Forgot your password?
typodupeerror
Bitcoin Security IT

Trojan Goes After Bitcoins 344

Posted by Soulskill
from the strict-inevitabilities dept.
Orome1 writes "Bitcoin has definitely caught the attention of criminals. Even though it has been calculated that the use of botnets for Bitcoin mining is still not quite as lucrative as renting them out for other purposes, targeting people who have them in their digital wallets is quite another matter. Symantec researchers have spotted in the wild a Trojan dedicated to this specific purpose. Named Infostealer.Coinbit, it searches for the Bitcoin wallet.dat file on the infected computer and sends it to the criminal(s)."
This discussion has been archived. No new comments can be posted.

Trojan Goes After Bitcoins

Comments Filter:
  • mugging (Score:5, Insightful)

    by x6060 (672364) on Friday June 17, 2011 @10:45AM (#36474438)
    Imagine that. Storing values that represent "Money" in a plaintext file was a bad idea. Who would've thunk... =\
    • Re:mugging (Score:5, Funny)

      by cgeys (2240696) on Friday June 17, 2011 @10:49AM (#36474490)
      Well, it's open source. You can improve it yourself.
      • by x6060 (672364)
        I would worry about ANY attempt at a form of open currency that was released with such a gaping hole as "If someone grabs this single file off my computer then they have all my money..." It doesn't matter if it's open or not.
        • by unity100 (970058)
          how is it any different in real life ?
          • by tehcyder (746570)

            how is it any different in real life ?

            It's not, if you're stupid enough to keep all your cash under your bed in an area known for burglaries.

        • by erroneus (253617)

          Agreed. Seems pretty obvious that the file should actually be comprised of two parts where one is kept on a removable storage device and the other can be on your local machine(s). That wouldn't be "THE Answer" but it it would be better than this.

          I think that a lot of these types of problems will emerge and Bitcoin will be redesigned and rebooted.

          • by mmcuh (1088773)
            This problem has nothing to do with the Bitcoin network, only the client. Anyone can write a new client that stores the wallet in a safer way and it will not require "rebooting" the Bitcoin system itself.
        • by Bert64 (520050)

          Any currency works like that...
          If someone grabs your cash then they have all your money with traditional currency too.
          You need to take the same precautions with bitcoin too.

        • by LocalH (28506)

          As opposed to "If someone grabs this single wallet out of my pocket then they have all my money". Sure, PINs and the like, but still the situation is similar.

    • Re:mugging (Score:4, Insightful)

      by NeutronCowboy (896098) on Friday June 17, 2011 @10:52AM (#36474542)

      No kidding. I always thought that the actual money file was encrypted, and could have an arbitrary name. You know, like a truecrypt volume file. Then I find out it's by default a text file hanging out on your computer. Fine and dandy if you have 100% control over your computer at all times, but we all know that's never the case. And judging by the passwords people use, it will be easy to brute force most passwords.

      Somehow, I think bitcoin is going to flame out in a rash of digital thievery when criminals realize that it is easier to steal someone's bitcoin file than it is to mine it or even look for credit card info.

      • You could encrypt the wallet, but with what? A password? Offline encryption is too cheap. A key file? But then if you keep that key file in the machine, you gain nothing.

        There's no really effective security that the bitcoin program could apply; you need to copy the wallet off the machine.

      • by DrXym (126579)
        Well it's not a text file, it's a Berkeley DB file but same difference. It's shoddy design and it would have been apparent to anyone who spent a few minutes looking at the state of the source code.
    • by Joce640k (829181)

      I, for one, was totally stunned by that. WTF were they thinking? If the rest of Botcoin is as security-minded as this then it's sunk before it even goes anywhere.

    • If someone has access to your user session then encrypting your wallet it is only going to make the attackers life slightly harder since you will need to supply the software with a password to decrypt it at some point.

      There isn't really any good soloution to this other than moving the wallet completely off the machine that is running an insecure general purpose OS onto a limited function device.

      • by batquux (323697)

        You can put your wallet.dat on a flash drive, lock it in a safe, and still be able to send money to it. The network keeps track of the values. The wallet is your key to access the bitcoins.

      • by DrXym (126579)

        If someone has access to your user session then encrypting your wallet it is only going to make the attackers life slightly harder since you will need to supply the software with a password to decrypt it at some point.

        Encryption protects the data as it resides on disk so unless the trojan is keylogging and captures the exact moment you enter a password (which you may only do once in a blue moon) it has nothing to work with. That increases the chances you'll detect the trojan before it can steal any data. Encryption also protects you from drivebys, e.g. a web browser exploit that allows someone to lift a file off your disk.

        Of course crypto may not protect from someone who owns your machine and has the time to log keystr

    • by Yvanhoe (564877)
      Just as bas as printing this money on paper. What a ludicrous idea.
  • Another visitor! (Score:2, Informative)

    by Anonymous Coward
    Next up: Guy pays for burger with Bitcoin.

    Can we stop the Bitcoin stories already?
    • by infodragon (38608) on Friday June 17, 2011 @11:11AM (#36474814)

      As much as the Bitcoin stories are getting a little much we are seeing the birth of something completely new; A medium of exchange that is independent of any government. The criminal/socially unacceptable elements are legitimizing the currency by applying value. Anything that enough humans apply value to will become valuable. The primary value of gold is that many people ascribe value to it and wish to possess it. If you buy gold on the markets you pay a storage fee because there are not enough commercial applications of gold to make storage profitable. Silver, platinum, copper... They all pay a bit if you buy contracts. The only purpose of gold then is to provide a medium of exchange.

      Bitcoin is something similar in that a very large group of people are beginning to value the electronic currency, thus it has value. The context of the source of that valuation has no consequence. Humans are now using it as a medium of exchange which is now creating demand. That demand is causing a rise in price and others now wish to posses it as it has potential for increasing value. This is the basic form of speculation.

      Now we have a socially illegitimate group applying the initial value and then speculators step in. Speculators are socially acceptable and so a balance is beginning to form. If this continues a stabilized economy will form and it will be unstoppable.

      To wish that these stories be stopped is a bit shot sighted. We may be witnessing something that has *NEVER* happened before! It's quite exciting to watch something like this form, not to mention the insight into human behavior and the many benefits that can result for that insight. Not to mention a currency that is independent of any one government.

      I do not see Bitcoins ever replacing government currency but I do see it becoming a supplemental tool for securing wealth and providing a medium of exchange detached from economically repressive governments. Any government that taxes represses it's people, the people accept that repression as a necessity to govern the society. Anyway, being able to purchase something without the government being in your business is a true expression of freedom and extends a way for true privacy to be exercised. This scares quite a few people in government and will be incredibly interesting to watch it play out.

      As a side note, the VHS and Internet were "legitimized" by unsavory elements of society. And here we are discussing something in a way that 20 years ago was a dream and 80 years ago was unimagined, all because it was first a marginal "thing" exploited by unsavory elements in which a majority of the population expressed the desire to not be bothered. We live in exciting times and Bitcoin is the tip of something extremely interesting.

      • by Zenaku (821866) on Friday June 17, 2011 @11:23AM (#36475008)

        I would mod you up if I could, as you've said just what I wanted to say.

        BitCoin is technically interesting, dammit. I don't own any, and I don't think I want to. . . it does seem like a risky, unstable economy to me. But the very idea of it is brilliant, and the implementation details and implications of its existence are profoundly interesting to me. It fits the "New for Nerds, Stuff that Matters" theme far better than most of the other stories posted here.

        • by infodragon (38608)

          I've considered putting $10 USD into just because it creates a vested interest. That interest sensitizes on a psychological level that no amount of intellectual interest can duplicate.

      • by BitZtream (692029)

        The criminal/socially unacceptable elements are legitimizing the currency by applying value

        So some bored kid modifies a standard off the shelf virus to go specifically after a given file on your computer, that is in effect worthless ... it suddenly becomes worth something? You must be one of the morons who bought into Bitcoin. They aren't attacking so much to do something with your bitcoin, its more like mugging you and taking your wallet then throwing it away later. They are going after them just to go after them and cause trouble, NOT to use the crap that is unusable sense no one with half a

      • by Tharsman (1364603)

        As a side note, the VHS and Internet were "legitimized" by unsavory elements of society.

        Objection!!!

        There is nothing "unsavory" about good porn!

      • Value does not appear magically, or because a bunch of people wake up one day and ascribe value to something. Value exists because of supply and demand -- something which is limited and which people want. The demand for currency is not that it is a "medium of exchange" -- that is nice, but nobody is going to accept pieces of paper with numbers printed on them just because they are a convenient medium of exchange. The demand for currency is a result of its useful in settling debts -- debts owed to the gov
      • As much as the Bitcoin stories are getting a little much we are seeing the birth of something completely new; A medium of exchange that is independent of any government.

        Aside from, of course, barter.

  • And yet... (Score:2, Insightful)

    by Sygnus (83325)

    Nothing of value was lost.

  • by xMrFishx (1956084) on Friday June 17, 2011 @10:54AM (#36474568)
    Encryption! (Sorry, couldn't resist - and I know it's not)

    But honestly, if you're using this system for any sort of money handling, then leaving it, the equivilent of lying around, is not a good idea. Secure your money properly, use common sense. Also I believe it's even on BitCoin's good practise list of recommendations. Encrypt your wallet and keep a backup elsewhere incase a nasty trojan erases it. Good data retention practise applies to everything.
    • by DrXym (126579)

      Encryption! (Sorry, couldn't resist - and I know it's not) But honestly, if you're using this system for any sort of money handling, then leaving it, the equivilent of lying around, is not a good idea. Secure your money properly, use common sense. Also I believe it's even on BitCoin's good practise list of recommendations. Encrypt your wallet and keep a backup elsewhere incase a nasty trojan erases it. Good data retention practise applies to everything.

      If Bitcoin knows it's good practice, then why can't it be implemented in software? The simple fact is if Apple did this or Microsoft or Google then people would (and do) shit on them from a great height. The problem here is the Bitcoin client used by the majority of users is insecure by default. It's making it easy for the bad guys to rip people off.

  • I would be happy to pay five billion bigsexyjoe nickels for you to stop running bitcoin stories. Thank you
    • by Ecuador (740021)

      I will add eleventy bajillion pirate dinaarrgh dollars to that offer.

      • I've got a whole slew of newly "acquired" bitcoins in my Infostealer.Coinbit account I can contribute to the cause as well. If they can be used to stop the blatant and rampant slashvertisement, they will finally have a valuable use.
  • So a trojan goes around trying to find some data? Big deal. Call me when the data has some actual value, and is not just part of a giant speculative bubble (or perhaps pyramid scheme).
    • by walshy007 (906710)

      Call me when the data has some actual value,

      The value of anything is assigned by people themselves, nothing has inherent value. It will have value when people assign it to it, which many people already have apparently.

  • by Dr. Spork (142693) on Friday June 17, 2011 @11:09AM (#36474786)
    This security hole and related stealing is definitely a problem, but it's not a problem for Bitcoin. I give it a week before somebody releases a beta version of a simple bitcoin management application that encrypts, backs up and hides the relevant .dat file, as well as providing other functionality for managing your account and maybe even mining. Ideally, this would be a program that you compile yourself, so that you know there's nothing shady in it. I don't see anything in Bitcoin itself which makes it inherently vulnerable to this sort of stealing. A good application for this could make bitcoins at least as safe as your password for online banking.
  • Back in 2001, a virus stole all my TreeLoot dollars. 2 years of punching the monkey, all down the drain in an instant.
  • money is an abstract representation of a wealth of a society. as such, it needs integrity. this integrity is derived from transparency. without integrity or transparency, "money" loses meaning, and therefore value, because people lose confidence in a society's money: they don't want to invest meaning and value in it if they can't depend upon the idea that it is worthy to do so. and without integrity and transparency, there's no way to track or understand a currency's value. it's like wanting absolutely secu

  • I was kind of wondering what happened yesterday. I mean seriously, a whole day without a Bitcoin story!
  • Trojan's in your wallets don't offer very much protection. Any sex ed teacher can tell you that.

  • Can we stop getting bitcoin spam. It is a stupid idea.
    Seriously, for a monetary system to have value it has to be widely agreed upon. Bitcoins are nothing more than electronic wampum, eWampum or iWampum, if you will. (Those are my trademarks! :-) The value of a bit coin is no more or less a monetary system than is the value of baseball cards, sure, you can buy, sell, and trade them, but they are not actual currency and are not likely to be. In limited circles they make take on as a token, similar to chips

Man is the best computer we can put aboard a spacecraft ... and the only one that can be mass produced with unskilled labor. -- Wernher von Braun

Working...