Can viruses steal people's bitcoin purses? What can be done for protection?

[ShadowOfHarbringer]

If you're using Linux for bitcoin & only install software from signed repositories & keep system up to date, then probability of infection is almost unexistant.

You should be more worried if You're using Windows however.

Sadly Linux installs with outdated patches tend to get penetrated quite often.  Hosting software, in particular, is often copied into a webspace by an "install script" and just left to rot, unpatched.

I'm not saying about hosting software, I'm saying about a Desktop computer with newest version of Firefox installed.
And contrary to some hostings which use such install scripts installing unstable & unsecure shit (by the way, what hosting companies are these ? i will know what to avoid - thx), standard desktops are not so suspectible to infections - of course only if you install software from signed repos and keep updated.

That's because "standard desktops" do not serve anything to outgoing world as hostings do.

[1715157833]

1715157833

[1715157833]

1715157833

[1715157833]

1715157833

[1715157833]

1715157833

[1715157833]

1715157833

[1715157833]

1715157833

[jgarzik]

And contrary to some hostings which use such install scripts installing unstable & unsecure shit (by the way, what hosting companies are these ? i will know what to avoid - thx),

Any web host -- it's the whole workflow that is insecure.  Install scripts are downloaded and run by the webmaster, which installs (for example) the latest version of phpBB inside their webspace.  Time passes, phpBB is not automatically updated, and the eventual intrusion occurs.

Most software offered by the webhost themselves is more likely to be patched regularly, and stay up-to-date on security.

That's because "standard desktops" do not serve anything to outgoing world as hostings do.

Quite true.

[Stephen Gornick]

I almost felt like I needed another shower after reading up on this:
  http://www.viruszoo.com

Fortunately searching for bitcoin there still returns "Found (0) viruses." but i suspect with this project's wider visibility that to become no longer true at some point.

[Stephen Gornick]

Worm_Rixobot.A

Having taken over a user’s machine the worm terminates a range of Windows and security programs and block access to websites while a splash screen demands that users pay the Russian rouble equivalent of $12 by texting a premium-rate SMS number in order to receive an unlock key.

  http://ecommerce-journal.com/node/30836

[alowm]

with newest version of Firefox installed.

http://www.mozilla.org/security/known-vulnerabilities/firefox36.html

Web browsers have proven to be one of the most difficult types of application to secure against buffer overflows, off by one errors, heap corruption, race conditions, etc.

Once local access has been obtained, the attacker can probably do what he needs to do in order to steal your wallet. How many Linux users leave bitcoind somewhere in their home directory and writable by their user account? The attacker could replace bitcoind with his own version and your wallet would be emptied the next time you restart it.

0-day exploits would become even more godly if something like bitcoin ever becomes relatively mainstream.

[Anonymous]

Backups are like condoms...if they only save you once a year...its a goodyear.

[alowm]

Backups are like condoms...if they only save you once a year...its a goodyear.

A backup of an empty wallet isn't going to be very useful, though backups, in general, are a good thing.

[ShadowOfHarbringer]

with newest version of Firefox installed.

http://www.mozilla.org/security/known-vulnerabilities/firefox36.html

Web browsers have proven to be one of the most difficult types of application to secure against buffer overflows, off by one errors, heap corruption, race conditions, etc.

Once local access has been obtained, the attacker can probably do what he needs to do in order to steal your wallet. How many Linux users leave bitcoind somewhere in their home directory and writable by their user account? The attacker could replace bitcoind with his own version and your wallet would be emptied the next time you restart it.

0-day exploits would become even more godly if something like bitcoin ever becomes relatively mainstream.

1. Use Noscript, Adblock, Flashblock
2. Run bitcoin with a different user (making this default option in bitcoin client shouldn't be very difficult, at least in Linux/UNIX), perhaps in chroot.

Problem solved.

[alowm]

1. Use Noscript, Adblock, Flashblock
2. Run bitcoin with a different user (making this default option in bitcoin client shouldn't be very difficult, at least in Linux/UNIX), perhaps in chroot.

Problem solved.

1. Noscript/Adblock/Flashblock don't protect against a large subset of the vulnerabilities found to date in Firefox. The browser itself is insecure in almost all areas (but so are all the others, too).

2. This is a good idea. To add another level of paranoia, you could compile a static version of bitcoind so that you don't have to rely on potentially compromised shared libraries.

[ShadowOfHarbringer]

1. Use Noscript, Adblock, Flashblock
2. Run bitcoin with a different user (making this default option in bitcoin client shouldn't be very difficult, at least in Linux/UNIX), perhaps in chroot.

Problem solved.

1. Noscript/Adblock/Flashblock don't protect against a large subset of the vulnerabilities found to date in Firefox. The browser itself is insecure in almost all areas (but so are all the others, too).

Incorrect.

Noscript protects against almost ALL possible vulnerabilities, because it disables simply everything that can cause security problems (Javascript, JAVA, Iframes, HTML5 storage and such).
I dare you to show me a 0-day vulnerabitilty that will still work after i install Noscript.

Also, i wouldn't call firefox a buggy/insecure browser. It is quite secure, because vulnerabilities are very quickly (48 hours AFAIK) fixed. This is the power of open source.

[alowm]

I dare you to show me a 0-day vulnerabitilty that will still work after i install Noscript.

This was 0-day at the time: http://www.mozilla.org/security/announce/2010/mfsa2010-41.html

There's more in the link I provided to Mozilla's "Security Advisories" page. NoScript is a good plugin, but it's not going to keep you 100% safe. This mentality is dangerous. Even the plugin architecture itself is not infallible.

Also, i wouldn't call firefox a buggy/insecure browser. It is quite secure, because vulnerabilities are very quickly (48 hours AFAIK) fixed. This is the power of open source.

Firefox has failed to survive (along with almost every other major browser) the last two annual Pwn2Own contests. Open Source projects generally do react more quickly to security issues than their closed source brethren, but that's a moot point when your wallet is now empty. The browsers can, also, only be patched after the vulnerabilities/exploits are public. Until then, you're screwed.

I've established in this thread that web browsers (all of them) are generally insecure and would likely be a primary attack vector. Disabling plugins (Java, Flash), using NoScript with Firefox, and keeping your browser up-to-date are your best bets for now.

I'll provide shellcode later for siphoning BTC out of the official Windows Bitcoin client if anyone is interested.

[ShadowOfHarbringer]

Open Source projects generally do react more quickly to security issues than their closed source brethren, but that's a moot point when your wallet is now empty. The browsers can, also, only be patched after the vulnerabilities/exploits are public. Until then, you're screwed.

Well, you've got a point here.

I guess that
1) There is still possibility of running Bitcoin as a different user, or
2) Perhaps everybody should keep their bitcoins on an small, specialized system which is not directly connected to internet (can only be accessed over SSH from your home). That would be a kind of "personal digital safe".

I think that once Bitcoin becomes really popular, somebody may start producing/selling such "digital personal safes" from 2) and advertise them around bitcoiners.

[alowm]

1) There is still possibility of running Bitcoin as a different user, or

Hmm, I've been thinking about this issue now that we're discussing it. Running the bitcoin process as a separate user has a few considerations:

1. The bitcoin binary/libraries/wallet cannot be writable by the main, non-root user account on the system. As I stated earlier, a modified binary could be silently slipped into place.
2. The main, non-root user cannot be allowed to interact with bitcoin in any manner. This precludes the use of setuid and setgid to force bitcoin to run as a different user and still have the GUI or command-line interfaces available. Exploit code can simply manipulate the controls of the GUI by sending them messages (I'll post a Windows example later) or communicate with the command-line client via spawning a process or some method of interprocess communication available on the OS.
3. Because of 2., you might as well just log out of the main user account completely before logging into your secondary account to run bitcoin. The only way (I can think of at the moment) for someone to interfere with that process is to have subverted your OS at the kernel level (custom kernel driver/rootkit) or to trick a privileged process into spawning another privileged process that can manipulate bitcoin or your wallet (see: Confused Deputy Problem).

This is a situation where the inversely proportional relationship between security and usability becomes evident.

I will probably use an encrypted thumbdrive with a minimalist bootable Linux image for bitcoin if we ever get to this point. For now, it's fun to speculate, though. We should create a threat flowchart.

2) Perhaps everybody should keep their bitcoins on an small, specialized system which is not directly connected to internet (can only be accessed over SSH from your home). That would be a kind of "personal digital safe".

This made me think of something interesting. In addition to having a specialised system or bootable disc image exclusively for bitcoin, you could also configure it with an inward facing firewall that only allows outbound traffic that is part of bitcoin. Maybe you'd want to allow other small exceptions for debugging network issues (like ICMP traffic), but that would greatly reduce the number of potentially exploitable applications interfacing with the network.

[ShadowOfHarbringer]

This made me think of something interesting. In addition to having a specialised system or bootable disc image exclusively for bitcoin, you could also configure it with an inward facing firewall that only allows outbound traffic that is part of bitcoin. Maybe you'd want to allow other small exceptions for debugging network issues (like ICMP traffic), but that would greatly reduce the number of potentially exploitable applications interfacing with the network.

This is completely doable using existing technologies in a reasonable time - you could create a custom Linux distro with specialized scripts & QoS software preinstalled. All the needed software already exists. Shoudln't be very difficult for an average Linux-geek.

Once bitcoin becomes mainstream, i guess we're going to see many of these.

[brocktice]

I will probably use an encrypted thumbdrive with a minimalist bootable Linux image for bitcoin if we ever get to this point. For now, it's fun to speculate, though. We should create a threat flowchart.

I understand that with root access on the host machine, very few things are impossible, but would running a VM in kvm or vmware player for example, used only for Bitcoin, provide a reasonable improvement in isolation for the required effort? I mean here a linux guest on a linux host.

[alowm]

I understand that with root access on the host machine, very few things are impossible, but would running a VM in kvm or vmware player for example, used only for Bitcoin, provide a reasonable improvement in isolation for the required effort? I mean here a linux guest on a linux host.

It would up until a large subset of people started using a system like this. Then you'd likely start to see VM-traversing code.

Running in a VM wouldn't increase security on its own (since it's just another level of indirection for an attacker to overcome once they're aware of it), but it would initially keep you safer since you'd be in a minority on which an attacker would not spend development time. Less "bang for your buck". That layer of indirection becomes less valuable when/if the minority grows.

[caveden]

it disables simply everything that can cause security problems (Javascript, JAVA, Iframes, HTML5 storage and such).

Wow, basically, it disables the web... It's comparable to live in a plastic bubble in order not to get air contagious diseases.

[ribuck]

Wow, basically, it disables the web... It's comparable to live in a plastic bubble in order not to get air contagious diseases.

It's comparable to diabetics who only inject themselves using syringes from trusted sources.

You can disable restrictions for sites that use the blocked technologies in ways that are useful to you, provided you trust those sites.

[caveden]

You can disable restrictions for sites that use the blocked technologies in ways that are useful to you, provided you trust those sites.

Ok, seems fair enough... I will give it a try.

[brocktice]

You can disable restrictions for sites that use the blocked technologies in ways that are useful to you, provided you trust those sites.

Ok, seems fair enough... I will give it a try.

I use NoScript. It's a pain, but it really reduces your exposure to attack vectors. As has been discussed in this thread, it does not completely protect you, but it's a good first step.