Bitcoin Forum
Author Topic: OSX malware - BitVanity, StealthBit, Bitcoin Ticker TTM, and Litecoin Ticker.  (Read 6997 times)
E.Sam (OP)
February 08, 2014, 06:15:17 AM
Last edit: February 13, 2014, 03:04:40 PM by E.Sam
 #1

Last summer, I lost quite a substantial number of BTCs to a Mac malware named Bitvanity (the story is explained here https://bitcointalk.org/index.php?topic=266813.0)

It would seem that the same coder came up with a new app/malware: StealthBit.

The Reddit post: http://www.reddit.com/r/Bitcoin/comments/1wqljr/i_was_bored_so_i_made_bitcoin_stealth_addresses/

Why I believe it's the same person who wrote previous malware Bitvanity and StealthBit:
Quote from: CptQo @ Reddit
I would recommend extreme caution when using such software.

I just registered to reddit after seeing this post so to warn people.

Last summer, in my infinite wisdom, I downloaded a Mac app called Bitvanity from Github (https://github.com/trevory/bitvanity). It turned out to be a malware that empties your Bitcoin wallet (lost more than 20 BTCs).

(...)

The OP of this thread is called trevorscool, his github account https://github.com/thomasrevor/StealthBit is under the name Thomasrevor.

Bitvanity github account was under the name Trevory (T.Revor.Y you get the drift). Thomas Revor - Trevorscool - Trevory…. Looks a bit suspect.

Also, looks like trevorscool has been deleting a few posts of his from 7 months ago:
http://webcache.googleusercontent.com/search?q=cache:3cbWKz_lDXoJ:webby.hazasite.com/user/trevorscool+&cd=24&hl=en&ct=clnk&gl=uk
compared to:
https://pay.reddit.com/user/trevorscool?count=25&after=t1_cetbxnn

The 3 deleted posts are inciting people to download/use Bitvanity + link to Bitvanity Github:

Of course, all this could be just pure coincidence... but the odds are quite slim (Thomasrevor has been silent to my accusations for 4 days now - on Reddit & Github).
Allinfinite
February 09, 2014, 07:08:04 AM
 #2

No!!! It got me!! Lost 20 btc! Can't believe it.. in shock.. what do I do? Do I have to reinstall everything? Why is there no warning on that thread?
E.Sam (OP)
February 09, 2014, 01:34:06 PM
 #3

Quote from: Allinfinite
No!!! It got me!! Lost 20 btc! Can't believe it.. in shock.. what do I do? Do I have to reinstall everything? Why is there no warning on that thread?

Hi Allinfinite,

I'm really sorry for your loss. I suppose there is no warning as nobody was sure of anything yet.

This said, I have contacted Reddit and Github, but nothing of substance has been done. In Reddit's bitcoinprojects section, mods did look into it:
Quote
I didn't see any hard-coded bitcoin addresses when I looked through. But, I didn't exactly understand how the code worked either. If you're typing in a private key, it may be transmitting that key to another server that runs code to quickly move funds to a hard coded wallet. So, I can't say we need to take it down, but I say we leave it for others more experienced to test out.

I contacted the /r/bitcoin section moderator as well (Theymos), but got no answer.

I contacted Github days ago to let them know, but apart from them asking me why I thought this was a malware, nothing was done. Last time I contacted Github to warn them about Bitvanity being a malware, their answer was:
Quote
"Hi *****,

If the project in question doesn't behave as expected, I'd suggest opening an issue and discussing it with the maintainer.

Cheers,
Steven!

Seeing their previous performance in preventing further diffusion of malware even when told about it, I directly posted a warning in the Github repo https://github.com/thomasrevor/StealthBit/issues.

To tell you the truth, it doesn't look like anyone gives a shit (there was a Reddit thread about Bitvanity being a malware, but no one took the time to inform Github). And this is a bit disappointing.

I'll renew my plea here to anyone that has some knowledge in OSX app coding to have a look at Stealthbit and see how it operates.

Regarding your theft, could you give us some more info? The txid, whether any other apps were running in the background, or any other relevant info would be much appreciated.

Again, I'm really sorry that happened to you.

E.Sam (OP)
February 09, 2014, 04:39:12 PM
 #4

OK, I found your Reddit post.

http://www.reddit.com/r/Bitcoin/comments/1xf2qj/my_wallet_just_emptied_into_this_address/
ABISprotocol
February 10, 2014, 12:15:15 AM
 #5

Thanks to the bitcointalk and reddit communit(ies) for making this known.  I'll make sure and make a post about it to the Unsystem list, where the developer of sx (which is not malware, but was used by the Stealthbit author(s) apparently) will I'm sure address it and provide some advice.  Fortunately, I didn't touch the Bitvanity or Stealthbit stuff - and it's obvious that the person(s) who designed Bitvanity/Stealthbit are thieves, now I guess the question is, what does the community of developers do about it.  Time to pop that question.

ABISprotocol (Github/Gist)
http://abis.io
daibasen
February 10, 2014, 09:14:06 AM
 #6


So SecureMac is reporting "multiple" wallet thefts on its blog:
http://www.securemac.com/CoinThief-BitCoin-Trojan-Horse-MacOSX.php

Has anyone else here come across other known victims of this?
E.Sam (OP)
February 10, 2014, 12:52:53 PM
 #7

Quote from: ABISprotocol
Thanks to the bitcointalk and reddit communit(ies) for making this known.  I'll make sure and make a post about it to the Unsystem list, where the developer of sx (which is not malware, but was used by the Stealthbit author(s) apparently) will I'm sure address it and provide some advice.  Fortunately, I didn't touch the Bitvanity or Stealthbit stuff - and it's obvious that the person(s) who designed Bitvanity/Stealthbit are thieves, now I guess the question is, what does the community of developers do about it.  Time to pop that question.

Yes, this cannot be stressed enough. Devs of sx (used for the Stealthbit app) and Vanitygen (used for the Bitvanity app) had nothing to do with the mentioned malware. Trevor just recompiled their code while introducing some malicious binary.

Looks like the Reddit community is way more active than this forum. After 6 months, 2 threads and various posts, not much has happened on bitcointalk. On Reddit, in 48 hours 2 guys have been working on deciphering the code.

Quote from: nptacek @ Reddit
ref. http://www.reddit.com/r/Bitcoin/comments/1xf2qj/my_wallet_just_emptied_into_this_address/cfbhip5

Finally made an account on Reddit just to reply to this. After seeing this post early this morning I spent the day analyzing the malware and the preliminary analysis is available here[1] . Basically, the pre-compiled StealthBit app acted as a dropper for a disguised payload which installed the background process to check in with the server for updates, send information, etc, and a browser extension for Safari and/or Google Chrome (depending on what you've got installed) that slurps up all your browsing data (which is where they got your wallet info from). I'm hoping to have more time to analyze it further tomorrow, but I've been at it for almost 10 hours straight and I'm exhausted!


Quote from: daibasen
So SecureMac is reporting "multiple" wallet thefts on its blog:
http://www.securemac.com/CoinThief-BitCoin-Trojan-Horse-MacOSX.php

Has anyone else here come across other known victims of this?

Thanks for the link. I'm not aware of multiple thefts, although victims might just not be aware these apps were to be blamed.
E.Sam (OP)
February 10, 2014, 01:38:57 PM
 #8

Just wrote to securemac.com to let them know about the correlation between Bitvanity and Stealthbit. Hopefully they will have a look at Bitvanity code and give us more insights as to what it does.
dave3k
February 11, 2014, 10:02:49 AM
 #9

I was had by this too, I guess I had a false sense of security (mac os, using yubikey and last pass etc).
Thank god I keep most of my btc in cold storage, however as well as losing half a coin, I now have to do fresh installs, password changes and stuff.

This kind of thing will get more common if bitcoin 'goes mainstream'.  I just hope we can find better methods, hardware wallets are a good start.
I know I was an idiot to download untested software, but think about how the average person uses their pc/phone.

Thanks for highlighting this, hope there will not be many more like me.

Realbitcoin.info
dave3k
February 11, 2014, 11:55:58 AM
 #10

Not very good with code, but I did find a few things in the browser plugin. This appears to be what it's looking for... note it includes the likes of 1Password:

Code:
"[{\"variableName\":\"BitcoinQt\",\"timestamp\":1392107523,\"variableValue\":true,\"variableGroup\":\"systemInfo\"},
{\"variableName\":\"Electrum\",\"timestamp\":1392107523,\"variableValue\":false,\"variableGroup\":\"systemInfo\"},
{\"variableName\":\"HandsOff\",\"timestamp\":1392107523,\"variableValue\":false,\"variableGroup\":\"systemInfo\"},
{\"variableName\":\"Hive\",\"timestamp\":1392107523,\"variableValue\":false,\"variableGroup\":\"systemInfo\"},
{\"variableName\":\"LittleSnitch\",\"timestamp\":1392107523,\"variableValue\":false,\"variableGroup\":\"systemInfo\"}
,{\"variableName\":\"MultiBit\",\"timestamp\":1392107523,\"variableValue\":false,\"variableGroup\":\"systemInfo\"},
{\"variableName\":\"Xcode\",\"timestamp\":1392107523,\"variableValue\":false,\"variableGroup\":\"systemInfo\"},
{\"variableName\":\"1Password\",\"timestamp\":1392107523,\"variableValue\":false,\"variableGroup\":\"systemInfo\"}
,{\"variableName\":\"BitMessage\",\"timestamp\":1392107523,\"variableValue\":false,\"variableGroup\":\"systemInfo\"},
 ... ]"
(the same nine entries, with only BitcoinQt reported true, repeat for the timestamps 1392055463, 1392055816, 1392113687, 1392114532, 1392114672, 1392114775, 1392114967 and 1392116476)

What's more, to my understanding, it can even do things like change the deposit address on btc-e to his own address!
Code:
{"btce.pubkey":["145t5ZWSPYxAuL7G83mX9fqNKaFSKY4Eho"],
 "btce.replace_pubkey":["all"],
 "mtgox.pubkey":["1Nw7hEhc6LLd63wqjKZe9uxM2ZyQ7uSqWe"],
 "mtgox.withdraw":["all"],
 "reddit.block":[],
 "localbitcoins.receivePubkey":["1jFUqwMgHSqUp96xzkaTzjac5wd5N2ozn"],
 "localbitcoins.sendPubkey":["1J4keervYq57SJGn3Tj6GnUzCGTjPexnU"],
 "localbitcoins.withdraw":["all"],
 "plugin.disable":[]}

As I say, I'm not one for code so I could have this all very wrong, but someone may find a use for this.

Realbitcoin.info
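To show what a defender can pull out of the two fragments dave3k posted, here is an added example (not his code and not anything from the malware): a small Python parser that reads the extension's per-site rule set and its double-encoded systemInfo record, lists the attacker addresses as on-chain watch indicators, and shows which installed apps (wallets, but also outbound firewalls like LittleSnitch and HandsOff) the extension probed for. The fixtures are constructed from the values in that post; all function names are mine.

```python
import json
import re
from collections import defaultdict

# Constructed fixtures (added here, not taken from the malware's own files):
# the per-site rule set and a "systemInfo" record in the shape dave3k quoted.
# The addresses are the ones that appear in his post.
EXTENSION_CONFIG = json.dumps({
    "btce.pubkey": ["145t5ZWSPYxAuL7G83mX9fqNKaFSKY4Eho"],
    "btce.replace_pubkey": ["all"],
    "mtgox.pubkey": ["1Nw7hEhc6LLd63wqjKZe9uxM2ZyQ7uSqWe"],
    "mtgox.withdraw": ["all"],
    "reddit.block": [],
    "localbitcoins.receivePubkey": ["1jFUqwMgHSqUp96xzkaTzjac5wd5N2ozn"],
    "localbitcoins.sendPubkey": ["1J4keervYq57SJGn3Tj6GnUzCGTjPexnU"],
    "localbitcoins.withdraw": ["all"],
    "plugin.disable": [],
})

PROBED = ["BitcoinQt", "Electrum", "HandsOff", "Hive", "LittleSnitch",
          "MultiBit", "Xcode", "1Password", "BitMessage"]


def _snapshot(ts):
    # Only Bitcoin-Qt is reported present, matching the quoted record.
    return [{"variableName": n, "timestamp": ts, "variableValue": n == "BitcoinQt",
             "variableGroup": "systemInfo"} for n in PROBED]


# The quoted value was a JSON array serialised *again* as a JSON string
# (hence the \" escapes), so encode twice to reproduce that.
SYSTEM_INFO_RAW = json.dumps(json.dumps(_snapshot(1392055463) + _snapshot(1392107523)))

# Base58 alphabet, version prefix 1 or 3: a shape check only, no checksum verification.
ADDRESS_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def looks_like_btc_address(value):
    return isinstance(value, str) and ADDRESS_RE.match(value) is not None


def parse_site_rules(config_text):
    """Group '<site>.<action>' keys by site and collect any address-shaped values."""
    rules = defaultdict(dict)
    for key, value in json.loads(config_text).items():
        site, _, action = key.partition(".")
        rules[site][action] = value
        if isinstance(value, list):
            addrs = [v for v in value if looks_like_btc_address(v)]
            if addrs:
                rules[site].setdefault("addresses", []).extend(addrs)
    return dict(rules)


def extract_iocs(config_text):
    """Attacker-controlled addresses, deduplicated and sorted: ready to watch on-chain."""
    found = set()
    for site in parse_site_rules(config_text).values():
        found.update(site.get("addresses", []))
    return sorted(found)


def active_rules(config_text):
    """Sites with at least one non-empty rule (empty lists such as reddit.block are inactive)."""
    active = {}
    for site, actions in parse_site_rules(config_text).items():
        enabled = sorted(a for a, v in actions.items() if a != "addresses" and v)
        if enabled:
            active[site] = enabled
    return active


def parse_system_info(raw):
    """Return {timestamp: {appName: present}} from the telemetry record."""
    data = json.loads(raw)
    if isinstance(data, str):  # double-encoded: unwrap the inner JSON
        data = json.loads(data)
    by_ts = defaultdict(dict)
    for rec in data:
        if rec.get("variableGroup") == "systemInfo":
            by_ts[int(rec["timestamp"])][rec["variableName"]] = bool(rec["variableValue"])
    return dict(by_ts)


def probed_apps(raw):
    """Every app name the extension checks for, across all snapshots."""
    names = set()
    for snap in parse_system_info(raw).values():
        names.update(snap)
    return sorted(names)


def present_apps(raw):
    """Apps the most recent snapshot reports as installed."""
    snaps = parse_system_info(raw)
    latest = snaps[max(snaps)]
    return sorted(n for n, v in latest.items() if v)


if __name__ == "__main__":
    print("addresses to monitor:", extract_iocs(EXTENSION_CONFIG))
    print("active site rules:", active_rules(EXTENSION_CONFIG))
    print("apps probed:", probed_apps(SYSTEM_INFO_RAW))
    print("apps present:", present_apps(SYSTEM_INFO_RAW))
```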
E.Sam (OP)
February 13, 2014, 03:14:37 PM
 #11

Kudos for Nick's great malware reverse engineering:

Reference: http://www.securemac.com/Remove-CoinThief-Trojan-Horse-Instructions.php

Quote
OSX/CoinThief has been distributed under four different names so far: BitVanity, StealthBit, Bitcoin Ticker TTM, and Litecoin Ticker.

BitVanity and StealthBit were distributed on Github, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. Both app names appear to have been taken from legitimate apps in the Mac App Store. The malicious payload was not found in Mac App Store copies of these apps.

When run, the malware installs a browser extension in Chrome, Safari, and Firefox, which will appear in those apps as "Pop-Up Blocker 1.0.0" with the description "Blocks pop-up windows and other annoyances." There are some indications that this name and description were also taken from a legitimate browser extension. The browser extensions watch your web traffic, looking for specific headers for bitcoin-related websites. They communicate with the background process, which will periodically connect to a remote server (currently offline) to exfiltrate login credentials.

The background process is set to be constantly running via a launchd task. Additionally, the background process will check for the presence of Bitcoin-Qt, and appears to be modifying components of Bitcoin-Qt, possibly with the intent of leaking private keys.

To check for the presence of the malware on your system:

Take a screenshot of these instructions or print them out, and disconnect your system from the internet until you've verified that your system is clean.
Open Activity Monitor (located in your Utilities folder), and look for a process called "com.google.softwareUpdateAgent."

Note that this is a specific name that is currently known to be used by the malware.
Open Chrome, Safari, and Firefox (if installed on your system), and check for the presence of the "Pop-Up Blocker" extension.
If you see either the "com.google.softwareUpdateAgent" process or the browser extensions, continue on to the removal instructions.
To manually remove the malware from your system:

Manual removal is going to require entering a few terminal commands. The commands must be entered exactly as they are listed below, so copy and paste them in if need be.

Before entering the terminal commands, delete the apps from your system (BitVanity, StealthBit, Bitcoin Ticker TTM, or Litecoin Ticker) by dragging them to the Trash and emptying the Trash. Make sure to quit the apps before attempting to delete them.

Open the Terminal (located in your Utilities folder), and type the following command:
launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist
Press the return key after entering the command. This command will unload the launchd task, and stop the malware from constantly running in the background. If you see a message stating "No such file or directory, nothing found to unload," the launchd task was not loaded on your system.
Next, you're going to enter a command to unhide the malware file itself, and move it to your Desktop. From there, you will manually drag it to the Trash. This will serve to avoid accidentally removing the wrong file. Type the following command, again pressing the return key after entering the command:
mv ~/Library/Application Support/.com.google.softwareUpdateAgent ~/Desktop/com.google.softwareUpdateAgent

In the above command, pay close attention – there is a period before the first instance of com.google.softwareUpdateAgent.
Next, you're going to do the same for the file that starts the launchd task, and move it to the Desktop. Type the following command, again pressing the return key after entering the command:
mv ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist ~/Desktop/com.google.softwareUpdateAgent.plist
Drag the com.google.softwareUpdateAgent and com.google.softwareUpdateAgent.plist files that should now be present on your Desktop to the Trash, and empty the Trash.
Open your web browsers, and delete the "Pop-Up Blocker" extensions.
Backup your wallet and reinstall Bitcoin-Qt.
Change your password information for accounts you have on any bitcoin-related websites either from a system that you know is clean, or after you have ensured removal of the malware.
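As an added example (not from SecureMac or anyone in this thread), a read-only Python check for the indicators the removal steps above rely on: the launch agent plist, the hidden payload under Application Support, the agent process name, a browser-extension manifest named "Pop-Up Blocker", and the kango-*.sqlite store btc_victim mentions later in the thread. It only reports, it deletes nothing; the sample home directory it builds is a constructed fixture and the function names are mine.

```python
import json
import os
import subprocess
import tempfile

# Paths and names are the ones given in the SecureMac instructions quoted above;
# the kango-*.sqlite pattern is the extension store btc_victim reports in this
# thread. Everything is relative to the user's home directory.
LAUNCH_AGENT = os.path.join("Library", "LaunchAgents", "com.google.softwareUpdateAgent.plist")
HIDDEN_PAYLOAD = os.path.join("Library", "Application Support", ".com.google.softwareUpdateAgent")
APP_SUPPORT = os.path.join("Library", "Application Support")
PROCESS_NAME = "com.google.softwareUpdateAgent"
EXTENSION_NAME = "Pop-Up Blocker"


def _manifest_named(path, wanted):
    """True if a browser-extension manifest declares the given display name."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh).get("name") == wanted
    except (OSError, ValueError):
        return False


def find_artifacts(home):
    """Read-only scan: return paths of CoinThief persistence artifacts under `home`."""
    hits = []
    for rel in (LAUNCH_AGENT, HIDDEN_PAYLOAD):
        path = os.path.join(home, rel)
        if os.path.lexists(path):  # lexists also catches a dangling symlink
            hits.append(path)
    for dirpath, _, files in os.walk(os.path.join(home, APP_SUPPORT)):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.startswith("kango-") and name.endswith(".sqlite"):
                hits.append(full)
            elif name == "manifest.json" and _manifest_named(full, EXTENSION_NAME):
                hits.append(full)
    return sorted(hits)


def matching_processes(ps_output):
    """Filter `ps -axo comm=` output (one command per line) for the agent name."""
    return [line.strip() for line in ps_output.splitlines() if PROCESS_NAME in line]


def live_processes():
    """Run ps on the current machine; empty list if ps is unavailable."""
    try:
        out = subprocess.run(["ps", "-axo", "comm="], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return []
    return matching_processes(out)


def assess(home, ps_output=None):
    """Combine file and process indicators; ps_output=None means query the live system."""
    procs = live_processes() if ps_output is None else matching_processes(ps_output)
    artifacts = find_artifacts(home)
    return {"artifacts": artifacts, "processes": procs,
            "infected": bool(artifacts or procs)}


def make_sample_home(infected=True):
    """Constructed fixture: a throwaway home directory, with or without the artifacts."""
    home = tempfile.mkdtemp(prefix="cointhief-demo-")
    os.makedirs(os.path.join(home, "Library", "LaunchAgents"))
    ext_dir = os.path.join(home, APP_SUPPORT, "Google", "Chrome", "Default",
                           "Extensions", "demo", "1.0.0")
    os.makedirs(ext_dir)
    if infected:
        open(os.path.join(home, LAUNCH_AGENT), "w").close()
        open(os.path.join(home, HIDDEN_PAYLOAD), "w").close()
        with open(os.path.join(ext_dir, "manifest.json"), "w") as fh:
            json.dump({"name": EXTENSION_NAME, "version": "1.0.0"}, fh)
        open(os.path.join(home, APP_SUPPORT, "kango-demo.sqlite"), "w").close()
    return home


if __name__ == "__main__":
    # Scan the real home directory of the current user and print the findings.
    print(json.dumps(assess(os.path.expanduser("~")), indent=2))
```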
ABISprotocol
February 13, 2014, 06:57:30 PM
 #12

Nice.  I'm glad I don't use Apple/Mac and also, I hadn't touched the Stealthbit stuff, but thank you to those involved in helping with solutions to these issues, bitcoin users everywhere thank you.

ABISprotocol (Github/Gist)
http://abis.io
btc_victim
April 10, 2014, 10:06:21 AM
 #13

This is all wonderful, but for me, after doing all that, the problem remained. I needed to delete this file too:

  "kango-a5c55783-0892-4f53-8cb1-19cecab8e8e3.sqlite"

If you find this file, read through it to see if it is infected with evil bitcode, marvel at its glory, then destroy it.

I have an infected version in isolation. If anyone wants to read the code, message me. It is amazing.

      - Landry

Ron~Popeil
April 10, 2014, 03:59:24 PM
 #14

I work for Apple and can say with certainty that Bitcoin Ticker is fine as long as you get it from the App Store in your dock. Never go third party with apps that have to do with money or banking.

ffssixtynine
April 22, 2015, 08:47:46 AM
 #15

Flagging this up as the coins are moving - can others who lost coins report if this is the case with them as well.

http://www.reddit.com/r/Bitcoin/comments/33eg5n/stolen_bitcoin_on_the_move_help_appreciated/
http://www.reddit.com/r/Bitcoin/comments/33ec7x/stealthbit_malware_account_on_the_move/