Topic: Possible litecoin trojan horse attack on os x (Read 1046 times)

legendary
Activity: 1205
Merit: 1010

On May 10th, all of my bitcoins were transferred out of my wallet in this transaction
761ca847529a3087c5d71b24bd93ab242d2a7b64dd96522204cc10d233aeb0fa


Look in your bitcoin debug.log, search for this transaction id. If the transaction was sent from your mac, the log should contain some message about creating the transaction, before receiving the block that contains the transaction. If this is the case, it confirms that your mac was compromised.

If the transaction was sent from other nodes, then your log would show reception of the transaction from the network, followed by reception of the block and then processing of the transaction, with no transaction creation before the block is received. Although in this case it doesn't exclude the possibility that your wallet.dat was first copied from your mac and then the transaction was sent from other nodes.
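As a worked version of the debug.log check described in this post (an added example, not code from the thread or from the Bitcoin client): a small Python triage script that scans a log for the transaction id and reports whether the local wallet created the transaction before the block containing it arrived. The sample log lines are constructed, and their message formats (CommitTransaction, CTransaction(hash=...), Relaying wtx, received block) are assumed approximations of Bitcoin-Qt output, not exact client strings.

```python
import re

# Transaction id quoted in the thread.
TXID = "761ca847529a3087c5d71b24bd93ab242d2a7b64dd96522204cc10d233aeb0fa"

# Assumed markers: lines the wallet writes when it builds/relays its own tx,
# and lines written when a block arrives from the network.
CREATE_MARKERS = ("CommitTransaction", "CTransaction(hash=", "Relaying wtx")
BLOCK_MARKERS = ("received block", "ProcessBlock")

# Constructed sample excerpts (not real logs). Hashes are abbreviated the way
# the client's ToString() output is assumed to abbreviate them.
SAMPLE_LOG_LOCAL = """\
05/10/13 14:02:11 CommitTransaction:
05/10/13 14:02:11 CTransaction(hash=761ca847529a, ver=1, vin.size=3, vout.size=1)
05/10/13 14:02:11 AddToWallet 761ca847529a  new
05/10/13 14:02:12 Relaying wtx 761ca847529a
05/10/13 14:09:40 received block 00000000000001a2
05/10/13 14:09:41 AddToWallet 761ca847529a  update
"""
SAMPLE_LOG_REMOTE = """\
05/10/13 14:02:30 received tx 761ca847529a from 203.0.113.7
05/10/13 14:02:30 AddToWallet 761ca847529a  new
05/10/13 14:09:40 received block 00000000000001a2
05/10/13 14:09:41 AddToWallet 761ca847529a  update
"""

def _mentions(line, txid):
    """True if the line carries the full txid or a hex prefix of it (>= 10 chars)."""
    return any(txid.startswith(tok) for tok in re.findall(r"[0-9a-f]{10,64}", line))

def classify(log_text, txid):
    """Return (verdict, evidence). 'local' = the wallet built the tx before any
    block was received (machine compromised); 'remote' = the tx only appears
    as received from the network, which does NOT rule out a stolen wallet.dat
    spent elsewhere; 'unknown' = txid never appears in this log."""
    evidence, block_seen, created_before_block = [], False, False
    for n, line in enumerate(log_text.splitlines(), 1):
        if any(m in line for m in BLOCK_MARKERS):
            block_seen = True
        if not _mentions(line, txid):
            continue
        evidence.append((n, line.strip()))
        if not block_seen and any(m in line for m in CREATE_MARKERS):
            created_before_block = True
    if not evidence:
        return "unknown", evidence
    return ("local" if created_before_block else "remote"), evidence

if __name__ == "__main__":
    for name, log in (("local", SAMPLE_LOG_LOCAL), ("remote", SAMPLE_LOG_REMOTE)):
        verdict, lines = classify(log, TXID)
        print(f"{name} sample -> {verdict}; {len(lines)} matching line(s)")
```

To run it on a real log, replace the sample text with the contents of ~/Library/Application Support/Bitcoin/debug.log and check the evidence lines by hand, since the markers are only approximations.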
member
Activity: 65
Merit: 10
Now it is totally possible that this wasn't a trojan horse. I do backup my unencrypted wallet in Dropbox, and maybe someone in Dropbox has compromised it (happened in Linode before).
Important data should always be encrypted, unless it's off-line in a secure location. I always feel dread when I have to enter the password for my wallet.
legendary
Activity: 1050
Merit: 1002
The following is an Alt-coin forum sticky from Gavin in 2011:


[...]

Just sayin

The part you bolded especially refers to brand-new blockchains. Litecoin is anything but that by now. If the software was downloaded from the official Litecoin website, then it's highly unlikely it was infected. If it was, then many people will be falling victim to it.

I'd do a thorough malware check on the machine, possibly reinstalling the OS. While there is significantly less malware for OSX compared to Windows, it does exist.

I know it refers to brand new block chains, but Gavin's post was made in 2011 when Litecoin was one (can't remember exactly when LTC started).

My point isn't about age of the block chain, it's about being skeptical of anything removed from the core trust given to Bitcoin development. As the OP notes the address his funds were sent to has something like $50000 in it, so maybe more people are victims; some issues take longer than others to develop. In other words, I'd assume anything NOT Bitcoin software to contain trojans, just to be on the safe side until I could confirm that wasn't the case. That's essentially Gavin's message.
hero member
Activity: 540
Merit: 500
The future begins today
You really should not do that.  Dropbox has been compromised in the past as well.  If you want to use any cloud service to back up wallets, be sure you use one of the ones that does zero-knowledge backups at least, like SpiderOak.

Also, to improve your safety, you should encrypt it with TrueCrypt on your client side.
sr. member
Activity: 574
Merit: 250

Now it is totally possible that this wasn't a trojan horse. I do backup my unencrypted wallet in Dropbox, and maybe someone in Dropbox has compromised it (happened in Linode before).


You really should not do that.  Dropbox has been compromised in the past as well.  If you want to use any cloud service to back up wallets, be sure you use one of the ones that does zero-knowledge backups at least, like SpiderOak.
hero member
Activity: 540
Merit: 500
The future begins today
Please post an MD5 checksum of the binary you downloaded and used (if you still have it, litecoin-0.6.3c-macosx.dmg; otherwise don't redownload it).

You are making a very serious claim, support it with proofs.

Edit: OP, your Mac could be infected with something else. Did you install anything else during this incident?
hero member
Activity: 728
Merit: 500
The following is an Alt-coin forum sticky from Gavin in 2011:


[...]

Just sayin

The part you bolded especially refers to brand-new blockchains. Litecoin is anything but that by now. If the software was downloaded from the official Litecoin website, then it's highly unlikely it was infected. If it was, then many people will be falling victim to it.

I'd do a thorough malware check on the machine, possibly reinstalling the OS. While there is significantly less malware for OSX compared to Windows, it does exist.
hero member
Activity: 1395
Merit: 505
$50,000 worth??  Ouch, very sorry to hear that; hope you track down what happened.

I run everything I download in Sandboxie to be safe.
legendary
Activity: 1050
Merit: 1002
The following is an Alt-coin forum sticky from Gavin in 2011:

I haven't seen anybody post about what would be my biggest worry if I were trying out alternative block chains. I realize this may be perceived as "Gavin is FUD'ding anything that isn't bitcoin!"  (FUD == Fear, Uncertainty and Doubt)  But I think some of you might be forgetting some basic computer security fundamentals in the excitement to be early adopters.

When I first heard about bitcoin, my questions were:

1) Can it possibly work (do the ideas for how it works make sense)?
2) Is it a scam?
3) If it is not a scam, could it open my computer up to viruses/trojans if I run it?

I answered those questions by:

1) Reading and understanding Satoshi's whitepaper.  Then thinking about it for a day or two and reading it again.
2) Finding out everything I could about the project.  I read every forum thread here (there were probably under a hundred threads back then) and read Satoshi's initial postings on the crypto mailing list.
3) Downloaded and skimmed the source code to see if it looked vulnerable to buffer overflow or other remotely exploitable attacks.

If I were going to experiment with an alternative block-chain, I'd go through the same process again. But I'm an old conservative fuddy-duddy.

If you want to take a risk on a brand-new alternative block-chain, I'd strongly suggest that you:

1) Run the software in a virtual machine or on a machine that doesn't contain anything valuable.
2) Don't invest more money or time than you can afford to lose.
3) Use a different passphrase at every exchange site.



Just sayin
hero member
Activity: 533
Merit: 501
(note: this is not likely on the main litecoin app, but I think it is on the Scrypt Miner)

So I haven't opened up my bitcoin client in about 2 weeks, and I am on a Mac.

On May 8th I decided to try my hand at litecoin mining.

I installed the normal litecoin app:
https://github.com/downloads/litecoin-project/litecoin/litecoin-0.6.3c-macosx.dmg
but that didn't start mining for me (turns out I just needed to tweak some settings).

I also installed this:
https://github.com/downloads/litecoin-project/litecoin/Scrypt%20Miner%20GUI%20-%20OSX.zip
Which is Scrypt miner.

Both of these are in the download links on the litecoin website.

On May 10th, all of my bitcoins were transferred out of my wallet in this transaction
761ca847529a3087c5d71b24bd93ab242d2a7b64dd96522204cc10d233aeb0fa

Which appears to have ended up at this address
http://blockexplorer.com/address/14j73fVVomPRpfzxb9DmYQQy7sFZj626a8

Which has about $50000 worth of bitcoins on it.

Now it is totally possible that this wasn't a trojan horse. I do backup my unencrypted wallet in Dropbox, and maybe someone in Dropbox has compromised it (happened in Linode before).

I don't see any other practical ways I was attacked, but the timing with the litecoin thing seems way too close for me, and it could have been the scrypt miner that had the backdoor in it. The miner app crashed immediately after I ran it.

If anyone has the capabilities to test this, it would be really great for the community. I think the best test would be for someone to run the app on a test machine and see if it makes any network requests that transfer private keys from a wallet. I am out about 20 bitcoins (or about $2000), which totally sucks for me, but it looks like this hacker is raking in a lot more than my little score.

If anyone wants to toss some replacement bitcoins my way, this address is secure:
1F7qFmjtYKCC9joH5FmeALHPNJKLscPLGZ

Thanks,
Rob