NEWS FROM THE LAB - Friday, June 17, 2011

Pickpocket Targets Wallets at Bitcoin Forum Posted by Sean @ 10:36 GMT

Our Threat Research team analyzed a Bitcoin wallet.dat trojan today. Bitcoin is a digital currency created in 2009.

We detect the threat as Trojan-PSW:W32/CoinBit.A.

Here's a screenshot of the GUI:

(SHA-1 c4f6c921aa77fbb7f2b616a22ee7d4578f8ccf44)

It's not very professional looking.

But that's not the real point. This is a snatch and grab. Before the window is rendered, the application will fetch the Bitcoin wallet.dat file (if it exists) from this location:

%Documents and Settings%\\AppData\Roaming\Bitcoin\wallet.dat

CoinBit.A then attempts to send the wallet.dat to a @hotmail address via a Polish SMTP server. The .pl server address is hardcoded. Reportedly, the password of the server account has been changed, so this variant is no longer effective.
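The behaviour described above (read wallet.dat from the Bitcoin data directory, then push it out over SMTP) is a simple sequence for endpoint telemetry to catch. The following is an added example, not code from the original post or from F-Secure: it runs a small sequence detector over a constructed event log and matches files against the SHA-1 the post lists. The event tuple layout and the process names are assumptions made for the example.

```python
"""Added example: flag a process that reads the Bitcoin wallet.dat and then
opens an outbound SMTP connection, and check a file against the published
SHA-1 of the CoinBit.A sample."""
import hashlib
import re

# SHA-1 of the sample as published in the post.
COINBIT_A_SHA1 = "c4f6c921aa77fbb7f2b616a22ee7d4578f8ccf44"

# The wallet path the trojan reads (per-user roaming profile).
WALLET_RE = re.compile(r"\\AppData\\Roaming\\Bitcoin\\wallet\.dat$", re.IGNORECASE)

# Ports used for outbound mail submission.
SMTP_PORTS = {25, 465, 587}

# Constructed sample telemetry: (pid, image, event, detail). This layout is an
# assumption for the example, not any product's log format.
SAMPLE_EVENTS = [
    (1001, "bitcoin.exe", "FileRead", r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"),
    (1001, "bitcoin.exe", "NetConnect", "198.51.100.7:8333"),   # normal P2P traffic
    (2002, "coinbit.exe", "FileRead", r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"),
    (2002, "coinbit.exe", "NetConnect", "203.0.113.10:25"),     # wallet read, then SMTP
    (3003, "outlook.exe", "NetConnect", "203.0.113.10:25"),     # SMTP without a wallet read
]


def _port_of(endpoint: str) -> int:
    """Extract the port from an 'ip:port' string."""
    return int(endpoint.rsplit(":", 1)[1])


def find_wallet_exfil(events):
    """Return (pid, image, endpoint) for every process that connects to an
    SMTP port after having read wallet.dat. Order within a pid matters: a
    mail client that merely talks SMTP is not reported."""
    read_wallet = set()
    hits = []
    for pid, image, event, detail in events:
        if event == "FileRead" and WALLET_RE.search(detail):
            read_wallet.add(pid)
        elif event == "NetConnect" and pid in read_wallet:
            if _port_of(detail) in SMTP_PORTS:
                hits.append((pid, image, detail))
    return hits


def sha1_matches(data: bytes) -> bool:
    """True if the given file contents hash to the published CoinBit.A SHA-1."""
    return hashlib.sha1(data).hexdigest() == COINBIT_A_SHA1


if __name__ == "__main__":
    for pid, image, endpoint in find_wallet_exfil(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image}: wallet.dat read followed by SMTP to {endpoint}")
```

The detector keys on the order of events per process, so a legitimate mail client that never touches wallet.dat and the Bitcoin client itself, which reads the wallet but only speaks the P2P protocol, both stay quiet; only the process that does both in sequence is reported. The hash check is the usual complement for confirming a recovered sample against the IoC in the post.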

Performing a search for the hardcoded @hotmail recipient e-mail address leads one to this thread at bitcoin.org's forum.

It appears the pickpocket posted links in the forum's chat application. If the forum members clicked the link and downloaded the trojan, they risked losing their wallets.

To quote a forum member:

"No doubt that sucker is going straight for your wallet.dat"
"People will lose coins from this!"

Very possibly.

Read more from Kevin Poulsen at Wired.