Malware targeting Bitcoins suspected in recent theft
by Steve Ragan - Jun 17 2011, 06:00
On Monday, a Bitcoin user reported that his account had been hijacked, resulting in the loss of several hundred thousand dollars. The speculation that Malware was to blame was seemingly confirmed on Thursday, as Symantec reported the discovery of malicious code that targets Bitcoins.
Bitcoins are a virtual currency that is traded via a peer-to-peer network. Users earn currency either by purchasing it for its current market value ($18.00-29.00 USD per coin, a price that changes daily), or by using their computers to perform calculations. The necessary account details are stored in a file called wallet.dat, which holds all the encrypted data needed to unlock an account and trade the currency.
Bitcoins are gaining traction, with groups such as LulzSec accepting them as a sort of virtual tip for their actions. In addition, several online shops accept them as payment. However, the media focus lately has centered on their use to purchase drugs online, something that lawmakers have taken note of.
“I am totally devastated today. I just woke up to see a very large chunk of my bitcoin balance gone,” wrote Bitcoin user “allinvain” on Monday, reporting his loss.
In subsequent posts, other community users estimated that the value of the stolen 25,000 BTC (Bitcoins) was somewhere near $500,000 USD.
Speaking via email to The Register, Nils Schneider, one of the Bitcoin project backers, said that the actual value would be somewhere in the ballpark of $300,000 USD. Either way, the theft is likely the first reported incident related to a new family of Malware discovered by Symantec on Thursday.
Called Infostealer.Coinbit by Symantec, the Malware will search a victim’s computer for the wallet.dat file. Once located, depending on the settings, the Malware will email it to the attacker or upload it to an FTP server.
While wallet.dat files can be encrypted, if left in cleartext on a system, they can be used to drain a Bitcoin account dry. When word of the Symantec discovery reached him, “allinvain” remarked that Coinbit was the most likely way his money was stolen.
The Bitcoin community, while discussing the theft, has come to a consensus that a dedicated system (preferably a VM-based installation) should be used for Bitcoin processing and wallet storage. Adding to that, Symantec encourages users to encrypt wallet.dat with a strong password, preventing brute force attacks in the event that it is stolen from a system.
