Topic: Possible litecoin trojan horse attack on os x (Read 1044 times)

Look in your bitcoin debug.log, search for this transaction id. If the transaction was sent from your mac, the log should contain some message about creating the transaction, before receiving the block that contains the transaction. If this is the case, it confirms that your mac was compromised.

If the transaction was sent from other nodes, then your log would show reception of the transaction from network, followed by reception of the block and then process the transaction, no transaction creation before receiving the block. Although in this case it doesn't exclude the possibility that your wallet.dat was first copied from your mac and then the transaction was sent from other nodes.

Important data should be always encrypted, unless it's off-line in secure location. I always feel dread when I have to enter password for my wallet.

I know it refers to brand new block chains, but Gavin's post was made in 2011 when Litecoin was one (can't remember exactly when LTC started).

My point isn't about age of the block chain, it's about being skeptical of anything removed from the core trust given to Bitcoin development. As the OP notes the address his funds were sent to has something like $50000 in it, so maybe more people are victims; some issues take longer than others to develop. In other words, I'd assume anything NOT Bitcoin software to contain trojans, just to be on the safe side until I could confirm that wasn't the case. That's essentially Gavin's message.

Also to improve your safety you should also encrypt it with TrueCrypt on your client side.

You really should not do that.  Dropbox has been compromised in the past as well.  If you want to use any cloud service to back up wallets be sure you use on of the ones that does zero-knowledge backups at least, like SpiderOak.

Please post a md5 checksum of the binary you downloaded and used (if you still have it, litecoin-0.6.3c-macosx.dmg, otherwise don't redownload it).

You are making a very serious claim, support it with proofs.

Edit: OP, your Mac could be infected with something else. Did you installed anything else during this incident ?

The part you bolded especially refers to brand-new blockchains. Litecoin is anything but that by now. If the software was downloaded from the official Litecoin website, then it's highly unlikely it was infected. If it was, then many people will be falling victim to it.

I'd do a thorough malware check on the machine, possibly reinstalling the OS. While there is significantly less malware for OSX compared to Windows, it does exist.

$50,000 worth??  Ouch very sorry to hear that hope you track down what happened.

I run everything I download in sandboxie to be safe

The following is an Alt-coin forum sticky from Gavin in 2011:


Just sayin

(note: this is not likely on the main litecoin app, but I think it is on the Scrypt Miner)

So I haven't opened up my bitcoin client in about 2 weeks, and I am on a Mac.

On may 8th I decide to try my hand at litecoin mining.

I installed the normal litecoin app:
https://github.com/downloads/litecoin-project/litecoin/litecoin-0.6.3c-macosx.dmg
but that didn't start mining for me (turns out I just needed to tweak some settings).

I also installed this:
https://github.com/downloads/litecoin-project/litecoin/Scrypt%20Miner%20GUI%20-%20OSX.zip
Which is Scrypt miner.

Both of these are in the download links on the litecoin website.

On may 10th, all of my bitcoins were transfered out of my wallet in this transaction
761ca847529a3087c5d71b24bd93ab242d2a7b64dd96522204cc10d233aeb0fa

Which appears to have ended up at this address
http://blockexplorer.com/address/14j73fVVomPRpfzxb9DmYQQy7sFZj626a8

Which has about $50000 worth of bitcoins on it.

Now it it totally possible that that this wasn't a trojan horse. I do backup my unencrypted wallet in dropbox, and maybe someone in dropbox has compromised it (happened in linode before).

I don't see any other practical ways I was attacked, but the timing with the litecoin thing seems way too close for me, and it could have been the scrypt miner that had the backdoor in it. The miner app crashed immediately after I ran it.

If anyone has the capabilities to test this, it would be really great for the community. I think the best test would be for someone to run the the app on a test machine and see if it makes any network requests that transfer private keys from a wallet. I am out about 20 bitcoins (or about $2000), which totally sucks for me, but it looks like this hacker is raking in a lot more than my little score.

If anyone wants to toss some replacement bitcoins my way, this address is secure:
1F7qFmjtYKCC9joH5FmeALHPNJKLscPLGZ

Thanks,
Rob