arnoudk
Bronze Bitcoiner
Posts: 631
Joined: Wed Oct 21, 2015 4:04 am
Location: Belize

New malware to steal bitcoin by replacing addresses

Thu Feb 11, 2016 7:47 pm

I've just finished reading the following article on bravenewcoin.com: http://bravenewcoin.com/news/bitcoin-st ... ves-again/

This article warns users that a new strain of malware exists that replaces bitcoin addresses when they are being copied and pasted. They are changed when they are temporarily stored on the clipboard.

The malware has a list of thousands of addresses and will choose the one closest to the address you are actually trying to send money to.

So be careful: simply manually check that the address you are sending to has not changed - check some sequence in the middle, or at 1/3 of the address, too. And for large transactions, it may be a good idea to verify (i.e. with a quick phone call) with the person receiving the funds if the address is correct.

A new iteration of this malware will probably change addresses in emails and web pages themselves.
Excited about the potential of Bitcoin Cash in the beautiful country of Belize.
Developer of the RegisterDocuments.com Document Registration Service (using the Bitcoin Cash blockchain).

iFixBTCmemoryIssues
Gold Bitcoiner
Gold Bitcoiner
Posts: 2682
Joined: Tue Nov 24, 2015 9:03 pm

Re: New malware to steal bitcoin by replacing addresses

Thu Feb 11, 2016 7:58 pm

While this sounds mad, I dedicated a netbook that is solely used for Bitcoin banking.

Boot up, login, do the transactions, logout, power-down.

If you are running a version of Bitcoin Core, stop using it. Upgrade to Bitcoin Unlimited or Classic immediately.

arnoudk

Re: New malware to steal bitcoin by replacing addresses

Thu Feb 11, 2016 8:14 pm

> While this sounds mad, I dedicated a netbook that is solely used for Bitcoin banking.
>
> Boot up, login, do the transactions, logout, power-down.

Doesn't sound mad at all for larger bitcoin holdings.

This new attack vector was predicted a long time ago (I'm surprised it took this long!). It can mean that security devices such as Trezor do not provide protection from this.

A simple solution (I am sure there would be others, this is just from the top of my head) is to do the following:
- Register a public PGP key
- Sign payment requests with this PGP key
- Trezor (or software wallet) checks the PGP key, signatures and shows an error if anything is not right.

Now, malware can't just do a Man In The Middle attack, it would have to compromise every source to obtain the PGP key.

ronnieb
Nickel Bitcoiner
Posts: 177
Joined: Sat Oct 03, 2015 6:15 pm
Location: Idaho

Re: New malware to steal bitcoin by replacing addresses

Thu Feb 11, 2016 10:46 pm

Again, bit thanks and good looking out! Great to have Bitcoiners like you on the forum!!!

arnoudk

Re: New malware to steal bitcoin by replacing addresses

Thu Feb 11, 2016 10:57 pm

> Again, bit thanks and good looking out! Great to have Bitcoiners like you on the forum!!!

Thanks, and you are most welcome!

BitcoinNewsMagazine
Nickel Bitcoiner
Posts: 217
Joined: Thu Sep 24, 2015 5:03 pm

Re: New malware to steal bitcoin by replacing addresses

Thu Feb 11, 2016 11:22 pm

Thanks for the heads up. Can this new malware steal bitcoin if one is using a Trezor?

arnoudk

Re: New malware to steal bitcoin by replacing addresses

Thu Feb 11, 2016 11:48 pm

> Thanks for the heads up. Can this new malware steal bitcoin if one is using a Trezor?

I assume that it can, if you copy and paste an address into your Trezor software.

If you manually check the address as displayed in your Trezor from the original, then you should be OK... until the next iteration that changes what is displayed on your screen. Then there will need to be a signed message with a known key.

defcon23
AMA
Posts: 224
Joined: Tue Sep 20, 2016 8:26 pm

Re: New malware to steal bitcoin by replacing addresses

Wed Feb 22, 2017 7:51 pm

I recently had occasion to get the source code of this malware in my hands. It's really scary to see with what simplicity it can be compiled and diffused. The real problem is also that it is absolutely not detected as a virus.

So, basically ALWAYS double check the address you paste in the fields!

Also, never install any .exe or jar file whose source you are not absolutely sure of ;)