UPDATE 4/21/13
It's been a long and hard journey, but I did it, I got my 34 bitcoins back.
First thank you to all those anonymous users out there who helped me track down the thief, and those who supported me throughout.
Luckily for me the stupid Canadian teenager who committed these crimes was very sloppy and left a massive trail which allowed us to identify him and target him on his turf @ hackforums.net. Mtgox never helped, they are the Achilles' heel of bitcoin. They have overcentralized the exchanges, monopolized the control over bitcoin's value, and their customer service is non-existent (I mean literally non-existent, their live chat hasn't worked for weeks).
So how did I find this kid and get the coins? An amazing group of researchers put together valuable information, starting by contacting the file hosting site that hosted the trojan. They got the login and IP info and matched it to a user called PoutineCoutu across the net who has a few scam reports. We then found him highly active on hackforums.net where he was selling and GIVING AWAY bitcoins, which also matched all the activity to the bitcoin address where my coins went. He's so stupid he didn't even wash the coins and was selling them publicly. He even has multiple threads asking how to open ports on his firewall for his trojan C&C and saying that he is using a silent Java drive-by script.
Reported to police (they are really no help, so much for paying their salary, seems they've gotten FBI reports about bitcoins and don't really like them, started asking if I pay taxes on them...), but at least I had a precedent to pursue. Tried contacting the thief, he blocked me and claimed I was blackmailing him all over the forums. This went on for a while. He was feeling the heat and dumped the coins to an offline exchange member, Xch4nge, whom I tracked down immediately by tracking the coins on blockchain.info. Contacted him and what an amazing guy, helped me throughout the entire process and took a lot of heat but basically a huge skid war erupted all across the forums, and he still held on to the coins for a week until finally the kid came to his senses realizing what he was doing is "bad" (and he might go to jail). He was arguing that it's okay he stole the coins from someone, but not okay someone "stole" the coins from him.
Finally he publicly agreed to allow the return of the coins. Throughout the entire process many people came to my help and provided me information about this person and one guy who goes to school with him even said that he's a $%@!. And the guy who sold him the Java script even apologized to me and said he's sorry that his script was responsible for my loss...
For the full story (if you have a few hours) go here:
http://www.scmagazine.com.au/News/339677,bitcoin-hacker-hunted.aspx
http://www.hackforums.net/showthread.php?tid=3402988
http://www.hackforums.net/showthread.php?tid=3418367&pid=32074125#pid32074125
http://www.hackforums.net/showthread.php?tid=3422032
As for the trojan and mtgox I have attached my final thoughts below.
I think this might be the first time ever someone got their bitcoins back
---------------------------------------------------------------------------------------------
Let this incident be a lesson to both me and Mtgox. Mtgox's website is not security conscious. At no point in the registration process are the dangers of not using secondary authentication pointed out. Yes in the end it is the user's responsibility but it behooves me that they would not implement additional security protocols, the way for example the blockchain.info wallet does. Even a YubiKey might not have protected me considering how compromised my system was from the trojan.
A very reasonable security feature would be to have an option for delayed withdrawal processing times that, once set, cannot be changed for 24 hours. With a default of, let's say, a 2-hour withdrawal delay I would have been able to notify mtgox to cancel the withdrawal in time. Or a simple withdrawal PIN such as other bitcoin commerce sites use...
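The control described in that paragraph is simple enough to sketch in code. The block below is an added illustration, not anything Mt.Gox or the poster built: a per-account withdrawal queue whose hold period (2 hours here, the post's suggested default) lets the owner cancel a payout before it is sent, and whose setting is locked for 24 hours after each change, as the post proposes. It goes one step beyond the post's wording in one respect, common in exchange "vault" designs: a request to *shorten* the hold only takes effect once that 24-hour lock expires, so a session the trojan has hijacked cannot shrink the window and drain the account in the same sitting. Class names, the timestamps and the destination address are all constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed values mirroring the post: 2 h default hold, 24 h lock on the setting.
DEFAULT_DELAY = timedelta(hours=2)
SETTING_LOCK = timedelta(hours=24)


@dataclass
class Withdrawal:
    wid: int
    amount: float
    address: str             # destination; a constructed placeholder in the demo
    requested_at: datetime
    release_at: datetime     # earliest moment the payout may actually be sent
    status: str = "pending"  # pending -> cancelled | sent


class DelayedWithdrawalQueue:
    """Hold every withdrawal for a per-account delay so the owner can cancel it.

    The delay setting is locked for 24 h after each change. A reduction of the
    delay only becomes effective when that lock expires; an increase applies at
    once because it only adds safety.
    """

    def __init__(self, now: datetime, delay: timedelta = DEFAULT_DELAY) -> None:
        self._delay = delay
        self._pending_delay: Optional[timedelta] = None
        self._pending_delay_at: Optional[datetime] = None
        self.setting_locked_until = now   # nothing changed yet, so not locked
        self._next_id = 1
        self.queue: Dict[int, Withdrawal] = {}

    def effective_delay(self, now: datetime) -> timedelta:
        # Promote a scheduled reduction once its own waiting period has passed.
        if self._pending_delay is not None and now >= self._pending_delay_at:
            self._delay, self._pending_delay, self._pending_delay_at = self._pending_delay, None, None
        return self._delay

    def set_delay(self, new_delay: timedelta, now: datetime) -> datetime:
        """Change the hold; returns the time at which the new value is effective."""
        if new_delay < timedelta(0):
            raise ValueError("delay must not be negative")
        if now < self.setting_locked_until:
            raise PermissionError(f"delay setting locked until {self.setting_locked_until.isoformat()}")
        current = self.effective_delay(now)
        self.setting_locked_until = now + SETTING_LOCK
        if new_delay >= current:
            self._delay = new_delay           # longer hold: safe, apply immediately
            self._pending_delay = self._pending_delay_at = None
            return now
        self._pending_delay = new_delay       # shorter hold: defer until the lock ends
        self._pending_delay_at = self.setting_locked_until
        return self._pending_delay_at

    def request(self, amount: float, address: str, now: datetime) -> Withdrawal:
        w = Withdrawal(self._next_id, amount, address, now, now + self.effective_delay(now))
        self._next_id += 1
        self.queue[w.wid] = w
        return w

    def cancel(self, wid: int) -> bool:
        """Owner-side cancel; succeeds for anything that has not been sent yet."""
        w = self.queue.get(wid)
        if w is None or w.status != "pending":
            return False
        w.status = "cancelled"
        return True

    def process(self, now: datetime) -> List[Withdrawal]:
        """Payout job: sends only withdrawals whose hold has cleared."""
        sent = []
        for w in self.queue.values():
            if w.status == "pending" and now >= w.release_at:
                w.status = "sent"   # a real exchange would broadcast the transaction here
                sent.append(w)
        return sent


def demo() -> dict:
    """Replay the post's scenario with constructed times and a placeholder address."""
    t0 = datetime(2013, 4, 1, 12, 0)
    q = DelayedWithdrawalQueue(now=t0)
    q.set_delay(DEFAULT_DELAY, now=t0)                 # owner opts in; setting now locked 24 h
    try:                                               # hijacked session tries to remove the hold
        q.set_delay(timedelta(0), now=t0 + timedelta(minutes=1))
        attacker_changed_delay = True
    except PermissionError:
        attacker_changed_delay = False
    w = q.request(34.0, "CONSTRUCTED_DESTINATION_ADDRESS", now=t0 + timedelta(minutes=2))
    sent_early = q.process(now=t0 + timedelta(minutes=30))   # payout job runs inside the hold
    cancelled = q.cancel(w.wid)                              # owner sees the alert and cancels
    sent_late = q.process(now=t0 + timedelta(hours=3))       # later runs still send nothing
    return {"attacker_changed_delay": attacker_changed_delay, "sent_early": len(sent_early),
            "cancelled": cancelled, "sent_late": len(sent_late), "final_status": w.status}


def reduction_schedule() -> dict:
    """Show that shortening the hold only takes effect after the 24 h lock."""
    t0 = datetime(2013, 4, 1, 12, 0)
    q = DelayedWithdrawalQueue(now=t0)
    effective_at = q.set_delay(timedelta(hours=1), now=t0)
    return {"hours_until_effective": effective_at.__sub__(t0).total_seconds() / 3600,
            "delay_after_1h": q.effective_delay(t0 + timedelta(hours=1)).total_seconds() / 3600,
            "delay_after_25h": q.effective_delay(t0 + timedelta(hours=25)).total_seconds() / 3600}
```

`process()` is the only place a payout leaves the system, so the hold is enforced even if the attacker manages to file the request within seconds of taking over the browser, which is exactly the gap the post describes.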
But all this is in hindsight. As for my case, analyzing my system showed that my browser and system security were misconfigured, apparently due to a previous compromise, and/or my software versions were vulnerable to an exploit which allowed the script to run unauthorized. Unfortunately there is not a foolproof scenario to avoid malware (for a normal person, not some guru security expert).
This script, or executable, installed a highly advanced trojan called DarkComet, which basically allowed the attacker to perform pretty much any imaginable task. How at that point the withdrawal was initiated so quickly is unknown, but it does seem the attacker had a couple minutes to act since a deeper investigation has shown the page was first opened a few minutes before the withdrawal took place. Most likely it was a combination of automatic and manual tasks which afforded the attacker access to the account. As for more advanced forms of attack, XSS or token theft, these were possibly implemented through the trojan, but it is more likely that the attacker was able to use password sniffing and info gathering techniques along with predefined scripts to yield very fast results. The payload itself was wrapped in an AutoIt executable and is mostly undetectable by scanners.
Having spoken with so many programmers and IT security professionals, they have advised that Mt.Gox is highly vulnerable to different forms of web application attacks and should pursue penetration testing services immediately. My understanding is that they didn't learn from the first time.