Bitcoin Forum
Author Topic: Trojan Wallet stealer be careful  (Read 25877 times)
allinvain
June 17, 2011, 03:03:34 PM
 #41

I'm making the following prediction: Bitcoin will evolve to become the only currency without a national government to back it up. It will be a duplicate of the existing financial system minus constant inflation. We will have major bitcoin banks and the majority of regular non uber-geek users will hold their balance with these institutions. The other portion of the userbase will be more than glad to perform an intricate dance of shuffling wallet.dat files around, moving funds from usb drive to usb drive, backing up in a gazillion locations, cause that is what geeks do - they enjoy overly complicated things which make them feel superior and smarter than the rest of the population. Meanwhile the average bitcoin user will give up the holy grail of decentralization in search of security.


allinvain
June 17, 2011, 03:31:57 PM
 #42

I am shocked that you think that more BTC will be lost by people forgetting their passwords. More will be lost because they'll be stolen by clever hackers. The incentive is too great for them to not try their damn hardest to get your wallet file - encrypted or otherwise. It's just that encrypting it and using a strong password (heck write that password down and store it in a safe) would make it just that much of a bother for an UNSKILLED hacker. Don't underestimate human ingenuity when there is a huge cash prize at the end of the arduous journey. Wait and see until someone else with a large BTC balance that followed all the recommended security precautions gets his BTC stolen. Or wait until the criminal underworld hears about bitcoins - they'll not be afraid to use physical force to make you produce the BTC wallet.

flug
June 17, 2011, 04:50:22 PM
 #43

Meanwhile the average bitcoin user will give up the holy grail of decentralization in search of security.

No holy grail is being given up here. You're just contracting out the security of your bitcoins to someone else. Not necessarily a big bank. Maybe just a geek friend who you trust who wants to earn some money. Maybe someone like Vladimir wants to start up the first secure online bitcoin vault? Come to think of it, once a trusted secure vault has been established, wallet sites could piggy back off it to produce secure wallets?
Unthinkingbit
June 17, 2011, 07:00:31 PM
Last edit: June 17, 2011, 07:53:57 PM by Unthinkingbit
 #44

I am trying to comprehend why in the Open Source community there is this prevalent attitude that if a security measure is not 100% foolproof then it is not worth the trouble to implement it. It is often further asserted that implementing these partial measures would be counter productive because doing so would give the average user a false sense of security leading to careless behavior in other areas.
..

I agree with EpicFail; even though a security measure is not 100% foolproof, it still helps.  Encrypting the wallet certainly helps in the case the computer is stolen and also with this Trojan Wallet stealer.

As far as a false sense of security is concerned, as long as there are reports of bitcoins being stolen, people will know the price of carelessness.

If someone has complete faith in the security of their system and they don't want to use an encrypted wallet; that's fine, they could simply use a blank password.  However, please have the option of a password for those who do want to encrypt the wallet.

Edit:
If the bitcoin developers are already working on an encrypted wallet, then ignore the beginning of this post; instead someone please post a donation address for the developers.

meighty
June 17, 2011, 10:48:25 PM
 #45

The two things I'd really like to see are

1. Encryption on my wallet file
2. The ability to move my wallet file wherever I like.

I'd then store my wallet file in a secure (probably truecrypt) container or thumb drive. I'd feel much better about everything.
Garrett Burgwardt
June 17, 2011, 11:14:00 PM
 #46

The nice thing about the decentralization of bitcoin is that it's an option, and it allows smaller banks to get in on things easily.

It's not all about the end user, you know ;)

-Garrett
bodhipraxis
June 18, 2011, 12:05:22 AM
 #47

The two things I'd really like to see are

1. Encryption on my wallet file
2. The ability to move my wallet file wherever I like.

I'd then store my wallet file in a secure (probably truecrypt) container or thumb drive. I'd feel much better about everything.

for #2:
use bitcoin client (0.3.22) with -datadir option:

bitcoin.exe -datadir="Z:\SomeRemoveableDrive\somedirectory"

Don't, under any circumstances, store your wallet.dat in a directory under your Windows operating system %APPDATA% (C:\Users\youruser\AppData\Roaming\Bitcoin by default on Win 7)

Don't have bitcoin client installed on windows either.
Store both the client folder and the wallet.dat on separate media that you do NOT keep constantly mounted. Keep balances in the default wallet.dat LOW, to boot, and use a separate wallet in another location at least.

Note: these are not even adequate security measures for a determined search program. But the ftp stealer that is available on forums worldwide (and that is pictured here on Symantec blog with weird ironic name: http://www.symantec.com/connect/sites/default/files/images/bitcoininfostealer.jpg, from Symantec URL http://www.symantec.com/connect/blogs/all-your-bitcoins-are-ours )
uses code such as:

Code:
char* appdata = getenv("APPDATA");   //Gets  %Appdata% data
char* truepath = strcat(appdata, "\\Bitcoin\\wallet.dat"); //Bitcoin file to steal

and it's a 'grab and go' ;-/

Does anybody know where the thread is for keeping track of which anti-malware progs keep track of these new Bitcoin stealers?

The larger security discussion in this thread, of course, is perfectly appropriate, esp. in light of the larger tech media outlets using the 25k theft as "yet another reason not to use bitcoin" ...yada...yada
ffe
June 18, 2011, 02:36:04 AM
 #48

Banks get around this (still not completely) with second factor auth and I do not see how bitcoin can do second factor auth without losing decentralisation.

Second factor just protects you if you've lost your password already. Once you've logged in to the bank a Trojan can still send the bank fake transactions.

In the same way a second factor may help protect your encrypted wallet in bitcoin but once the wallet is open a Trojan can read the secret keys and send them.

We need a solution that places decrypting the keys and the transaction signing process in a safe place, like a dongle you plug in to your USB port. The cleartext keys are never in your computer, so a Trojan can never get to them.

The client would have to be patched to use the dongle to sign "send" transactions. The client would never handle unencrypted keys. Keys in the wallet would always be in an encrypted state. When you send coin the dongle must be plugged in and the client sends the encrypted secret key as well as the transaction that must be signed to the dongle where the signing occurs.

The dongle would have a simple LCD screen to display a transaction amount and, maybe with the press of a button, a few characters of the recipient key. If the owner agrees with the transaction he presses the ok button on the dongle and the dongle signs the transaction and sends it back to the client.
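
An added sketch of the signing flow ffe describes above, not code from the thread or from any Bitcoin client: the host stores only a wrapped key blob, and the device shows the real amount and recipient before it signs. The `Dongle` class, its method names, the sample addresses, and the HMAC and SHA-256 stream stand-ins for ECDSA and a real cipher are all assumptions.

```python
import hashlib, hmac, os

def _xor_stream(secret, nonce, data):
    # Stand-in cipher (SHA-256 in counter mode), for illustration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(secret + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class Dongle:
    """Hypothetical signing device; keys are in cleartext only inside it."""

    def __init__(self):
        self._secret = os.urandom(32)  # device secret, never exported

    def _tag(self, blob):
        return hmac.new(self._secret, blob, hashlib.sha256).digest()

    def new_wrapped_key(self):
        # The key is generated on-device; the host only ever stores this blob.
        nonce = os.urandom(16)
        ct = _xor_stream(self._secret, nonce, os.urandom(32))
        return nonce + ct + self._tag(nonce + ct)

    def sign(self, wrapped, tx, approve):
        nonce, ct, tag = wrapped[:16], wrapped[16:-32], wrapped[-32:]
        if not hmac.compare_digest(tag, self._tag(nonce + ct)):
            raise ValueError("wrapped key was modified or is not ours")
        # The LCD shows what will really be signed, not what the host UI says.
        shown = f"{tx['amount']} BTC to {tx['to'][:8]}..."
        if not approve(shown):
            return None  # owner pressed "cancel" on the device
        key = _xor_stream(self._secret, nonce, ct)
        msg = f"{tx['to']}|{tx['amount']}".encode()
        return hmac.new(key, msg, hashlib.sha256).digest()  # stand-in for ECDSA

def run_scenario():
    dongle = Dongle()
    wallet_blob = dongle.new_wrapped_key()  # what sits in the host's wallet
    # Constructed sample data: the owner intends the first transaction; a
    # trojan on the host swaps the recipient before it reaches the dongle.
    intended = {"to": "1FriendExampleAddr", "amount": "1.5"}
    tampered = {"to": "1OtherExampleAddr", "amount": "1.5"}
    owner = lambda shown: shown == "1.5 BTC to 1FriendE..."  # reads the LCD
    return (dongle.sign(wallet_blob, intended, owner),
            dongle.sign(wallet_blob, tampered, owner))
```

A copied wallet blob is useless without the device, and a transaction altered on the host is signed only if the owner approves what the device itself displays.
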
mikegogulski
June 18, 2011, 08:32:04 AM
 #49

Bitcoin developers, please, please, please do create encrypted wallet functionality, so that I can run bitcoin on my malware infested windows computer while enjoying false sense of security.

+1 :D

FREE ROSS ULBRICHT, allegedly one of the Dread Pirates Roberts of the Silk Road
bitoption
June 18, 2011, 10:19:09 AM
 #50

I've been thinking about a long-term value storage solution.. These recent attacks are brutal, 25k coins is horrible, but it will be much more horrible in 10 years if I'm not mistaken.

Here's my current long-term bitcoin storage plan for the 'save for later' coins. I assume here that we are not paranoid about Chinese bootloaders.

1) Purchase new laptop / install clean and fresh Ubuntu onto formatted hard drive
2) download client. Do nothing else on computer
3) download block chain.
4) download optar, (about which more in a second)
5) From current, possibly insecure computer, send "storage" coins to minty fresh computer.

6) Disconnect new computer right after address generation and you have optar, and can see the coins at least at 0/unconfirmed in the new wallet.
7) Backup the wallet onto the netbook drive, doesn't matter where.

8) Use optar to print out a PAPER archive of your wallet.dat file: (more here: http://ronja.twibright.com/optar/)
9) seal paper in pouch
10) safety deposit box
11) re-format hard drive of laptop.

You could GPG encrypt the wallet before it was optared, although then you'd need to remember the password for 20 years.

A brief description of optar: it prints scannable bitmaps onto paper. You can fit a few 100k per page with good error correction rates. Low acid paper plus laser printer = long, long term archival storage.

Thoughts?
Scarecrow
June 18, 2011, 02:09:52 PM
 #51

I would like to give a +1 to the USB key approach already suggested in a couple of the prior posts.

Whenever a new wallet.dat is created the client forces the creation of a USB key that must be plugged in whenever bitcoins are to be sent to another wallet.

You could use a 2GB SD card with a USB adapter for this because it's cheap and has the added advantage of a write protect switch.

There is no reason I can think of that one SD card can't be used with multiple wallet.dat files and you should be able to copy one SD card to another for backup purposes.

To SEND any coins you have to enter your password AND plug the SD card into a USB port.

Bitcoin is a project in Beta, exactly the reason to test the system in the real world and arrive at the best possible solution. It is slightly in danger of falling victim to its own success.


allinvain
June 18, 2011, 04:30:22 PM
 #52

I would like to give a +1 to the USB key approach already suggested in a couple of the prior posts.

Whenever a new wallet.dat is created the client forces the creation of a USB key that must be plugged in whenever bitcoins are to be sent to another wallet.

You could use a 2GB SD card with a USB adapter for this because it's cheap and has the added advantage of a write protect switch.

There is no reason I can think of that one SD card can't be used with multiple wallet.dat files and you should be able to copy one SD card to another for backup purposes.

To SEND any coins you have to enter your password AND plug the SD card into a USB port.

Bitcoin is a project in Beta, exactly the reason to test the system in the real world and arrive at the best possible solution. It is slightly in danger of falling victim to its own success.




I too support that idea. It is an excellent idea. It works along the same lines as PayPal secure key.

allinvain
June 18, 2011, 04:31:10 PM
 #53

I've been thinking about a long-term value storage solution.. These recent attacks are brutal, 25k coins is horrible, but it will be much more horrible in 10 years if I'm not mistaken.

Here's my current long-term bitcoin storage plan for the 'save for later' coins. I assume here that we are not paranoid about Chinese bootloaders.

1) Purchase new laptop / install clean and fresh Ubuntu onto formatted hard drive
2) download client. Do nothing else on computer
3) download block chain.
4) download optar, (about which more in a second)
5) From current, possibly insecure computer, send "storage" coins to minty fresh computer.

6) Disconnect new computer right after address generation and you have optar, and can see the coins at least at 0/unconfirmed in the new wallet.
7) Backup the wallet onto the netbook drive, doesn't matter where.

8) Use optar to print out a PAPER archive of your wallet.dat file: (more here: http://ronja.twibright.com/optar/)
9) seal paper in pouch
10) safety deposit box
11) re-format hard drive of laptop.

You could GPG encrypt the wallet before it was optared, although then you'd need to remember the password for 20 years.

A brief description of optar: it prints scannable bitmaps onto paper. You can fit a few 100k per page with good error correction rates. Low acid paper plus laser printer = long, long term archival storage.

Thoughts?


Quite extreme but this is something I may use myself..I'm sure you know by now why. Time to print this.

Thanks!

jpp
June 18, 2011, 11:04:41 PM
 #54

do not need optar, a freshly created wallet 7zipped and uuencoded fits easily in a QR code...
hoo2jalu
June 19, 2011, 06:06:28 AM
 #55

Are you talking about the Infostealer.Coinbit?

It has been recognized by Symantec
http://www.symantec.com/connect/blogs/all-your-bitcoins-are-ours

Symantec said the malware will locate wallet.dat then send it back by e-mail or FTP.

The malicious .SCR trojan private messaged to members of this forum is identified as Induc.A on all the popular A/V products. It looks for wallet.dat to send via mail relay to hotmail drop as previously discussed. 

Looks like more and more bitcoin malware is popping up... everyone is running up-to-date anti-virus, right?
saadtariq30
June 19, 2011, 09:05:08 AM
 #56

running avast internet security..with the latest definitions+windows 7 x64 up to date..firewall set to not allow ANY incoming connections..wallet encrypted..

safe enough?
walidzohair
June 19, 2011, 08:47:42 PM
 #57

Bitcoin developers, please, please, please do create encrypted wallet functionality, so that I can run bitcoin on my malware infested windows computer while enjoying false sense of security.

Are you inferring that the average person's computer will never be safe enough to use the bitcoin client?
It is cheaper to solve the issue at the client level. One single change, every user receives increased security.

Well the average user computer was not ever safe to store 500k something valuable in it. Maybe a couple of BTCs but not more than that, either BTC or anything else like maybe research data or market analysis .. etc.
walidzohair
June 19, 2011, 08:51:35 PM
 #58

Well that means BTC is a hit. At least now it is getting attacked like normal banks.
JBDive
June 19, 2011, 10:43:03 PM
 #59

WTF is FreeOTFE and why would one use it instead of TrueCrypt?

FreeOTFE is an On The Fly Encryption application.

You can use it instead of TC because it doesn't need to be installed, at least the Portable Explorer version doesn't (otherwise it requires admin permissions).


Truecrypt does not need to be installed either. You can easily create a TC Volume on a flash drive, mount it when needed and carry the Truecrypt program itself on the same flash drive.
sean_incali
June 20, 2011, 12:56:05 AM
 #60

It has a name now. Apparently it's from Poland.

http://www.wired.com/threatlevel/2011/06/bitcoin-malware/