On Fri, Jun 17, 2011 at 4:50 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
Is it a sign that your e-Monopoly-money has arrived when trojans start targeting it?
http://www.net-security.org/malware_news.php?id=1752
(My guess is that since trojans already steal everything they can, including lots of stuff with no obvious value, the authors just added Bitcoin wallets because they could).

i checked this out when it dropped. it was delivered in haste, and not something overly impressive (like a pro kit re-tailored for bitcoin wallets.)

the day before this dropped wallet encryption was released in the official bitcoin client. the attackers had to rush deployment of this malware before too many potential targets upgraded to encrypted wallets (thus making them less accessible to an attacker using this method.)

the interesting aspect is how this followed a significant crackdown on the bitcoin.org forums and was sent as a mass phish via private message to all the members. i've pasted the content below. note that clicking on the image went to a ....JPG/ directory which in turn sent the screensaver malware payload that is not identified in most browsers as potentially malicious (unlike .EXE or .COM, .BAT, .PDF, etc.)

once you click, it rather clumsily traversed the disk looking for the first wallet.dat to deliver via an open relay to a drop box at hotmail. they'd clearly spent more time on the delivery aspects than on the smarts within the wallet stealing code. as said, a rush job due to the client update the day before.

waiting for the next trojan to target RPC port on running bitcoind's...

---
You have just been sent a personal message by MoonShadow- on Bitcoin Forum.

IMPORTANT: Remember, this is just a notification. Please do not reply to this email.

The message they sent you was:

Hello
Statements which should not be generally offensive, be excessively repeated or have bad formatting (spam), contain forbidden advertising or political or religious views, not be non-English when English is required, disclose personal data of others, or support any other rule violation.

Proof can be seen at: http://images4u.hostil.pl/DSC00054.jpg

One more warning and your account might be banned.

Reply to this Personal Message here: http://forum.bitcoin.org/index.php?action=pm;...

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
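
A defender-side check for the delivery trick described in the message above (a link that looks like an image, ending in .JPG/, but returns a screensaver executable), as an added example that is not part of the original thread. The record fields, host names, served file name and byte prefixes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
EXEC_EXT = (".scr", ".exe", ".com", ".bat", ".pif")

def served_filename(content_disposition):
    """Return the lower-cased filename from a Content-Disposition value, or ''."""
    m = re.search(r'filename="?([^";]+)"?', content_disposition or "", re.I)
    return m.group(1).strip().lower() if m else ""

def mismatch_reasons(rec):
    """Reasons why a response to an image-looking URL is really an executable."""
    path = urlsplit(rec["url"]).path.lower()
    # The lure described above ended in ".JPG/", so ignore a trailing slash.
    if not path.rstrip("/").endswith(IMAGE_EXT):
        return []
    reasons = []
    name = served_filename(rec.get("content_disposition"))
    if name.endswith(EXEC_EXT):
        reasons.append("served filename is executable: " + name)
    # .scr screensavers are ordinary PE files, so the body starts with "MZ".
    if rec.get("body_prefix", b"")[:2] == b"MZ":
        reasons.append("body starts with MZ executable header")
    return reasons

def flag(records):
    """Return {url: reasons} for every record with at least one mismatch."""
    return {r["url"]: why for r in records if (why := mismatch_reasons(r))}

# Constructed proxy records (hosts, file names and bytes are made up).
SAMPLE = [
    {"url": "http://images.example.test/DSC00054.JPG/",
     "content_disposition": 'attachment; filename="DSC00054.scr"',
     "body_prefix": b"MZ\x90\x00"},
    {"url": "http://images.example.test/cat.jpg",
     "body_prefix": b"\xff\xd8\xff\xe0"},
    {"url": "http://images.example.test/photo.png?x=1",
     "body_prefix": b"MZ\x90\x00"},
    {"url": "http://dl.example.test/setup.exe",
     "body_prefix": b"MZ\x90\x00"},
]

if __name__ == "__main__":
    for url, why in flag(SAMPLE).items():
        print(url, "->", "; ".join(why))
```

The plain setup.exe download is deliberately not flagged: the check targets only the mismatch between an image-looking link and an executable response.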