Topic: Trojan Wallet stealer be careful - page 3. (Read 25869 times)

running avast internet security..with the latest definitions+windows 7 x64 up to date..firewall set to not allow ANY incoming connections..wallet encrypted..

safe enough?

The malicious .SCR trojan private messaged to members of this forum is identified as Induc.A on all the popular A/V products. It looks for wallet.dat to send via mail relay to hotmail drop as previously discussed. 

Looks like more and more bitcoin malware is popping up... everyone is running up-to-date anti-virus, right?

do not need optar, a freshly created wallet +and 7ziped and uuencoded fit easily in a qrcode...

Quite extreme but this is something I may use myself..I'm sure you know by now why. Time to print this.

Thanks!

I too support that idea. It is an excellent idea. It works along the same lines as PayPal secure key.

I would like to give a +1 to the USB key approach already suggested in a couple of the prior posts.

Whenever a new wallet.dat is created the client forces the creation of a USB key that must be plugged in whenever bitcoins are to be sent to another wallet.

You could use a 2GB SD card with a USB adapter for this because its cheap and has the added advantage of a write protect switch.

There is no reason I can think of that one SD card can't be used with multiple wallet.dat files and you should be able to copy one SD card to another for backup purposes.

To SEND any coins you have to enter your password AND plug the SD card into a USB port.

Bitcoin is a project in Beta, exactly the reason to test the system in the real world and arrive at the best possible solution. It is slightly in danger of falling victim to its own success.

I've been thinking about a long-term value storage solution.. These recent attacks are brutal, 25k coins is horrible, but it will be much more horrible in 10 years if I'm not mistaken.

Here's my current long-term bitcoin storage plan for the 'save for later' coins. I assume here that we are not paranoid about Chinese bootloaders.

1) Purchase new laptop / install clean and fresh Ubuntu onto formatted hard drive
2) download client. Do nothing else on computer
3) download block chain.
4) download optar, (about which more in a second)
5) From current, possibly insecure computer, send "storage" coins to minty fresh computer.

6) Disconnect new computer right after address generation and you have optar, and can see the the coins at least at 0/unconfirmed in the new wallet.
7) Backup the wallet onto the netbook drive, doesn't matter where.

Use optar to print out a PAPER archive of your wallet.dat file: (more here: http://ronja.twibright.com/optar/)
9) seal paper in pouch
10) safety deposit box
11) re-format hard drive of laptop.

You could GPG encrypt the wallet before it was optared, although then you'd need to remember the password for 20 years.

A brief description of optar: it prints scannable bitmaps onto paper. You can fit a few 100k per page with good error correction rates. Low acid paper plus laser printer = long, long term archival storage.

Thoughts?

+1 

Second factor just protects you if you've lost your password already. Once you've logged in to the bank a Trojan can still send the bank fake transactions.

In the same way a second factor may help protect your encrypted wallet in bitcoin but once the wallet is open a Trojan can read the secret keys and send them.

We need a solution that places decrypting the keys and the transaction signing process in a safe place, like a dongle you plug in to your USB port. The cleartext keys are never in your computer, so a Trojan can never get to them.

The client would have to be patched to use the dongle to sign "send" transactions. The client would never handle unencrypted keys. Keys in the wallet would always be in an encrypted state. When you send coin the dongle must be plugged in and the client sends the encrypted secret key as well as the transaction that must be signed to the dongle where the signing occurs.

The dongle would have a simple LCD screen to display a transaction amount and, maybe with the press of a button, a few characters of the recipient key. If the owner agrees with the transaction he presses the ok button on the dongle and the dongle signs the transaction and sends it back to the client.

for #2:
use bitcoin client (0.3.22) with -datadir option:

bitcoin.exe -datadir="Z:\SomeRemoveableDrive\somedirectory"

Don't under, any circumstances store your wallet.dat in a directory under your Windows operating system %APPDATA% (C:\Users\youruser\AppData\Roaming\Bitcoin by default on Win 7)

Don't have bitcoin client installed on windows either.
Store both the client folder and the wallet.dat on separate media that you do NOT keep constantly mounted. Keep balances in the default wallet.dat LOW, to boot, and use a separate wallet in another location at least.

Note: these are not even adequate security measures for a determined search program. But the ftp stealer that is available on forums worldwide (and that is pictured here on Symantec blog with weird ironic name: http://www.symantec.com/connect/sites/default/files/images/bitcoininfostealer.jpg, from Symantec URL http://www.symantec.com/connect/blogs/all-your-bitcoins-are-ours )
uses code such as:


and it's a 'grab and go' ;-/

Does anybody know where the thread is for keeping track of which anti-malware progs keep track of these new Bitcoin stealers?

The larger security discussion in this thread, of course, is perfectly appropriate, esp. in light of the larger tech media outlets using the 25k theft as "yet another reason not to use bitcoin" ...yada...yada

The nice thing about the decentralization of bitcoin is that it's an option, and it allows smaller banks to get in on things easily.

It's not all about the end user, you know

-Garrett

The two things I'd really like see is

1. Encryption on my wallet file
2. The ability to move my wallet file where ever I like.

I'd then store my wallet file in a secure (probably truecrypt) container or thumb drive. I'd feel much better about everything.

I agree with EpicFail; even though a security measure is not 100% foolproof, it still helps.  Encrypting the wallet certainly helps in the case the computer is stolen and also with this Trojan Wallet stealer.

As far as a false sense of security is concerned, as long as there are reports of bitcoins being stolen, people will know the price of carelessness.

If someone has complete faith in the security of their system and they don't want to use an encrypted wallet; that's fine, they could simply use a blank password.  However, please have the option of a password for those who do want to encrypt the wallet.

Edit:
If the bitcoin developers are already working on an encrypted wallet, then ignore the beginning of this post; instead someone please post a donation address for the developers.

No holy grail is being given up here. You're just contracting out the security of your bitcoins to someone else. Not necessarily a big bank. Maybe just a geek friend who you trust who wants to earn some money. Maybe someone like Vladimir wants to start up the first secure online bitcoin vault? Come to think of it, once a trusted secure vault has been established, wallet sites could piggy back off it to produce secure wallets?

I am shocked that you think that more BTC will be lost by people forgetting their passwords. More will be lost because they'll be stolen by clever hackers. The incentive is too great for them to not try their damn hardest to get your wallet file - encrypted or otherwise. It's just that encrypting it and using a strong password (heck write that password down and store it in a safe) would make it just that much of a bother for an UNSKILLED hacker. Don't underestimate human ingenuity when there is a huge cash prize at the end of the arduous journey. Wait and see until someone else with a large BTC balance that followed all the recommended security precautions gets his BTC stolen. Or wait until the criminal underworld hears about bitcoins - they'll not be afraid to use physical force to make you produce the BTC wallet.

I'm making the following prediction: Bitcoin will evolve to become the only currency without a national government to back it up. It will be a duplicate of the existing financial system minus constant inflation. We will have major bitcoin banks and the majority of regular non uber-geek users will hold their balance with these institutions. The other portion of the userbase will be more than glad to perform an intricate dance of shuffling wallet.dat files around, moving funds from usb drive to usb drive, backing up in a gazillion locations, cause that is what geeks do - they enjoy overly complicated things which make them feel superior and smarter than the rest of the population. Meanwhile the average bitcoin user will give up the holy grail of decentralization in search of security.

I totally agree there are other tools and solutions out in the wild that will do better than just encrypting your wallet. And normally users should be aware of it. But "normall" users are more like my mother for example.

Last time i talked to here on the phone we spoke about here notebook. She mentioned something about warning messages popping up informing about infections. I hope it was the virus scanner that inform here preventing some malicious software from executing, hopefully. Believe me i tried my very best to get a clear description of the issue, it was impossibel. 

It took me hours to explain my mother some basic steps of computer security (automatic updates for OS and virus scanner). All she asked me afterwards was "Aha, do you wish another cup of coffee?".

All she sees and knows is this colorfull GUI of what ever she is using. What is working behind this is a complete mystery to this group of users. And it will be a mystery for them.

And now i shall come up with changing OS, install and using TC or other "complicate" IT stuff?

This kind of normal users are minimum more than 80% of potential users who could use crypto currency as digital payment. And this is the largest group of users you are dealing with if we are talking about spreading bitcoins under the masses.

These users i talking about will never start studying HowTo´s, manuals etc etc. They are only users and they will never be something else.

Thats why i think to give this people trust into Bitcoin its not a bad idea to implement some security features into the client.

What this sounds like to me is "As long as there are mean people making viruses, bitcoin can't work." is this really the case?

do you want it to be simple&secure to get bitcoin as widely accepted&spreaded as possible by the users or do you want bitcoin to be stigmatized as hacker-,nerd- and black market currency forever?
you can't expect the simple user to use 3 different tools just to make it secure, no none-geek will do that. a simple "choose wallet&enter password" won't bloat anything at all. the gui still can look like it was made in the 1990's for windows 3.11 ...plain, simple, not overloaded. 

windows vs. unix debate all over again

or a swiss army knife versus a professional tool set.

bloating bitcoin client with all kinds of stuff as poor innocent naive users demand versus doing one thing very well and using other tools that are doing well other things, like securing wallets.