The “Stolen” Mt. Gox Data Contained Malware That Robbed Users Of Bitcoin (opens in new tab)

(techcrunch.com)

105 pointssmileyborg12y ago63 comments

63 comments

40 comments · 13 top-level

smileyborgOP12y ago· 6 in thread

I assume the people most likely to download the Mt. Gox data dump were ones who lost coins held by Mt. Gox. So this malware is likely preying on people who are already victims. Pretty cruel.

Lerc12y ago

I received a phishing spam that was advertising a 'Scam victim's compensation fund'.

From a scammer point of view, it is a pretty clever way to select targets.

rayiner12y ago

Seems to me like they just did a good job identifying easy targets.

mwilcox12y ago

Plenty of people had accounts & personal info at Mt Gox but didn't have any money there.

duskwuff12y ago

"Didn't lose any money in the MtGox closure? Don't worry! We can fix that!"

kzrdude12y ago

The indefensible part is bitcoin wallet software storing the keys unencrypted.

google-serf12y ago

Supposedly it's off by default because loss of key is of a higher probability than theft. The software has supported encrypted wallets for years...

kalleboo12y ago· 5 in thread

The field of computer security is still too young to handle cash. The biggest barrier for cryptocurrency.

msgilligan12y ago

I agree with your basic point. However the field of defensive computer security is the same age as the field of offensive computer security.

The problem is that defensive security still is not a big enough priority for customers or vendors. When customers walk in to a computer or mobile device store and ask "is this thing safe enough to store my Bitcoins?" and go elsewhere if the answer isn't good enough, we may see vendors up their game.

The same flaws that let a government see you naked let crackers steal your cryptocoins. When I'm in an optimistic mood, I think that cryptocurrency could be the thing we need to motivate more people to care about security.

kalleboo12y ago

> The problem is that defensive security still is not a big enough priority for customers or vendors

This is absolutely true. Most people care about price over any other variable.

Yet even areas where there are people who prioritize security consistently fail (Apple vs Jailbreakers, Open Source SSL/TLS developers vs CA validation failure). There is literally no code on this planet you can trust 100%. Even the code that sent people into space had bugs.

edit: I do like the idea of cryptocurrencies, but I don't trust software enough yet. I'm more bullish on the idea of P2P shared blockchains in the form of namecoin as a replacement for DNS etc.

1 more reply

maxerickson12y ago

Credit cards work fairly well with pretend security. That cuts way down on the purposes where an irreversible digital currency is interesting.

drawkbox12y ago

It is a good thing all of our IRAs, 401ks, issued currencies and markets are behind it and pretty much digital as well now. The flipside is that computer security is much better than the old human security with phones and faxes of back in the day. The newer systems are at least more verifiable and higher security.

Crypto currency or not, all of our money is now digital really, it has to be to move fast enough and keep up.

kalleboo12y ago

None of those are cash. All of those are reversible in the case of errors. Even the NASDAQ has reversed trades.

2 more replies

kramerc12y ago· 4 in thread

ultra0 on Reddit [1] posted the source code, which was dumped from memory, of TibanneBackOffice.exe [2] that shows it is stealing Bitcoin-Qt wallets.

The analysis on Securelist the TechCrunch post is referring to is located at [3].

[1] http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibanneb...

[2] https://3d3.ca/ijKOh.vbs#eV7i3HIliI93y+UR

[3] http://www.securelist.com/en/blog/8196/Analysis_of_Malware_f...

hellogoodby312y ago

Could someone give me a brief overview of the what the code is doing? I see a bunch of "on ____" blocks, which I thought might be functions but then they don't seemed to be called later on (unless I am missing something). What language is this?

kramerc12y ago

The code is written in LiveCode. According to the documentation, those "on" blocks appear to be message handlers. [1] They do appear to act like functions as "sW" and "sC" are called from the "doSearch" message handler block. These blocks also are what contain the malicious code.

Basically, the code is searching for bitcoin.conf and wallet.dat in the typical storage place Bitcoin-Qt stores its data. If it manages to find these files, it reads them and sends the contents of them off to two different web addresses, effectively stealing the Bitcoin wallet. The paths and filenames the code uses to find this data are Base64 encoded in the source code so a text search through the code will come up with nothing unless the strings used for searching are Base64 encoded first.

[1] http://livecode.com/developers/api/6.0.2//on/

maxerickson12y ago

It's http://livecode.com/

Whoever dumped it is talking about it in the reddit thread, start there. Those are definitely function like things.

TrainedMonkey12y ago

Code linked in 2 and 3 looks like VB. Link 3 gives overview of how it works.

TazeTSchnitzel12y ago· 4 in thread

Well, that explains why the PHP can do everything guy had a native app.

alexnking12y ago

Exactly - I could have believed one back office app even, but cross platform? Yeah right...

Fr0styMatt12y ago

What's this in reference to? (genuinely curious)

neurobro12y ago

I think the reference is that Karpeles does everything in PHP, so the "stolen" Windows/Mac executables are clearly not his. (Though I don't know that anyone thought they were.)

1 more reply

ZoF12y ago

The old lead developer at MtGox who's internet handle is "MagicalTux" is a big fan of PHP :).

1 more reply

runn1ng12y ago· 2 in thread

> Hey, there is an .exe file from a self-admitted group of bitcoin hackers. Better run it to see what it does!

sillysaurus312y ago

This was the logic of many on Reddit. I was pretty shocked.

"Yeah, I just wanted to see what it did."

Luckily, some were sensible enough to run it in a virtual machine.

chii12y ago

> Luckily, some were sensible enough to run it in a virtual machine.

or, that virtual machines should be more common - mum and dad's computers should have vm software installed, so that they can then be free from having to worry bout things they download. The mantra could be " run in the vm, and you'll be safe".

1 more reply

hristov12y ago· 2 in thread

Is there a way to create a trojan wallet.dat file that would identify thieves if stolen?

dogecoinbase12y ago

You can trace all transactions, so you would be able to identify where the thieves sent the stolen coins, but attempting to track stolen coins in general doesn't work (the value of a wallet is a quantity, so you cannot distinguish between stolen and unstolen coins once they're in the same wallet/tumbler/etc).

I did like the jokey idea someone had a little while back of putting a (very) small wallet on servers and watching the blockchain for transactions therefrom as an intrusion detection system.

scotty7912y ago

I was thinking more along the lines of wallet.dat crafted in a way that when placed in the dir of Bitcoin-qt for example will exploit it's flaws to take over the machine running Bitcoin-qt.

Shank12y ago· 2 in thread

Does that lend credibility to the idea that part of the rest of the data dump is also fraudulent? Tampering with numbers or exploiting a 0-day could prove to be even worse, though I admit the latter is a bit far fetched.

gwern12y ago

Not really. It's pretty damn hard to fake 700+MB of data, and a great many people have found their own records in it. No, this simply emphasizes that despite the initial window dressing, the hackers are in it for the money: they get whatever they stole with the trojan, and however much they can sell the rest of the dump for.

kalleboo12y ago

There's also the guy who posted on pastebin that he was selling people's data and would exclude for people for 0.25 BTC. Of course, people who used fake names/email addresses also got a positive hit when asking to get removed.

jxf12y ago· 1 in thread

Is there any reason why a sensible BTC client implementation wouldn't encrypt wallet.dat by default?

tlrobinson12y ago

No, but that may only delay the inevitable if the malware is smart enough to silently wait until the user decrypts their wallet.

EGreg12y ago· 1 in thread

When did MTGox start being written as Mt. Gox and pictures of mountains appearing in blog posts about it?

FatalLogic12y ago

They wanted to keep the domain name for branding and legal purposes, but not the association with Magic The Gathering (The domain was registered for a company for trading MTG cards eight years ago, MTG Online eXchange, but it was never used for that purpose)

So, about 2 or 3 years ago, they cleverly rebranded "MTG OX" to "Mt Gox" without changing the domain name.

Then they cleverly lost $500 million.

olalonde12y ago

This is old news. The malware was discovered by someone on Reddit shortly after the release. I immediately contacted the ISP hosting the server used to retrieve stolen wallets and it was taken down. I doubt anyone lost any bitcoin. I'm really not sure why TC claims the malware was "discovered" by these security researchers a couple days later.

http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibanneb...

http://www.reddit.com/r/Bitcoin/comments/20152d/vpsbgeu_took...

dgfvd12y ago

The data didn't contain malware. There was an executable that did.

FatalLogic12y ago

Did anyone actually get money stolen by this?

The headline says "Users" were "Robbed of Bitcoin", but does not give us any proof. I suspect the writer, John Biggs, could not find anyone.

Cless12y ago

I wonder: this kind of malware doesn't require admin permissions, does it?

j / k navigate · click thread line to collapse

63 comments

40 comments · 13 top-level

smileyborgOP12y ago· 6 in thread

I assume the people most likely to download the Mt. Gox data dump were ones who lost coins held by Mt. Gox. So this malware is likely preying on people who are already victims. Pretty cruel.

Lerc12y ago

I received a phishing spam that was advertising a 'Scam victim's compensation fund'.

From a scammer point of view, it is a pretty clever way to select targets.

rayiner12y ago

Seems to me like they just did a good job identifying easy targets.

mwilcox12y ago

Plenty of people had accounts & personal info at Mt Gox but didn't have any money there.

duskwuff12y ago

"Didn't lose any money in the MtGox closure? Don't worry! We can fix that!"

kzrdude12y ago

The indefensible part is bitcoin wallet software storing the keys unencrypted.

google-serf12y ago

Supposedly it's off by default because loss of key is of a higher probability than theft. The software has supported encrypted wallets for years...

kalleboo12y ago· 5 in thread

The field of computer security is still too young to handle cash. The biggest barrier for cryptocurrency.

msgilligan12y ago

I agree with your basic point. However the field of defensive computer security is the same age as the field of offensive computer security.

kalleboo12y ago

> The problem is that defensive security still is not a big enough priority for customers or vendors

This is absolutely true. Most people care about price over any other variable.

edit: I do like the idea of cryptocurrencies, but I don't trust software enough yet. I'm more bullish on the idea of P2P shared blockchains in the form of namecoin as a replacement for DNS etc.

1 more reply

maxerickson12y ago

Credit cards work fairly well with pretend security. That cuts way down on the purposes where an irreversible digital currency is interesting.

drawkbox12y ago

Crypto currency or not, all of our money is now digital really, it has to be to move fast enough and keep up.

kalleboo12y ago

None of those are cash. All of those are reversible in the case of errors. Even the NASDAQ has reversed trades.

2 more replies

kramerc12y ago· 4 in thread

ultra0 on Reddit [1] posted the source code, which was dumped from memory, of TibanneBackOffice.exe [2] that shows it is stealing Bitcoin-Qt wallets.

The analysis on Securelist the TechCrunch post is referring to is located at [3].

[1] http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibanneb...

[2] https://3d3.ca/ijKOh.vbs#eV7i3HIliI93y+UR

[3] http://www.securelist.com/en/blog/8196/Analysis_of_Malware_f...

hellogoodby312y ago

kramerc12y ago

[1] http://livecode.com/developers/api/6.0.2//on/

maxerickson12y ago

It's http://livecode.com/

Whoever dumped it is talking about it in the reddit thread, start there. Those are definitely function like things.

TrainedMonkey12y ago

Code linked in 2 and 3 looks like VB. Link 3 gives overview of how it works.

TazeTSchnitzel12y ago· 4 in thread

Well, that explains why the PHP can do everything guy had a native app.

alexnking12y ago

Exactly - I could have believed one back office app even, but cross platform? Yeah right...

Fr0styMatt12y ago

What's this in reference to? (genuinely curious)

neurobro12y ago

I think the reference is that Karpeles does everything in PHP, so the "stolen" Windows/Mac executables are clearly not his. (Though I don't know that anyone thought they were.)

1 more reply

ZoF12y ago

The old lead developer at MtGox who's internet handle is "MagicalTux" is a big fan of PHP :).

1 more reply

runn1ng12y ago· 2 in thread

> Hey, there is an .exe file from a self-admitted group of bitcoin hackers. Better run it to see what it does!

sillysaurus312y ago

This was the logic of many on Reddit. I was pretty shocked.

"Yeah, I just wanted to see what it did."

Luckily, some were sensible enough to run it in a virtual machine.

chii12y ago

> Luckily, some were sensible enough to run it in a virtual machine.

1 more reply

hristov12y ago· 2 in thread

Is there a way to create a trojan wallet.dat file that would identify thieves if stolen?

dogecoinbase12y ago

I did like the jokey idea someone had a little while back of putting a (very) small wallet on servers and watching the blockchain for transactions therefrom as an intrusion detection system.

scotty7912y ago

I was thinking more along the lines of wallet.dat crafted in a way that when placed in the dir of Bitcoin-qt for example will exploit it's flaws to take over the machine running Bitcoin-qt.

Shank12y ago· 2 in thread

gwern12y ago

kalleboo12y ago

jxf12y ago· 1 in thread

Is there any reason why a sensible BTC client implementation wouldn't encrypt wallet.dat by default?

tlrobinson12y ago

No, but that may only delay the inevitable if the malware is smart enough to silently wait until the user decrypts their wallet.

EGreg12y ago· 1 in thread

When did MTGox start being written as Mt. Gox and pictures of mountains appearing in blog posts about it?

FatalLogic12y ago

So, about 2 or 3 years ago, they cleverly rebranded "MTG OX" to "Mt Gox" without changing the domain name.

Then they cleverly lost $500 million.

olalonde12y ago

http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibanneb...

http://www.reddit.com/r/Bitcoin/comments/20152d/vpsbgeu_took...

dgfvd12y ago

The data didn't contain malware. There was an executable that did.

FatalLogic12y ago

Did anyone actually get money stolen by this?

The headline says "Users" were "Robbed of Bitcoin", but does not give us any proof. I suspect the writer, John Biggs, could not find anyone.

Cless12y ago

I wonder: this kind of malware doesn't require admin permissions, does it?

j / k navigate · click thread line to collapse