Bitcoin malware count soars as cryptocurrency value climbs

Bitcoin malware count soars as cryptocurrency value climbs

Hackers, from the opportunistic to bitcoin-stealing specialists, try to get in on the action, say researchers who tallied malware targeting the virtual currencies

As bitcoin values jumped in the last months of 2013, malware designed to steal the virtual currency exploded, security researchers from Dell SecureWorks said this week.

In a presentation at the RSA Conference, which ends today, and in an interview with Computerworld prior to that presentation, researchers from Atlanta-based SecureWorks outlined the project they'd conducted to count and classify the malware that targets cryptocurrencies.

The report was particularly important in light of news today the Mt. Gox, a major bitcoin trading exchange, has filed for bankruptcy protection in a Japanese court, and implied that hackers stole approximately 850,000 bitcoins, worth nearly $475 million at current values.

Joe Stewart, director of malware research at SecureWorks, and his colleague Pat Litke, a security analysis advisor at the company's Counter Threat Unit (CTU), did not analyze the defenses employed by trading exchanges like Mt. Gox, where bitcoin owners store their digital currencies for easier trading. But their report on the malware aimed at individuals who hoard their own bitcoins painted a frightening picture.

"The problem is that most people are unprepared," said Stewart in an interview. "With bitcoins and altcoins, you're essentially acting as your own bank."

But unlike commercial financial institutions -- or presumably bitcoin exchanges, although Mt. Gox's demise implies otherwise -- that have multi-layer professional-grade security defenses guarding their funds, individuals, especially those new to the concept of digital currencies, are on their own. And as Stewart said, they're often woefully unprepared to defend their virtual "wallets."

Hackers know this better than most, said Stewart and Litke, who tracked a rapid increase in the number of cryptocurrency-stealing malware families in the last four months.

"As the value [of bitcoins] goes up, bad actors match that with an increase in malware," said Litke. Not surprisingly, their analysis showed a strong correlation between bitcoin values and the number of new malware families.

One reason the pair decided to dive into bitcoin-related malware was the poor detection skills of most traditional antivirus software. But they also hoped that counting and categorizing the malware would show what kind of opportunity security vendors had to improve their defenses, and whether the lessons leaned from cryptocurrency protection would carry over into better defending traditional online banking.

But it was clear that hackers see the value of bitcoins and its ilk.

"We counted more than 100 unique families of bitcoin malware," said Litke. Many of them appeared in June [2013] as the value of bitcoin went up."

Some of that malware is relatively unsophisticated, relies on more-or-less traditional malware practices and tools, and is often tossed into multi-threat toolkits or multi-exploit packages by opportunistic cyber criminals.

The most common kind of currency-stealing malware targets the software "wallets" that store and generate the cryptographic keys used to verify and transfer bitcoins. Such malware often does little more than look for known wallet filenames and file locations. They're usually bundled with a keylogger of some kind -- attack code that records keystrokes -- to snatch the pass phrase used to unlock the wallet.

More sophisticated malware -- Litke used the word "elegant" -- simply monitors the Windows clipboard, watches for a valid Bitcoin address, then replaces it with the hacker's Bitcoin address. (Bitcoin owners often use the clipboard when composing the digitally-signed emails for bitcoin transfers.)

Classified as a kind of "man in the middle" attack, the clipboard-focused malware has very little traditional malware functionality, making it even harder for antivirus vendors to detect. "It flies under the AV radar even more than most," said Litke.

The best defense against bitcoin malware, said Stewart and Litke, are the still-in-the-works "hardware wallets," small specialized devices that store the private keys and verify transactions. They're not foolproof -- they don't prevent problems incurred by accessing a Web-based wallet or exchange from an infected PC, for example -- but they can't be hacked like a software wallet.

Bitcoin malware will only continue to grow, Stewart and Litke predicted, because for all the missteps by exchanges like Mt. Gox, the two are convinced that digital currencies re here to stay and will only grow in popularity and use.

And unlike during the early days of financially-motivated malware, when the two sides -- hackers and security professionals -- were both starting from scratch in their attacks and defenses, the cyber criminals have the upper hand at the moment.

"This time they have a head start," said Stewart, referring to the hackers. "They have had years of practice making Trojans and password stealers, they have a huge arsenal of code primed and ready to go. Security companies have to bring some kind of order [to Bitcoin protection] with best practices. It's not terribly hard, once you understand how the whole thing works."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags internetDelle-commercee-businessMalware and VulnerabilitiesDell SecureWorks

Show Comments