Trojan Wallet stealer be careful

[ElHajjaj]

Don't forget offsite backups in case your house burns down or gets carried away to Oz by a tornado.

[1713541440]

1713541440

[1713541440]

1713541440

[1713541440]

1713541440

[1713541440]

1713541440

[1713541440]

1713541440

[1713541440]

1713541440

[sergio]

Use Linux, and take additional steps for added security.

Windows is insecure by default, to many viruses available, and not one antivirus is 100% perfect, they all have a margin of failure were new viruses go undetected.

There are also viruses for Linux but it is very rare, and Linux out of the box is more secure.

What everyone should do is run Linux, Debian (Ubuntu), Fedora, Mandrivia, etc.

And for those of you that have a lot of bitcoins encrypt and backup the wallet.
pgp, gpg, and best crypt, true crypt are all good choices.

True crypt is best for usb, or portable disks.
pgp or gpg are good for encrypting the wallet directly.
or in you want something transparent with best crypt you can configure an account to automatically mount an encrypted file system, once the file system is mounted it is no longer encrypted until you log out, so best crypt works best using a separate account that you log in, and as soon as you are done log out, once you log out the filesystem is unmounted, and it is an encrypted folder representing the filesystem.

The only problem is that if you are expecting a payment you can not have the wallet encrypted with the current version of the bitcoin client, therefore what you can you is use 2 accounts, one that keeps the wallet encrypted and you backit up, and the other that you use for receiving or making payments, after  that wallet reaches certain amount of money make a transfer to the wallet you keep encrypted, and then backup the wallet in encrypted form somewhere else.

That way you have 2 wallets, once for pocket change, like the wallet you carry in your pocket un encrypted, and the other wallet that has all the cash encrypted and backed up.

Also when using encryption use a secure algorithm, there are many that are very secure, and others are very easily broken.

Also when it comes to encryption always use an open source package.
There is an old saying that security by obscurity is snake oil, so rely on open source for your security.

Another reason for using encryption if your computer is stolen, with either windows or Linux it is possible to log on the system once the thief has physical access to your machine, however if the wallet is encrypted there is nothing the thief can do other than a brute force attack, and if you used a secure password with a good algorithm it is nearly impossible for the thief to gain access to the data in your wallet.

[MikesMechanix]

Linux is no magic bullet when it comes to security. I've seen so many compromised Linux boxes with hacked sshd, apache, bind, and running python scripts it's not even funny. The tools a typical Linux box offers to hacker is just ridiculous compared with your typical Windows box.

[Nescio]

Linux is no magic bullet when it comes to security. I've seen so many compromised Linux boxes with hacked sshd, apache, bind, and running python scripts it's not even funny. The tools a typical Linux box offers to hacker is just ridiculous compared with your typical Windows box.

The typical Linux box gets hacked through misconfiguration of third party software. The difference with Windows is that the 'typical' Linux box is a server, not a desktop, so it will run network facing services and lots of times will be administered according to the 'what bushfire needs to be extinguished next' principle since security is usually subordinate to other considerations in a corporate setting (mainly deadlines), even if the admins know what they are doing.

That doesn't mean Linux is less safe than Windows (I would argue the opposite), it just has different attack vectors. I agree that Linux offers a lot more tools compared to Windows

[kwukduck]

New scam software found on youtube, please flag as such

http://www.youtube.com/watch?v=l9UvUyT5i5s

DO NOT USE THIS PROGRAM!

[jjiimm_64]

Well that means BTC is a hit. at least now it is getting attacked like normal banks.

These have been my thoughts too.   bitcoins must be valuable if so many are trying to steal them....

[danknug]

I'd like to be able to rename my wallet.dat to some other file, and the client asks for the file on startup.

+1

[dooglus]

I'd like to be able to rename my wallet.dat to some other file, and the client asks for the file on startup.

Something like this will do it for you on Linux:

Code:

#!/bin/bash

cd
wallet=~/.bitcoin/wallet.dat

if [[ -e "$wallet" ]]
then
    echo "real wallet file $wallet already exists; giving up"
    exit 1
fi

echo -n "which file is your wallet hidden as? "
read hidden

if [[ ! -e "$hidden" ]]
then
    echo "hidden wallet file $hidden doesn't exist"
    exit 1
fi

echo "moving hidden wallet to $wallet"
mv -i "$hidden" "$wallet"

sleep 1

echo "starting bitcoin"
bitcoin "$@"

sleep 1

echo "moving $wallet back to secret location"
mv -i "$wallet" "$hidden"

Save to a file, add a line to the end of .bashrc saying:

Code:

alias bitcoin="/path/to/script-file"

Start a new terminal, type 'bitcoin', and it should use the script instead of the regular client.

[KeyserSoze]

[edited]

[dooglus]

i have my wallet.dat on a usb key in my desk drawer at home.

The usb key has a fingerprint reader on it. when i want to access my wallet,

1.  I insert key, authenticate with my middle finger
2.  copy my wallet to bitcoin dir,
3.  start bitcoin... recieve/send,
4.  close down bitcoin,
5.  recopy to a new dir ( date/time labeled ) on usb drive,
6.  remove key, place in drawer.

So thumb in the eye for linux nerds... i can do it too cos im a PC lol

So you're copying an unencrypted wallet to an online Windows box.

Wouldn't a trojan just have to wait for the file to be copied and then steal it?

[Grouver (BtcBalance)]

i have my wallet.dat on a usb key in my desk drawer at home.

The usb key has a fingerprint reader on it. when i want to access my wallet,

1.  I insert key, authenticate with my middle finger
2.  copy my wallet to bitcoin dir,
3.  start bitcoin... recieve/send,
4.  close down bitcoin,
5.  recopy to a new dir ( date/time labeled ) on usb drive,
6.  remove key, place in drawer.

So thumb in the eye for linux nerds... i can do it too cos im a PC lol

So you're copying an unencrypted wallet to an online Windows box.

Wouldn't a trojan just have to wait for the file to be copied and then steal it?

Yes and thats where people are mistaken right now.
To use (send) Bitcoins you need to be connected to the web.
And it will take only a split millisecond for a trojan to execute stuff on your pc.
So unless your Chuck Norris an can click super fast your solution is not 100% trojan proof.
Nice try though with the fancy finger print reader.

[giantdragon]

I think the best solution will be storing wallet and using Bitcoin client on virtual machine with Linux as guest OS and encrypted home directory. Just install VirtualBox, download Ubuntu, and when installing enable home dir encryption.

[BitVapes]

I think the best solution will be storing wallet and using Bitcoin client on virtual machine with Linux as guest OS and encrypted home directory. Just install VirtualBox, download Ubuntu, and when installing enable home dir encryption.

a trojan could still infect your windows host machine, keylog your decryption password when you boot the linux virtual machine and download the virtual hard drive image so the attacker can steal the wallet.dat from it

[python]

   
Trojan Wallet

[Stalin-chan]

Linux is no magic bullet when it comes to security. I've seen so many compromised Linux boxes with hacked sshd, apache, bind, and running python scripts it's not even funny. The tools a typical Linux box offers to hacker is just ridiculous compared with your typical Windows box.

This isn't true at all, yes Linux can be unsecure, but overall a Linux (desktop) box is much more secure than Windows due to obscurity.
Most attacks directed at Linux are directed at server software that shouldn't be running on your machine open to the internet.
Overall most desktop attack vectors are pointed at Windows since it is the most widely used desktop OS compared to the 1% who currently use Linux.

[acolombo]

Vladimir's inference was that this 'solving' the issue at the client level would be giving a false sense of security, which is the worst of all worlds.

An age-old fallacy. Anything that helps, helps.

Do you not install locks and burglar alarms because they aren't 100 % proof?
Should we not install airbags in cars even though they don't guarantee survival?
etc etc
I could come up with hundreds of examples.

Having wallet.dat encrypted is just the last wall of defence, which could potentially give its owner enough time to realize his computer has been compromised, and allow him to move the coins to a safe wallet. The private keys really only need to be unencrypted when payments are made, so the attack surface is reduced by much more than most people probably realize. It also requires the thief to target Bitcoin specifically, pretty much eliminating opportunity-made-thieves, and reducing the risk from random break-ins.

It's also somewhat easy to implement.

No, it's not 100 % hacker-proof, but to have any usability wallet.dat needs to be available relatively easily. All the suggestions of having an extra computer not routed to the internet, or booting from a thumbdrive, just to make the occasional online payment are laughable. Make those kinds of requirements, and Bitcoin is guaranteed to not take off, ever.

+1