Bitcoin Forum

Economy => Service Discussion => Topic started by: bitbully on April 11, 2013, 10:44:19 AM



Title: How I got robbed of 34 btc on Mt.Gox today
Post by: bitbully on April 11, 2013, 10:44:19 AM
So at 10:06pm ET on April 10th 2013 I was on btc-e reading the chat box. Then and there someone posted a link to www mtgox-chat info (do not open unless you know what you are doing) claiming a video announcement that mtgox was going to start trading litecoins.

I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. I then forgot about this website.

http://imageshack.us/a/img24/381/mtgoxchat.jpg

Some while later at approx 11pm, I received an email. This was an email from mtgox that a withdrawal had taken place. I thought this was a joke.

------------------------------------------------------------
Dear bitbull,
 
There has been a withdrawal from your Mt.Gox account:
 
Transaction reference: 97235bfd-9909-4020-9f06-e9d318c1ef7f
 
Date: 2013-04-11 02:06:22 GMT
 
IP: 198.203.29.120

You can access your account history for more details.

Please contact us as soon as possible by replying to this email if you did not request this withdrawal.

Thanks,

The Mt.Gox Team
------------------------------------------------------------

I immediately responded back to them, but what I discovered is that the withdrawal had been instantly processed and already confirmed in the blockchain:

https://blockchain.info/tx/bb30f2f110ba5b7bb60812bc3d7744f5086f6b4a38439566f1888a8d26e1fbec

http://imageshack.us/a/img805/9832/mtgoxwithdraw.png

which left less than a third of a bitcoin in my account. I then realized that this withdrawal happened at the EXACT time I accessed the mtgox-chat website based on my browser history. I then realized that I only received my notification email from them much after the fact, apparently because their servers are overloaded and not functioning correctly.

Being a techie, I started researching. I found out that this site is hosted here in the USA. I also found out that the withdrawal was submitted from an IP in Los Angeles even though I have been accessing mtgox from Pennsylvania / New York. I then discovered that the site is a Teleport Pro rip of bitcoincharts.com branded with a mtgox logo, and was registered on Namecheap (with bitcoins as it may be) not even 5 days ago! This is the IP resolution of the domain name.

http://imageshack.us/a/img835/1841/serverip.jpg

I then discovered that the site is loaded with a Java script which, based on an initial analysis by my Java programmer friend, is a 0-day Java exploit with a cross site injection attack, which automatically started. It also contains an additional keylogger payload, all customized specifically for mtgox. They even "offer" an easy to use file download link for those whose browsers are not running Java. This script INSTANTANEOUSLY initiated a mtgox withdrawal of nearly all my btc (34btc) in the background (I was logged into mtgox on that browser; it seemed to be using some form of proxy to access my browser cookie cache) and then changed the account password so I couldn't login anymore. This was proven to be 100% automatic as the withdrawal occurred the same exact minute I accessed that website for the first time.

It then continued to gather all my computer passwords and logged everything I was doing including my blockchain account (as I eventually located the log files) and then sent it to the hackers / script kiddies. Luckily I have dual password protection on my blockchain wallet, otherwise all my other bitcoins would be gone too. I wouldn't call them just script kiddies because this script was very specific and well written for the mtgox website. I had two antiviruses running and neither caught it. Only later did Malwarebytes pick it up as a well encoded trojan payload executable.

http://imageshack.us/a/img841/2209/malwaren.jpg

Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police". They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this. Second because their security policy should account for such instances, and I did not even have an opportunity to warn them I did not make the withdrawal. Yet most importantly, BECAUSE THEY SHOULD HAVE KNOWN ABOUT THIS OVER 3 DAYS AGO!!!

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

Yeah, I'm stupid, I should have enabled a Yubikey or other 2nd auth method when bitcoins started exploding in value ... but still, this attack is rather basic and should not be possible on a site at the level of Mt. Gox. I can only imagine how people with larger amounts would feel if clicking on a link emptied their account $10k+...

This is a serious loss for me, and unless this is handled correctly this can also badly affect the community. I know they are super busy as they are backlogged with over 10,000 account verifications - I can only hope this gets handled appropriately. Does anyone have any advice how to go about contacting mtgox, they are so busy they don't even realize someone has a specialized phishing operation running to rob their customers!

Any advice is very much appreciated.


UPDATE 4/21/13

I got my coins back :)

https://bitcointalk.org/index.php?topic=173227.msg1907593#msg1907593

But others are still suffering.

http://www.reddit.com/r/Bitcoin/comments/1cokps/java_exploit_stole_all_my_btc/

I'll be the first to buy a hardware wallet...


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: ripper234 on April 11, 2013, 10:45:29 AM
FYI, I know bitbully and respect his analysis.

I expect Mt. Gox to come up with an analysis and refund him and any other affected clients.
bitbully - I advise emailing a link to this thread to Mt. Gox support.


The above is true if the attack resulted from a case of XSS or other similar attack vector, that would imply negligence on Mt. Gox's part. If the attack is simple keylogger/trojan based that replays user credentials, I take it back.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Zaih on April 11, 2013, 10:48:48 AM
Wow, well that seriously sucks. I guess there's still hope that Mt. Gox will help you out. I wouldn't count on it though :@


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: doobadoo on April 11, 2013, 10:54:47 AM
Internet explorer?

Use Firefox with NoScript, would have probably prevented XSS. As for the 0day JavaScript exploit, NoScript will save your bacon there too, only allow scripts you can identify and trust.

That keylogger it ran, was it actually installed to the system or was it just running in the browser? Boy, that's Win 8 for ya.

Change your email and banking passwords after you've done a clean install.

Consider Linux or OS X.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Andrew Vorobyov on April 11, 2013, 11:02:54 AM
"MtGox security" Season 02 Episode 01


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: ripper234 on April 11, 2013, 11:07:32 AM
Posted this to a separate thread on reddit.

http://www.reddit.com/r/Bitcoin/comments/1c4m6q/watch_out_0day_exploit_stealing_mt_gox_funds/


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: bitbully on April 11, 2013, 11:07:58 AM
Thx doobadoo for the advice.

Moved to a clean system until I wipe infected one, all passwords reset, was using chrome and win7 and you don't have to tell me I know the risks of using Microsoft. I'm on top of my security, always have been but this trojan was well crafted, I mean when the incentive is there you'll have the entire online underground mafia programming these things. These guys must be making a killing. I think the payload was both a browser java instance and custom keylogger executable. But I'm not an expert all I know is the second I clicked on that site my bitcoins were withdrawn near instantaneously, and I had mtgox.com open and logged in on another tab.

Crossing my fingers mtgox will help.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Severian on April 11, 2013, 11:11:20 AM
Sorry to hear.

Friends don't let friends use Windows + Bitcoin.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: octopus on April 11, 2013, 11:13:51 AM
Are you sure you didn't run a Java applet? Because that's pretty much the same as running an executable file, and in that case, your negligence can't be blamed on MtGox.

I have a strong feeling it was a Java applet, because XSS can't install trojans on to your computer without an additional attack vector.

Sorry, but this seems to be mostly due to your own negligence. I know it's hard to hear. Sorry dude :(


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: ingrownpocket on April 11, 2013, 11:24:56 AM
It's impossible that all this happened just for entering that website.

1) You installed something from that site.
2) Or; You gave it extra permissions to run something on your browser.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Rampion on April 11, 2013, 11:31:31 AM
It's impossible that all this happened just for entering that website.

1) You installed something from that site.
2) Or; You gave it extra permissions to run something on your browser.

This.

Or A LOT of people are in deep shit.

Anyhow: 2 Factor Authentication is a must.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: 🏰 TradeFortress 🏰 on April 11, 2013, 11:32:46 AM
It's impossible that all this happened just for entering that website.

1) You installed something from that site.
2) Or; You gave it extra permissions to run something on your browser.
Look at the site.

JAVA.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: ingrownpocket on April 11, 2013, 11:41:01 AM
It's impossible that all this happened just for entering that website.

1) You installed something from that site.
2) Or; You gave it extra permissions to run something on your browser.
Look at the site.

JAVA.
Chrome asks permission to run Java.
#2


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: doobadoo on April 11, 2013, 11:54:41 AM
Are you sure you didn't run a Java applet? Because that's pretty much the same as running an executable file, and in that case, your negligence can't be blamed on MtGox.

I have a strong feeling it was a Java applet, because XSS can't install trojans on to your computer without an additional attack vector.

Sorry, but this seems to be mostly due to your own negligence. I know it's hard to hear. Sorry dude :(

Are we sure the trojans have anything to do with the attack? He may just be coincidentally ALSO infected by some trojans from some bad software he d/led and installed. He says the coins were tx instantly when he clicked the poisoned link.  That smells like xss.  he was logged in to gox, executed some bad javascript and that script injected it into the gox script running in the next tab and transferred whatever coin he had in gox to a withdrawal address.  No need to upload account credentials, just grab whats there. 
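The web-only path doobadoo sketches, as an added example that is not code from Mt.Gox or from anyone in this thread. A script on the lure page cannot read or inject into the Gox tab (the browser's same-origin policy keeps the two origins apart), but a withdrawal endpoint that authorizes by the session cookie alone can still be driven by any page the logged-in victim visits: the browser attaches the cookie to a cross-site form post and the server cannot tell the forged request from a real one. The two hypothetical handlers below model that endpoint as a plain function over a request dict; the hardened one adds an Origin check and a per-session synchronizer token. The names (Session, handle_withdraw_*), the origins and every request are constructed for the example.

```python
"""Session riding (CSRF) against a withdrawal endpoint, and the server-side fix.

Added example; the exchange, its endpoint and the requests are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://exchange.example"  # hypothetical exchange origin


@dataclass
class Session:
    user: str
    balance_btc: float
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    withdrawals: list = field(default_factory=list)


def handle_withdraw_vulnerable(req, sessions):
    """Authorizes by session cookie alone.

    Any page the victim has open while logged in can submit this request;
    the cookie rides along automatically, so the forged request is
    indistinguishable from one the user made.
    """
    sess = sessions.get(req["cookies"].get("sid"))
    if sess is None:
        return 401, "not logged in"
    amount = float(req["form"]["amount"])
    if amount > sess.balance_btc:
        return 400, "insufficient funds"
    sess.balance_btc -= amount
    sess.withdrawals.append((req["form"]["address"], amount))
    return 200, "withdrawal queued"


def handle_withdraw_hardened(req, sessions):
    """Same handler with two checks a foreign page cannot satisfy.

    1. Origin (or Referer) must be the site itself; browsers set Origin on
       cross-site POSTs and a page cannot forge it.
    2. The form must carry the per-session synchronizer token, which a
       foreign origin cannot read because of the same-origin policy.
    """
    sess = sessions.get(req["cookies"].get("sid"))
    if sess is None:
        return 401, "not logged in"
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403, "cross-site request rejected"
    token = req["form"].get("csrf", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or wrong CSRF token"
    amount = float(req["form"]["amount"])
    if amount > sess.balance_btc:
        return 400, "insufficient funds"
    sess.balance_btc -= amount
    sess.withdrawals.append((req["form"]["address"], amount))
    return 200, "withdrawal queued"


def simulate():
    """Victim is logged in; a page on attacker.example posts the withdrawal."""
    sessions = {"abc123": Session(user="victim", balance_btc=34.3)}
    # Constructed request as the browser would send it from the attacker's
    # page: the session cookie is attached for it, Origin is the attacker's.
    forged = {
        "cookies": {"sid": "abc123"},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"address": "1AttackerAddr", "amount": "34.0"},
    }
    vuln_status, _ = handle_withdraw_vulnerable(forged, sessions)

    sessions = {"abc123": Session(user="victim", balance_btc=34.3)}
    hard_status, _ = handle_withdraw_hardened(forged, sessions)

    # A genuine same-origin request carrying the token still goes through.
    legit = {
        "cookies": {"sid": "abc123"},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"address": "1OwnAddr", "amount": "1.0",
                 "csrf": sessions["abc123"].csrf_token},
    }
    legit_status, _ = handle_withdraw_hardened(legit, sessions)
    return vuln_status, hard_status, legit_status


if __name__ == "__main__":
    print(simulate())  # (200, 403, 200)
```

In a real deployment the session cookie would also carry SameSite so the browser never attaches it to a cross-site POST in the first place. None of this helps once arbitrary code runs on the victim's machine: at that point the attacker can drive the real Gox tab directly, which is the scenario most of the thread argues for.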


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: JoelKatz on April 11, 2013, 12:02:43 PM
There's really no evidence here that this is Mt Gox's fault. Most likely, it's an exploit that takes over control of the browser. If you had a Mt. Gox window open, it can read any information or click any links that you can. The vulnerability is most likely in your JVM or in your browser. (Unless it's an XSS thing, in which case it could be at least partially Mt. Gox's fault, but honestly I think that's less likely.)

Of course, that's not to place any blame on you. Yes, you could have run the browser in a VM you only use for Gox and close it any time you're going to do anything else and sweep your computer for malware before you open the VM and keep the VM encrypted and ....

But then basic stuff would be pretty incredibly hard, wouldn't it?

Quote
I had two antiviruses running and neither caught it.
It's the job of these antiviruses to protect you from malicious stuff like this, and they failed you. Of course, providers of antivirus software take no responsibility for the reliability of their software.



Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Rampion on April 11, 2013, 12:14:40 PM
It looks like the thieves have stolen 72.38 BTC in just one day. Not bad, who says that crime does not pay?


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: FiloSottile on April 11, 2013, 12:16:24 PM
I'm really sorry for what happened to you, but here it's not Mt. Gox fault.

There's no threat model that can take complete client compromise into account, except maybe dual-factor auth on any withdrawal, but even that would only protect you until you make an authenticated operation, then the attacker can fake the pages so that you think you are sending a BTC to someone and instead you are sending all to them.

To get an idea of how unsafe running untrusted Java is, hang around here http://java-0day.com/
Always use click-to-play, and well, don't click.

My only suggestion here can be: use exchanges as exchanges, and keep a nice offline wallet for savings. Seriously, it's easy, you don't have to trust the site and it doesn't get hacked. You can have one for 35$ (https://gist.github.com/FiloSottile/3646033)


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: bitbully on April 11, 2013, 12:27:12 PM
Thanks for the input guys. I know that my software choices in life may have made me more vulnerable to such attacks. But all the technical details aside, it's CLEAR that this site is built and targeted methodically at mtgox users, and that these perps are doing their best to attack mtgox users however they can. Whether that means through phishing scams, xss, keyloggers, java exploits, human social engineering, etc... mtgox should take a proactive role in curbing these attempts.

The reason I chose mtgox is because they are the biggest and most well known. My assumption is that I would be insured against such common hacking tactics. They are holding massive amounts of wealth and just like banks, forex companies, and paypal, mtgox should bear a certain degree of responsibility for hacked accounts. I don't think we can expect the masses to adopt bitcoins if they need to have a degree in IT security just to protect their funds, none the less in a hosted soft wallet environment.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Dervie on April 11, 2013, 12:46:33 PM
Lol, I guess my attempt to get the virus detected by more than 16/42 antiviruses didn't help huh? As soon as I saw the website posted in the chatbox, I immediately warned people NOT to go on it and the user was banned for 3 days. Oh well, now you know.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: drawingthesun on April 11, 2013, 12:49:06 PM
Please don't blame MtGox, this is what you accepted, you allowed a Java executable to run and gave it permission to run outside the sandbox.

https://news.ycombinator.com/item?id=5531507


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: nwbitcoin on April 11, 2013, 12:49:43 PM
But all the technical details aside, it's CLEAR that this site is built and targeted methodically at mtgox users

The reason I chose mtgox is because they are the biggest and most well known.

The second sentence could have been a quote from the scammers.

Really sorry for your loss, but just like Windows gets hacked because everyone and his dog uses it, MTGox suffers exactly the same way - for the same reason.

If your story helps someone else, at least it will not have been a complete disaster.



Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Dervie on April 11, 2013, 12:50:44 PM
"In order to see Chatbox or to communicate with us. Please Update java at the top of the page.

- If the Download did not worked, Click Here"

View Source > <h3><a href="http://g2f.nl/0lczsoo"> - If the Download did not worked, Click Here <a/></h3>

I never knew Adobe changed their domain to g2f.nl. Anyway, I'm sorry for your loss.
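The kind of static look Dervie took at the page source, turned into a small triage script. This is an added example, not something posted in the thread: it parses a saved copy of a suspected lure page without rendering or executing anything and reports what is worth checking first, namely plugin embeds (applet/object/embed), references that leave the page's own host, URL shorteners that hide the real download, and a page host that borrows a brand name it does not own. The sample page is constructed; only the g2f.nl link is the one Dervie quoted from the real site's source, and the hosts (mtgox-chat.example, cdn.evil-example.net) and the shortener list are assumptions for the example.

```python
"""Static triage of a saved drive-by / lure page (added example, constructed input).

Nothing here fetches or runs page content; feed it HTML saved with curl/wget.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a saved copy of the lure page. The g2f.nl line is
# the one quoted from the real page's source in the thread; the rest is made up.
SAMPLE_HTML = """
<html><head><title>Mt.Gox Chat</title>
<script src="http://www.mtgox-chat.example/js/chart.js"></script>
</head><body>
<applet code="Chat.class" archive="http://cdn.evil-example.net/chat.jar" width="1" height="1"></applet>
<p>In order to see Chatbox or to communicate with us. Please Update java at the top of the page.</p>
<h3><a href="http://g2f.nl/0lczsoo"> - If the Download did not worked, Click Here <a/></h3>
<a href="http://www.mtgox-chat.example/faq.html">FAQ</a>
</body></html>
"""

PLUGIN_TAGS = {"applet", "object", "embed"}
SHORTENERS = {"g2f.nl", "bit.ly", "goo.gl", "tinyurl.com", "t.co"}  # partial, assumed
URL_ATTRS = {"href", "src", "archive", "data", "codebase"}
# Brand names to watch for and the hosts legitimately allowed to carry them.
BRANDS = {"mtgox": {"mtgox.com"}}


class TriageParser(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (kind, tag, reference)

    def _offsite(self, host: str) -> bool:
        return host != self.page_host and not host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in PLUGIN_TAGS:
            ref = attrs.get("archive") or attrs.get("data") or attrs.get("code")
            self.findings.append(("plugin", tag, ref))
        for name, value in attrs.items():
            if name not in URL_ATTRS or not value:
                continue
            host = (urlparse(value).hostname or "").lower()
            if not host:
                continue  # relative URL: stays on the page host
            if host in SHORTENERS:
                self.findings.append(("shortener", tag, value))
            elif self._offsite(host):
                self.findings.append(("offsite", tag, value))


def lookalike_brand(host: str):
    """Return the brand a host borrows without being one of its real hosts."""
    host = host.lower()
    for brand, legit in BRANDS.items():
        if brand in host and not any(host == h or host.endswith("." + h) for h in legit):
            return brand
    return None


def triage(html: str, page_host: str):
    findings = []
    if lookalike_brand(page_host):
        findings.append(("lookalike", "host", page_host))
    parser = TriageParser(page_host)
    parser.feed(html)
    return findings + parser.findings


if __name__ == "__main__":
    for kind, tag, ref in triage(SAMPLE_HTML, "www.mtgox-chat.example"):
        print(f"{kind:9} <{tag}> {ref}")
```

The output is a starting list, not a verdict: the next steps are resolving the shortener without a browser (a HEAD request from a throwaway box) and submitting the fetched JAR or executable to a sandbox or VirusTotal, as zeroday did further down.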


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: running on April 11, 2013, 01:22:31 PM
Disable Java in the browser.

There is no reason to run Java in browser nowadays. (Not JavaScript. Java.)


Title: java and..
Post by: mobile4ever on April 11, 2013, 01:23:38 PM
I then realized that I only received my notification email from them much after the fact apparently because their servers are overloaded and not functioning correctly.


I sound like a broken record, but this is coming up again, in yet another thread. Bitcoin, and all of us, deserve decentralized markets.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: VeeMiner on April 11, 2013, 01:30:33 PM
Please don't blame MtGox, this is what you accepted, you allowed a Java executable to run and gave it permission to run outside the sandbox.

https://news.ycombinator.com/item?id=5531507

I concur, this is very unfortunate and it sucks, but I can understand if MtGox refuses to pay your damages...


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: bitbully on April 11, 2013, 01:31:14 PM
I understand some people are getting prompts to run the Java applet, this was not the case with me. I was browsing the web and am aware not to run random applets, scripts, etc., and I did not lower any security restrictions at any point in time. I am very security conscious, so if I can become a victim, so can many others who are none the wiser.

Finally it does seem the site was added to the google phishing directory which is good.

Thank you all for helping me to figure this out. I really don't want anyone to experience what I went through today.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: chip1 on April 11, 2013, 01:36:45 PM
Did mtgox refund you? What are they saying.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: SteamGamesBTC.com on April 11, 2013, 01:37:35 PM
That's why I always have Java disabled in web browsers.

Don't know if it's true, but someone claims that MtGox is hacked:
http://pastebin.com/ZSqRN3RK


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: crazy_rabbit on April 11, 2013, 01:38:49 PM
My heart goes out to you there. Everyone's nightmare. Get a Yubikey. Seriously. Nothing can be without 2FA.

Oh shit! My bitstamp doesn't have it enabled! RUN! RUN! RUN!....


....whew, that was close.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: phr0stbyt3 on April 11, 2013, 01:41:27 PM
TLDR
+1 for 2FA. On a related note, it seems like several accounts were compromised over @ BTC-e within the last few days.
Sorry to hear about your coins OP.  :(


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: juice on April 11, 2013, 02:14:09 PM
https://defuse.ca/bitcoin-pool-ddos.htm


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: rme on April 11, 2013, 02:23:48 PM
That's why I always have Java disabled in web browsers.

Don't know if it's true, but someone claims that MtGox is hacked:
http://pastebin.com/ZSqRN3RK

FAKE

All the logins come from http://pastebin.com/Kd093NQi and are not MtGox users.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Fuyuki_Wataru on April 11, 2013, 02:37:13 PM
Javascript drive-by, costs nearly nothing. With 300 USD you can easily buy pre-made keyloggers, java driveby, and other useful blackhat items/scripts to get someone's account information. It really doesn't take a brain anymore to 'hack'.

I use google chrome no-cookies browser, and got about 15 different passwords. It's really annoying because I never know which one is for what website... Though I must admit the ones I use for forums and such are easy. Did you know that there's basically a list of 5 billion or more passwords? Start thinking out of the box, and make random passwords like Xfha25ADmw-_215s. Still though... OP post shows that even if you have a good password you can be stolen from. Think wisely.


Also, here is a tip for those who read this; once you have added your credit card or any other form of payment on a website, immediately delete it once finished. Else it might stay registered there, and once someone finds out that it's there... you're fucked.



Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: muyuu on April 11, 2013, 02:39:18 PM
Can't see how MtGox can be liable if you have malware executing orders in your computer.

It's impossible that all this happened just for entering that website.

1) You installed something from that site.
2) Or; You gave it extra permissions to run something on your browser.
Look at the site.

JAVA.
Chrome asks permission to run Java.
#2

Most likely he just clicked "ok" as most people blindly do.

Still a pity though.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: antibanker on April 11, 2013, 02:49:11 PM
http://sitecheck.sucuri.net/results/www.mtgox-chat.info


they say it's clean  :o


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Herodes on April 11, 2013, 02:54:36 PM
Firstly, let me say that I am truly sorry for your loss - nobody deserves to lose that amount of money. This is my genuine opinion, then unfortunately I have to wave my finger at you and point out the following:

* When having an account at MtGox, you should use two-factor authentication (yubikey). I've heard you can use Google and your cell phone too, but I haven't tried that.
* When operating MtGox, do so with its own browser and have the rest of the sites you have open in another browser, with no other tabs open. This will ensure that any cross site exploit can't take place.
* Unless it's a link you recognize (youtube.com, reddit.com etc), then don't click any link in that trollbox. Even better would be never to click anything from that trollbox. It's dangerous - as you now with great pain have experienced.

Btc-e.com is facilitating this to happen. Actually, no links in the trollbox should be clickable. People will click on links, and they will become exploited. There are skilled hackers aka predators, just waiting like crocodiles in the water for the cattle to come and drink in their water hole (clicking links). Even if links clicked are not exploitable, if the hacker controls the server where you click the link, he can collect information about your btc-e.com user account (username, your ip) and then target an attack directly at your ip to see if there's any vulnerabilities on your network.

If in doubt - always be careful - and as this incident shows - it's very easy to be exploited. This is just an alternative to the msn, skype and facebook viruses. When there's something to steal or exploit, there will always be cyber criminals lined up to take advantage of this.

The trollbox can also be disabled when using the site. Also, most of the info in the trollbox is of extremely low quality, and when someone uses a bait as 'click here to see MtGox accepting litecoins', the smart malicious hackers know this will trigger the curiosity of people, who will then click that link, and subsequently become infected. If you see any such news, then rather than clicking that link, go to reddit/r/bitcoin or bitcointalk.org and see if there's any mention of it there. If it isn't, then it's probably just a hoax. Also, be very careful when clicking on links to unknown bitcoin sites in general.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Dabs on April 11, 2013, 03:14:22 PM
I use Windows XP and Firefox. I don't get virus'd often, or very rarely, and usually is because I intentionally run something I'm not supposed to. Although two factor authentication is nice, I find that I personally don't need it, since I never access any important sites insecurely, and all have good long unguessable passwords.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Rampion on April 11, 2013, 03:24:15 PM
I use Windows XP and Firefox. I don't get virus'd often, or very rarely, and usually is because I intentionally run something I'm not supposed to. Although two factor authentication is nice, I find that I personally don't need it, since I never access any important sites insecurely, and all have good long unguessable passwords.

FAIL


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Anvi on April 11, 2013, 03:33:00 PM
This is why everyone should always browse the web with Firefox and NoScript addon... You have to manually whitelist sites/domains that you trust.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Dabs on April 11, 2013, 03:51:03 PM
What part is the fail? or everything I guess? To others and to you maybe.

I also use Deep Freeze. Turns my whole computer into its own sandboxed VM, so any malware disappears on reboot.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Rampion on April 11, 2013, 03:53:54 PM
What part is the fail? or everything I guess? To others and to you maybe.

I also use Deep Freeze. Turns my whole computer into its own sandboxed VM, so any malware disappears on reboot.

Not having 2 Factor Auth when dealing with MONEY is FAIL.

You have very long random passwords? There's many other ways to compromise a system, both server or client side. Only truly secure way is 2FA

You use Deep Freeze? Not secure at all. Did you read the OP? Deep Freeze will do nothing to protect you from certain attack vectors.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: PuertoLibre on April 11, 2013, 04:06:26 PM
Thx doobadoo for the advice.

Moved to a clean system until I wipe infected one, all passwords reset, was using chrome and win7 and you don't have to tell me I know the risks of using Microsoft. I'm on top of my security, always have been but this trojan was well crafted, I mean when the incentive is there you'll have the entire online underground mafia programming these things. These guys must be making a killing. I think the payload was both a browser java instance and custom keylogger executable. But I'm not an expert all I know is the second I clicked on that site my bitcoins were withdrawn near instantaneously, and I had mtgox.com open and logged in on another tab.

Crossing my fingers mtgox will help.
What is Yubikey? How does one go about enabling 2 step authentication?


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: zeroday on April 11, 2013, 04:09:35 PM
To anyone - be careful, it's still not detected by most antiviruses.
https://www.virustotal.com/en/url/bd2178330605ace1a5d050b0a45aecfcd4ef0a751d0b8ae40cc35e796c58f42b/analysis/1365696137/

Sun Java still has unfixed vulnerabilities. Use FlashBlock and NoScript add-ons for Firefox. Don't use IE.



Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: mrb on April 11, 2013, 05:43:15 PM
their site is not secured against such rudimentary attacks

Very sorry about your loss. However: there is nothing else that MtGox could have done to secure against such rudimentary attacks.

You got owned by a Java exploit which can apparently execute arbitrary code on your computer. So it can log in as you on mtgox.com and do everything that you can do yourself. Even if you had no active session on MtGox, and were using the Yubikey to authenticate, the malware would still have been able to steal your coins: it could have stayed in the background, waiting for a browser session to mtgox.com to be active before hijacking it to perform the transfer. Maybe it could even have installed a persistent malware on your PC that would start running at boot time and wait for you to log in, one day, with a Yubikey, before stealing the coins.

Note: by default MtGox utilizes the Yubikey for logins only, not for transfer operations, but it is possible to configure your account to require it for transfers. You should have enabled this feature.
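The distinction mrb draws between a second factor on login and one on transfers, worked through as an added example; this is not Mt.Gox's or Yubico's protocol, and the scheme below is an illustrative HMAC construction with a constructed shared secret. A login-style one-time code proves only that the user holds the token, so malware with a live session can wait for the user to type it and submit its own destination and amount alongside it. A code computed over the destination and amount the user actually confirmed cannot be reused for a different withdrawal. Function names (login_otp, tx_otp, server_accepts_*) and the addresses are assumptions for the example.

```python
"""Login OTP versus transaction-bound OTP under a compromised client.

Added example; the secret, the scheme and the server checks are hypothetical.
"""
import hashlib
import hmac

# Constructed shared secret between the user's token and the exchange.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def login_otp(secret: bytes, counter: int) -> str:
    """HOTP-style code: depends only on the secret and a moving counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:4].hex()


def tx_otp(secret: bytes, counter: int, address: str, amount_satoshi: int) -> str:
    """Transaction-bound code: destination and amount are inside the MAC.

    Change either and the code stops verifying, so a code the user produced
    for their own withdrawal is useless for a withdrawal to another address.
    """
    msg = (counter.to_bytes(8, "big")
           + address.encode()
           + amount_satoshi.to_bytes(8, "big"))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return mac[:4].hex()


def server_accepts_login_otp(counter, address, amount, code) -> bool:
    """Server side of scheme 1: withdrawal fields are never tied to the code."""
    del address, amount  # unused, and that is exactly the weakness
    return hmac.compare_digest(code, login_otp(TOKEN_SECRET, counter))


def server_accepts_tx_otp(counter, address, amount, code) -> bool:
    """Server side of scheme 2: recompute over the fields actually submitted."""
    return hmac.compare_digest(code, tx_otp(TOKEN_SECRET, counter, address, amount))


def simulate_swap():
    """User withdraws 1 BTC to their own address; malware rewrites the form."""
    counter = 7
    user_addr, user_amt = "1UserOwnAddr", 100_000_000
    evil_addr, evil_amt = "1AttackerAddr", 3_400_000_000

    # Scheme 1: the token shows a code, malware submits it with its own fields.
    typed = login_otp(TOKEN_SECRET, counter)
    scheme1_attack_ok = server_accepts_login_otp(counter, evil_addr, evil_amt, typed)

    # Scheme 2: the token computes the code over what the user confirmed on it.
    typed = tx_otp(TOKEN_SECRET, counter, user_addr, user_amt)
    scheme2_legit_ok = server_accepts_tx_otp(counter, user_addr, user_amt, typed)
    scheme2_attack_ok = server_accepts_tx_otp(counter, evil_addr, evil_amt, typed)
    return scheme1_attack_ok, scheme2_legit_ok, scheme2_attack_ok


if __name__ == "__main__":
    print(simulate_swap())  # (True, True, False)
```

Two caveats the code does not show. The binding only helps if the device that computes the code displays the address and amount itself, out of reach of the compromised browser; a token that emits a code on touch without showing anything binds to nothing, which is the limit mrb points out. And the server must track the counter per user so a captured code cannot be replayed for the same destination and amount.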


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: k9quaint on April 11, 2013, 06:31:18 PM
OP ran Java in a browser.
OP clicked on a link from some random internet personage.
Everything that followed was a logical result of these two actions.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: moni3z on April 11, 2013, 06:39:37 PM
Actually this is 100% your own fault. You screwed yourself by clicking on anything in the btc-e trollbox which is basically where all of antichat.ru go to steal coins from the low hanging fruit running java enabled browsers.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: juice on April 11, 2013, 07:57:59 PM
NoScript will help as long as you know what to allow

also you could use a mandatory vm to surf the web


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: doobadoo on April 11, 2013, 08:11:50 PM
I use Windows XP and Firefox. I don't get virus'd often, or very rarely, and usually is because I intentionally run something I'm not supposed to. Although two factor authentication is nice, I find that I personally don't need it, since I never access any important sites insecurely, and all have good long unguessable passwords.

Recommend you harden FF a little.  Disable the java plugin  (tools addons).   Make sure you are running the newest FF.  Install Noscript and disable javascripts globally before accessing the Gox.  You can then "allow" each javascript one at a time from the sites you recognize.

while not goxing/blockinfo walleting, you can enable javascript globally.

Also, don't let the link to your cloud wallet touch your clipboard.

NoScript has a built in xss deterrent, not perfect, but it tries to sandbox all the javascript so that jscripts from different sites cant communicate.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: moni3z on April 11, 2013, 08:17:17 PM
Easy guide to not being robbed of all your coins:

- USE 2-FACTOR AUTH
- install noscript addon in browser and only enable trusted sites
- don't click anything in the trollbox
- download and install Common Sense 2013 to prevent yourself from clicking random email links too




Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: InqBit on April 11, 2013, 08:18:43 PM

Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police". They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this. Second because their security policy should account for such instances, and I did not even have an opportunity to warn them I did not make the withdrawal. Yet most importantly, BECAUSE THEY SHOULD HAVE KNOWN ABOUT THIS OVER 3 DAYS AGO!!!

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

Yeah, I'm stupid, I should have enabled a Yubikey or other 2nd auth method when bitcoins started exploding in value ... but still, this attack is rather basic and should not be possible on a site at the level of Mt. Gox. I can only imagine how people with larger amounts would feel if clicking on a link emptied their account $10k+...

This is a serious loss for me, and unless this is handled correctly this can also badly affect the community. I know they are super busy as they are backlogged with over 10,000 account verifications - I can only hope this gets handled appropriately. Does anyone have any advice how to go about contacting mtgox, they are so busy they don't even realize someone has a specialized phishing operation running to rob their customers!

Any advice is very much appreciated.

Sorry for your loss, but no, Mt. Gox should not refund you for your losses. You pretty much violated every tenet of online security and got caught in a phishing net in doing so.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: 420 on April 11, 2013, 08:41:58 PM
Internet explorer?

Use Firefox with NoScript; it would have probably prevented XSS. As for the 0-day JavaScript exploit, NoScript will save your bacon there too: only allow scripts you can identify and trust.

That keylogger it ran, was it actually installed to the system or was it just running in the browser? Boy, that's Win 8 for ya.

Change your email and banking passwords after you've done a clean install.

Consider Linux or OS X.

Are you saying there's a Windows 8 fault?


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Raoul Duke on April 11, 2013, 08:57:56 PM
So, you stupidly ran a Java program in your browser and ended up with your Mtgox credentials compromised, and now Mtgox should reward your stupidity?

Right... ::)


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: deepceleron on April 11, 2013, 09:24:41 PM
If your computer is compromised by a remote exploit allowing arbitrary code execution, you should pull the machine offline, back up whatever data-only files you need from another system, and wipe and reload. It is near-impossible for the average user to detect or sanitize a hacked machine - the computer can be rootkitted, have a remote access toolkit installed, a keylogger, etc., and other things will fall too, such as stored passwords in web browsers, the bitcoin wallet, personal files. Best pull the cat5 immediately.

Java has never not had 0-day applet vulnerabilities; it is broken by design, and there are always new ones to be found. Best to kill it with fire.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: crazyfingers on April 11, 2013, 09:25:50 PM
I also saw this link posted multiple times in BTC-E chat. After people pointed out the person was posting a virus, the moderator bans him for 1 HOUR. I think BTC-E must be getting kickbacks from this or something. I have seen people banned for DAYS for the harmless act of posting in all caps. But someone blatantly attempting to steal coins from BTC-E customers is allowed to try again in 1 hour, instead of being banned forever as they should have been.

Just the fact that they have that chatbox, especially on the trading page with no obvious way to disable it, shows what an unprofessional exchange it is. BTC-e is not to be trusted IMO.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: lucb1e on April 11, 2013, 09:34:26 PM
If you are also a victim of this exploit, I might know someone who can provide more information. One of the exploits was hosted on a friend's site (he's aware of it, removed the files and related accounts, and is now looking at further options -- records of IPs and such are kept). I've already contacted the OP.

In case you want to start a legal procedure or something (because this is, at least in the jurisdiction the files were uploaded, both stealing and computer fraud), this kinda info might be useful. Send me a PM if you want to get in touch, and please explain your situation and why you want to get in touch. I'm not going to redirect lots of random people.
I can also relay messages and questions if you wish.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: mrb on April 11, 2013, 10:42:46 PM
I also saw this link posted multiple times in BTC-E chat. After people pointed out the person was posting a virus, the moderator bans him for 1 HOUR.

They would have banned him longer and/or permanently, had the malware been stealing from btc-e.com accounts instead of mtgox.com  ::)


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: simplydt on April 11, 2013, 10:58:06 PM
I'm sorry this happened to you. Hopefully this will help protect other potential victims. The hardest lessons in life are also the ones we remember the best. You will now never forget:

a) never follow links on the web unless you are absolutely certain that the site it leads to is trusted
b) never ever click something on a page that looks a bit dodgy

Just be thankful that you learned this for about $4k; you could have easily lost $20-$50k+ if you had been careless in the future without having learned this lesson. Whenever I lose big amounts of money for a good lesson learned, I always remind myself that if I'd studied in the Ivy League I'd have lost $160,000+. But I didn't, so I have some buffer room for other real life mistakes!


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Herodes on April 11, 2013, 11:03:23 PM
their site is not secured against such rudimentary attacks

Very sorry about your loss. However: there is nothing else that MtGox could have done to secure against such rudimentary attacks.

You got owned by a Java exploit which can apparently execute arbitrary code on your computer. So it can log in as you on mtgox.com and do everything that you can do yourself. Even if you had no active session on MtGox, and were using the Yubikey to authenticate, the malware would still have been able to steal your coins: it could have stayed in the background, waiting for a browser session to mtgox.com to be active before hijacking it to perform the transfer. Maybe it could even have installed persistent malware on your PC that would start running at boot time and wait for you to log in, one day, with a Yubikey, before stealing the coins.

True, and that's one advanced piece of code, but there are people out there who would be able to pull it off.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: ripper234 on April 11, 2013, 11:20:33 PM
bitbully,

I'm sorry for your loss. However, I was under the impression this attack was an XSS style attack, which I would expect Mt. Gox to compensate you for if it were the case, since not properly defending against XSS attacks would be pure negligence on their part.

Still, you need to provide some evidence that this is an XSS and not just a keylogger/trojan.
If the attack is not XSS based, but simply involved a trojan stealing your credentials and replaying them to Mt. Gox, then the responsibility and fault for this attack is only yours (painful words to hear, I know).

Thanks for the input, guys. I know that my software choices in life may have made me more vulnerable to such attacks. But all the technical details aside, it's CLEAR that this site is built and targeted methodically at mtgox users, and that these perps are doing their best to attack mtgox users however they can. Whether that means through phishing scams, XSS, keyloggers, Java exploits, human social engineering, etc., mtgox should take a proactive role in curbing these attempts.

I don't think it's their job to do it. They need to make their site secure against the common threats like XSS, but they can't be held responsible for trojans running on your computer executing orders on your behalf. It's simply not their job.

The reason I chose mtgox is because they are the biggest and most well known. My assumption is that I would be insured against such common hacking tactics.

Really?

Mt. Gox is not a bank.
Assumption is the mother of all fuckups.

They are holding massive amounts of wealth and, just like banks, forex companies, and PayPal, mtgox should bear a certain degree of responsibility for hacked accounts. I don't think we can expect the masses to adopt bitcoins if they need to have a degree in IT security just to protect their funds, nonetheless in a hosted soft wallet environment.

Bitcoin right now is not ready for mass adoption. Better security like Hardware Wallets (https://en.bitcoin.it/wiki/Hardware_wallet) and insured Bitcoin Banks are needed. The potential gains for investors/speculators right now are there for the taking precisely because it's so hard.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: caffeinewriter on April 11, 2013, 11:36:41 PM
As much as I would like to say that it's not your fault and turn my head to Mt. Gox to completely reimburse you, this was completely your fault.


Let's take a look at the red flags.
  • The domain wasn't MtGox.com
  • It was preying on your wants
  • There was some random guy in chat bragging about it

The biggest thing is you allowed the Java to run.

But let's look forward to the future.

1. Always keep your Java updated.
2. Consider installing something like QuickJava (https://addons.mozilla.org/en-US/firefox/addon/quickjava/) for Firefox, or just outright disabling it in Chrome. Alternatively if you use IE, consider a blowtorch and sledgehammer.
3. Always think before you leap. Today, user interaction isn't required for most viruses to jump onto your computer and take control, except for that first step of going to it.
4. Drink more coffee. It's worked for me.
5. Like you said, add in two-factor authentication.

Welp, I'm off to set up a VM to deconstruct this exploit in. I'll report back if I find out any more technical details.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Dabs on April 12, 2013, 12:35:56 AM
Not having 2 Factor Auth when dealing with MONEY is FAIL.

You have very long random passwords? There are many other ways to compromise a system, both server and client side. The only truly secure way is 2FA.

You use Deep Freeze? Not secure at all. Did you read the OP? Deep Freeze will do nothing to protect you from certain attack vectors.

Yes, it's more secure with 2 factor auth, but my personal experience has been more hassle than it's worth, and I regularly deal with thousands of dollars worth on other sites. However, it's the fault of the bank or site that does not offer 2 factor auth. It just so happens that I have no choice to deal with certain banks (in my country), and they don't offer 2 factor auth.

So what I do, when I have to access those sites, I restart my computer so anything that was there from random browsing is gone. Then I go only to those sites to do what I have to do. I believe I have the client side secured more than enough. I also believe the server side isn't as secure as I prefer it to be, but I can't do anything about that until they upgrade their systems.

Deep Freeze (and other similar stuff like sandboxie, return nil, etc) isn't meant to protect you from your own user initiated mistakes like clicking on links or running programs. I have it primarily to fix my system to my last known good working configuration every time. Updates to software like Firefox and OS are done manually, and usually after doing a reboot first.

I actually live relatively "dangerously" online. But I take responsibility for what I do. When I have to deal with someone else's money, I just have to be more vigilant about securing what I'm working on.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: darkmule on April 12, 2013, 12:57:48 AM
I tend to live somewhat "dangerously" as well, but to allow Java to run, unbidden, from any web browser is foolhardy in the extreme. I now no longer allow Java to run at all, except when I issue it from a shell command line (not as root) and with known software from a known source, just like allowing any other application to run.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: bitbully on April 12, 2013, 04:17:48 AM
Thanks for the support everyone.

Just to reiterate, a java applet was never run, clicked on, or allowed to execute by me. I'm reading there was more than one attack vector in the page. There was a java initiated executable payload, which contained at the very least a keylogger - yet within seconds of clicking on the link the withdrawal was already initiated, leaving no time for the attacker to sniff my passwords and manually perform a withdrawal. The password was also changed after the withdrawal. Additionally there could have been a session token theft, or some form of XSS.

My understanding from two different IT security consultants is that mtgox's website security is sub-par. Instead of everyone trying to blame me or mtgox, perhaps the discussion should be about how we can stop this from happening in the future. I'm trying to make a point that however this trojan was crafted, it is very good at instantaneously emptying out your account. Someone could repackage it tomorrow and this whole story will repeat itself. No antivirus detects it, and it works directly with mtgox's site. I don't understand how some of you feel like this shouldn't be of concern to mtgox.

I'll be waiting for a response from mtgox, and will update if and when I receive a response. I do recognize, however, that there is an uncomfortable situation over there right now, with the bitcoin price going crazy, potential DDoS attacks, thousands of new users in queue, under-staffing and system overloads. I mean, their website isn't even loading right now and their pricing API isn't working...

Makes me real hopeful to see colored bitcoins and atomic swaps come to life.

I appreciate all those who are helping me both publicly and privately.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: forbun on April 12, 2013, 04:32:14 AM
Is it possible for this exploit, or a similar one, to work on Mac OS X?


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: bitbully on April 12, 2013, 05:52:10 AM
Hey Frott,

You bring up a lot of good points. I'm not an expert with the terminology. The 0-day exploit was referenced in a post from 3 days prior:

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

and was suggested as a possibility of how the script was able to run automatically. Others have said my security settings were misconfigured.

I know the trojans detected by malwarebytes were from that site because AdobeUpdate-Setup.1.84.exe is the downloaded file from that site. It was definitely from that website and the file dates/times match.

I was able to grab most of the site but some files are missing, so if anyone has a full rip please PM me. I have forwarded it to security researchers and they are reverse engineering it as we speak. So far we know that it was a "Dark Comet" keylogger, but that's only part of what I was able to grab, so until I get a hold of the rest of the site I won't know everything that was implemented.

I'm not claiming to know exactly how it worked, but what I do know is that it was fast, unexpected and painful. In the end I'm just happy that people are becoming aware of how easy it is to lose all your mtgox btc in the blink of an eye, and yes taking extra security precautions is a must and let this be a lesson to me and all others (Seems I'll be paying the tab this time...).


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: forbun on April 12, 2013, 06:17:51 AM
Are there any utilities that can continuously record the screen of my computer, so that I can go back in history and observe exactly what I saw in the past?


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Rampion on April 12, 2013, 06:50:00 AM
Is it possible for this exploit, or a similar one, to work on Mac OS X?

Yes.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: lucb1e on April 12, 2013, 10:17:25 AM
Are there any utilities that can continuously record the screen of my computer, so that I can go back in history and observe exactly what I saw in the past?
Safest bet is a camera. Or if you trust the malware not to quit the screen recording program, and I don't think it will, use a screen recorder like Fraps or Hypercam or one of the thousand others.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: P_Shep on April 12, 2013, 11:42:47 AM
It's not all bad, you made the BBC news, bitbully!

http://www.bbc.co.uk/news/technology-22120833

Oh, wait... :/


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Stephen Gornick on April 12, 2013, 11:50:38 AM
They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this.

Incidentally, they do have a method that is secure against this ... Yubikey, and Google Authenticator.

Happens a lot:

MtGox account got cleared out
 - http://bitcointalk.org/index.php?topic=85533.0

All BTC disappeared from my Mt. Gox account
 - http://bitcointalk.org/index.php?topic=88368.0

Another:
 - http://bitcointalk.org/index.php?topic=80562.msg941759#msg941759

And another: My mtgox account got compromised, what can I do?
 - http://bitcointalk.org/index.php?topic=84585.0

Yet more: MT.Gox account hacked - lost 2k USD - MT.GOX will not explain how.
 - http://bitcointalk.org/index.php?topic=89142.0

And more again: Bitcoins stolen from MtGox
 - http://www.reddit.com/r/Bitcoin/comments/x8lcv/bitcoins_stolen_from_mtgox

And yet more: Stolen from Mt.Gox coins. Help return the coins.
 - http://bitcointalk.org/index.php?topic=119816.0

Or more here: Email from Mt.Gox this morning.
 - http://www.reddit.com/r/Bitcoin/comments/z0na5/email_from_mtgox_this_morning

And even more here: I just had $715 stolen out of my Mt. Gox account.
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account

And the biggie: Bitcoinica MtGox account compromised
 - http://bitcointalk.org/index.php?topic=93074.0

With more here: Unauthorized Account Activity on my Mt.Gox Account - Account Compromised/Hacked?
 - http://bitcointalk.org/index.php?topic=94140.0

And even more: *MY* Mt Gox Account was Hacked - lost it all today... now what!?
 - http://bitcointalk.org/index.php?topic=137795.0

Ditto: My MtGox account was just exploited - 3 BTC stolen
 - http://bitcointalk.org/index.php?topic=141816.0

Ditto on the ditto: Just lost 190 bitcoins through Mt. Gox
 - http://bitcointalk.org/index.php?topic=141831.0

And other ones get added to the list: Unauthorized withdrawal on Mt. Gox
 - http://bitcointalk.org/index.php?topic=147070.0

And now this: How I got robbed of 34 btc on Mt.Gox today
 - http://bitcointalk.org/index.php?topic=173227.0

And another recent one: My funds and BTC have just disappeared from my Gox account!
 - http://bitcointalk.org/index.php?topic=174556

And on other services as well. Here same thing happened to some GLBSE users:
 - http://bitcointalk.org/index.php?topic=84893.0

And elsewhere, BitMarket.eu in this instance:
 - http://bitcointalk.org/index.php?topic=5441.msg1259168#msg1259168

And on bitcoin.de as well: Bitcoins stolen from bitcoin.de.
 - http://bitcointalk.org/index.php?topic=130264.0


In none of these was the person using multi-factor authentication. Mt. Gox has had Yubikey support for a while. Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html

If the exchange you are storing funds with doesn't provide OTP, consider using a different exchange:
 - http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges

If you are storing funds in an EWallet, consider using a paper wallet.

Also, here is a fantastic guide: How to use 2-factor auth on mtgox, even without a smartphone (from a second device, of course, not from the same computer you log in on).
 - http://bitcointalk.org/index.php?topic=111943.0


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: juice on April 12, 2013, 01:43:23 PM
Guys, they did it again!
But Gox hashed the passwords right, with salt, so strong passwords are safe, but if you typed in "flipper" or some shit,
change it now!


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: zenid on April 12, 2013, 07:11:12 PM
"In order to see Chatbox or to communicate with us. Please Update java at the top of the page.

- If the Download did not worked, Click Here"

Is this verbatim? The "If the Download did not worked" maybe should have set off alarm bells...
Horrible story though, really sad for the guy.

I'm thinking of doing an Ubuntu boot purely to run a browser in for trading. People are right to warn about Windows; it's much harder to defend against malware...


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: 2weiX on April 12, 2013, 07:13:19 PM
three words:

YU BI KEY


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: zenid on April 13, 2013, 12:15:16 AM
Are there any utilities that can continuously record the screen of my computer, so that I can go back in history and observe exactly what I saw in the past?
I use Debut Video capture. It will record a sizeable rectangle of screen to .avi or other video format.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Herodes on April 13, 2013, 12:30:08 AM

Yes, it's more secure with 2 factor auth, but my personal experience has been more hassle than it's worth [...]

I believe I have the client side secured more than enough.

So at 10:06pm ET on April 10th 2013 I was on btc-e reading the chat box. Then and there someone posted a link to www mtgox-chat info [...]

I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. I then forgot about this website.

[...]

Some while later at approx 11pm, I received an email. This was an email from mtgox that a withdrawal had taken place. I thought this was a joke.

------------------------------------------------------------
Dear bitbull,
 
There has been a withdrawal from your Mt.Gox account:
 
[...]


Just take it as a lesson learned, and don't get defensive. You screwed up, and paid for it. I'm sorry about your losses.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: muyuu on April 13, 2013, 06:55:13 PM
You guys should check you don't appear in any of these lists:

http://pastebin.com/search?cx=partner-pub-4339714761096906%3A1qhz41g8k4m&cof=FORID%3A10&ie=UTF-8&q=Compromised+MTGox+account+info&sa.x=0&sa.y=0&sa=Search


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: legendster on April 13, 2013, 09:42:29 PM
When I grow up I wanna be a hacker JUST like these guys, and I wanna rip off guys like you: just CLICK and FORGET!

In spite of being a techie, how the hell could you be so irresponsible! EVEN 34 BTC at a time like this can cause some damage... No wonder the SLL/BTC prices plummeted today!


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: MPOE-PR on April 14, 2013, 10:30:20 AM
So at 10:06pm ET on April 10th 2013 I was on btc-e reading the chat box. Then and there someone posted a link to www mtgox-chat info (do not open unless you know what you are doing) claiming a video announcement that mtgox was going to start trading litecoins.

I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. I then forgot about this website.

http://imageshack.us/a/img24/381/mtgoxchat.jpg

Some while later at approx 11pm, I received an email. This was an email from mtgox that a withdrawal had taken place. I thought this was a joke.

------------------------------------------------------------
Dear bitbull,
 
There has been a withdrawal from your Mt.Gox account:
 
Transaction reference: 97235bfd-9909-4020-9f06-e9d318c1ef7f
 
Date: 2013-04-11 02:06:22 GMT
 
IP: 198.203.29.120

You can access your account history for more details.

Please contact us as soon as possible by replying to this email if you did not request this withdrawal.

Thanks,

The Mt.Gox Team
------------------------------------------------------------

I immediately responded back to them, but what I discovered is that the withdrawal had been instantly processed and already confirmed in the blockchain:

https://blockchain.info/tx/bb30f2f110ba5b7bb60812bc3d7744f5086f6b4a38439566f1888a8d26e1fbec

http://imageshack.us/a/img805/9832/mtgoxwithdraw.png

which left less than a third of a bitcoin in my account. I then realized that this withdrawal happened at the EXACT time i accessed the mtgox-chat website based on my browser history. I then realized that I only received my notification email from them much after the fact apparently because their servers are overloaded and not functioning correctly.

Being a techie, I started researching. I found out that this site is hosted here in the USA. I also found out that the withdrawal was submitted from an IP in Los Angeles even though I have been accessing mtgox from Pennsylvania / New York. I then discovered that the site is a teleport pro rip of bitcoincharts.com branded with a mtgox logo, and was registered on namecheap (with bitcoins as it may be) not even 5 days ago! This is the IP resolve of the domain name.

http://imageshack.us/a/img835/1841/serverip.jpg

I then discovered that the site is loaded with a java script which, based on an initial analysis by my java programmer friend, is a 0 day java exploit with a cross site injection attack, which automatically started. It also contains an additional keylogger payload, all customized specifically for mtgox. They even "offer" an easy to use file download link for those whose browsers are not running java. This script INSTANTANEOUSLY initiated a mtgox withdrawal of nearly all my btc (34btc) in the background (I was logged into mtgox on that browser, seemed to be using some form of proxy to access my browser cookie cache it would seem) and then changed the account password so I couldn't login anymore. This was proven to be 100% automatic as the withdrawal occurred the same exact minute I accessed that website for the first time.

It then continued to gather all my computer passwords and logged everything I was doing including my blockchain account (as I eventually located the log files) and then sent it to the hackers / script kiddies. Luckily I have dual password protection on my blockchain wallet otherwise all my other bitcoins would be gone too. I wouldn't just call them just script kiddies because this script was very specific and well written for the mtgox website. I had two antiviruses running and neither caught it. Only later malwarebytes picked it up as a well encoded trojan payload executable.

http://imageshack.us/a/img841/2209/malwaren.jpg

Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police". They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this. Second because their security policy should account for such instances, and I did not even have an opportunity to warn them I did not make the withdrawal. Yet most importantly, BECAUSE THEY SHOULD HAVE KNOWN ABOUT THIS OVER 3 DAYS AGO!!!

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

Yeah, I'm stupid, I should have enabled a Yubikey or other 2nd auth method when bitcoins started exploding in value ... but still, this attack is rather basic and should not be possible on a site at the level of Mt. Gox. I can only imagine how people with larger amounts would feel if clicking on a link emptied their account $10k+...

This is a serious loss for me, and unless this is handled correctly this can also badly affect the community. I know they are super busy as they are backlogged with over 10,000 account verifications - I can only hope this gets handled appropriately. Does anyone have any advice how to go about contacting mtgox, they are so busy they don't even realize someone has a specialized phishing operation running to rob their customers!

Any advice is very much appreciated.

This is just further proof that the website "logged in" model is not workable for this application. Using a site built on a fundamentally broken paradigm will unavoidably yield this sort of result.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: jl2012 on April 14, 2013, 01:38:52 PM
You are not a noob. Obviously you know what 2-factor authorization is and you are lazy enough not to use it. How could you blame MtGox and even ask for any compensation?


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: darkmule on April 14, 2013, 08:09:18 PM
You are not a noob. Obviously you know what 2-factor authorization is and you are lazy enough not to use it. How could you blame MtGox and even ask for any compensation?

Conceivably, an exploit like this could lie in wait until you use two-factor and then hijack your existing session to do whatever.  While the OP did, IMO, screw up, Gox has some responsibility to monitor their own computers.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Herodes on April 15, 2013, 07:04:26 AM
You are not a noob. Obviously you know what 2-factor authorization is and you are lazy enough not to use it. How could you blame MtGox and even ask for any compensation?

Conceivably, an exploit like this could lie in wait until you use two-factor and then hijack your existing session to do whatever.  While the OP did, IMO, screw up, Gox has some responsibility to monitor their own computers.

what could gox've done?


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Raoul Duke on April 15, 2013, 10:15:48 AM
You are not a noob. Obviously you know what 2-factor authorization is and you are lazy enough not to use it. How could you blame MtGox and even ask for any compensation?

Conceivably, an exploit like this could lie in wait until you use two-factor and then hijack your existing session to do whatever.  While the OP did, IMO, screw up, Gox has some responsibility to monitor their own computers.

what could gox've done?

I don't know, maybe they could just block everyone who logs in to MtGox with correct credentials, that would show those hackers who's the boss ::)


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: darkmule on April 15, 2013, 08:24:41 PM
what could gox've done?

They could have been a bit quicker deleting an obviously bogus and malicious link from their own chat.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: deepceleron on April 15, 2013, 11:17:42 PM
what could gox've done?

They could have been a bit quicker deleting an obviously bogus and malicious link from their own chat.
It was a link in the btc-e chat. It could as easily have been a link posted here (http://www.youtube.com/watch?v=q5YkFJJLALo).

What could limit the success of these attacks besides 2FA would be if mtgox would lock changes to the withdrawal address or account details for 24 hours and send an email about the activity.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: darkmule on April 16, 2013, 03:09:31 AM
It was a link in the btc-e chat. It could as easily have been a link posted here (http://www.youtube.com/watch?v=q5YkFJJLALo).

What could limit the success of these attacks besides 2FA would be if mtgox would lock changes to the withdrawal address or account details for 24 hours and send an email about the activity.

I stand corrected.  The OP did state it was a link in btc-e chat, and I misremembered.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: biganth on April 17, 2013, 02:30:07 AM
The exploit took advantage of the fact that he was already logged in, so even if he was using 2f how could this have helped unless Mt. Gox requires 2f again when you perform a withdrawal.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: jl2012 on April 17, 2013, 02:33:27 AM
The exploit took advantage of the fact that he was already logged in, so even if he was using 2f how could this have helped unless Mt. Gox requires 2f again when you perform a withdrawal.

Every Mt. Gox 2f user knows Mt. Gox requires 2f again when a withdrawal is performed  ::)


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: biganth on April 17, 2013, 02:39:30 AM
Every Mt. Gox 2f user knows Mt. Gox requires 2f again when a withdrawal is performed  ::)

Thanks, I'm not a Mt. Gox user and I didn't know.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Rampion on April 17, 2013, 10:05:26 AM
Every Mt. Gox 2f user knows Mt. Gox requires 2f again when a withdrawal is performed  ::)

Thanks, I'm not a Mt. Gox user and I didn't know.

Well, the whole point of 2fa is that you need a ONE TIME PASSWORD that changes every few seconds. You don't need to be a MtGox user to know that, because that's how OTP and 2FA works everywhere.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: bitbully on April 21, 2013, 02:32:40 AM
Here's some proof for you Poutine.

"I am moverstar and I am legit."


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Malawi on April 21, 2013, 03:01:00 AM
Seems like MtGox need to start using some form of email-verification before the transaction to other accounts/out of MtGox actually happens.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: ninjaboon on April 21, 2013, 06:59:20 AM
Or A LOT of people are in deep shit.
Anyhow: 2 Factor Authentication is a must.
++11


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: crazy_rabbit on April 21, 2013, 07:34:23 AM
Seems like MtGox need to start using some form of email-verification before the transaction to other accounts/out of MtGox actually happens.

???
How about people stop being cheap and just buy a yubikey. Is $30 (or however much it costs) too expensive to protect your money? Email verification pales in comparison to having a physical hardware token. Come on people, stop being cheap and just buy the thing!


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Rampion on April 21, 2013, 11:07:53 AM
Seems like MtGox need to start using some form of email-verification before the transaction to other accounts/out of MtGox actually happens.

???
How about people stop being cheap and just buy a yubikey. Is $30 (or however much it costs) too expensive to protect your money? Email verification pales in comparison to having a physical hardware token. Come on people, stop being cheap and just buy the thing!

Come on, you just need to do a couple of small trades and they will send you a yubikey for free.

And Google Auth is free too.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: Aztec on April 21, 2013, 10:43:43 PM
Don't trust ANYONE on BTC-E. Bunch of scamming C***s.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: bitbully on April 22, 2013, 01:37:07 AM
UPDATE 4/21/13


It's been a long and hard journey, but I did it, I got my 34 bitcoins back.

First thank you to all those anonymous users out there who helped me track down the thief, and those who supported me throughout.

Luckily for me the stupid Canadian teenager who committed these crimes was very sloppy and left a massive trail which allowed us to identify him and target him on his turf @ hackforums.net. Mtgox never helped, they are the Achilles heel of bitcoin. They have overcentralized the exchanges, monopolized the control over bitcoin's value, and their customer service is non-existent (I mean literally non-existent, their live chat hasn't worked for weeks).

So how did I find this kid and get the coins? An amazing group of researchers put together valuable information, starting by contacting the file hosting site that hosted the trojan. They got the login and ip info and matched it to a user called PoutineCoutu across the net which has a few scam reports. We then found him highly active on hackforums.net where he was selling and GIVING AWAY bitcoins, which also matched all the activity to the bitcoin address where my coins went. He's so stupid he didn't even wash the coins and was selling them publicly. He even has multiple threads asking how to open ports on his firewall for his trojan C&C and that he is using a silent java drive-by script.

Reported to police (they are really no help, so much for paying their salary, seems they've gotten FBI reports about bitcoins and don't really like them, started asking if I pay taxes on them...), but at least I had a precedent to pursue. Tried contacting the thief, he blocked me and claimed I was blackmailing him all over the forums. This went on for a while. He was feeling the heat and dumped the coins to an offline exchange member, Xch4nge, whom I tracked down immediately by tracking the coins on blockchain.info. Contacted him and what an amazing guy, helped me throughout the entire process and took a lot of heat, but basically a huge skid war erupted all across the forums, and he still held on to the coins for a week until finally the kid came to his senses realizing what he was doing is "bad" (and he might go to jail). He was arguing that it's okay he stole the coins from someone, but not okay someone "stole" the coins from him.

Finally he publicly agreed to allow the return of the coins. Throughout the entire process many people came to my help and provided me information about this person and one guy who goes to school with him even said that he's a $%@!. And the guy who sold him the Java script even apologized to me and said he's sorry that his script was responsible for my loss...

For the full story (if you have a few hours) go here:

http://www.scmagazine.com.au/News/339677,bitcoin-hacker-hunted.aspx
http://www.hackforums.net/showthread.php?tid=3402988
http://www.hackforums.net/showthread.php?tid=3418367&pid=32074125#pid32074125
http://www.hackforums.net/showthread.php?tid=3422032

As for the trojan and mtgox I have attached my final thoughts below.

I think this might be the first time ever someone got their bitcoins back :)


---------------------------------------------------------------------------------------------


Let this incident be a lesson to both me and Mtgox. Mtgox's website is not security conscious. At no point in the registration process are the dangers of not using secondary authentication pointed out. Yes, in the end it is the user's responsibility, but it behooves me that they would not implement additional security protocols, the way for example the blockchain.info wallet does. Even a yubikey might not have protected me considering how compromised my system was from the trojan.

A very reasonable security feature would be to have an option for delayed withdrawal processing times that, once set, cannot be changed for 24 hours. With a default of, let's say, a 2-hour withdrawal delay I would have been able to notify mtgox to cancel the withdrawal in time. Or a simple withdrawal PIN such as other bitcoin commerce sites use...

But all this is in hindsight. As for my case, analyzing my system showed that my browser and system security was misconfigured, apparently due to a previous compromise, and/or my software versions were vulnerable to an exploit which allowed the script to run unauthorized. Unfortunately there is no foolproof scenario to avoid malware (for a normal person, not some guru security expert).

This script, or executable, installed a highly advanced trojan called Dark Comet which basically allowed the attacker to perform pretty much any imaginable task. How at that point the withdrawal was initiated so quickly is unknown, but it does seem the attacker had a couple of minutes to act, since a deeper investigation has shown the page was first opened a few minutes before the withdrawal took place. Most likely it was a combination of automatic and manual tasks which afforded the attacker access to the account. As for more advanced forms of attack, XSS or token theft, these were possibly implemented through the trojan, but it is more likely that the attacker was able to use password sniffing and info gathering techniques along with predefined scripts to yield very fast results. The payload itself was wrapped in an AutoIt executable and is mostly undetectable by scanners.

Having spoken with so many programmers and IT security professionals, they have advised that Mt.Gox is highly vulnerable to different forms of web application attacks and should pursue penetration testing services immediately. My understanding is that they didn't learn from the first time.
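The withdrawal-delay option proposed in the post above, together with deepceleron's earlier suggestion of a 24-hour lock on setting changes, modelled as an added Python example (not Mt.Gox's code; the Account/Withdrawal API, the 2-hour default and the 24-hour cooldown are assumptions taken from the thread's suggestions). It shows why the lock matters: an attacker holding the victim's live session cannot simply turn the delay off before withdrawing, while the owner can still cancel a queued withdrawal when the notification e-mail arrives.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed model (assumed API, not Mt.Gox code) of the two mitigations
# discussed in the thread: withdrawals queue for a per-account delay before
# being broadcast, and the delay can only be lowered after a 24 h cooldown,
# so an attacker holding a live session cannot switch it off and drain funds.
SETTING_COOLDOWN = timedelta(hours=24)


@dataclass
class Withdrawal:
    amount: float
    address: str
    release_at: datetime
    cancelled: bool = False
    sent: bool = False


@dataclass
class Account:
    balance: float
    delay: timedelta = timedelta(hours=2)   # default suggested in the post
    pending_delay: tuple = None             # (new_delay, effective_at)
    queue: list = field(default_factory=list)

    def effective_delay(self, now: datetime) -> timedelta:
        # A lowered delay only takes effect once the cooldown has elapsed.
        if self.pending_delay and now >= self.pending_delay[1]:
            self.delay, self.pending_delay = self.pending_delay[0], None
        return self.delay

    def set_delay(self, new_delay: timedelta, now: datetime) -> None:
        if new_delay >= self.effective_delay(now):   # raising is immediate
            self.delay, self.pending_delay = new_delay, None
        else:                                        # lowering is deferred
            self.pending_delay = (new_delay, now + SETTING_COOLDOWN)

    def request_withdrawal(self, amount: float, address: str, now: datetime) -> Withdrawal:
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount                       # reserved; refunded on cancel
        w = Withdrawal(amount, address, now + self.effective_delay(now))
        self.queue.append(w)
        return w

    def cancel(self, w: Withdrawal) -> bool:
        # The owner can cancel anything still queued, e.g. once the e-mail arrives.
        if w.sent or w.cancelled:
            return False
        w.cancelled, self.balance = True, self.balance + w.amount
        return True

    def process(self, now: datetime) -> list:
        # Payout job: broadcast only withdrawals whose delay has matured.
        sent = [w for w in self.queue if not (w.sent or w.cancelled) and now >= w.release_at]
        for w in sent:
            w.sent = True
        return sent
```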


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: darkmule on April 22, 2013, 04:51:22 AM
Well played, sir.

I have to say it's really great to see one of these stories with a happy ending for a change.  This is how it should be more often.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: mrb on April 22, 2013, 05:13:24 AM
bitbully, MtGox is not "vulnerable to different forms of web application attacks". Stop spreading FUD. People may say this, but they don't know what they are talking about.

I am a security professional and let me tell you that while MtGox used to be vulnerable to flaws like CSRF and XSS (back in 2010 / early 2011), it is not the same website anymore. It is today considered well-secured and well-designed: HTTPS, 2-factor auth, etc. To my knowledge there has been no known CSRF or XSS flaw in the last year or so. Although, as a security professional, I know that all big enough websites are bound to have flaws here and there, but again MtGox appears to be well-secured. Don't say that it is known to be "vulnerable to different forms of web application attacks".

As you said yourself, you were instead compromised by a local trojan: Dark Comet. No amount of web security features (other than 2-factor auth) can protect you from a local trojan running with all local privileges. You failed to use 2-factor auth and that is "how you got robbed of 34 BTC". You are right that MtGox should advertise 2-factor auth / Yubikey more, but no amount of explaining security to users is going to convince all of them to buy a Yubikey. MtGox even tried to offer free Yubikeys (http://bitcoinmalaysia.com/2012/09/02/free-yubikeys-from-mtgox/) but some users still did not take the offer!



Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: 01BTC10 on April 22, 2013, 05:15:14 AM
Nice read but Dark Comet is not a highly advanced trojan. It's part of the standard script kiddies toolbox. Glad you got your bitcoins back.


Title: Re: How I got robbed of 34 btc on Mt.Gox today
Post by: slippyrocks on April 23, 2013, 03:18:29 AM
100% Sun Microsystems Java plug-in's fault, absolute shit for security.

If you must install it limit it to run only in trusted domains.

Am running ESET NOD32 antivirus trial, it won't even let me visit that exploit website.

-----------------
free 30-day trial, continues to work after expiration but will nag
http://www.eset.com/us/download/home/detail/family/2/?trl=ea

am using the Opera browser, is lightweight and very fast, no disk cache
http://www.opera.com/

Ghostery add-on for privacy, ad removal and no cross-site tracking
https://addons.opera.com/en/extensions/details/ghostery/