Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Bitcoin Stealing Trojan Horse Called OSX/CoinThief Discovered

Posted by timothy on from the willie-sutton-principle dept.

An anonymous reader writes "SecureMac.com has discovered a new trojan horse for Mac OS X called OSX/CoinThief.A, which spies on web traffic to steal Bitcoins. This malware has been found in the wild, along with numerous reports of stolen coins. The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web traffic in order to steal login info for Bitcoin wallets."

17 of 108 comments (clear)

  1. unpossible! by Anonymous Coward · · Score: 4, Funny

    There's no such thing as malware for Mac and there never has been.

    1. Re: unpossible! by LordLimecat · · Score: 4, Informative

      In essence, its not even a trojan horse but an app that does hidden, malicious things.

      Im pretty sure you just gave us the textbook definition of what a trojan is.

      > 1 million malware

      With such accurate facts (there are more than a million "malwares" for Unix as well) Im sure you are well qualified to make such a determination.

    2. Re:unpossible! by smash · · Score: 3, Insightful

      Trojan horses / user stupidity are OS independent.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    3. Re: unpossible! by dbIII · · Score: 3, Interesting

      It's a metaphor for a big horse full of soldiers that opened a gate and let other stuff in so I think the AC has a valid point and your personal "textbook definition" does not.
      Just call it malware instead of trying to correct their use of the metaphor.

    4. Re:unpossible! by Rosyna · · Score: 3, Interesting

      To be fair, Apple does a hell of a lot to prevent user stupidity from installing Malware. Such as blacklisting known malware nearly immediately (as soon as Apple reverse engineers it, its signature is pushed out to ever mac user via a list that is updated every 24 hours).

      The sad thing is and a major security flaw of Apple's is that they create trust with third parties based on code signing. This allows code signed malware to skip the normal malware checks in Mac OS X. (It's super trivial to get multiple code signing certs from Apple and Apple doesn't verify code certs applications for individuals)

    5. Re: unpossible! by Impy+the+Impiuos+Imp · · Score: 2

      The Trojan horse aspect is the social engineering bit, where you install something thinking it is ok when it is not.

      So he does have a point after all -- that's what this is.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    6. Re:unpossible! by monzie · · Score: 2

      You're so funny! I'd give you mod points if I weren't you.

    7. Re: unpossible! by Ralph+Wiggam · · Score: 2

      There are no viruses. Learn the difference between a virus and a trojan horse.

      Your semantics aren't going to get those bitcoins back.

  2. Slashcott! by LaminatorX · · Score: 3, Insightful

    This site used to be great. Even in it's latter days, it's been good. That is poised to change. Before long, it will be mediocre, and ordinary.

    I didn't see a problem when Dice Holdings initially bought Slashdot. I figured there would be efforts to drive nerd traffic towards their job listings and such. That was fine. We all need jobs.

    Things have changed now. Beyond the shifts in story choices, the slashvertisements, and so on, something fundamental has changed: Slashdot's owners do not appreciate it.

    Their recent financials show that they have written its value as an asset down to zero. They have legally claimed it to be worthless. That is at the root of what is happening now. They want to fundamentally change the nature of this site in order to remake it into something with big growth potential.

    Beta is just the latest symptom of this disease. It will not be the last. In striving to make it into a site that will bring them a growing user base and growing revenue per user, they have shown a willingness to dumb down the interface in the name of making it more accessible to newcomers, to cast aside essential elements of decade-spanning community culture, and to plow ahead with changes in the face of overwhelmingly negative user feedback.

    This is not going to change. This will not go away. I will not support it.

    I will be gone for this entire week, in protest. While away, I will work to create a new community where things can be run with quality user discussions as the paramount objective.

    Be seeing you.

    1. Re:Slashcott! by LaminatorX · · Score: 3, Informative

      Wohoo, two minutes left, I can reply.
      http://www.soylentnews.org/wik...
      www.soylentnews.org/Forum/
      http://webchat.freenode.net/ channel ##altslashdot.

      Out.

    2. Re:Slashcott! by TubeSteak · · Score: 4, Interesting

      http://www.diceholdingsinc.com/phoenix.zhtml?c=211152&p=irol-newsArticle&ID=1896508
      Feb. 4, 2014

      Recent Developments

      Slashdot Media was acquired to provide content and services that are important to technology professionals in their everyday work lives and to leverage that reach into the global technology community benefiting user engagement on the Dice.com site. The expected benefits have started to be realized at Dice.com. However, advertising revenue has declined over the past year and there is no improvement expected in the future financial performance of Slashdot Media's underlying advertising business. Therefore, $7.2 million of intangible assets and $6.3 million of goodwill related to Slashdot Media were reduced to zero.

      Be seeing you.

      --
      [Fuck Beta]
      o0t!
  3. There can be but damage is more limiting by SuperKendall · · Score: 3, Informative

    Everyone has known forever you can have malware on a Mac. That's hardly a surprise.

    But malware is more limited on a Mac than other systems - for one thing no users run as admin as they do on Windows.

    Also with Mavericks gatekeeper would preset you with a nice juicy dialog preventing you from running this untrusted and unsigned malware. You would have to take several steps of your own volition to run it at all...

    You Mac haters are saying you don't want the Mac to turn into iOS. Well which is it? Let users run unapproved software after several "Are you sure" kinds of stopping points? Or only allow signed binaries on the system?

    Make up your mind.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:There can be but damage is more limiting by tlhIngan · · Score: 4, Informative

      Also with Mavericks gatekeeper would preset you with a nice juicy dialog preventing you from running this untrusted and unsigned malware. You would have to take several steps of your own volition to run it at all...

      You Mac haters are saying you don't want the Mac to turn into iOS. Well which is it? Let users run unapproved software after several "Are you sure" kinds of stopping points? Or only allow signed binaries on the system?

      All the Apple haters have missed the fact that Gatekeeper is remarkably balanced. You can choose - go all the way with a walled garden, all the way with unsigned binaries, or go walled garden with the option to allow people to sign the code (semi-walled garden) (the default setting, too).

      It costs a developer $99, or for orgs like Mozilla, they have two from Apple - a production signing version and a beta signing version, in case either one gets revoked for whatever reason.

      But it allows apps that doesn't require Apple to approve - the developer buys a cert and Apple has no say in what it's used to sign. Of course, if it's hacked or stolen, Apple can revoke it (happened a few times already when some trojan hijacked a developer's certificate - Apple revoked it and that trojan couldn't run easily anymore).

      Of course, there's another subtlety that is not mentioned about Gatekeeper - it only triggers on stuff downloaded from the Internet. The output of your program you just compiled? Will not trigger Gatekeeper as it's assumed the dev tools are "safe".

      And since developers need to develop, and companies like Adobe, Microsoft and others need to get around the App Store limitations (or even Autodesk, who wants to use the App Store, but finds the $999.99 max price limiting), ensures the Mac will never "close off" and be walled like iOS. After all, on a Mac, it needs to run untrusted binaries somehow in order for developers to well, develop.

      That, and it's so bloody easy to jailbreak a Mac if you really needed to - just pop out the hard drive, or plug it into the PCIe slot in your PC. Or just run Windows and a Windows based jailbreak app. Or Linux.

    2. Re:There can be but damage is more limiting by Boronx · · Score: 2

      Macs let you sudo any time an application requests, which is pretty much the same as Windows. Even an admin account in windows will at least force you to click through if an application wants to make admin privileged changes.

      In both systems a lot of legitimate installs need this, so unwary users get used to allowing new programs admin/root access.

      --
      Play Command HQ online
    3. Re:There can be but damage is more limiting by BasilBrush · · Score: 2

      Macs let you sudo any time an application requests, which is pretty much the same as Windows. Even an admin account in windows will at least force you to click through if an application wants to make admin privileged changes.

      OSX does more than make you "click through". Privileged operations require a password.

  4. Re:OSX/CoinThief ??? by mellyra · · Score: 2

    Isn't that a bit of a giveaway, if you write a Trojan and call it OSX/CoinThief? I know there are people out there who think people buying Macs do so because they are too stupid to handle real computers, but nobody could possibly think they are stupid enough to install an app called OSX/CoinThief? Is that how the trojan was found? Someone thought the name is a bit suspicious and started looking?

    OSX/CoinThief.A is the name the security reseachers gave the trojan. The actual application was called StealthBit.

  5. Re:But Bitcoin is just like currency... by Algae_94 · · Score: 2

    Said the guy who never had fraudulent charges reversed on a credit card. Try doing that with cash.

    There are definite negatives to using credit cards, but they have advantages as well.