
RSA 2014: Bitcoin Wallet Stealers Plentiful And Pesky

Bitcoin thieving malware comes in at least 100 different forms and is finding increasingly sophisticated ways to make off with people’s wallets, research released at RSA 2014 revealed today.

There has been a spike in Bitcoin-focused malware this year, with 80 of the 100 cryptocurrency malware types emerging in the last year, according to Dell SecureWorks. That’s startling growth, according to Joe Stewart, director of malware research at SecureWorks.

Epic Bitcoin malware growth

“If you look at any other family of malware, you might see one new one every couple of months,” Stewart said. “We know a lot is being stolen.”

Most of the malware is simple yet effective: it looks for wallet.dat or a similar wallet file, either in specific folders or by sweeping entire hard drives. Keyloggers, bundled into many of these malware types, can also pass along any passwords used to protect the wallets.
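The two behaviours described above (reading wallet.dat from a known location, or sweeping every drive for it) are both visible in file-access telemetry. The script below is an added example, not code from the article or from SecureWorks; it runs over a small constructed list of (process, path) file-open events and flags any non-allow-listed process that opens a wallet file, plus any single process that touches wallet files across several distinct directories. The allow-list, the extra wallet file names beyond wallet.dat, the directory threshold and the process names in the sample data are all assumptions.

```python
"""Flag suspicious access to Bitcoin wallet files in file-access events.

Added example, not from the article or Dell SecureWorks. Given a log of
(process_name, file_path) file-open events it reports:
  1. unexpected_wallet_access: a process outside the allow-list opened a wallet file
  2. wallet_file_sweep: one process opened wallet files in many distinct directories,
     the "looking across entire hard drives" pattern the article describes
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Processes expected to open wallet files (assumption; tune to your environment).
ALLOWED_WALLET_PROCESSES = {"bitcoin-qt.exe", "bitcoind.exe"}

# wallet.dat is the name the article gives; the others are assumed additions
# for other wallet clients.
WALLET_FILENAMES = {"wallet.dat", "wallet.json", "default_wallet"}

# A single process opening wallet files in this many distinct directories is
# treated as a drive-wide search rather than normal client use (assumed threshold).
SCAN_DIR_THRESHOLD = 3


def is_wallet_path(path: str) -> bool:
    """True if the file name (case-insensitive) is a known wallet file name."""
    return PureWindowsPath(path).name.lower() in WALLET_FILENAMES


def analyse_events(events):
    """events: iterable of (process_name, file_path).

    Returns a list of (finding_kind, process_name, detail) tuples.
    """
    findings = []
    dirs_by_process = defaultdict(set)  # process -> set of directories it read wallets from

    for proc, path in events:
        if not is_wallet_path(path):
            continue
        parent_dir = str(PureWindowsPath(path).parent).lower()
        dirs_by_process[proc.lower()].add(parent_dir)
        if proc.lower() not in ALLOWED_WALLET_PROCESSES:
            findings.append(("unexpected_wallet_access", proc, path))

    for proc, dirs in dirs_by_process.items():
        if len(dirs) >= SCAN_DIR_THRESHOLD:
            findings.append(("wallet_file_sweep", proc, f"{len(dirs)} directories"))

    return findings


# Constructed sample telemetry: one legitimate client read, one unrelated file,
# and a made-up process (unknown_updater.exe) reading wallet.dat on three drives.
SAMPLE_EVENTS = [
    ("bitcoin-qt.exe", r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"),
    ("explorer.exe", r"C:\Users\alice\Documents\report.docx"),
    ("unknown_updater.exe", r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"),
    ("unknown_updater.exe", r"D:\backup\wallet.dat"),
    ("unknown_updater.exe", r"E:\old\btc\wallet.dat"),
]

if __name__ == "__main__":
    for kind, proc, detail in analyse_events(SAMPLE_EVENTS):
        print(f"{kind:24} {proc:22} {detail}")
```

The allow-list check catches the simple stealers on their first read of a known wallet path; the per-process directory count is what distinguishes a drive-wide sweep from a user who keeps a backup copy, so the threshold should be set from what your own wallet clients normally touch.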

Then there is the ease of producing such malicious kit. “A beginner programmer could create something that would steal Bitcoin,” Pat Litke, security analyst advisor at SecureWorks, told TechWeekEurope.

One piece of malware spotted by the researchers was so small and limited in functionality it appeared to be legitimate. It simply looked in memory, replacing Bitcoin transaction addresses to redirect transfers.

The most prominent form of cryptocurrency-focused malware was Predator Pain, which has been offered on underground markets for some time, promising to scoop up logins to various online services outside of Bitcoin, including World of Warcraft and Microsoft Outlook.

Miners targeting various alternative cryptocurrencies have proliferated in recent months too, even if those targeting Bitcoin have declined due to the increasing difficulty of solving the tricky mathematical problems that need to be cracked to unlock more coins.

As seen in the image accompanying the original article, the tools for the mining malware are easy-to-use pieces of software.

Do cops care about Bitcoin theft?

A big concern is that law enforcement is not taking the threat seriously. “Until banks really adopt Bitcoin we don’t think law enforcement will pay much attention to it,” Stewart added.

He recommended users adopt hardware wallets, which do not connect directly to the Internet and therefore are not easily stolen like many of today’s Bitcoin wallets.

Meanwhile, the Pony botnet, which has previously been spotted hoovering up logins to massively popular websites like Facebook, has been given additional Bitcoin powers. Security firm Trustwave SpiderLabs said it had uncovered a Pony botnet controller that had stolen $220,000 in various virtual currencies, including Bitcoin, LiteCoin, FeatherCoin and 27 others.

That included 355 Bitcoins. “This instance of Pony compromised 85 wallets, a fairly low number compared to the number of compromised credentials,” a blog from SpiderLabs read.

“Despite the small number of wallets compromised, this is one of the larger caches of Bitcoin wallets stolen from end-users. It is likely that this low number simply reflects the percentage of people actually using Bitcoins and storing their wallets on their local machine, which explains why this number seems to grow as Bitcoins become more popular.”

Just like those stealers identified by SecureWorks, the Pony botnet targeted the wallet.dat file, and had also gathered 700,000 stolen credentials.

ESET researchers also said this week they had discovered Bitcoin-stealing malware that targeted Mac OS users, spreading via cracked apps, including a fake version of Angry Birds.

Such security threats will do nothing to improve the reputation of Bitcoin, which took a hit this week with the closure of the biggest exchange, Mt Gox.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
