Introduction
Bitcoin, a digital currency and payment system introduced in 2009, has been subject to an increasing amount of attention from thieves. Although the system itself is protected by strong cryptography, thieves have stolen millions of dollars of bitcoin[i] from victims by exploiting weaknesses in Bitcoin private key storage systems.
Since Bitcoin's introduction, an increasing number of alternative digital currencies (altcoins) have been created, based on the original Bitcoin client's source code. Even though none of these altcoins have approached the per-coin value of Bitcoin, some have achieved total market caps measuring in the millions of dollars. As a result, these altcoins have also been targeted for theft.
Mass theft of cryptocurrency is usually accomplished through the hacking of exchanges or marketplaces. These thefts are typically well-publicized, and the total number of stolen coins is known. However, another category of Bitcoin theft targets individual users' wallets or exchange accounts via malware such as general-purpose remote access trojans (RATs) or specialized cryptocurrency-stealing malware (CCSM). Due to the skyrocketing value of cryptocurrencies since the beginning of 2013 and the relative simplicity of coding malware and tools to steal cryptocurrency, the Dell SecureWorks Counter Threat Unit(TM) (CTU) research team predicts that CCSM will become one of the fastest-growing categories of malware.
CCSM classification project
To understand the scope of this new threat, CTU researchers embarked on a project to obtain and classify as many CCSM samples as possible. Researchers scanned incoming malware streams with YARA rules, searching for samples that refer to known cryptocurrency software wallet filenames and locations. These samples were classified into families based on similarity. As of this publication, there are more than 100 unique families of malware on the Internet with functionality to steal wallet files or to steal cryptocurrency using other means.
Overall trends
Figure 1 shows the increase in Windows-compatible CCSM over time. The chart tracks only Windows malware because the Windows portable executable (PE) format includes a timestamp in the file headers showing when the malware was compiled. Most malware authors do not bother to alter this timestamp before release, so it is a reasonable indicator of when a particular sample was created, although it can be forged and should be sanity-checked against other evidence. The chart plots the average monthly Bitcoin price, new family emergence, and the total number of families, and shows a correlation between malware emergence and the price (and by extension the acceptance) of the currency.
Figure 1. The correlation between Bitcoin price, new malware emergence, and total threat of cryptocurrency-stealing malware. (Source: Dell SecureWorks)
The trend shown in Figure 1 closely follows the overall price trend of Bitcoin. As Bitcoin has become more valuable, more malware authors are targeting it. The record-breaking highs in Bitcoin value from the end of 2013 into 2014 have been accompanied by record-breaking numbers of new CCSM families.
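The two steps of the classification project described above, matching wallet-file indicators the way the YARA rules do and reading the PE compile timestamp used for Figure 1, as an added example written for this page rather than the CTU team's own tooling. The indicator strings are an assumption about what such rules carry, the sample binaries are built by `build_sample_pe()` and are not real malware, and the matching is done in Python so the block runs stand-alone.

```python
"""Triage a sample: read the PE compile timestamp and look for wallet-file
indicators. Added example, not the CTU team's code."""
import struct
from datetime import datetime, timezone

# Assumed indicators: the wallet filename named in the text plus the
# per-coin %APPDATA% directories where reference clients keep wallet.dat.
WALLET_INDICATORS = (
    'wallet.dat',
    '\\Bitcoin\\',
    '\\Litecoin\\',
    '\\Dogecoin\\',
)


def pe_timestamp(data):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if the
    bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return None
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE\x00\x00':
        return None
    # The COFF file header follows the 4-byte signature; TimeDateStamp is at +4.
    ts = struct.unpack_from('<I', data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_plausible(ts, now):
    """Compile stamps can be edited, so sanity-check them: nothing before
    Bitcoin existed (2009) and nothing in the future."""
    return datetime(2009, 1, 1, tzinfo=timezone.utc) <= ts <= now


def wallet_indicators(data):
    """Match each indicator as ASCII and as UTF-16LE, as a YARA rule with
    'ascii wide' strings would."""
    hits = set()
    for ind in WALLET_INDICATORS:
        if ind.encode('ascii') in data or ind.encode('utf-16-le') in data:
            hits.add(ind)
    return hits


def triage(data, now=None):
    now = now or datetime.now(timezone.utc)
    ts = pe_timestamp(data)
    hits = wallet_indicators(data)
    return {
        'is_pe': ts is not None,
        'compiled': ts,
        'timestamp_plausible': ts is not None and timestamp_plausible(ts, now),
        'indicators': sorted(hits),
        'ccsm_candidate': bool(hits),
    }


def build_sample_pe(timestamp, payload):
    """Constructed minimal PE: DOS stub, e_lfanew, signature, COFF header,
    then whatever bytes the caller wants a scanner to find."""
    e_lfanew = 0x40
    dos = bytearray(b'MZ' + b'\x00' * (e_lfanew - 2))
    dos[0x3C:0x40] = struct.pack('<I', e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack('<HHIIIHH', 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b'PE\x00\x00' + coff + payload


if __name__ == '__main__':
    sample = build_sample_pe(
        1391212800,  # 2014-02-01 00:00:00 UTC
        b'\x00' * 64 + b'%APPDATA%\\Bitcoin\\wallet.dat\x00'
        + '\\Litecoin\\wallet.dat'.encode('utf-16-le'))
    print(triage(sample, now=datetime(2014, 2, 20, tzinfo=timezone.utc)))
```

The wide-string check matters in practice: Windows malware written in C# or Delphi often stores paths as UTF-16, and an ASCII-only rule misses it.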
Popularity of coins in CCSM
All CCSM analyzed by CTU researchers targeted Bitcoin. Figure 2 shows the distribution of altcoins targeted by CCSM between January 2009 and mid-February 2014.
Figure 2. The distribution of altcoins targeted by CCSM between January 2009 and mid-February, 2014. (Source: Dell SecureWorks)
Figure 3 shows the overall ratio of samples belonging to each malware family. A few malware families seem to be in widespread distribution, while others may have only one or two variants. The "Unclassified" group represents cryptocurrency malware that CTU researchers have not classified as of this publication. The "Miscellaneous" group includes the cryptocurrency malware families the CTU research team has discovered that would not fit into the chart.
Figure 3. The overall ratio of discovered samples belonging to each malware family. (Source: Dell SecureWorks)
CCSM categories
Wallet stealer
The most common type of CCSM is the wallet stealer, a category that includes nearly every family of CTU-analyzed CCSM. This type of malware searches for "wallet.dat" or other well-known wallet software key storage locations, either by checking known file locations or by searching all hard drives for matching filenames. Typically, the file is uploaded to a remote FTP, HTTP, or SMTP server where the thief can extract the keys and steal the coins by signing a transaction, transferring the coins to the thief's Bitcoin/altcoin address.
Most cryptocurrency security guides recommend protecting the wallet with a strong passphrase, preventing the thief from decrypting and using the private keys if the file is stolen. To counter this protection, many of the analyzed wallet-stealer malware families use a keylogger or clipboard monitor to obtain the wallet file's passphrase and send it to the thief.
Credential stealer
Many wallet-stealer families also steal credentials for various web-based wallets, such as Bitcoin exchanges. Some individuals keep a significant amount of bitcoin or other currency in exchanges to trade on price movements. Malware authors are aware of this activity, and many victims have reported that their exchange wallets were emptied without their authorization. In most cases, it is impossible to know exactly what malware was used in the theft, because a full forensic analysis of the victim's hard drive is rarely performed.
Many exchanges have implemented two-factor authentication (2FA) using one-time PINs (OTP) to combat unauthorized account logins. However, advanced malware can easily bypass OTP-based 2FA by intercepting the OTP as it is used and creating a second hidden browser window to log the thief into the account from the victim's computer. Simultaneously, the malware displays a fake "authentication failed" message and blocks the victim's access to the website while the thief empties the account. CTU researchers have not observed a verified example of this type of attack against cryptocurrency exchanges. However, this technique has been successfully used against online banking sites for several years, and it is only a matter of time before CCSM uses this approach.
Man in the middle
CTU researchers have observed at least one family of CCSM that does not exfiltrate wallet files or private keys. Instead, it acts as a "man in the middle," altering the recipient address of a transaction before it is signed. The observed sample runs in the background, monitoring the contents of the clipboard. The malware checks new data in the clipboard for a valid Bitcoin address. If the data is a valid address, the malware replaces it with the thief's Bitcoin address. Victims who do not notice the replacement send the bitcoins to the thief.
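The address check that the clipboard man-in-the-middle relies on, together with the inverse check a defender can run, as an added example written for this page (not code from the report or from any malware sample). The Base58Check rules it implements (one version byte, a 20-byte hash, a 4-byte double-SHA256 checksum) are Bitcoin's public address format; the "thief" hash is constructed from a SHA-256 digest rather than a real key, and the clipboard history is constructed.

```python
"""Base58Check address validation and a clipboard-swap check.
Added example; not code from the SecureWorks report or any malware."""
import hashlib

ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
MAINNET_VERSIONS = {0x00: 'P2PKH', 0x05: 'P2SH'}   # assumption: mainnet only


def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58decode(text):
    """Decode Base58 to bytes; each leading '1' is a leading zero byte."""
    n = 0
    for ch in text:
        digit = ALPHABET.find(ch)
        if digit < 0:
            return None            # character outside the alphabet
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big') if n else b''
    leading = len(text) - len(text.lstrip('1'))
    return b'\x00' * leading + body


def b58encode(raw):
    n = int.from_bytes(raw, 'big')
    out = ''
    while n:
        n, digit = divmod(n, 58)
        out = ALPHABET[digit] + out
    leading = len(raw) - len(raw.lstrip(b'\x00'))
    return '1' * leading + out


def decode_address(addr):
    """Return (version, hash160) if addr is a well-formed mainnet address
    with a matching checksum, else None. This is the test the malware
    applies to every new clipboard value."""
    raw = b58decode(addr)
    if raw is None or len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    if _checksum(payload) != checksum or payload[0] not in MAINNET_VERSIONS:
        return None
    return payload[0], payload[1:]


def is_valid_address(addr):
    return decode_address(addr) is not None


def encode_address(version, hash160):
    payload = bytes([version]) + hash160
    return b58encode(payload + _checksum(payload))


def find_swaps(events):
    """events: (kind, text) pairs, 'copy' for what the user copied and
    'paste' for what the clipboard held when pasted. A swap is a valid
    address replaced by a different valid address in between."""
    swaps, copied = [], None
    for kind, text in events:
        if kind == 'copy':
            copied = text
        elif kind == 'paste' and copied is not None and text != copied:
            if is_valid_address(copied) and is_valid_address(text):
                swaps.append((copied, text))
    return swaps


if __name__ == '__main__':
    genesis = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa'   # well-known coinbase address
    # Constructed stand-in for a thief's key hash (real hash160 is RIPEMD160(SHA256(pubkey))).
    thief = encode_address(0x00, hashlib.sha256(b'constructed thief key').digest()[:20])
    events = [('copy', genesis), ('paste', thief)]     # constructed clipboard history
    print(is_valid_address(genesis), find_swaps(events))
```

The checksum is what makes the substitution attack clean for the thief: the replacement passes every client-side validity check, so only a visual comparison of the first and last few characters catches it.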
RPC automation
Bitcoin and altcoin "reference client" software includes remote procedure call (RPC) functionality, which allows another program to interact with the wallet software. In many cases, a thief with access to this functionality could connect to a running client on a local TCP port and steal the balance of an unencrypted wallet using only two commands (three if the wallet is encrypted and the malware has obtained the passphrase). CTU researchers have not witnessed any CCSM malware taking advantage of this technique as of this publication. It would be difficult to detect this type of theft from a network standpoint, as the transaction would look like any authorized transaction. Another advantage to this technique is that it requires no external command and control (C2) or exfiltration server that can be shut down or blocked.
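A configuration audit for the RPC exposure described above, as an added example written for this page and not from the report. The option names it inspects (server, rpcuser, rpcpassword, rpcallowip) are Bitcoin Core's documented bitcoin.conf keys, which the altcoin reference clients inherit; both configs below are constructed, not taken from a real host, and the weak-password list is a constructed shortlist.

```python
"""Audit a bitcoin.conf for RPC exposure. Added example, not from the report."""
import ipaddress

WEAK_CONF = """\
# constructed: the kind of config a quick-start guide produces
server=1
rpcuser=bitcoinrpc
rpcpassword=password
rpcallowip=*
rpcallowip=192.168.1.*
"""

HARDENED_CONF = """\
# constructed: RPC stays on loopback with a long random secret
server=1
rpcuser=bitcoinrpc
rpcpassword=7f1c0e4ba2d9c5e8f03a6b1d4e7c9a2b
rpcallowip=127.0.0.1
"""

# Constructed shortlist; a real audit would use a proper wordlist.
WEAK_PASSWORDS = {'', 'password', 'bitcoin', 'changeme', 'secret'}


def parse_conf(text):
    """key=value lines, '#' comments; repeated keys keep every value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        conf.setdefault(key, []).append(value)
    return conf


def allows_non_loopback(spec):
    """True if an rpcallowip value admits any non-loopback peer.
    Bitcoin Core accepts single IPs, CIDR networks and '*' wildcards."""
    if '*' in spec:
        return not spec.startswith('127.')
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return True        # unparseable: assume exposure, not safety
    return not net.is_loopback


def audit_rpc(conf):
    """Return (severity, message) findings for the parsed config."""
    findings = []
    if conf.get('server', ['0'])[-1] != '1':
        findings.append(('info', 'server=1 not set; GUI clients will not listen'))
    for spec in conf.get('rpcallowip', []):
        if allows_non_loopback(spec):
            findings.append(('high', f'rpcallowip={spec} lets remote hosts reach the RPC port'))
    passwords = conf.get('rpcpassword', [])
    if not passwords:
        findings.append(('high', 'no rpcpassword configured'))
    elif passwords[-1] in WEAK_PASSWORDS or len(passwords[-1]) < 20:
        findings.append(('medium', 'rpcpassword is short or on the weak list'))
    # Nothing in the config stops a process on the same host that can read the
    # file from using RPC; an encrypted wallet at least forces a walletpassphrase
    # call, which is the third command the text refers to.
    findings.append(('note', 'encrypt the wallet; local processes can still reach the port'))
    return findings


if __name__ == '__main__':
    for name, text in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit_rpc(parse_conf(text)))
```

The unparseable-means-exposed rule in `allows_non_loopback()` is deliberate: a typo in an allow list should fail the audit rather than silently pass it.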
Detection rates
Across the CCSM samples analyzed by CTU researchers, the average unweighted detection rate across all major antivirus (AV) vendors was 48.9%. Figure 4 lists the major CCSM families classified by the CTU research team and their respective detection rates averaged across all major AV vendors.
Figure 4. Top CCSM families and their detection rate across AV vendors as of February 20, 2014. (Source: Dell SecureWorks)
Wallet protection
Client software choices
When the private keys for a cryptocurrency are stored on a computer connected to the Internet, the potential for theft exists. For Bitcoin there are alternative wallets, such as Armory and Electrum, which can protect against theft-by-malware by using a split arrangement for key storage. One computer, disconnected from any network, runs a copy of the software and holds the private key that can sign transactions. A second computer connected to the Internet holds only a master public key, from which it derives the addresses belonging to the offline wallet. This computer can generate transactions, but it cannot sign them because it does not have the private key. A user wishing to transfer coins generates an unsigned transaction on the online computer, carries the transaction to the offline computer, signs the transaction, and then carries it back to the online computer to broadcast it to the Bitcoin network.
Using a split Armory or Electrum wallet can make processing transactions much safer, although the user must still verify the transaction details to ensure malware on the online computer has not altered the transaction before it is signed. Unfortunately, no such clients currently exist for altcoins, although the need for them is recognized and bounties have been offered for their development.
Hardware wallets
Using two computers in a split arrangement where transactions are carried via "sneakernet" is relatively secure, but the logistics are complicated. A much more convenient method would be to use a dedicated hardware device to store the private keys and verify transactions without the possibility of theft. These devices are already in development, with one (the "Trezor" wallet) due to be shipped within the first quarter of 2014.
Transaction integrity verification
Hardware wallets work well for local transactions but not for safely interacting with a remote website on a potentially infected computer. Securely verifying a transaction that has transited a potentially compromised waypoint requires an offline device that can display the details of the transaction before it is processed. The bank's server signs the transaction data with its private key before the data is sent to the user. The offline device verifies the signature with the corresponding public key and can therefore detect any change made in transit. If the transaction shows no tampering, the offline device generates a one-time code that authenticates the transaction. This transaction integrity verification (TIV) should become standard for all financial entities, including institutions and sites that accept cryptocurrencies.
Conclusion
After observing CCSM, CTU researchers drew the following conclusions:
As discussed in Enterprise Best Practices for Cryptocurrency Adoption, wallet security is the most pivotal aspect to keeping funds secure. Implementing the practices outlined in that publication will mitigate most, if not all, of the current threats to cryptocurrency wallets.
Appendix
Table 1 lists the most commonly observed malicious filenames in the CTU research team's sample set.
Table 1. Common filenames in malware samples.
Endnotes
[i] Bitcoin (capitalized) refers to the protocol, software, and community, while bitcoins (lowercase) are currency units.
Read the rest here:
Cryptocurrency-Stealing Malware Landscape - Dell SecureWorks