This is old news. The malware was discovered by someone on Reddit shortly after the release. I immediately contacted the ISP hosting the server used to retrieve stolen wallets and it was taken down. I doubt anyone lost any bitcoin. I'm really not sure why TC claims the malware was
"discovered" by these security researchers a couple days later.
I assume the people most likely to download the Mt. Gox data dump were ones who lost coins held by Mt. Gox. So this malware is likely preying on people who are already victims. Pretty cruel.
Could someone give me a brief overview of the what the code is doing? I see a bunch of "on ____" blocks, which I thought might be functions but then they don't seemed to be called later on (unless I am missing something). What language is this?
The code is written in LiveCode. According to the documentation, those "on" blocks appear to be message handlers. [1] They do appear to act like functions as "sW" and "sC" are called from the "doSearch" message handler block. These blocks also are what contain the malicious code.
Basically, the code is searching for bitcoin.conf and wallet.dat in the typical storage place Bitcoin-Qt stores its data. If it manages to find these files, it reads them and sends the contents of them off to two different web addresses, effectively stealing the Bitcoin wallet. The paths and filenames the code uses to find this data are Base64 encoded in the source code so a text search through the code will come up with nothing unless the strings used for searching are Base64 encoded first.
> Luckily, some were sensible enough to run it in a virtual machine.
or, that virtual machines should be more common - mum and dad's computers should have vm software installed, so that they can then be free from having to worry bout things they download. The mantra could be " run in the vm, and you'll be safe".
Using the same virtual machine for everything means its just as much of a hassle to wipe it as to wipe your real machine, and your regular activities are at risk from the crap you install into the vm -to be secure it would have to be machines that reset themselves, not just virtual. What about when mum and dad actually want to install a new program or save some files?
they may be susceptible to having fallen victim to sneaky trojans from previous file executions, but resetting a VM to a previous image state is trivial.
an infected vm is no victim. Lets say you downloaded a pirated game which also has malware in it. You play said game in a vm specifically made _for_ that game. So the malware only runs when you are actually using the vm.
You'd have a vm for each specific piece of software that is untrustworthy, and sharing of files can occur thru sanctioned channels (such as a local, safe temp directory shared by each vm, or read only mounts).
Well, you could include the standard file operations (launch program by doubleclicking that file, save that particular file; secure "save-as" selection provided by OS) as managed parts of the sandbox; and have a functional app that is unable to open&change any files that the user doesn't intentionally choose.
A monthly checkup for your parents computer is a very minor hassle, and it's made much easier when you can use remote desktop software.
It's worth while to you also, it would negatively affect you if your parents did something dumb or there was a virus on their computer that uploaded all of their banking information, or if they kept a desktop file with their passwords rather than using a secure password manager. If their identify got stolen or someone stole money from them, or their names got tarnished, that would harm you, correct?
I agree with your basic point. However the field of defensive computer security is the same age as the field of offensive computer security.
The problem is that defensive security still is not a big enough priority for customers or vendors. When customers walk in to a computer or mobile device store and ask "is this thing safe enough to store my Bitcoins?" and go elsewhere if the answer isn't good enough, we may see vendors up their game.
The same flaws that let a government see you naked let crackers steal your cryptocoins. When I'm in an optimistic mood, I think that cryptocurrency could be the thing we need to motivate more people to care about security.
> The problem is that defensive security still is not a big enough priority for customers or vendors
This is absolutely true. Most people care about price over any other variable.
Yet even areas where there are people who prioritize security consistently fail (Apple vs Jailbreakers, Open Source SSL/TLS developers vs CA validation failure). There is literally no code on this planet you can trust 100%. Even the code that sent people into space had bugs.
edit: I do like the idea of cryptocurrencies, but I don't trust software enough yet. I'm more bullish on the idea of P2P shared blockchains in the form of namecoin as a replacement for DNS etc.
> Most people care about price over any other variable.
most people (at least, in western countries) don't pour over the ingredients, or sus out the manufacturing process to see if their food products have poisons in them, or whether they are fit for eating. It's mandated by law.
I would like to see security have such measures mandated by law, so that it frees the average joe from having to worry about it. Because face it, the average person can't worry about it - it's an expert field.
Mandating something like FIPS for everything would impair startups quite badly. For the moment I'm quite happy to not have regulations on the development process or content of software.
It is a good thing all of our IRAs, 401ks, issued currencies and markets are behind it and pretty much digital as well now. The flipside is that computer security is much better than the old human security with phones and faxes of back in the day. The newer systems are at least more verifiable and higher security.
Crypto currency or not, all of our money is now digital really, it has to be to move fast enough and keep up.
Well that's the point isn't it? We've tried pretty much everything troughout the last century, and the only solutions that seem to work in practice requires being reversible in the case of errors.
Ergo, most likely working solution for the 'money of the future' would be something that's reversible. You'd try to get the other advantages of bitcoin in the proper solution, such as instant, verifiable, cheap/free and easily scriptable global transactions - but abandon those that require irreversibility.
Yes transactions between financial entities should have some reversibility but bitcoin is more like real physical cash that also can be tracked. Stolen physical cash ends up in the same non reversible predicament.
The fact that crypto currencies leave a digital trail and verification actually makes it a tad safer than cash if it was a true stable currency which it isn't yet, but one that could offer that between larger crypto currency 'banks' which is what the market does now with real money, the networks and institutions aren't there for crypto currency yet.
Eventually entities will do the exchanging for you in return for the transaction reversibility, just using another currency or crypto credit. Already happening with stored wallets, exchanges and more. Eventually they will be banks. But currently bitcoin is as safe as having actual cold hard cash in your hands.
Even cash is slightly more "marked", since bills have serial numbers, and it's more difficult to launder large amounts of cash than to send BTC through a mixer. Doesn't help much in small-time cases like having $100 stolen from your wallet. But it makes it harder to make off with a large amount of cash and then actually spend it. A common way of tracking bank thieves is to blacklist the serial numbers and wait for alerts from cash-counting machines that check the blacklist (mostly at banks and back offices of large businesses). Then investigate the areas where blacklisted serial numbers pop up. It's not foolproof, but it makes it much harder to successfully do anything with $10m in stolen cash.
I think the reference is that Karpeles does everything in PHP, so the "stolen" Windows/Mac executables are clearly not his. (Though I don't know that anyone thought they were.)
Right. A man who writes an SSH server in PHP just because he can, then immediately deploys it in production, is probably not the same man who writes a native app here.
You can trace all transactions, so you would be able to identify where the thieves sent the stolen coins, but attempting to track stolen coins in general doesn't work (the value of a wallet is a quantity, so you cannot distinguish between stolen and unstolen coins once they're in the same wallet/tumbler/etc).
I did like the jokey idea someone had a little while back of putting a (very) small wallet on servers and watching the blockchain for transactions therefrom as an intrusion detection system.
I was thinking more along the lines of wallet.dat crafted in a way that when placed in the dir of Bitcoin-qt for example will exploit it's flaws to take over the machine running Bitcoin-qt.
Does that lend credibility to the idea that part of the rest of the data dump is also fraudulent? Tampering with numbers or exploiting a 0-day could prove to be even worse, though I admit the latter is a bit far fetched.
Not really. It's pretty damn hard to fake 700+MB of data, and a great many people have found their own records in it. No, this simply emphasizes that despite the initial window dressing, the hackers are in it for the money: they get whatever they stole with the trojan, and however much they can sell the rest of the dump for.
There's also the guy who posted on pastebin that he was selling people's data and would exclude for people for 0.25 BTC. Of course, people who used fake names/email addresses also got a positive hit when asking to get removed.
They wanted to keep the domain name for branding and legal purposes, but not the association with Magic The Gathering (The domain was registered for a company for trading MTG cards eight years ago, MTG Online eXchange, but it was never used for that purpose)
So, about 2 or 3 years ago, they cleverly rebranded "MTG OX" to "Mt Gox" without changing the domain name.
http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibanneb...
http://www.reddit.com/r/Bitcoin/comments/20152d/vpsbgeu_took...