protected by the institution itself).

          That way if someone mugs me in the street, they only get what's in my wallet at the time. If someone breaks into my house (and somehow figures out my safe combination - perhaps because they somehow saw me use it through a window or something), they still don't get what's in my savings account.

          Anyone can do the same with bitcoin, they just tend to be lazy because it's "convenient" to just keep it all in one place, on their trusty, secure computer.

           

          •
            Anonymous Coward, Jun 17th, 2011 @ 7:11pm

            Re: Re: Re: Re:

            "If it was me, I'd store large quantities of bitcoin offline in multiple wallets (which the guy with 25,000 of them apparently did not bother to do), and then only as much as I need when I'm certain my machine is clean."

            Implementing client based password protection and the above aren't two mutually exclusive possibilities.

             

  •
    Hephaestus (profile), Jun 17th, 2011 @ 5:41pm

    The protocol for the bitcoin system is pretty much unbreakable

    The problem lies in the wallet file being clear text, and the client apps being unsecure. What someone needs to do is come up with a client side protocol document like (pdf warning) Satoshi Nakamoto's paper Bitcoin: A Peer-to-Peer Electronic Cash System. This has caused the price of bitcoins to fall by $3 USD, they were at $19 USD three days ago. (Here is a current price chart)

     

  •
    Anonymous Coward, Jun 17th, 2011 @ 7:48pm

    Just use Ukash...

     
