Bitcoin Forum
Topic: Bitcoin malware symptoms?
Nat Philosopher (OP)
Newbie
Activity: 15
Merit: 0
November 14, 2013, 10:25:52 AM
#1
I've read that there is malware that specifically infects machines looking for bitcoin wallets and stealing the bitcoins. This is the reason for offline wallets and the like.
Is there somewhere a list of symptoms your computer would display if it had such malware, so I can check before I load more bitcoins into my wallet? Like files the malware writes?
Kluge
Donator
Legendary
Activity: 1218
Merit: 1015
November 14, 2013, 10:37:31 AM
#2
There're a lot of them, now.

There are two parts to the theft you're describing. The attacker plants a keylogger (since almost all wallets are encrypted, now -- if yours isn't, it ought to be), and then does something to lift the .wallet itself. In most cases, you can protect against a keylogger by entering your password in with a virtual keyboard application (at least Armory has this by default).

There are all sorts of variations to this method, though... some clients may not demand a wallet password if you did a transaction in the last, say, 10 minutes. Running an insecure VNC server (or having one unwittingly installed) can result in a very potent attack in such a case, since the attacker would need neither the wallet file nor the password, assuming the client is left open on the victim's computer.

Another attack (probably the most effective) will scan your computer's clipboard for bitcoin addresses. When detected, it will switch the text in the clipboard to the attacker's address. This way, if you are, say, depositing coins on Gox, when you paste the Gox deposit address in the client, you will instead end up sending coins to the attacker unless you closely checked what you pasted against the Gox deposit address (it's a good habit to ALWAYS triple-check pasted addresses).

Another possible attack would be to distribute compromised clients from the start. Most clients are released with various methods to verify the contents are what the host put there, but there is still some risk there, especially since it's doubtful more than maybe .5% of people actually verify.

I don't think anyone's compiled any firm list of things to look for, maybe because there are just so many different vectors. AV software, at the very least, should catch the keylogger, and most maintained AV definitions have protections against common Bitcoin wallet attacks, too.

In all cases, though, a cold wallet or paper wallet provides the best defense.
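The "triple-check pasted addresses" habit from the post above, as an added Python example that is not from this thread: before a send, the pasted text is checked to be a well-formed Base58Check address and compared against the address you meant to paste, so a clipboard substitution is reported instead of silently accepted. The two sample addresses are constructed here from made-up hash bytes, and all function names are mine.

```python
import hashlib

# Base58 alphabet used by Bitcoin addresses (omits 0, O, I and l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _dsha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58check_encode(payload):
    """Base58Check-encode payload (version byte + 20-byte hash) with a 4-byte checksum."""
    raw = payload + _dsha256(payload)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58check_decode(addr):
    """Return the payload if addr is well-formed Base58Check, else None."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) < 5 or _dsha256(raw[:-4])[:4] != raw[-4:]:
        return None
    return raw[:-4]

def check_pasted_address(intended, pasted):
    """Check before sending: the pasted text must be a valid address and must
    equal the address you meant to paste. Returns (ok, reason)."""
    if b58check_decode(pasted) is None:
        return False, "pasted text is not a valid Base58Check address"
    if pasted == intended:
        return True, "pasted address matches the intended one"
    # A substituted address usually still starts with '1', so a glance at the
    # first characters is not enough; report how short the matching prefix is.
    common = 0
    while common < min(len(intended), len(pasted)) and intended[common] == pasted[common]:
        common += 1
    return False, f"address substituted; only the first {common} character(s) match"

# Constructed sample addresses (version 0x00 = mainnet P2PKH, made-up hash bytes).
INTENDED = b58check_encode(b"\x00" + bytes(range(1, 21)))
ATTACKER = b58check_encode(b"\x00" + bytes(range(21, 41)))
```

The comparison is over the whole string on purpose: a prefix glance (both sample addresses begin with "1") would pass the substituted one.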
ajax3592
Full Member
Activity: 210
Merit: 100
November 14, 2013, 10:43:01 AM
#3
Quote from: Kluge on November 14, 2013, 10:37:31 AM
Another attack (probably the most effective) will scan your computer's clipboard for bitcoin addresses. When detected, it will switch the text in the clipboard to the attacker's address. This way, if you are, say, depositing coins on Gox, when you paste the Gox deposit address in the client, you will instead end up sending coins to the attacker unless you closely checked what you pasted against the Gox deposit address (it's a good habit to ALWAYS triple-check pasted addresses).

That exactly happened to me 3 days back: I was pasting my address on some faucets and an altogether different address pasted. Copy-pasting anything else worked just fine. It seemed the clipboard had been programmed to change the default address to the attacker's whenever used. Got rid of it though with Malwarebytes.
PrintMule
Hero Member
Activity: 980
Merit: 500
November 14, 2013, 10:50:57 AM
#4
Quote from: Kluge on November 14, 2013, 10:37:31 AM
Another attack (probably the most effective) will scan your computer's clipboard for bitcoin addresses. When detected, it will switch the text in the clipboard to the attacker's address. This way, if you are, say, depositing coins on Gox, when you paste the Gox deposit address in the client, you will instead end up sending coins to the attacker unless you closely checked what you pasted against the Gox deposit address (it's a good habit to ALWAYS triple-check pasted addresses).

Props to whoever came up with that idea. This is so simple, and accessing the clipboard is not hard to permit. Good thing I always double-check the address, because even without malware we are prone to errors.

Quote from: Kluge on November 14, 2013, 10:37:31 AM
Another possible attack would be to distribute compromised clients from the start. Most clients are released with various methods to verify the contents are what the host put there, but there is still some risk there, especially since it's doubtful more than maybe .5% of people actually verify.

I'm very suspicious of those Linux mining distros being passed around. It's kinda like the "provably fair" thing. People who lack the understanding behind "provably fair" think that someone has bothered to check if it really is provably fair, and just trust it. Same goes for those distros.
ajax3592
Full Member
Activity: 210
Merit: 100
November 14, 2013, 12:38:13 PM
#5
A strong paid antivirus+malware software is a must and is highly recommended if you have large sums of Bitcoins on a desktop client that is connected to the internet.
monkeypay
Newbie
Activity: 3
Merit: 0
November 14, 2013, 12:58:46 PM
#6
Fully agree with Kluge, online cold storage will really ensure safety of your wallet. (And make that two, for redundancy.)
AV is nice to have, but only catches "known" malware. Also malware could check your favorites/browser history, and prepare an HTML injection to change the recipient address.
Also, good malware can hide pretty deep in the system (rootkit) and without serious forensics will not be found.
And I am sure other scams apply too, like search engine optimisation: "donate to Philippines victims to this address",
or pretending to be from your favorite trading site: "as requested, here is the CORRECT address from the transaction that you initiated and failed at 2:34 pm today".

And yes, always triple-check the address (simply checking the last 4 characters should do, because a fraudster cannot generate addresses that look even slightly the same).

So it all depends on how much value you want to protect and how much effort the attacker wants to put in to rob you.
ajax3592
Full Member
Activity: 210
Merit: 100
November 14, 2013, 01:31:16 PM
#7
Quote from: Kluge on November 14, 2013, 10:37:31 AM
Another attack (probably the most effective) will scan your computer's clipboard for bitcoin addresses. When detected, it will switch the text in the clipboard to the attacker's address. This way, if you are, say, depositing coins on Gox, when you paste the Gox deposit address in the client, you will instead end up sending coins to the attacker unless you closely checked what you pasted against the Gox deposit address (it's a good habit to ALWAYS triple-check pasted addresses).

Quote from: ajax3592 on November 14, 2013, 10:43:01 AM
That exactly happened to me 3 days back: I was pasting my address on some faucets and an altogether different address pasted. Copy-pasting anything else worked just fine. It seemed the clipboard had been programmed to change the default address to the attacker's whenever used. Got rid of it though with Malwarebytes.

F**k man! You won't believe I just saw the address in my signature was altogether different from what is mine. Only the first two digits "14" were the same, which tricked me while editing the signature a week ago. Just corrected it.