Bitcoin stealing malware evolves again

Luke Parker, 11 Feb 2016 - BitcoinSecurityVirus

There are three traditional ways for malware and viruses to generate bitcoins for their creators: direct theft of private keys from bitcoin wallets, parasitic bots that mine bitcoin with stolen processing power, and ransomware that encrypts files and demands a bitcoin payment to restore access.

Stealing private keys is often accomplished with a computer virus. This type of malware emerged in early 2011, using keyloggers and other classic techniques to find data that looks like a bitcoin wallet private key, or a whole wallet data file full of them.

The largest attack of this kind was conducted with the Pony botnet in 2014, which stole a variety of personal information from millions of users. The criminals behind the malicious code got away with about US$220,000 worth of various cryptocurrencies, from its many victims.

A second type of attack also emerged in 2011. Using the idle processing power of infected computers, this new breed of trojan actually mined bitcoins. The ZeroAccess botnet infected as many as 1.9 million machines with the code. A more recent attack variety affected Android phones, and was distributed to over 10,000 users through the Google Play store in 2014.

Although newer, the third attack type has been on the rise lately. Instead of searching for private keys or mining bitcoins, ransomware encrypts a victim’s hard drive. One particularly bad strain of ransomware, Cryptowall, actively targeted US victims in 2014, extorting between $200 and $10,000 in bitcoin for decrypting the files. The thefts prompted the FBI to issue a public warning about the scheme in June 2015.

A McAfee labs Threat Report revealed a 165% rise in new ransomware during the first quarter of 2015, after having stated previously that “ransomware will evolve its methods of propagation, encryption, and the targets it seeks.”

A fourth type of bitcoin-thieving malware was recently created. This new variety hijacks the infected device’s Windows clipboard and replaces bitcoin addresses as they’re copied and pasted.

Trojan.Coinbitclip is the first instance of this new type of attack, discovered by Symantec on Feb 2nd. It was designed to watch for a bitcoin address copied to the clipboard and replace it with one of its own, bypassing any protection from multi-signature and hardware wallets.

While clipboard hijacking is not a new concept, this is the first time it has been found replacing bitcoin addresses.

- Symantec


This clever little invader carries a large list of bitcoin addresses and, when making the switch, chooses the one that most closely resembles the copied address, which makes the substitution harder to spot. In the sample Symantec observed, there were 10,000 Bitcoin addresses stored in the code. The end result is that copying and pasting a payment address can easily trick you into sending your coins to the malware's creator.
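Why the swap slips past a wallet's usual checks, as an added example (not code from the article or from Symantec): the substituted address is itself a valid Base58Check string, so checksum validation passes, and the only reliable defence is comparing what was pasted against the address the user actually intended. The two sample addresses are constructed here from made-up key material.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check-encode version byte + payload (a 20-byte hash160 for P2PKH)."""
    data = bytes([version]) + payload
    raw = data + hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # each leading zero byte is encoded as a leading '1'
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def is_valid_address(addr: str) -> bool:
    """True if addr is well-formed Base58Check with a correct 4-byte checksum."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            return False
        n = n * 58 + ALPHABET.index(ch)
    leading = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    expected = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return raw[-4:] == expected


def substitution_report(intended: str, pasted: str) -> dict:
    """Compare the address the user meant to send to with what landed in the field."""
    if intended == pasted:
        return {"swapped": False}
    limit = min(len(intended), len(pasted))
    prefix = 0
    while prefix < limit and intended[prefix] == pasted[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and intended[-1 - suffix] == pasted[-1 - suffix]:
        suffix += 1
    # a swapped address still passes the checksum; only the comparison catches it
    return {"swapped": True, "pasted_passes_checksum": is_valid_address(pasted),
            "shared_prefix": prefix, "shared_suffix": suffix}


# Constructed sample: two P2PKH addresses built from made-up hash160 values.
MERCHANT = b58check_encode(0, hashlib.sha256(b"constructed merchant key").digest()[:20])
SWAPPED = b58check_encode(0, hashlib.sha256(b"constructed attacker key").digest()[:20])
```

A wallet that only validates the checksum accepts the swapped address; a wallet that compares the pasted address with the recipient the user chose (address book entry, QR code, or an out-of-band confirmation) sees the mismatch.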

Symantec rates the risk level of this trojan as "very low" and claims that it is "easy" to remove. The security company has already created and deployed the first threat definition for its software, which will detect and remove Trojan.Coinbitclip.

However, it won't be long before such a simple trojan is modified for other operating systems and delivery methods. The threat currently infects PCs running Windows 7 or older versions of the Windows operating system, and has been delivered through a third-party tool for the popular digital trading card game Hearthstone.

The online collectible card game, developed by Blizzard Entertainment, is free-to-play with optional purchases both inside the game and elsewhere online.

Hearthstone was released in March 2014, and the following day it became the number one most downloaded app in 34 countries, including the US. By November 2015, the game claimed more than 40 million registered players.

The game also has a robust aftermarket of sorts, from which players can download third-party applications and files to help them in the game. One such underground program called the “Hearthstone hack tool v2.1 -Gold and Dust Generator” was widely advertised on Hearthstone forums as a simple program that would help players build wealth. Unsurprisingly, the program didn't work as advertised but delivered the trojan instead.

As attacks like this evolve, security companies like McAfee, Symantec, and Kaspersky each scramble to deploy countermeasures. Although Symantec's competitors Microsoft and McAfee collectively list 1,073 threats containing the word bitcoin, neither has this particular threat listed yet. Neither did the rest of the top 10 largest vendors at the time of this writing.

To date, there is no foolproof solution to prevent bitcoin-stealing malware from swapping out bitcoin addresses on computers and smartphones. However, this new threat demonstrates that there is a need for such a solution.

Currently, most wallets have address books which store previous recipient addresses. Senders can choose one by simply selecting the associated user from a list or drop-down menu. The drawback is that this only works for recurring beneficiaries.

Services such as Keybase and Onename can broaden the database of addresses. These third party services can also automatically check them against known compromised addresses.

There are also several anti-malware software suites that can help fight malware attacks, and many basic security best practices that can prevent them: a firewall that blocks all unneeded incoming and outgoing connections, disabling AutoPlay, removing unnecessary services, and never downloading files from untrusted sources. Specifically for bitcoin wallets, the official Bitcoin wallet security page provides some great resources.