Bitcoin malware count soars as cryptocurrency value climbs

Gregg Keizer

As bitcoin values jumped in the last months of 2013, malware designed to steal the virtual currency exploded, security researchers from Dell SecureWorks said this week.

In a presentation at the RSA Conference, which ends today, and in an interview with Computerworld prior to that presentation, researchers from Atlanta-based SecureWorks outlined the project they'd conducted to count and classify the malware that targets cryptocurrencies.

The report was particularly important in light of news today that Mt. Gox, a major bitcoin trading exchange, has filed for bankruptcy protection in a Japanese court, and implied that hackers stole approximately 850,000 bitcoins, worth nearly $475 million at current values.

Joe Stewart, director of malware research at SecureWorks, and his colleague Pat Litke, a security analysis advisor at the company's Counter Threat Unit (CTU), did not analyze the defenses employed by trading exchanges like Mt. Gox, where bitcoin owners store their digital currencies for easier trading. But their report on the malware aimed at individuals who hoard their own bitcoins painted a frightening picture.

"The problem is that most people are unprepared," said Stewart in an interview. "With bitcoins and altcoins, you're essentially acting as your own bank."

But unlike commercial financial institutions — or presumably bitcoin exchanges, although Mt. Gox's demise implies otherwise — that have multi-layer professional-grade security defenses guarding their funds, individuals, especially those new to the concept of digital currencies, are on their own. And as Stewart said, they're often woefully unprepared to defend their virtual "wallets."

Hackers know this better than most, said Stewart and Litke, who tracked a rapid increase in the number of cryptocurrency-stealing malware families in the last four months.

"As the value [of bitcoins] goes up, bad actors match that with an increase in malware," said Litke. Not surprisingly, their analysis showed a strong correlation between bitcoin values and the number of new malware families.

One reason the pair decided to dive into bitcoin-related malware was the poor detection rate of most traditional antivirus software against it. But they also hoped that counting and categorizing the malware would show what kind of opportunity security vendors had to improve their defenses, and whether the lessons learned from cryptocurrency protection would carry over into better defending traditional online banking.

But it was clear that hackers see the value of bitcoin and its ilk.

"We counted more than 100 unique families of bitcoin malware," said Litke. "Many of them appeared in June [2013] as the value of bitcoin went up."

Some of that malware is relatively unsophisticated, relies on more-or-less traditional malware practices and tools, and is often tossed into multi-threat toolkits or multi-exploit packages by opportunistic cyber criminals.

The most common kind of currency-stealing malware targets the software "wallets" that store and generate the cryptographic keys used to verify and transfer bitcoins. Such malware often does little more than look for known wallet filenames in known file locations and copy what it finds. It is usually bundled with a keylogger of some kind — attack code that records keystrokes — to snatch the pass phrase used to unlock the wallet.
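The same lookup the article describes, run from the defender's side, as an added example that is not from the article or from SecureWorks. It assumes Bitcoin Core's default wallet.dat locations (which are real, documented defaults; other wallet software uses its own paths and would need adding to the table) and is otherwise a hypothetical inventory script: the home directory and platform name are supplied by the caller, and the "exposed" classification only looks at POSIX mode bits.

```python
"""Inventory the default wallet file locations that wallet-stealing malware
checks, and flag any that another local user could read.

Added example; not code from the article or from SecureWorks. The path table
holds Bitcoin Core's default wallet.dat locations. Everything else (function
names, the access classification) is this example's own construction.
"""
import os
import stat
import sys

# Default Bitcoin Core wallet locations, relative to the user's home directory.
# A thief that "looks for known wallet filenames and file locations" needs
# nothing more than a table like this one.
DEFAULT_WALLET_PATHS = {
    "linux": [".bitcoin/wallet.dat"],
    "darwin": ["Library/Application Support/Bitcoin/wallet.dat"],
    "windows": ["AppData/Roaming/Bitcoin/wallet.dat"],
}


def candidate_paths(home, platform):
    """Return the default wallet file paths for one user on one platform."""
    if platform not in DEFAULT_WALLET_PATHS:
        raise ValueError(f"unknown platform: {platform!r}")
    return [home.rstrip("/") + "/" + rel for rel in DEFAULT_WALLET_PATHS[platform]]


def classify_mode(mode, platform):
    """Classify a wallet file's POSIX mode bits.

    "exposed"  - group or other can read the file (any local account or
                 unprivileged malware running as another user can copy it)
    "private"  - only the owner can read it
    "unknown"  - Windows, where st_mode does not reflect the ACL that
                 actually governs access, so this check says nothing useful
    """
    if platform == "windows":
        return "unknown"
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return "exposed"
    return "private"


def find_wallets(home, platform):
    """Stat each default wallet path and report what a thief would find.

    Each record carries the path, whether the file exists, its size in bytes,
    and the classify_mode() result (None when the file is absent).
    """
    records = []
    for path in candidate_paths(home, platform):
        record = {"path": path, "exists": False, "size": 0, "access": None}
        try:
            st = os.stat(path)
        except FileNotFoundError:
            records.append(record)
            continue
        record["exists"] = True
        record["size"] = st.st_size
        record["access"] = classify_mode(st.st_mode, platform)
        records.append(record)
    return records


def report(records):
    """Render find_wallets() output as one line per candidate path."""
    lines = []
    for r in records:
        if r["exists"]:
            lines.append(f"{r['access']:<8} {r['path']} ({r['size']} bytes)")
        else:
            lines.append(f"absent   {r['path']}")
    return lines


if __name__ == "__main__":
    # Map the running interpreter's platform onto the table's keys.
    if sys.platform.startswith("win"):
        current = "windows"
    elif sys.platform == "darwin":
        current = "darwin"
    else:
        current = "linux"
    for line in report(find_wallets(os.path.expanduser("~"), current)):
        print(line)
```

Run it as the user whose wallet you are auditing. A wallet that shows as "exposed" can be copied by any other local account, so the keylogger in the article's description is only needed to get the pass phrase, and an unencrypted wallet needs neither; "private" narrows the thief's options to code running as that user or as root.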
