Report: Nearly 150 Types of Bitcoin Malware Currently Active
This week’s bombshell that a hack might have cost Bitcoin exchange Mt. Gox all of its money might just be the tip of the iceberg for cryptocurrency-related cybercrime. A new report from Dell Secureworks has revealed that cybercriminals have developed 146 different types of bitcoin malware.
Mass theft of cryptocurrencies is usually due to well-publicised breaches at exchanges and marketplaces. However, another category of Bitcoin theft targets individual users’ wallets or exchange accounts, such as general purpose remote access Trojans (RATs) or specialised cryptocurrency-stealing malware (CCSM).
These malware strains have increased dramatically over the past two years. There are currently 146 known versions, up from 45 a year ago, and 13 in 2012. Bitcoin really caught cybercriminals’ attention after its value topped US$1,000 late last year.
The most common type of CCSM targets digital wallets. The malware searches computers for wallet software key storage files. Once it locates a wallet, the malware uploads it to a remote FTP, HTTP or SMTP server where a criminal can break in and transfer Bitcoins to his or her own wallet.
Cryptocurrency security guides recommend protecting wallets with strong passphrases, preventing criminals from decrypting and using the private keys if the wallet is stolen. However, many wallet-stealer families use a keylogger or clipboard monitor to obtain passphrases.
Many wallet-stealer CCSMs also steal credentials for web-based wallets. Cybercriminals are aware that many individuals keep a fair share of Bitcoin in exchanges to trade on price movements and this malware exploits that. Dell noted that in most cases, it is impossible to know what type of malware was used because a full forensic analysis of the victim’s hard drive is rarely done.
Many exchanges have implemented two-factor authentication, using one-time PINs (OTPs) to combat unauthorised logins. However, more advanced version of malware can “easily” bypass this by intercepting the OTP as it is used and creating a second hidden browser window to log the criminal into the account from the victim’s computer. At the same time, the victim received a fake “authentication failed” message and is blocked from accessing the website while their account is looted.
Dell noted that it has not observed an attack on a cryptocurrency exchange that can bypass 2FA – yet. Since it is a technique that has had success against online banking sites for several years, “it is only a matter of time before CCSM uses this approach.”
Man in the Middle
At least one family of CCSM acts as a “man in the middle,” altering the recipient address of a transaction before it is signed. This malware monitors the contents of the clipboard, checking for a valid Bitcoin address. If it finds one, it replaces it with the malware operator’s Bitcoin address. Victims then unknowingly send Bitcoins to the criminal.
Cryptocurrency software includes remote procedure call (RPC) functionality, which allows another programme to interact with the wallet software. Cybercriminals with access to this functionality could potentially connect to a client on a local Transmission Control Protocol (TCP) port and steal the balance of an unencrypted wallet using only two commands (three if the wallet is encrypted and the passphrase has been intercepted).
To date, Dell has not observed any CCSM malware exploiting this technique. However, it would be difficult to detect this type of theft, as it would look like any authorised transaction. Additionally, this technique requires no external command and control (C2) or exfiltration server that can be shut down or blocked.
Detection and Protection
Dell found that detection of CCSMs is less than 50% successful, on average. Given that 2FA and antivirus software are largely ineffective against this malware, Dell advises using an alternative wallet like Armory or Electrum.
Alternative wallets can protect against malware theft by using a split arrangement for key storage. This involves using one computer, disconnected from any network, running a copy of the software and holding the private key that can sign transactions. A second computer connected to the internet holds only a master public key of which addresses belong to the online wallet. The online computer can generate transactions, but it cannot sign them because it does not have the private key. To transfer Bitcoins, a user generates an unsigned transaction on the online computer, carries the transaction to the offline computer and signs the transaction, and then carries it back to the online computer to broadcast the transaction to the Bitcoin network.
The two-computer method is relatively secure, but the logistics can be complicated. Dell noted that it would be more convenient to use a dedicated hardware device to store the private keys and verify transactions without the possibility of theft. These devices are currently under development and due for delivery in the first quarter of this year.