Any news? It's 2 weeks after the complaint was filed. Did the police or the lawyer get back with news in the meantime? Anything?
It's been 2 weeks... In the legal world that's like 2 seconds. Hope it doesn't take two weeks then ^^
|
|
|
Kudos for Nick's great malware reverse engineering. Reference: http://www.securemac.com/Remove-CoinThief-Trojan-Horse-Instructions.php
OSX/CoinThief has been distributed under four different names so far: BitVanity, StealthBit, Bitcoin Ticker TTM, and Litecoin Ticker.
BitVanity and StealthBit were distributed on Github, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. Both app names appear to have been taken from legitimate apps in the Mac App Store. The malicious payload was not found in Mac App Store copies of these apps.
When run, the malware installs a browser extension in Chrome, Safari, and Firefox, which will appear in those apps as "Pop-Up Blocker 1.0.0" with the description "Blocks pop-up windows and other annoyances." There are some indications that this name and description were also taken from a legitimate browser extension. The browser extensions watch your web traffic, looking for specific headers for bitcoin-related websites. They communicate with the background process, which will periodically connect to a remote server (currently offline) to exfiltrate login credentials.
The background process is set to be constantly running via a launchd task. Additionally, the background process will check for the presence of Bitcoin-Qt, and appears to be modifying components of Bitcoin-Qt, possibly with the intent of leaking private keys.
To check for the presence of the malware on your system:
Take a screenshot of these instructions or print them out, and disconnect your system from the internet until you've verified that your system is clean. Open Activity Monitor (located in your Utilities folder), and look for a process called "com.google.softwareUpdateAgent."
Note that this is a specific name that is currently known to be used by the malware. Open Chrome, Safari, and Firefox (if installed on your system), and check for the presence of the "Pop-Up Blocker" extension. If you see either the "com.google.softwareUpdateAgent" process or the browser extensions, continue on to the removal instructions.
To manually remove the malware from your system:
Manual removal is going to require entering a few terminal commands. The commands must be entered exactly as they are listed below, so copy and paste them in if need be.
Before entering the terminal commands, delete the apps from your system (BitVanity, StealthBit, Bitcoin Ticker TTM, or Litecoin Ticker) by dragging them to the Trash and emptying the Trash. Make sure to quit the apps before attempting to delete them.
Open the Terminal (located in your Utilities folder), and type the following command:
launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist
Press the return key after entering the command. This command will unload the launchd task, and stop the malware from constantly running in the background. If you see a message stating "No such file or directory, nothing found to unload," the launchd task was not loaded on your system.
Next, you're going to enter a command to unhide the malware file itself, and move it to your Desktop. From there, you will manually drag it to the Trash. This will serve to avoid accidentally removing the wrong file. Type the following command, again pressing the return key after entering the command:
mv ~/Library/Application\ Support/.com.google.softwareUpdateAgent ~/Desktop/com.google.softwareUpdateAgent
In the above command, pay close attention: there is a period before the first instance of com.google.softwareUpdateAgent. Next, you're going to do the same for the file that starts the launchd task, and move it to the Desktop. Type the following command, again pressing the return key after entering the command:
mv ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist ~/Desktop/com.google.softwareUpdateAgent.plist
Drag the com.google.softwareUpdateAgent and com.google.softwareUpdateAgent.plist files that should now be present on your Desktop to the Trash, and empty the Trash. Open your web browsers, and delete the "Pop-Up Blocker" extensions. Backup your wallet and reinstall Bitcoin-Qt. Change your password information for accounts you have on any bitcoin-related websites either from a system that you know is clean, or after you have ensured removal of the malware.
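A read-only check for the CoinThief indicators listed in the post above (the hidden file, the LaunchAgent plist, the "Pop-Up Blocker" extension and the background process), added here as an example; it is not from the forum post or from securemac.com, and it removes nothing. The location of Chrome's extension manifests (~/Library/Application Support/Google/Chrome/*/Extensions/*/*/manifest.json) is my assumption, not something the post states.

```shell
#!/bin/sh
# Added example, not from the forum post or securemac.com: a read-only check for
# the OSX/CoinThief artefacts named in the post. It reports and removes nothing.
# Assumption (mine, not from the page): Chrome keeps extension manifests under
# ~/Library/Application Support/Google/Chrome/<profile>/Extensions/<id>/<ver>/manifest.json

AGENT="com.google.softwareUpdateAgent"
EXT_NAME="Pop-Up Blocker"

# File-system indicators under the given home directory, one path per line.
# Taking the directory as an argument lets the check run against a mounted
# copy or a constructed test tree instead of the live $HOME.
cointhief_fs_artifacts() {
    home="${1:-$HOME}"
    # Hidden payload (note the leading dot) dropped into Application Support.
    if [ -e "$home/Library/Application Support/.$AGENT" ]; then
        printf '%s\n' "$home/Library/Application Support/.$AGENT"
    fi
    # LaunchAgent plist that keeps the payload running at every login.
    if [ -e "$home/Library/LaunchAgents/$AGENT.plist" ]; then
        printf '%s\n' "$home/Library/LaunchAgents/$AGENT.plist"
    fi
    # Chrome extension manifests carrying the malicious extension's display name.
    chrome="$home/Library/Application Support/Google/Chrome"
    if [ -d "$chrome" ]; then
        find "$chrome" -name manifest.json -exec grep -l "$EXT_NAME" {} \; 2>/dev/null
    fi
}

# Number of file-system indicators found; 0 means none of them is present.
cointhief_count() {
    cointhief_fs_artifacts "$1" | wc -l | tr -d ' '
}

# Live-system indicators: the running background process and the loaded
# launchd job (launchctl exists only on macOS, so that part is skipped elsewhere).
cointhief_live() {
    ps -A -o comm= | grep -F "$AGENT"
    if command -v launchctl >/dev/null 2>&1; then
        launchctl list 2>/dev/null | grep -F "$AGENT"
    fi
    return 0
}

# Usage on the machine being checked (prints nothing when clean):
# cointhief_fs_artifacts; cointhief_live
```

Run it before the removal steps to confirm which of the artefacts are actually present, and again afterwards to confirm they are gone.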
|
|
|
Just wrote to securemac.com to let them know about the correlation between Bitvanity and Stealthbit. Hopefully they will have a look at Bitvanity code and give us more insights as to what it does.
|
|
|
Thanks to the bitcointalk and reddit communit(ies) for making this known. I'll make sure and make a post about it to the Unsystem list, where the developer of sx (which is not malware, but was used by the Stealthbit author(s) apparently) will I'm sure address it and provide some advice. Fortunately, I didn't touch the Bitvanity or Stealthbit stuff - and it's obvious that the person(s) who designed Bitvanity/Stealthbit are thieves, now I guess the question is, what does the community of developers do about it. Time to pop that question.
Yes, this cannot be stressed enough. Devs of sx (used for the Stealthbit app) and Vanitygen (used for the Bitvanity app) had nothing to do with the mentioned malware. Trevor just recompiled their code while introducing some malicious binary. Looks like the Reddit community is way more active than this forum. After 6 months, 2 threads and various posts, not much has happened on bitcointalk. On Reddit, in 48 hours 2 guys have been working on deciphering the code. ref. http://www.reddit.com/r/Bitcoin/comments/1xf2qj/my_wallet_just_emptied_into_this_address/cfbhip5
Finally made an account on Reddit just to reply to this. After seeing this post early this morning I spent the day analyzing the malware and the preliminary analysis is available here[1]. Basically, the pre-compiled StealthBit app acted as a dropper for a disguised payload which installed the background process to check in with the server for updates, send information, etc., and a browser extension for Safari and/or Google Chrome (depending on what you've got installed) that slurps up all your browsing data (which is where they got your wallet info from). I'm hoping to have more time to analyze it further tomorrow, but I've been at it for almost 10 hours straight and I'm exhausted!
Thanks for the link. I'm not aware of multiple thefts, although victims might just not be aware these apps were to blame.
|
|
|
No!!! It got me!! Lost 20 btc! Can't believe it.. in shock.. what do I do? Do I have to reinstall everything? Why is there no warning on that thread?
Hi Allinfinite, I'm really sorry for your loss. I suppose there is no warning as nobody was sure of anything yet. This said, I have contacted Reddit and Github, but nothing of substance has been done. In Reddit's bitcoinprojects section, mods did look into it: I didn't see any hard-coded bitcoin addresses when I looked through. But, I didn't exactly understand how the code worked either. If you're typing in a private key, it may be transmitting that key to another server that runs code to quickly move funds to a hard coded wallet. So, I can't say we need to take it down, but I say we leave it for others more experienced to test out.
I contacted the /r/bitcoin section moderator as well (Theymos), but got no answer. I contacted Github days ago to let them know, but except for them asking me why I thought this was malware nothing was done. Last time I contacted Github to warn them about Bitvanity being malware, their answer was: "Hi *****,
If the project in question doesn't behave as expected, I'd suggest opening an issue and discussing it with the maintainer.
Cheers, Steven!" Seeing their previous performance in preventing further diffusion of malware even when told about it, I directly posted a warning in the Github repo https://github.com/thomasrevor/StealthBit/issues. To tell you the truth, it doesn't look like anyone gives a shit (there was a Reddit thread about Bitvanity being malware, but no one took the time to inform Github). And this is a bit disappointing. I'll renew my plea here to anyone that has some knowledge in OSX app coding to have a look at Stealthbit and see how it operates. Regarding your theft, could you give us some more info? txid, if any other apps were running in the background, or any other relevant info would be much appreciated. Again, I'm really sorry that happened to you.
|
|
|
Everyone who is involved must contribute SOME amount of BTC, else they risk the possibility of what that may mean if any of the funds are recovered. Thanks VS Are you speaking for VS? No, he just says Thanks VS (for his involvement & work I guess). I'm not sure what he means. I have been a strong advocate for donations, and a bit pissed off to see so few, but regardless of one's contribution all will receive their fair share of (if any) salvaged funds. That I'm sure of. Now if this is based on the number of owned shares, or on a % of lost investment, that I'm not sure of. I suppose this will depend on what the law specifies in such circumstances.
|
|
|
Sorry to hear your loss Thanks, from now on I have an offline wallet on 2 raspberry pi (with a few satoshi). Learn and live I would really appreciate if anyone around has some coding knowledge in OSX to have a look into the (presumed) hacker's new app - Stealthbit (mentioned in previous post - https://github.com/thomasrevor/StealthBit). I have been in contact with Reddit mods, and this is what they said: I didn't see any hard-coded bitcoin addresses when I looked through. But, I didn't exactly understand how the code worked either. If you're typing in a private key, it may be transmitting that key to another server that runs code to quickly move funds to a hard coded wallet. So, I can't say we need to take it down, but I say we leave it for others more experienced to test out. I have also been in contact with Github, but they are always reluctant in taking down an app that is not proven to be malware, and they didn't seem to have the resources (or incentive) to look into it. Github: Thanks for reaching out to us again. Can you describe the malicious activity of StealthBit? My answer: I'm not a specialist unfortunately (...) The only thing I'm quite positive of, is that ThomasRevor and Trevory are the same person. There are too few coders writing bitcoin OSX applications for this to be a coincidence. Maybe cross check their IP address? although it would seem very amateurish for him not to use a VPN or Tor. Anyway, I posted my concerns as an issue for stealthbit. I have been trying to get in contact with him for 4 days, have been posting warnings in his threads, but no answers up to now. Which is a bit concerning. Can't some of your team have a look into the code? Anyone here good/care enough to have a look?
|
|
|
Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.
Was your electrum compromised or were you running bitvanity? @E.Sam Sorry about your loss, if you contact bitstamp do you think you will be able to recover your BTC? Bitstamp wouldn't give clients' information without a court order. Since they are based in the EU, theoretically that shouldn't be too difficult. I would still have to prove a correlation, and since the stolen funds were transferred via another address, that could be tricky. Anyway, I came to terms with my loss, just trying to prevent others from falling for it. Edit: I was running bitvanity in the background (was not using the generated vanity addresses from it. As for Electrum, it was not even installed)
|
|
|
Yes you're right, I was actually thinking of mentioning this. When I started this thread, I wasn't sure if this was due to a malware or not. I guess it is quite clear now.
|
|
|
It belongs to Bitstamp (was tracing some stolen BTCs that ended up there).
|
|
|
In case of failure to get the funds with donations, I guess it's up to me to pay the remaining amount of the invoice, after all it is in my name.
That should be out of the question. I know people lost a lot and are a bit sceptical about spending more to get some of their investment back, but at the end of the day you are not mama Teresa :] I hate to have to say this as I would much rather see people voluntarily contribute, but if the majority is not willing to make a small donation, then obligatory contribution should be put forward as an option. We are not asking for some crazy amount here. As pointed out previously we have around 40 donations, which indicates that less than 1/2 the complainants contributed. If the remaining 40/50 give 0.02, 0.03 BTC (that's 16-24$), then we're good.
|
|
|
Email is the same.. no idea why ..mmm
Email Burnside, he should be able to sort this out for you: ceo[at]btct.co
|
|
|
Hey guys, I emailed the lawyer, but I still need to give the exact information about the transaction history of the shares.
But I cannot find my API keys, where are they supposed to be? Can't find them in my email
For BTCT, Burnside must have sent your API key to your registered mail address a couple of weeks ago (got mine on 14/01/14). Maybe you registered with a different mail?
|
|
|
|