Topic: Bitcoin: Multibit Wallet Memory Exploit Proof of Concept (Read 1242 times)

While it is easy to say "The same results can be gotten with a keylogger".

This is obviously BS.

There is no way that a program could get whatever wallet service to send TXs like that. The "hackers" would not only need to be stupid enough to have a wallet with 100+ bicoin on the same computer that they use to hack with but also have no password on their wallet.

Looks like the exploit and proof of concept already exist. Saw this (http://www.reddit.com/r/Bitcoin/comments/27hyyl/how_i_stole_over_100_btc_from_thieves/ ) a couple of weeks ago and thought it was BS before reading the OP. My guess is that the exploit exists and is being used. I'm pretty sure that the guy that actually got refunded is a member here (nekomata).

FWIW: I suggest using blockchain.info (hot wallet), QT (heavy users), and cold storage (savings).

True and this is why I don't use any computers for any activities related to bitcoins or my accounts on various sites.

Most large companies have the ability to run a "keylogger" on any of it's computers at any time. They could simply wait until the user types in their password and have the actual password instead of a hash of a password.

   The idea behind this research on the largely unknown field of “Bitcoin Forensics” arose from analysis of a similar vulnerability found within the encryption software TrueCrypt. This susceptibility within TrueCrypt allowed anyone with administrative access, to image memory (the fixed value of physical memory within the computer) and actually find a hash of the users password within the memory dump. From here the attacker could then run the hash against a word list or other cracking attacks to retrieve the password. When I started looking into this idea I thought it would be interesting to duplicate this on an application that holds a fair amount of value in the eyes of the public. The fact that “Bitcoin Forensics” is a fairly novel field made it a great place to start exploring.

   Because I wanted a wallet that was simple and easy to use for starters, I looked up some reviews online which led me to the open source wallet Multibit. After I downloaded and played with the tool, I tried to understand which parts of the program required the user to input the password to complete a function. I found four; encrypting the wallet with a password, changing the wallet password, changing the wallets public address (it's public identity to other users on the bitcoin network), and sending bitcoins to other users on the network. Luckily what I found in memory was more than I expected (more to come on this).

   Imagine you are a network engineer/administrator/computer security *insert job title here* and you notice traffic on port 8333. You find this peculiar because you know that your company does not do any type of business with bitcoins and employees are never encouraged to download any software irrelevant to their work. You pinpoint which computer the traffic is coming from and you go to the employee’s desk to see what the employee is doing. The employee denies any use of such software, however the administrator sees that a bitcoin wallet has been installed on the computer, specifically Multibit. How can the investigator find out what the employee has been doing, why he/she is receiving money, who he/she is sending money to etc. (all on the company’s network), especially when the wallet is encrypted, and the employee refuses to give up the password?

http://sjpcomsec.blogspot.in/