Trojan Wallet stealer be careful

[twobits]

If you have more than 1000 Bitcoins in your wallet:

1. get yourself a low cost netbook.
2. Install not bloated linux (like archlinux) or FreeBSD or OpenBSD (in order of growing paranoia).

Damn, I used NetBSD,  time to reformat!

I was wondering though,  how well would a cheap android tablet work?  They seem even cheaper then netbooks these
days, but no idea yet how secure they are, nor even if you can run bitcoin on them.

[1713498491]

1713498491

[1713498491]

1713498491

[disposablecode]

Greetings,

I believe the simplest approach to mitigate risks associated with contracting trojans would to only engage in BitCoin transactions from the security of a VMWARE image that's sole purpose is for just that.


What do you all think?

[mr-sk]

The thing about this trojan is that it looks in the default dir for the wallet.dat file. It doesn't do an exhaustive search of the filesystem. So a simple fix is to not install the bitcoin client in the default location.

[peedee]

The thing about this trojan is that it looks in the default dir for the wallet.dat file. It doesn't do an exhaustive search of the filesystem. So a simple fix is to not install the bitcoin client in the default location.

By the time your were typing that it will have probably evolved to something more smart and will keep doing so.

[mr-sk]

Possibly, but it needs a propagation method and a new C&C server or destination address since that's been blocked. Its an arms race I agree.

Keep your wallet encrypted and only decrypt for transactions, use TrueCrypt.

[Desu]

If there is fear of hack through a computer source, put a savings wallet it on a usb only decrypt it when needed.

[Coolty]

It only makes sense that a trojan specializing in this would pop up.

[Quantus]

can you put an encrypted file inside another encrypted file?

[Desu]

can you put an encrypted file inside another encrypted file?

I once asked if you can zip a bunch of zip files. Lol

[im3w1l]

I have a simpler method than the netbook one, almost as safe. Make yourself a lot of wallets, with a fixed amount per wallet. Whenever you need to buy something, unencrypt the first wallet, send btc. Then proceed with the others. In this way, you can only lose one wallets worth.
Another advantage, which of course could also be gotten by with multiple addresses in a single wallet, is that your holdings wont stand out in block explorer (could potentially make you a target)

[nikitasister]

Thanks for the advices. I'm using the last portable version of FreeOTFE http://strcpy.ueuo.com/FreeOTFEExplorer_3_53.zip

[Run BTC]

Be sure to check out  http://www.bitprotection.info  - wallet backup 100 percent coverage protection ... you can encrypt all day but once you loose it there is noway of getting the value of your BTC back until now ...

Bookmarked. Thanks for the heads-up.

[bsd]

I'm loving all the talk here about BSD. FreeBSD ftw.

OpenCL mining on GPUs isn't supported in FreeBSD though

[Seiks]

Yeah... It bothers me not being able to mine opencl on GPU in freebsd :/

[Saint Cad]

Within an hour after downloading the client, Spyware Doctor found a trojan on my computer.  Coincidence?

[Tech-Boy]

Wow 25kbtc Wow

[kuloch]

mmmmm, would've been helpful to describe the trojan scam.

You can read it here. https://forum.bitcoin.org/index.php?topic=16457.0

As a Newbie, I can't post on that thread.

So, here's my thought on the subject.

If Bitcoins are a set of digital Alpha/numerric characters for each Bitcoin, then each REAL transaction should add the sellers 'input' characters to the code that verify that the seller ACTUALLY sold them to a Specific buyer, who know has them in his Account/s. They need to be traceable, that way.
So, stealing them would not add any verifiable characters to each Bitcoin, which should render them worthless to the thief, but still holding their value for the owner they were 'stolen' from.
IF he was SMART enough to keep them backed-up, then he'd still have his version of the digital docs, that have his code attached to them,

NO?

No.

Part of the point of BitCoin is that everything is completely traceable.  Check out blockexplorer.com.  The "seller" does provide a uniquely identifiable piece of information with every transaction.  That is your digital signature, which only the account's owner can create.  However, the issue with wallet-stealing is that the private key used (in tandem with the public key or address) to create that digital signature is compromised, making the original account owner no longer the only account owner.

E.g., if you tell me your private key, I now own your account just as much as you do, for all intents and purposes.

[chicki]

Sigh.  Always a pickpocket in the crowd.

[apflux]

You should also encrypt your wallet when not in use.
http://www.freeotfe.org/

In fact encryption is useless if you enter your password with your keyboard. If your computer gets compromised by a trojan it can read your password with a keylogger.

Part of the point of BitCoin is that everything is completely traceable.  Check out blockexplorer.com.  The "seller" does provide a uniquely identifiable piece of information with every transaction.  That is your digital signature, which only the account's owner can create.  However, the issue with wallet-stealing is that the private key used (in tandem with the public key or address) to create that digital signature is compromised, making the original account owner no longer the only account owner.

I wonder if it is possible to store my bitcoin private key on smart card.

[joepie91]

Possibly, but it needs a propagation method and a new C&C server or destination address since that's been blocked. Its an arms race I agree.

Keep your wallet encrypted and only decrypt for transactions, use TrueCrypt.

These stealers typically get run once (bound to a legit application) and then exit and never run again. They only need to steal your wallet once. So no C&C is involved.