Posts tagged Malware

New Mac OS X Malware Steals Your Bitcoins

There’s a new piece of Mac malware that can spy on your web browser to steal your bitcoins.

The trojan, which was discovered by SecureMac on Sunday, is disguised as a downloadable Bitcoin app called “StealthBit,” which says it can send and receive anonymous bitcoin payments. The trojan horse is named “OSX/CoinThief.A.”

The malware’s author may be connected to reddit user “trevorscool,” who advertised StealthBit on reddit on February 1. That username is similar to the one used to upload StealthBit to GitHub—“Thomasrevor.” (At the time of this writing, the GitHub account for “Thomasrevor” has been deleted—but here’s a web cache from Google.) This same user advertised a similar Mac app called “BitVanity” in 2013, which also reportedly emptied out bitcoin wallets. According to more Google web caches, “trevorscool” has also been deleting old posts that invite people to download and use his new Bitcoin apps.

I’ve reached out to this individual and will update this story if we get a response.

A number of users have already reported infected systems. Over the weekend, one Reddit user claimed to lose 20 Bitcoins (worth upward of $12,000 at the time of writing) as a result of the “Coin Thief” trojan embedded in StealthBit.

The StealthBit app was first posted on the open-source repository GitHub, but the precompiled version of the app contained a malicious payload. When users download the app, the trojan quietly installs extensions into the Google Chrome or Safari web browsers (we’ve inquired about Mozilla’s Firefox), and then sifts through those browsers looking for login credentials for Bitcoin-related websites like Mt. Gox, BTC-e, and Blockchain. Once the “StealthBit” app finds a set of login credentials, it sends that information back to remote servers owned by the malware’s developer.

The data that’s sent back to the developer’s remote servers isn’t limited to Bitcoin login information, however. The usernames and unique identifiers (UUIDs) for infected Macs are also transmitted to the servers, in addition to any Bitcoin-related apps already installed on the system.

If you’ve already downloaded the StealthBit app, it’s important to isolate the extensions that spy on your browser’s activity to prevent data theft or loss. The author of this malware gave the extensions the name “Pop-Up Blocker,” with the description “Blocks pop-up windows and other annoyances.” If you find these files on your browser, delete them, and report the issue directly to Apple.
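For the cleanup step above, here is an added example (not code from the article, SecureMac, or the malware’s author) that scans a Chrome extensions directory for a manifest whose name or description matches the “Pop-Up Blocker” extension the article describes, and reports what it finds instead of deleting anything. The Chrome profile path is an assumption about the default macOS layout, the sample manifests it builds for the demo are constructed, and it does not inspect Safari’s packaged extensions.

```python
"""Look for a Chrome extension whose manifest matches the name/description
reported for the OSX/CoinThief.A browser extension, and report it.

Added example, not from the article or SecureMac. The Chrome profile path is
assumed; the demo tree built below is constructed sample data."""
import json
import tempfile
from pathlib import Path

# Indicators quoted in the article: the extension's displayed name and description.
SUSPECT_NAME = "Pop-Up Blocker"
SUSPECT_DESCRIPTION = "Blocks pop-up windows and other annoyances"

# Assumed default location of Chrome's per-profile extension store on macOS.
DEFAULT_CHROME_EXTENSIONS = (
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"
)


def _load_manifest(path):
    """Return the parsed manifest, or None if it is unreadable or not JSON."""
    try:
        with open(path, encoding="utf-8") as f:
            return json.load(f)
    except (OSError, ValueError):
        return None


def find_suspect_extensions(root, name=SUSPECT_NAME, description=SUSPECT_DESCRIPTION):
    """Walk `root` for manifest.json files and return a list of dicts describing
    every extension whose name equals `name` (case-insensitive) or whose
    description contains `description`. Nothing is modified; the caller decides
    what to remove. Localized names (__MSG_*__) are not resolved."""
    root = Path(root)
    hits = []
    if not root.is_dir():
        return hits
    for manifest_path in sorted(root.rglob("manifest.json")):
        manifest = _load_manifest(manifest_path)
        if not isinstance(manifest, dict):
            continue
        m_name = str(manifest.get("name", ""))
        m_desc = str(manifest.get("description", ""))
        if m_name.lower() == name.lower() or description.lower() in m_desc.lower():
            # Chrome lays extensions out as <Extensions>/<id>/<version>/manifest.json
            parts = manifest_path.relative_to(root).parts
            ext_id = parts[0] if len(parts) >= 3 else "?"
            version = parts[1] if len(parts) >= 3 else str(manifest.get("version", "?"))
            hits.append({
                "id": ext_id,
                "version": version,
                "name": m_name,
                "description": m_desc,
                "permissions": list(manifest.get("permissions", [])),
                "path": str(manifest_path),
            })
    return hits


def build_demo_tree():
    """Construct a throwaway Extensions directory holding one benign and one
    matching manifest. The IDs and contents are made up for this demo."""
    root = Path(tempfile.mkdtemp(prefix="ext-demo-"))
    samples = {
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.3"): {
            "name": "Reader View",
            "description": "Strips clutter from articles",
            "version": "1.0.3",
            "permissions": ["activeTab"],
        },
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.1"): {
            "name": "Pop-Up Blocker",
            "description": "Blocks pop-up windows and other annoyances.",
            "version": "2.1",
            "permissions": ["tabs", "webRequest", "<all_urls>"],
        },
    }
    for (ext_id, version), manifest in samples.items():
        d = root / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Use the real profile if present, otherwise the constructed demo tree.
    root = DEFAULT_CHROME_EXTENSIONS if DEFAULT_CHROME_EXTENSIONS.is_dir() else build_demo_tree()
    found = find_suspect_extensions(root)
    if not found:
        print(f"no matching extension under {root}")
    for hit in found:
        print(f"MATCH {hit['id']} v{hit['version']}: {hit['name']!r} - {hit['description']!r}")
        print(f"  permissions: {hit['permissions']}")
        print(f"  manifest:    {hit['path']}")
```

The scan matches on the displayed name and description because that is what the article gives as the indicator; since a name is trivial to change, treat a match as a reason to inspect the extension’s permissions and files, not as the only check, and review any extension you do not remember installing.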

Speaking of Apple, we’ve reached out to the company to see if they’re aware of the reported trojan horse, and what steps the company is taking to solve this issue, and we’ll update the story as soon as we learn more.

Although OS X has long had a reputation as a secure platform, malware and adware attacks that target it have been on the rise over the last two years. In April 2012, more than 600,000 Mac computers were affected by the Flashback Trojan, which exploited several vulnerabilities in Java to similarly install itself onto users’ browsers without any action on the user’s part.

Last March, a piece of adware called the Yontoo Trojan was found installing itself directly onto users’ browsers as a plug-in, embedding third-party code onto any pages viewed by those users.

Lead image by fdecomite on Flickr. Right image courtesy of Wikimedia Commons

View full post on ReadWrite

Yahoo Confirms Its Ads Spread Malware to Users

Hundreds of thousands of Yahoo users in European countries may have been infected with malware injected into advertising hosted on Yahoo websites. The ads were served in iframes by Yahoo’s advertising service, and were hosted on external sites.

View full post on Search Engine Watch – Latest

How To Protect Against PrisonLocker, The Next Major Malware Threat

Just when you’ve guarded your computer against CryptoLocker, there’s a newer threat that’s capable of holding gigabytes of your computer’s data hostage at a time.

Unlike Cryptolocker, which was custom-made for one ring of thugs, any criminal with $100 and a computer can easily purchase a copy of PrisonLocker—alternately called PowerLocker—for themselves.

See also: How To Fight CryptoLocker And Evade Its Ransomware Demands

Make no mistake: PrisonLocker is ransomware. It encrypts your personal data until you cough up hundreds of dollars for the decryption key, and even then, since you’re negotiating with criminals, there’s no guarantee they’ll make good on their promise.

Malware Must Die, an independent group of security analysis vigilantes based in India, said it had been monitoring a discussion about PowerLocker on a forum for hackers, where its anonymous programmer was selling licenses of the ransomware for $100 apiece.

Aside from being more easily accessible than CryptoLocker, PrisonLocker also boasts additional deterrents to security analysis like the ability to disable functions built into the Windows OS, according to the researchers. 

Last October, CryptoLocker, which was run by just one group, netted 10,000 victims in one week. Since PowerLocker is up for sale, it has the potential to wreak exponentially more havoc. 

How To Protect Yourself

Fortunately, the threat of PrisonLocker is, so far, just that—a threat. Nobody has been infected with the malware yet because its criminal creator is still developing it. 

According to Harry Sverdlove, CTO of threat assessment company Bit9, this is both good and bad for users. On the one hand, we have an advantage since it isn’t out yet. But on the other hand, all the press and hype about CryptoLocker meant hackers had plenty of information to improve the program. 

For example, with CryptoLocker, users could preemptively protect themselves by regularly backing up their data. But with PrisonLocker, even data backups might not be enough to save you, according to Sverdlove. PrisonLocker is designed to seek out connected drives with even more power and accuracy than its predecessor. 

“Depending on the backup policy and user access, your backups also could be encrypted and unusable,” he said. “If your backups are inaccessible to the system in question, then yes, it can save your data, at least since your last backup. But it can’t save your time. If you have to restore your entire system from a backup and possibly reinstall Windows and all your applications, well then you can kiss your weekend goodbye.”

In other words, there’s an additional step to staying safe. You don’t just need to make regular backups; you need to keep your backups on a drive that isn’t connected to your computer at all times, like an external hard drive that you keep offline. 

But more importantly, Sverdlove says to be very careful about which links you click and which files you download. PrisonLocker can’t work if it can’t trick you into installing it. Even if you’re too tech savvy to fall for this (or simply not running a Windows computer), be sure to let your less geeky friends, family, and coworkers know. It’s a reminder we can’t share often enough.

Photo by Don Jenkins

View full post on ReadWrite

Copyright © 1992-2014, DC2NET All rights reserved