
The “Stolen” Mt. Gox Data Contained Malware That Robbed Users Of Bitcoin - smileyborg
http://techcrunch.com/2014/03/14/the-stolen-mt-gox-data-contained-malware-that-robbed-users-of-bitcoin/
======
olalonde
This is old news. The malware was discovered by someone on Reddit shortly
after the release. I immediately contacted the ISP hosting the server used to
retrieve stolen wallets and it was taken down. I doubt anyone lost any
bitcoin. I'm really not sure why TC claims the malware was "discovered" by
these security researchers a couple days later.

[http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibanneb...](http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibannebackofficeexe_executab)

[http://www.reddit.com/r/Bitcoin/comments/20152d/vpsbgeu_took...](http://www.reddit.com/r/Bitcoin/comments/20152d/vpsbgeu_took_down_tibannebackofficeexe_malware/)

------
smileyborg
I assume the people most likely to download the Mt. Gox data dump were ones
who lost coins held by Mt. Gox. So this malware is likely preying on people
who are already victims. Pretty cruel.

~~~
mwilcox
Plenty of people had accounts & personal info at Mt Gox but didn't have any
money there.

~~~
duskwuff
"Didn't lose any money in the MtGox closure? Don't worry! We can fix that!"

------
kramerc
ultra0 on Reddit [1] posted the source code, which was dumped from memory, of
TibanneBackOffice.exe [2] that shows it is stealing Bitcoin-Qt wallets.

The analysis on Securelist the TechCrunch post is referring to is located at
[3].

[1]
[http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibanneb...](http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibannebackofficeexe_executable_is_wallet/)

[2]
[https://3d3.ca/ijKOh.vbs#eV7i3HIliI93y+UR](https://3d3.ca/ijKOh.vbs#eV7i3HIliI93y+UR)

[3]
[http://www.securelist.com/en/blog/8196/Analysis_of_Malware_f...](http://www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_leak_archive)

~~~
hellogoodby3
Could someone give me a brief overview of what the code is doing? I see a
bunch of "on ____" blocks, which I thought might be functions but then they
don't seem to be called later on (unless I am missing something). What
language is this?

~~~
kramerc
The code is written in LiveCode. According to the documentation, those "on"
blocks appear to be message handlers. [1] They do appear to act like functions,
as "sW" and "sC" are called from the "doSearch" message handler block. These
blocks are also what contain the malicious code.

Basically, the code is searching for bitcoin.conf and wallet.dat in the
typical storage place Bitcoin-Qt stores its data. If it manages to find these
files, it reads them and sends the contents of them off to two different web
addresses, effectively stealing the Bitcoin wallet. The paths and filenames
the code uses to find this data are Base64 encoded in the source code so a
text search through the code will come up with nothing unless the strings used
for searching are Base64 encoded first.

[1]
[http://livecode.com/developers/api/6.0.2//on/](http://livecode.com/developers/api/6.0.2//on/)
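The point about Base64-hidden paths above is worth turning into a concrete triage check. The script below is an added example written for this thread; it is not the leaked sample, not code posted by anyone here, and not LiveCode. The indicator strings, the LiveCode-style stand-in script, and the two paths embedded in it are all constructed for illustration. It shows the trick a plain `strings`/`grep` misses: because Base64 maps three bytes to four characters, the encoding of "wallet.dat" depends on its byte offset modulo 3 inside the enclosing string, so a scanner has to search for all three alignment variants (with the boundary characters that depend on neighbouring bytes trimmed off), then decode the surrounding token to recover the full path.

```python
import base64
import re
from typing import Dict, List, Tuple

# Indicator strings a Bitcoin-Qt wallet stealer has to carry somewhere.
# Assumed for this example; the page does not reproduce the sample's strings.
INDICATORS = ["wallet.dat", "bitcoin.conf", "Bitcoin"]

# A run of Base64 alphabet characters, optionally padded, as found in a script literal.
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def base64_variants(s: str) -> List[str]:
    """Base64 fragments that can represent `s` at each of the three alignments.

    Base64 maps 3 input bytes to 4 output characters, so the encoding of a
    substring depends on its byte offset modulo 3 inside the full plaintext.
    For each alignment we prepend dummy bytes, encode, and strip the output
    characters whose bits are shared with the unknown neighbouring bytes.
    """
    raw = s.encode()
    variants = []
    for lead in range(3):
        enc = base64.b64encode(b"\x00" * lead + raw).decode().rstrip("=")
        head = (0, 2, 3)[lead]  # leading chars polluted by the dummy prefix
        tail = 0 if (lead + len(raw)) % 3 == 0 else 1  # char sharing bits with the next byte
        variants.append(enc[head:len(enc) - tail])
    return variants


def plain_search(blob: bytes, indicators=INDICATORS) -> Dict[str, List[int]]:
    """Naive strings-style search: clear-text offsets of each indicator."""
    return {s: [m.start() for m in re.finditer(re.escape(s.encode()), blob)]
            for s in indicators}


def base64_search(blob: bytes, indicators=INDICATORS) -> Dict[str, List[Tuple[int, int]]]:
    """(offset, alignment) of every Base64-encoded occurrence of each indicator."""
    hits = {}
    for s in indicators:
        found = []
        for align, frag in enumerate(base64_variants(s)):
            for m in re.finditer(re.escape(frag.encode()), blob):
                found.append((m.start(), align))
        hits[s] = sorted(found)
    return hits


def decode_token_at(blob: bytes, offset: int) -> str:
    """Decode the whole Base64 literal that contains `offset`, to see the full path."""
    for m in _B64_TOKEN.finditer(blob):
        if m.start() <= offset < m.end():
            tok = m.group().rstrip(b"=")
            tok += b"=" * (-len(tok) % 4)  # restore padding the literal may have lost
            return base64.b64decode(tok).decode("utf-8", "replace")
    raise ValueError("offset is not inside a Base64 token")


# Constructed stand-in for the script body (not the real sample): three paths a
# wallet stealer might carry, stored as Base64 literals in LiveCode-style code.
# "wallet.dat" sits at offset 18 (alignment 0) and 38 (alignment 2);
# "Bitcoin" at offsets 10 (alignment 1) and 30 (alignment 0).
WIN_WALLET = r"%APPDATA%\Bitcoin\wallet.dat"
WIN_CONF = r"%APPDATA%\Bitcoin\bitcoin.conf"
MAC_WALLET = "~/Library/Application Support/Bitcoin/wallet.dat"
SAMPLE = b"\n".join([
    b"on doSearch",
    b'  put base64Decode("' + base64.b64encode(WIN_WALLET.encode()) + b'") into tWin',
    b'  put base64Decode("' + base64.b64encode(WIN_CONF.encode()) + b'") into tConf',
    b'  put base64Decode("' + base64.b64encode(MAC_WALLET.encode()) + b'") into tMac',
    b"end doSearch",
])

if __name__ == "__main__":
    print("clear-text hits:", plain_search(SAMPLE))
    for name, found in base64_search(SAMPLE).items():
        for off, align in found:
            print(f"{name!r} base64 (alignment {align}) at {off}: {decode_token_at(SAMPLE, off)}")
```

Run against the constructed sample, the clear-text search comes back empty for all three indicators while the Base64 search finds every one and decodes the enclosing literal back to the full Bitcoin-Qt path. The same alignment trick is what YARA's `base64` string modifier automates, and it applies equally to the URLs the exfiltration goes to, which are often encoded the same way.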

------
runn1ng
> Hey, there is an .exe file from a self-admitted group of bitcoin hackers.
> Better run it to see what it does!

~~~
sillysaurus3
This was the logic of many on Reddit. I was pretty shocked.

"Yeah, I just wanted to see what it did."

Luckily, some were sensible enough to run it in a virtual machine.

~~~
chii
> Luckily, some were sensible enough to run it in a virtual machine.

or, that virtual machines should be more common - mum and dad's computers
should have VM software installed, so that they can then be free from having
to worry about things they download. The mantra could be "run in the VM, and
you'll be safe".

~~~
jacalata
Using the same virtual machine for everything means it's just as much of a
hassle to wipe it as to wipe your real machine, and your regular activities
are at risk from the crap you install into the VM - to be secure it would have
to be machines that reset themselves, not just virtual. What about when mum
and dad actually want to install a new program or save some files?

~~~
hayksaakian
If we had something like incognito mode for the operating system that would be
ideal.

~~~
woodson
Knoppix has been around since 2000 :-)

[https://en.wikipedia.org/wiki/Knoppix](https://en.wikipedia.org/wiki/Knoppix)

------
kalleboo
The field of computer security is still too young to handle cash. The biggest
barrier for cryptocurrency.

~~~
msgilligan
I agree with your basic point. However the field of defensive computer
security is the same age as the field of offensive computer security.

The problem is that defensive security still is not a big enough priority for
customers or vendors. When customers walk in to a computer or mobile device
store and ask "is this thing safe enough to store my Bitcoins?" and go
elsewhere if the answer isn't good enough, we may see vendors up their game.

The same flaws that let a government see you naked let crackers steal your
cryptocoins. When I'm in an optimistic mood, I think that cryptocurrency could
be the thing we need to motivate more people to care about security.

~~~
kalleboo
> The problem is that defensive security still is not a big enough priority
> for customers or vendors

This is absolutely true. Most people care about price over any other variable.

Yet even areas where there are people who prioritize security consistently
fail (Apple vs Jailbreakers, Open Source SSL/TLS developers vs CA validation
failure). There is literally _no_ code on this planet you can trust 100%. Even
the code that sent people into space had bugs.

edit: I do like the idea of cryptocurrencies, but I don't trust software
enough yet. I'm more bullish on the idea of P2P shared blockchains in the form
of namecoin as a replacement for DNS etc.

~~~
chii
> Most people care about price over any other variable.

most people (at least, in western countries) don't pore over the ingredients,
or suss out the manufacturing process to see if their food products have
poisons in them, or whether they are fit for eating. It's mandated by law.

I would like to see security have such measures mandated by law, so that it
frees the average joe from having to worry about it. Because face it, the
average person can't worry about it - it's an expert field.

~~~
pjc50
Mandating something like FIPS for _everything_ would impair startups quite
badly. For the moment I'm quite happy to not have regulations on the
development process or content of software.

------
TazeTSchnitzel
Well, that explains why the _PHP can do everything_ guy had a native app.

~~~
Fr0styMatt
What's this in reference to? (genuinely curious)

~~~
neurobro
I think the reference is that Karpeles does everything in PHP, so the "stolen"
Windows/Mac executables are clearly not his. (Though I don't know that anyone
thought they were.)

~~~
TazeTSchnitzel
Right. A man who writes an SSH server in PHP just because he can, then
immediately deploys it in production, is probably not the same man who writes
a native app here.

------
jxf
Is there any reason why a sensible BTC client implementation wouldn't encrypt
wallet.dat by default?

~~~
tlrobinson
No, but that may only delay the inevitable if the malware is smart enough to
silently wait until the user decrypts their wallet.

------
hristov
Is there a way to create a trojan wallet.dat file that would identify thieves
if stolen?

~~~
dogecoinbase
You can trace all transactions, so you would be able to identify where the
thieves sent the stolen coins, but attempting to track stolen coins in general
doesn't work (the value of a wallet is a quantity, so you cannot distinguish
between stolen and unstolen coins once they're in the same
wallet/tumbler/etc).

I did like the jokey idea someone had a little while back of putting a (very)
small wallet on servers and watching the blockchain for transactions therefrom
as an intrusion detection system.

~~~
scotty79
I was thinking more along the lines of wallet.dat crafted in a way that when
placed in the dir of Bitcoin-qt for example will exploit its flaws to take
over the machine running Bitcoin-qt.

------
Shank
Does that lend credibility to the idea that part of the rest of the data dump
is also fraudulent? Tampering with numbers or exploiting a 0-day could prove
to be even worse, though I admit the latter is a bit far fetched.

~~~
gwern
Not really. It's pretty damn hard to fake 700+MB of data, and a great many
people have found their own records in it. No, this simply emphasizes that
despite the initial window dressing, the hackers are in it for the money: they
get whatever they stole with the trojan, and however much they can sell the
rest of the dump for.

~~~
kalleboo
There's also the guy who posted on pastebin that he was selling people's data
and would exclude people for 0.25 BTC. Of course, people who used fake
names/email addresses also got a positive hit when asking to get removed.

------
dgfvd
The data didn't contain malware. There was an executable that did.

------
FatalLogic
Did anyone actually get money stolen by this?

The headline says "Users" were "Robbed of Bitcoin", but does not give us any
proof. I suspect the writer, John Biggs, could not find anyone.

------
EGreg
When did MTGox start being written as Mt. Gox and pictures of mountains
appearing in blog posts about it?

~~~
FatalLogic
They wanted to keep the domain name for branding and legal purposes, but not
the association with Magic: The Gathering (the domain was registered for a
company for trading MTG cards eight years ago, MTG Online eXchange, but it was
never used for that purpose).

So, about 2 or 3 years ago, they cleverly rebranded "MTG OX" to "Mt Gox"
without changing the domain name.

Then they cleverly lost $500 million.

------
Cless
I wonder: this kind of malware doesn't require admin permissions, does it?

