Digital currency, mainly in the form of Bitcoin, is quickly gaining popularity these days, and it is no wonder that it presents a new opportunity for digital villains.
A few years ago, malware designed to steal from digital wallets or secretly mine Bitcoins was unheard of.
Today, however, many of the most prevalent malware families already target Bitcoins as a revenue stream. Even the notorious Cryptolocker ransomware offers the option to pay the ransom in this currency.
So, how can we protect our digital money? To find out, we must first understand how malware is written to manipulate our digital wallets. In this blog post, we will briefly analyze one of the latest malicious samples, which uses some of the more common malware techniques to steal from digital wallets.
The sample AVG Virus Labs received was packed in several layers of protection: the malware writers used custom packers and UPX to make detection and analysis more difficult.
Surprisingly, as we unpacked the various layers, the threat team was able to find only one anti-debugging feature.
The check of whether the isDebugged flag is set in the PEB (Process Environment Block) structure is performed many lines before the point where the resulting exception is triggered in the debugger, which makes it trickier to spot.
The stealer then scans the current user’s profile folder looking for stored login credentials from various web browsers, FTP clients, e-mail clients and cryptocurrency wallets.
These wallets (usually a wallet.dat file) are searched for in the following subfolders of the user's AppData folder:
Bitcoin, Electrum, MultiBit, Litecoin, Namecoin, Terracoin, Armory, PPCoin, Primecoin, Feathercoin, NovaCoin, Freicoin, Devcoin, Franko, ProtoShares, Megacoin, Quarkcoin, Worldcoin, Infinitecoin, Ixcoin, Anoncoin, BBQcoin, Digitalcoin, Mincoin, GoldCoin (GLD), Yacoin, Zetacoin, Fastcoin, I0coin, Tagcoin, Bytecoin, Florincoin, Phoenixcoin, Luckycoin, Craftcoin, Junkcoin
As you can see, the malware tries to steal money from several of the most well known Bitcoin clients.
- Use a strong password to protect your Bitcoin wallet (weak or dictionary passwords can be easily brute-forced).
- Use different passwords for Bitcoin wallets and for other web services (such as email, Google, Facebook, etc.), as these passwords can be easily harvested from your computer and used to decrypt your wallet file.
- Consider storing your wallet file in a secure and, ideally, encrypted location.
As a next step, the malware tries to read other users’ profiles on the compromised system and find their credentials and wallets too.
For this purpose, the trojan uses the LogonUser and ImpersonateLoggedOnUser APIs to access their private folders and profiles even when the malware is executed by a non-privileged user. However, the malware has to know the password of the account it tries to impersonate for this method to work. For this case, the following passwords are hardcoded in the trojan and tried consecutively together with the user's name (trying the password "Joe" for the username "Joe" as the first option). Can you see your Windows password on the following list? Time for a change if you can…
Superheroes do not seem to be the best password option after all.
- Use strong Windows passwords even on your home computer, as your data/money can easily be stolen even if it wasn't your account that infected the system. It could be your kids, spouse or parents, even if they use non-administrative accounts.
- Keep your security software updated as new variations of these trojans are released every day.
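As an added example (not part of the original post or of AVG's analysis): each consecutive LogonUser call with a wrong password leaves a failed-logon record in the Windows Security log (event 4625), so a stealer working through a hardcoded password list against other local accounts stands out as a burst of failures for several accounts from one caller process. The script below runs that detection logic over constructed, simplified records; the account names, the Temp\upd.exe path and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified failed-logon records (Windows Security event 4625):
# timestamp, event id, target account, caller process. All values are invented.
SAMPLE_LOG = """\
2013-12-20T09:14:01 4625 Anna C:\\Users\\Joe\\AppData\\Local\\Temp\\upd.exe
2013-12-20T09:14:01 4625 Anna C:\\Users\\Joe\\AppData\\Local\\Temp\\upd.exe
2013-12-20T09:14:02 4625 Tom C:\\Users\\Joe\\AppData\\Local\\Temp\\upd.exe
2013-12-20T09:14:03 4625 Guest C:\\Users\\Joe\\AppData\\Local\\Temp\\upd.exe
2013-12-20T12:30:15 4625 Anna C:\\Windows\\System32\\winlogon.exe
2013-12-20T12:31:40 4625 Anna C:\\Windows\\System32\\winlogon.exe
"""

def parse(log_text):
    """Return (timestamp, account, process) for every 4625 record."""
    records = []
    for line in log_text.strip().splitlines():
        ts, event_id, account, process = line.split(maxsplit=3)
        if event_id == "4625":
            records.append((datetime.fromisoformat(ts), account, process))
    return records

def find_bursts(records, window=timedelta(seconds=30), min_failures=4, min_accounts=2):
    """Map caller process -> sorted target accounts for every process whose failed
    logons hit several distinct accounts inside one sliding window (a typo by a
    real user fails slowly against one account; a password list fails fast against many)."""
    by_process = defaultdict(list)
    for ts, account, process in records:
        by_process[process].append((ts, account))
    hits = {}
    for process, events in by_process.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            span = events[start:end + 1]
            accounts = {acct for _, acct in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                hits[process] = sorted(accounts)
                break
    return hits

if __name__ == "__main__":
    for process, accounts in find_bursts(parse(SAMPLE_LOG)).items():
        print(f"ALERT {process}: failed logons for {', '.join(accounts)}")
```

The ordinary winlogon.exe failures (one account, minutes apart) are not reported; the four failures against three accounts within two seconds from the user-profile binary are.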
When all the interesting data has been gathered, it is packed and sent to the attacker. Finally, the malware deletes itself from the system, leaving little to no trace behind.
This makes it harder for the victim to realize that their credentials and possibly their Bitcoin wallet have been compromised and to take immediate action.
By hiding their tracks, the malware writers buy more time to crack the wallet, steal Bitcoins or misuse other gathered personal data before the victim can act.
AVG detects these malicious files as variants of Trojan horse PSW.Generic.
For more information on Bitcoin, check out this video by our security expert Michael McKinnon.
December 20, 2013