Bitcoin malware count soars as cryptocurrency value climbs

Hackers, from the opportunistic to bitcoin-stealing specialists, try to get in on the action, say researchers who tallied malware targeting the virtual currencies

As bitcoin values jumped in the last months of 2013, malware designed to steal the virtual currency exploded, security researchers from Dell SecureWorks said this week.

In a presentation at the RSA Conference, which ends today, and in an interview with Computerworld prior to that presentation, researchers from Atlanta-based SecureWorks outlined the project they'd conducted to count and classify the malware that targets cryptocurrencies.

The report was particularly important in light of news today that Mt. Gox, a major bitcoin trading exchange, has filed for bankruptcy protection in a Japanese court, and implied that hackers stole approximately 850,000 bitcoins, worth nearly $475 million at current values.

Joe Stewart, director of malware research at SecureWorks, and his colleague Pat Litke, a security analysis advisor at the company's Counter Threat Unit (CTU), did not analyze the defenses employed by trading exchanges like Mt. Gox, where bitcoin owners store their digital currencies for easier trading. But their report on the malware aimed at individuals who hoard their own bitcoins painted a frightening picture.

"The problem is that most people are unprepared," said Stewart in an interview. "With bitcoins and altcoins, you're essentially acting as your own bank."

But unlike commercial financial institutions -- or presumably bitcoin exchanges, although Mt. Gox's demise implies otherwise -- that have multi-layer professional-grade security defenses guarding their funds, individuals, especially those new to the concept of digital currencies, are on their own. And as Stewart said, they're often woefully unprepared to defend their virtual "wallets."

Hackers know this better than most, said Stewart and Litke, who tracked a rapid increase in the number of cryptocurrency-stealing malware families in the last four months.

"As the value [of bitcoins] goes up, bad actors match that with an increase in malware," said Litke. Not surprisingly, their analysis showed a strong correlation between bitcoin values and the number of new malware families.

One reason the pair decided to dive into bitcoin-related malware was the poor detection skills of most traditional antivirus software. But they also hoped that counting and categorizing the malware would show what kind of opportunity security vendors had to improve their defenses, and whether the lessons learned from cryptocurrency protection would carry over into better defending traditional online banking.

But it was clear that hackers see the value of bitcoin and its ilk.

"We counted more than 100 unique families of bitcoin malware," said Litke. "Many of them appeared in June [2013] as the value of bitcoin went up."

Some of that malware is relatively unsophisticated, relies on more-or-less traditional malware practices and tools, and is often tossed into multi-threat toolkits or multi-exploit packages by opportunistic cyber criminals.

The most common kind of currency-stealing malware targets the software "wallets" that store and generate the cryptographic keys used to verify and transfer bitcoins. Such malware often does little more than look for known wallet filenames and file locations. They're usually bundled with a keylogger of some kind -- attack code that records keystrokes -- to snatch the pass phrase used to unlock the wallet.

More sophisticated malware -- Litke used the word "elegant" -- simply monitors the Windows clipboard, watches for a valid Bitcoin address, then replaces it with the hacker's Bitcoin address. (Bitcoin owners often use the clipboard when composing the digitally-signed emails for bitcoin transfers.)

Classified as a kind of "man in the middle" attack, the clipboard-focused malware has very little traditional malware functionality, making it even harder for antivirus vendors to detect. "It flies under the AV radar even more than most," said Litke.
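
As an added example (not from the SecureWorks research or the original article), a defender-side check for the clipboard substitution described above: it validates legacy Bitcoin addresses by their Base58Check checksum and flags clipboard history entries where one valid address is replaced by a different valid address faster than a person could re-copy. The snapshot format, the one-second threshold and the sample addresses are assumptions constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _check(data: bytes) -> bytes:
    """First 4 bytes of double SHA-256: the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def make_address(version: int, hash160: bytes) -> str:
    """Encode a legacy address; used here only to build constructed samples."""
    raw = bytes([version]) + hash160
    raw += _check(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_valid_address(text: str) -> bool:
    """True for a well-formed legacy (P2PKH/P2SH) address with a good checksum."""
    s = text.strip()
    if not 26 <= len(s) <= 35 or any(c not in B58 for c in s):
        return False
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    zeros = len(s) - len(s.lstrip("1"))
    raw = bytes(zeros) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and raw[0] in (0x00, 0x05) and _check(raw[:21]) == raw[21:]

def find_address_swaps(snapshots, max_gap=1.0):
    """Flag a valid address replaced by a different valid one within max_gap seconds."""
    alerts = []
    for (t0, old), (t1, new) in zip(snapshots, snapshots[1:]):
        old, new = old.strip(), new.strip()
        if old != new and t1 - t0 <= max_gap and is_valid_address(old) and is_valid_address(new):
            alerts.append((t1, old, new))
    return alerts

# Constructed sample data: addresses derived from dummy hashes, not real wallets.
ADDR_A = make_address(0x00, bytes(range(1, 21)))
ADDR_B = make_address(0x00, bytes(range(101, 121)))
ADDR_C = make_address(0x05, bytes(range(201, 221)))
HISTORY = [(10.00, ADDR_A), (10.05, ADDR_B),   # rewritten 50 ms after the copy
           (60.00, "meeting at 3pm"), (90.00, ADDR_A), (200.00, ADDR_C)]

if __name__ == "__main__":
    for t, old, new in find_address_swaps(HISTORY):
        print(f"t={t:.2f}s clipboard address changed: {old} -> {new}")
```

The timing heuristic only catches rewrites that happen immediately after a copy; comparing the pasted address character by character against the payee's original remains the check that does not depend on timing.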

The best defense against bitcoin malware, said Stewart and Litke, is the still-in-the-works "hardware wallets," small specialized devices that store the private keys and verify transactions. They're not foolproof -- they don't prevent problems incurred by accessing a Web-based wallet or exchange from an infected PC, for example -- but they can't be hacked like a software wallet.

Bitcoin malware will only continue to grow, Stewart and Litke predicted, because for all the missteps by exchanges like Mt. Gox, the two are convinced that digital currencies are here to stay and will only grow in popularity and use.

And unlike during the early days of financially-motivated malware, when the two sides -- hackers and security professionals -- were both starting from scratch in their attacks and defenses, the cyber criminals have the upper hand at the moment.

"This time they have a head start," said Stewart, referring to the hackers. "They have had years of practice making Trojans and password stealers, they have a huge arsenal of code primed and ready to go. Security companies have to bring some kind of order [to Bitcoin protection] with best practices. It's not terribly hard, once you understand how the whole thing works."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.