Mac OS X Bitcoin Stealing Trojan Horse Called OSX/CoinThief Discovered

← Back to Stories (view on slashdot.org)

Mac OS X Bitcoin Stealing Trojan Horse Called OSX/CoinThief Discovered

Posted by timothy on Sunday February 9, 2014 @05:35PM from the willie-sutton-principle dept.

An anonymous reader writes "SecureMac.com has discovered a new trojan horse for Mac OS X called OSX/CoinThief.A, which spies on web traffic to steal Bitcoins. This malware has been found in the wild, along with numerous reports of stolen coins. The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web traffic in order to steal login info for Bitcoin wallets."

55 of 108 comments (clear)

unpossible! by Anonymous Coward · 2014-02-09 17:39 · Score: 4, Funny

There's no such thing as malware for Mac and there never has been.
1. Re: unpossible! by Anonymous Coward · 2014-02-09 18:10 · Score: 1, Insightful
  
  Said no one ever. Not even Steve Jobs.
  There are no viruses. Learn the difference between a virus and a trojan horse.
  In essence, its not even a trojan horse but an app that does hidden, malicious things.
  Now compare that to the > 1 million malwares for Windows (adding dozens and hundreds every day) and tell me which one is safer?
2. Re: unpossible! by LordLimecat · 2014-02-09 18:25 · Score: 4, Informative
  
  In essence, its not even a trojan horse but an app that does hidden, malicious things.
  Im pretty sure you just gave us the textbook definition of what a trojan is.
  
  > 1 million malware
  With such accurate facts (there are more than a million "malwares" for Unix as well) Im sure you are well qualified to make such a determination.
3. Re: unpossible! by houstonbofh · 2014-02-09 18:38 · Score: 1
  
  oooh yes let's split hairs! while we're at it the Anonymous "hackers" are actually not hackers, they are "crackers"!
  Kind of a big hair there... One installs itself, and the other has to be installed by a user.
4. Re:unpossible! by smash · 2014-02-09 18:52 · Score: 3, Insightful
  
  Trojan horses / user stupidity are OS independent.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
5. Re: unpossible! by Anonymous Coward · 2014-02-09 20:09 · Score: 1
  
  oooh yes let's split hairs! while we're at it the Anonymous "hackers" are actually not hackers, they are "crackers"!
  Kind of a big hair there... One installs itself, and the other has to be installed by a user.
  That old distinction isn't really relevant anymore. What would you call Mac Flashback? (btw. the biggest malware epidemic in modern times in terms of percentage of user base infected, beat even Windows Conficker). There were versions of Mac Flashback that installed completely without user intervention or notice. And, "virus" of old isn't really the problem for Windows these days either.
6. Re: unpossible! by dbIII · 2014-02-09 20:39 · Score: 3, Interesting
  
  It's a metaphor for a big horse full of soldiers that opened a gate and let other stuff in so I think the AC has a valid point and your personal "textbook definition" does not.
  Just call it malware instead of trying to correct their use of the metaphor.
7. Re: unpossible! by Chrisq · 2014-02-09 20:52 · Score: 1
  
  In essence, its not even a trojan horse but an app that does hidden, malicious things.
  Im pretty sure you just gave us the textbook definition of what a trojan is.
  .
  Perhaps he was expecting a condom
8. Re:unpossible! by Rosyna · 2014-02-09 23:50 · Score: 3, Interesting
  
  To be fair, Apple does a hell of a lot to prevent user stupidity from installing Malware. Such as blacklisting known malware nearly immediately (as soon as Apple reverse engineers it, its signature is pushed out to ever mac user via a list that is updated every 24 hours).
  The sad thing is and a major security flaw of Apple's is that they create trust with third parties based on code signing. This allows code signed malware to skip the normal malware checks in Mac OS X. (It's super trivial to get multiple code signing certs from Apple and Apple doesn't verify code certs applications for individuals)
9. Re:unpossible! by StripedCow · 2014-02-09 23:53 · Score: 1
  
  The platform is so locked-down, you can't even run malware.
  
  --
  If Pandora's box is destined to be opened, *I* want to be the one to open it.
10. Re:unpossible! by Number42 · 2014-02-10 00:16 · Score: 1
  
  Locked down? Only if you can't configure GateKeeper and/or can't read a few guides.
11. Re: unpossible! by Impy+the+Impiuos+Imp · 2014-02-10 01:09 · Score: 2
  
  The Trojan horse aspect is the social engineering bit, where you install something thinking it is ok when it is not.
  So he does have a point after all -- that's what this is.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
12. Re:unpossible! by monzie · 2014-02-10 02:25 · Score: 2
  
  You're so funny! I'd give you mod points if I weren't you.
13. Re: unpossible! by danceswithtrees · 2014-02-10 03:09 · Score: 1
  
  Horse size?
14. Re:unpossible! by smash · 2014-02-10 04:00 · Score: 1
  
  The whole point of code signing is that it relies on a chain of trust. As soon as your cert is used for any malware and that gets back to apple it will be revoked. This is the same for Windows.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
15. Re: unpossible! by Ralph+Wiggam · 2014-02-10 04:17 · Score: 2
  
  There are no viruses. Learn the difference between a virus and a trojan horse.
  Your semantics aren't going to get those bitcoins back.
16. Re:unpossible! by slashmydots · 2014-02-10 05:22 · Score: 1
  
  Just like there are no proper removal or diagnostic tools for Mac either! Well, that one's actually true. Good luck to all you overpaying, elitist douchebags who bought a mac. Still think you're so much better than everyone else? All I have to say is Abra-cadabra-CUDA-support...POOF, there went your alleged advantage almost a decade ago. It's magic!
17. Re: unpossible! by Ralph+Wiggam · 2014-02-10 05:33 · Score: 1
  
  The fact is that a bunch of Mac users who thought their systems were secure, rightly or wrongly, lost a bunch of money.
18. Re: unpossible! by BasilBrush · 2014-02-10 05:44 · Score: 1
  
  What, that's the only fact you can see? How small minded of you.
19. Re:unpossible! by Anonymous Coward · 2014-02-10 06:10 · Score: 1
  
  They are! Let's see the victims try to get their money back. They can't, it's securely stolen.
  No chargebacks, bitch!
20. Re: unpossible! by LordLimecat · 2014-02-10 10:25 · Score: 1
  
  The widespread definition of a trojan is an application with a known function which has been repackaged with hidden, malicious / subversive functionality in addition to the normal functionality. Think AIM.exe which allows you to chat with buddies, but also opens a reverse SSH connection to the attacker.
  I wasnt being facetious: GP was literally describing what a trojan "malware" is. The term is ancient, and so is the definition. Malware is a relatively recent, fairly ambiguous term: I'm not sure Ive ever heard a solid definition for what is and is not malware. AFAIK malware is "stuff I dont like" and sometimes includes spyware/adware, and sometimes does not.
  
  instead of trying to correct their use of the metaphor.
  So because some ignorant AC wants to misuse technical terms, I should simply abandon all precise terminology so that he doesnt feel totally left out? Yea, sorry, no thanks.
21. Re: unpossible! by Plumpaquatsch · 2014-02-19 04:01 · Score: 1
  
  The fact is that a bunch of Mac users who thought their systems were secure, rightly or wrongly, lost a bunch of money.
  Those would be the handful of morons who bought into BitCoins in the first place.
  
  --
  Of course news about a fake are Fake News.
Slashcott! by LaminatorX · 2014-02-09 17:43 · Score: 3, Insightful

This site used to be great. Even in it's latter days, it's been good. That is poised to change. Before long, it will be mediocre, and ordinary.
I didn't see a problem when Dice Holdings initially bought Slashdot. I figured there would be efforts to drive nerd traffic towards their job listings and such. That was fine. We all need jobs.
Things have changed now. Beyond the shifts in story choices, the slashvertisements, and so on, something fundamental has changed: Slashdot's owners do not appreciate it.
Their recent financials show that they have written its value as an asset down to zero. They have legally claimed it to be worthless. That is at the root of what is happening now. They want to fundamentally change the nature of this site in order to remake it into something with big growth potential.
Beta is just the latest symptom of this disease. It will not be the last. In striving to make it into a site that will bring them a growing user base and growing revenue per user, they have shown a willingness to dumb down the interface in the name of making it more accessible to newcomers, to cast aside essential elements of decade-spanning community culture, and to plow ahead with changes in the face of overwhelmingly negative user feedback.
This is not going to change. This will not go away. I will not support it.
I will be gone for this entire week, in protest. While away, I will work to create a new community where things can be run with quality user discussions as the paramount objective.
Be seeing you.
1. Re:Slashcott! by Anonymous Coward · 2014-02-09 17:53 · Score: 1
  
  I will work to create a new community where things can be run with quality user discussions as the paramount objective..
  Where? I might want to join.
2. Re:Slashcott! by LaminatorX · 2014-02-09 17:59 · Score: 3, Informative
  
  Wohoo, two minutes left, I can reply.
  http://www.soylentnews.org/wik...
  www.soylentnews.org/Forum/
  http://webchat.freenode.net/ channel ##altslashdot.
  Out.
3. Re:Slashcott! by pitchpipe · 2014-02-09 18:00 · Score: 1
  
  I will be gone for this entire week, in protest.
  Same. I hope that we can then see incremental improvements to this site taking into consideration feedback from the users/contributors, and that they can then drop the mentality that we are just eyeballs to put as many advertising dollars in front of. Sadly, I'm not hopeful.
  See you in a week, I'm out.
  
  --
  Look where all this talking got us, baby.
4. Re:Slashcott! by gnoshi · 2014-02-09 18:29 · Score: 1
  
  Call me when soylentnews.org points to a news site.
5. Re:Slashcott! by dbIII · 2014-02-09 20:41 · Score: 1
  
  How many times do we have to read this "final message"?
6. Re:Slashcott! by TubeSteak · 2014-02-09 21:00 · Score: 4, Interesting
  
  http://www.diceholdingsinc.com/phoenix.zhtml?c=211152&p=irol-newsArticle&ID=1896508
  Feb. 4, 2014
  
  Recent Developments
  Slashdot Media was acquired to provide content and services that are important to technology professionals in their everyday work lives and to leverage that reach into the global technology community benefiting user engagement on the Dice.com site. The expected benefits have started to be realized at Dice.com. However, advertising revenue has declined over the past year and there is no improvement expected in the future financial performance of Slashdot Media's underlying advertising business. Therefore, $7.2 million of intangible assets and $6.3 million of goodwill related to Slashdot Media were reduced to zero.
  
  Be seeing you.
  
  --
  [Fuck Beta]
  o0t!
7. Re:Slashcott! by rainhill · 2014-02-09 21:05 · Score: 1
  
  >> I will work to create a new community where things can be run with quality user discussions as the paramount objective.
  and before long, you will be cashing out too... CmdrTaco did.
  oooh the $weet money.
  change is the only constant, as someone once said. Dice saw the high-flying twitters and facebooks, and said; hey, how to increase slashdot users, to make more money? how? how? howwww?
  all this, is only natural.
8. Re:Slashcott! by drinkypoo · 2014-02-10 01:36 · Score: 1
  
  I read that over and over again and I figured out what that paragraph actually means. It means that they are liars. Advertising revenue has declined, so they are claiming that it is zero. Meanwhile, they have grossly overvalued Slashdot, so this lie follows an earlier lie. Send in the clowns [at the SEC!]
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
9. Re:Slashcott! by gnoshi · 2014-02-10 14:24 · Score: 1
  
  If the net effect of beta is fucktards like you going elsewhere, it might be a net positive outcome.
10. Re:Slashcott! by Raenex · 2014-02-11 14:56 · Score: 1
  
  Slashdot is dying. Diceholdings Inc. confirms it.
There can be but damage is more limiting by SuperKendall · 2014-02-09 18:28 · Score: 3, Informative

Everyone has known forever you can have malware on a Mac. That's hardly a surprise.
But malware is more limited on a Mac than other systems - for one thing no users run as admin as they do on Windows.
Also with Mavericks gatekeeper would preset you with a nice juicy dialog preventing you from running this untrusted and unsigned malware. You would have to take several steps of your own volition to run it at all...
You Mac haters are saying you don't want the Mac to turn into iOS. Well which is it? Let users run unapproved software after several "Are you sure" kinds of stopping points? Or only allow signed binaries on the system?
Make up your mind.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:There can be but damage is more limiting by tlhIngan · 2014-02-09 18:44 · Score: 4, Informative
  
  Also with Mavericks gatekeeper would preset you with a nice juicy dialog preventing you from running this untrusted and unsigned malware. You would have to take several steps of your own volition to run it at all...
  You Mac haters are saying you don't want the Mac to turn into iOS. Well which is it? Let users run unapproved software after several "Are you sure" kinds of stopping points? Or only allow signed binaries on the system?
  All the Apple haters have missed the fact that Gatekeeper is remarkably balanced. You can choose - go all the way with a walled garden, all the way with unsigned binaries, or go walled garden with the option to allow people to sign the code (semi-walled garden) (the default setting, too).
  It costs a developer $99, or for orgs like Mozilla, they have two from Apple - a production signing version and a beta signing version, in case either one gets revoked for whatever reason.
  But it allows apps that doesn't require Apple to approve - the developer buys a cert and Apple has no say in what it's used to sign. Of course, if it's hacked or stolen, Apple can revoke it (happened a few times already when some trojan hijacked a developer's certificate - Apple revoked it and that trojan couldn't run easily anymore).
  Of course, there's another subtlety that is not mentioned about Gatekeeper - it only triggers on stuff downloaded from the Internet. The output of your program you just compiled? Will not trigger Gatekeeper as it's assumed the dev tools are "safe".
  And since developers need to develop, and companies like Adobe, Microsoft and others need to get around the App Store limitations (or even Autodesk, who wants to use the App Store, but finds the $999.99 max price limiting), ensures the Mac will never "close off" and be walled like iOS. After all, on a Mac, it needs to run untrusted binaries somehow in order for developers to well, develop.
  That, and it's so bloody easy to jailbreak a Mac if you really needed to - just pop out the hard drive, or plug it into the PCIe slot in your PC. Or just run Windows and a Windows based jailbreak app. Or Linux.
2. Re:There can be but damage is more limiting by Plumpaquatsch · 2014-02-09 20:11 · Score: 1
  
  "You Mac haters are saying you don't want the Mac to turn into iOS."
  That statement doesn't make sense. It implies that the "haters" think that Mac OS X is a good thing.
  Who ever said Mac haters make any sense? It is their claim after all.
  
  --
  Of course news about a fake are Fake News.
3. Re:There can be but damage is more limiting by Boronx · 2014-02-10 01:29 · Score: 2
  
  Macs let you sudo any time an application requests, which is pretty much the same as Windows. Even an admin account in windows will at least force you to click through if an application wants to make admin privileged changes.
  In both systems a lot of legitimate installs need this, so unwary users get used to allowing new programs admin/root access.
  
  --
  Play Command HQ online
4. Re:There can be but damage is more limiting by BasilBrush · 2014-02-10 05:01 · Score: 2
  
  Macs let you sudo any time an application requests, which is pretty much the same as Windows. Even an admin account in windows will at least force you to click through if an application wants to make admin privileged changes.
  OSX does more than make you "click through". Privileged operations require a password.
Using unsigned apps to handle your money? by Burz · 2014-02-09 20:01 · Score: 1

Brilliant!
OK, I'm assuming here that the app is unsigned. Its interesting that reporters at security news sites don't seem to care.
Doing it the lazy way by dbIII · 2014-02-09 20:31 · Score: 1

The obvious way to corner the bitcoin "market" now is distributed malware to "mine" the coins instead of stealing them.
Two Step by Cruciform · 2014-02-09 21:45 · Score: 1

Any of the big exchanges (and most of the medium sized ones) offer two step authentication. If someone is storing coins online, whether at an exchange or in an online wallet, then two step auth is mandatory.
Seeing how sites can vanish overnight I wouldn't advise using an online wallet anyway. Keep a personal encrypted wallet, and only move coins on to exchanges long enough to do transactions.
No... by SuperKendall · 2014-02-09 22:18 · Score: 1

That statement doesn't make sense. It implies that the "haters" think that Mac OS X is a good thing.
Mac haters use any possible excuse why they do not run a Mac, and that is one of them (they claim it is "turning into iOS" when plainly that is not the case).
Also as the other responder noted, the traditional Apple Hater is short of reason as it is so you attempt to apply logic to behavior is dubious at best.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
OSX/CoinThief ??? by gnasher719 · 2014-02-09 22:21 · Score: 1

Isn't that a bit of a giveaway, if you write a Trojan and call it OSX/CoinThief? I know there are people out there who think people buying Macs do so because they are too stupid to handle real computers, but nobody could possibly think they are stupid enough to install an app called OSX/CoinThief? Is that how the trojan was found? Someone thought the name is a bit suspicious and started looking?
1. Re:OSX/CoinThief ??? by silverdr · 2014-02-09 23:01 · Score: 1
  
  Some people are too stupid to handle "real" computers and some are too stupid to learn how malware is classified and what a malware index is. Hint: OSX/CoinThief.A is NOT a name of the program in question.
  
  --
  Now, mod me down freely. My karma can't get any worse...
2. Re:OSX/CoinThief ??? by mellyra · 2014-02-10 01:43 · Score: 2
  
  Isn't that a bit of a giveaway, if you write a Trojan and call it OSX/CoinThief? I know there are people out there who think people buying Macs do so because they are too stupid to handle real computers, but nobody could possibly think they are stupid enough to install an app called OSX/CoinThief? Is that how the trojan was found? Someone thought the name is a bit suspicious and started looking?
  OSX/CoinThief.A is the name the security reseachers gave the trojan. The actual application was called StealthBit.
3. Re:OSX/CoinThief ??? by Farmer+Pete · 2014-02-10 02:07 · Score: 1
  
  I don't think I would install an application called StealthBit either. Sounds like an accident waiting to happen.
Bitcoins? Thank God! by oscrivellodds · 2014-02-10 00:39 · Score: 1

For a moment I thought we were talking about MONEY!
Re:Beta Fightback by ITMagic · 2014-02-10 00:44 · Score: 1

Whilst I, like every else here, seem to hate the changes being made here, are all the people here who post complaints here totally IT incapable?
If anyone here reads /. using firefox, it doesn't take a huge degree of effort to edit the HTML 'on the fly', and strip out all the offensive code. Has anyone looked at the RSS feed lately? It is abominable!
SOLUTION: Install Stylish, and voila. Complete control to throw away all the crap.
We probably should set up a community-driven recipe that everyone can download without the hassle of writing their own recipe. I *might* try to get round to doing this in a day or so... No promises, though.
But Bitcoin is just like currency... by Jawnn · 2014-02-10 04:47 · Score: 1

...only better.

Uh-huh. Sure.
1. Re:But Bitcoin is just like currency... by dk20 · 2014-02-10 07:44 · Score: 1
  
  Seems its "Greatest strength" is also its greatest weakness (anonymous transfers)?
  
  Had this been a case of your money being stolen from a real bank you would have several methods of recourse.
2. Re:But Bitcoin is just like currency... by Algae_94 · 2014-02-10 08:28 · Score: 2
  
  Said the guy who never had fraudulent charges reversed on a credit card. Try doing that with cash.
  
  There are definite negatives to using credit cards, but they have advantages as well.
Re:Bitcoins? Thank God! by tompaulco · 2014-02-10 05:04 · Score: 1

Yes, as we all well know, bitcoins are worthless and so therefore nobody would ever steal them and so therefore this whole article is a lie from Satan.

--
If you are not allowed to question your government then the government has answered your question.
No, some things will not run by SuperKendall · 2014-02-10 18:51 · Score: 1

Macs let you sudo any time an application requests
Some things will not launch at all unless you disable, or work around gatekeeper. If I download an unsigned executable I cannot just run it, I have to right-click and select open to force Gatekeeper to run it. That's a pretty good default level of security.
Then after that point - yes an application can request further access, but it's a pretty glaring thing to pull up the password prompt. Even non technical users would think a little about why that was happening.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Re:Bitcoins? Thank God! by mark_reh · 2014-02-11 06:20 · Score: 1

A few misguided or otherwise benighted induhviduals who believe Bitcoin is money doesn't make it so.
Re:Buck feta by bkcallahan · 2014-02-11 07:27 · Score: 1

"Do you mean WinXP or Win8?"
Yes.