66 comments

[ 2.7 ms ] story [ 116 ms ] thread
Well, that explains why the PHP can do everything guy had a native app.
What's this in reference to? (genuinely curious)
I think the reference is that Karpeles does everything in PHP, so the "stolen" Windows/Mac executables are clearly not his. (Though I don't know that anyone thought they were.)
Right. A man who writes an SSH server in PHP just because he can, then immediately deploys it in production, is probably not the same man who writes a native app here.
The old lead developer at MtGox who's internet handle is "MagicalTux" is a big fan of PHP :).
This explains everything :).
Exactly - I could have believed one back office app even, but cross platform? Yeah right...
I assume the people most likely to download the Mt. Gox data dump were ones who lost coins held by Mt. Gox. So this malware is likely preying on people who are already victims. Pretty cruel.
Plenty of people had accounts & personal info at Mt Gox but didn't have any money there.
"Didn't lose any money in the MtGox closure? Don't worry! We can fix that!"
Seems to me like they just did a good job identifying easy targets.
I received a phishing spam that was advertising a 'Scam victim's compensation fund'.

From a scammer point of view, it is a pretty clever way to select targets.

The indefensible part is bitcoin wallet software storing the keys unencrypted.
Supposedly it's off by default because loss of key is of a higher probability than theft. The software has supported encrypted wallets for years...
Does that lend credibility to the idea that part of the rest of the data dump is also fraudulent? Tampering with numbers or exploiting a 0-day could prove to be even worse, though I admit the latter is a bit far fetched.
Not really. It's pretty damn hard to fake 700+MB of data, and a great many people have found their own records in it. No, this simply emphasizes that despite the initial window dressing, the hackers are in it for the money: they get whatever they stole with the trojan, and however much they can sell the rest of the dump for.
There's also the guy who posted on pastebin that he was selling people's data and would exclude for people for 0.25 BTC. Of course, people who used fake names/email addresses also got a positive hit when asking to get removed.
Is there a way to create a trojan wallet.dat file that would identify thieves if stolen?
You can trace all transactions, so you would be able to identify where the thieves sent the stolen coins, but attempting to track stolen coins in general doesn't work (the value of a wallet is a quantity, so you cannot distinguish between stolen and unstolen coins once they're in the same wallet/tumbler/etc).

I did like the jokey idea someone had a little while back of putting a (very) small wallet on servers and watching the blockchain for transactions therefrom as an intrusion detection system.

I was thinking more along the lines of wallet.dat crafted in a way that when placed in the dir of Bitcoin-qt for example will exploit it's flaws to take over the machine running Bitcoin-qt.
ultra0 on Reddit [1] posted the source code, which was dumped from memory, of TibanneBackOffice.exe [2] that shows it is stealing Bitcoin-Qt wallets.

The analysis on Securelist the TechCrunch post is referring to is located at [3].

[1] http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibanneb...

[2] https://3d3.ca/ijKOh.vbs#eV7i3HIliI93y+UR

[3] http://www.securelist.com/en/blog/8196/Analysis_of_Malware_f...

Could someone give me a brief overview of the what the code is doing? I see a bunch of "on ____" blocks, which I thought might be functions but then they don't seemed to be called later on (unless I am missing something). What language is this?
Code linked in 2 and 3 looks like VB. Link 3 gives overview of how it works.
It's http://livecode.com/

Whoever dumped it is talking about it in the reddit thread, start there. Those are definitely function like things.

The code is written in LiveCode. According to the documentation, those "on" blocks appear to be message handlers. [1] They do appear to act like functions as "sW" and "sC" are called from the "doSearch" message handler block. These blocks also are what contain the malicious code.

Basically, the code is searching for bitcoin.conf and wallet.dat in the typical storage place Bitcoin-Qt stores its data. If it manages to find these files, it reads them and sends the contents of them off to two different web addresses, effectively stealing the Bitcoin wallet. The paths and filenames the code uses to find this data are Base64 encoded in the source code so a text search through the code will come up with nothing unless the strings used for searching are Base64 encoded first.

[1] http://livecode.com/developers/api/6.0.2//on/

When did MTGox start being written as Mt. Gox and pictures of mountains appearing in blog posts about it?
They wanted to keep the domain name for branding and legal purposes, but not the association with Magic The Gathering (The domain was registered for a company for trading MTG cards eight years ago, MTG Online eXchange, but it was never used for that purpose)

So, about 2 or 3 years ago, they cleverly rebranded "MTG OX" to "Mt Gox" without changing the domain name.

Then they cleverly lost $500 million.

The field of computer security is still too young to handle cash. The biggest barrier for cryptocurrency.
I agree with your basic point. However the field of defensive computer security is the same age as the field of offensive computer security.

The problem is that defensive security still is not a big enough priority for customers or vendors. When customers walk in to a computer or mobile device store and ask "is this thing safe enough to store my Bitcoins?" and go elsewhere if the answer isn't good enough, we may see vendors up their game.

The same flaws that let a government see you naked let crackers steal your cryptocoins. When I'm in an optimistic mood, I think that cryptocurrency could be the thing we need to motivate more people to care about security.

Credit cards work fairly well with pretend security. That cuts way down on the purposes where an irreversible digital currency is interesting.
> The problem is that defensive security still is not a big enough priority for customers or vendors

This is absolutely true. Most people care about price over any other variable.

Yet even areas where there are people who prioritize security consistently fail (Apple vs Jailbreakers, Open Source SSL/TLS developers vs CA validation failure). There is literally no code on this planet you can trust 100%. Even the code that sent people into space had bugs.

edit: I do like the idea of cryptocurrencies, but I don't trust software enough yet. I'm more bullish on the idea of P2P shared blockchains in the form of namecoin as a replacement for DNS etc.

> Most people care about price over any other variable.

most people (at least, in western countries) don't pour over the ingredients, or sus out the manufacturing process to see if their food products have poisons in them, or whether they are fit for eating. It's mandated by law.

I would like to see security have such measures mandated by law, so that it frees the average joe from having to worry about it. Because face it, the average person can't worry about it - it's an expert field.

Mandating something like FIPS for everything would impair startups quite badly. For the moment I'm quite happy to not have regulations on the development process or content of software.
It is a good thing all of our IRAs, 401ks, issued currencies and markets are behind it and pretty much digital as well now. The flipside is that computer security is much better than the old human security with phones and faxes of back in the day. The newer systems are at least more verifiable and higher security.

Crypto currency or not, all of our money is now digital really, it has to be to move fast enough and keep up.

None of those are cash. All of those are reversible in the case of errors. Even the NASDAQ has reversed trades.
Yes transactions between financial entities should have some reversibility but bitcoin is more like real physical cash that also can be tracked. Stolen physical cash ends up in the same non reversible predicament.

The fact that crypto currencies leave a digital trail and verification actually makes it a tad safer than cash if it was a true stable currency which it isn't yet, but one that could offer that between larger crypto currency 'banks' which is what the market does now with real money, the networks and institutions aren't there for crypto currency yet.

Eventually entities will do the exchanging for you in return for the transaction reversibility, just using another currency or crypto credit. Already happening with stored wallets, exchanges and more. Eventually they will be banks. But currently bitcoin is as safe as having actual cold hard cash in your hands.

Even cash is slightly more "marked", since bills have serial numbers, and it's more difficult to launder large amounts of cash than to send BTC through a mixer. Doesn't help much in small-time cases like having $100 stolen from your wallet. But it makes it harder to make off with a large amount of cash and then actually spend it. A common way of tracking bank thieves is to blacklist the serial numbers and wait for alerts from cash-counting machines that check the blacklist (mostly at banks and back offices of large businesses). Then investigate the areas where blacklisted serial numbers pop up. It's not foolproof, but it makes it much harder to successfully do anything with $10m in stolen cash.
Well that's the point isn't it? We've tried pretty much everything troughout the last century, and the only solutions that seem to work in practice requires being reversible in the case of errors.

Ergo, most likely working solution for the 'money of the future' would be something that's reversible. You'd try to get the other advantages of bitcoin in the proper solution, such as instant, verifiable, cheap/free and easily scriptable global transactions - but abandon those that require irreversibility.

The data didn't contain malware. There was an executable that did.
> Hey, there is an .exe file from a self-admitted group of bitcoin hackers. Better run it to see what it does!
This was the logic of many on Reddit. I was pretty shocked.

"Yeah, I just wanted to see what it did."

Luckily, some were sensible enough to run it in a virtual machine.

> Luckily, some were sensible enough to run it in a virtual machine.

or, that virtual machines should be more common - mum and dad's computers should have vm software installed, so that they can then be free from having to worry bout things they download. The mantra could be " run in the vm, and you'll be safe".

Using the same virtual machine for everything means its just as much of a hassle to wipe it as to wipe your real machine, and your regular activities are at risk from the crap you install into the vm -to be secure it would have to be machines that reset themselves, not just virtual. What about when mum and dad actually want to install a new program or save some files?
No it doesn't . backup the disk image
they may be susceptible to having fallen victim to sneaky trojans from previous file executions, but resetting a VM to a previous image state is trivial.

a new class of victim : infected VMs

an infected vm is no victim. Lets say you downloaded a pirated game which also has malware in it. You play said game in a vm specifically made _for_ that game. So the malware only runs when you are actually using the vm.

You'd have a vm for each specific piece of software that is untrustworthy, and sharing of files can occur thru sanctioned channels (such as a local, safe temp directory shared by each vm, or read only mounts).

Aren't you reinventing app sandboxes here?
That's a good question - why don't modern consumer OSes offer simple, convenient one-click app sandboxing?
Because programs operate on files which need to be accessible by other programs. This is the whole point of files with interoperable file formats.

The applications that does not do this, i.e. games, are good candidates for sandboxing, but normal applications? Not so much.

Well, you could include the standard file operations (launch program by doubleclicking that file, save that particular file; secure "save-as" selection provided by OS) as managed parts of the sandbox; and have a functional app that is unable to open&change any files that the user doesn't intentionally choose.
You don't know how to take a snapshot, then delete it?
He does, mum and dad don't, and it's still a hassle.
If only there was some sort of Remote Desktop software...
Yes, because a completely different person taking time of his life to fix your computer problems for free is not a hassle, right?
A monthly checkup for your parents computer is a very minor hassle, and it's made much easier when you can use remote desktop software.

It's worth while to you also, it would negatively affect you if your parents did something dumb or there was a virus on their computer that uploaded all of their banking information, or if they kept a desktop file with their passwords rather than using a secure password manager. If their identify got stolen or someone stole money from them, or their names got tarnished, that would harm you, correct?

(comment deleted)
Is there any reason why a sensible BTC client implementation wouldn't encrypt wallet.dat by default?
No, but that may only delay the inevitable if the malware is smart enough to silently wait until the user decrypts their wallet.
(comment deleted)
I wonder: this kind of malware doesn't require admin permissions, does it?
Did anyone actually get money stolen by this?

The headline says "Users" were "Robbed of Bitcoin", but does not give us any proof. I suspect the writer, John Biggs, could not find anyone.

Early Christians said, "If God is not in something, it will not succeed. If it is of God, cannot be stopped."

God says... vanities outwardly current Helpidius famished unworthy petulantly rested C patterns beggary prose perishable rewards directions studies' stiff disgust propound disalloweth bathed intercedeth first-born works largely did Whom Godhead tremble monument feast Continual swaying them old turning huge falls Bride Robert preacher remembrances belong tune thundered sorry notice Anger justify singing moved already calling deception Goal gates Yes vomited seal saith lamented NEGLIGENCE fellow-citizens beholder inaccessible decked encumbered especially stank palaces evidently Teacher rehearse relief corresponding folks' mastery theft Edward heresy wisely relics 2002 peacemaker asterisk argument Body NOTICE certainly learner factito filled conference spent abundant griefs transferred eagerly SAINT assailed gestures Newsletters persuasive sight frame XIII Grief Great burial cloaked calculation echoed marvelled contemn tossed months 2 allaying June tediousness Artificer omit tones round practise Forsake mislike conveys you delusions -considering voyage range Emperor stumbling One Caesar incongruously allegory credulity strained EBCDIC supporting treasure lizard removed best eight-and-twentieth goes dignities Project retiring EIN reconciled electronically bemoaned 90 att becometh anger gliding foretold horror questionings excluded formerly approaching connects allegory tenderness crosses discovers