Bitcoin has been a magnet for commentary about the future of payment security and privacy. At the same time, it's attracted a lot of attention from criminals, with several exchanges shutting down after possible thefts. This level of malicious activity is perhaps unsurprising, given the high stakes of protecting a completely digital currency. Bitcoin is still a very new and immature technology, making it ripe for all sorts of disruption, including classic malware attacks, which have been on the uptick as the public has become more interested in cryptocurrencies.
Most of the Bitcoin-specific threats are designed to steal currency from digital "wallets," or to take over computers so that their processors can be enlisted into bitcoin mining. This process entails performing incredibly CPU- and GPU-intensive operations so that a few bitcoins can be obtained from the limited global supply. There have been several pieces of malware that take this approach, most notably adware served by compromised Yahoo display ads in Europe.
However, the rise of malicious software that steals bitcoins is also of great concern right now, in light of the recent shuttering of Mt. Gox, the world's most prominent Bitcoin exchange. Its closure followed the theft of more than $400 million in Bitcoin, underscoring the soaring level of interest and investment in this nascent technology. Recent security research indicated that there may be as many as 100 malware families primarily designed to steal bitcoins from wallets and exchanges.
As Bitcoin rises, malware takes off
Bitcoin malware isn't a new thing. In 2011, security researchers discovered a threat that could scan machines for bitcoins and then transmit them to other networks, and it wasn't long until mining-related malware began to pop up. One of the more novel early pieces of malware hijacked an infected computer's GPU in order to speed up mining. Since modern GPUs often have substantial parallel computing capabilities, they can grind through the Bitcoin mining operation much faster than most CPUs.
At the time, though, there wasn't much incentive for criminals to seriously pursue Bitcoin malware. Botnet resources could be more efficiently deployed in efforts such as Blackhole spamming or denial-of-service attacks, and the price of Bitcoin was far too low to make even a serious effort worthwhile. A GPU-powered mining computer could generate roughly $150 a month in Bitcoin in 2011.
Since then, the price of Bitcoin has fluctuated wildly, occasionally reaching stratospheric heights. Naturally, along the way there's been increased interest in obtaining more Bitcoin, whether through legitimate or malicious means, and malware has certainly been an important tool for cybercriminals trying to get in on the Bitcoin gold rush.
On a technical level, most Bitcoin malware isn't that different from threats that target other assets. Cybersecurity researchers have discovered that it may be delivered via malicious shortened Twitter links, packaged with other viruses or downloaded from untrustworthy websites. There's been at least one known instance of Bitcoin malware being included in a fake Adobe Flash Player installer. Some other strains exploit network vulnerabilities to enlist systems into a mining pool.
Currently, many of the most high-profile Bitcoin threats take a similar tack and hijack CPU/GPU resources to mine digital currency. A recently identified piece of malware called Linkup puts an unusual twist on this formula by combining mining coercion with ransomware tactics.
Whereas most ransomware locks a user's files until the victim pays a fee (CryptoLocker goes further and encrypts the files with strong cryptography along the way), Linkup blocks Internet access by modifying DNS settings and then turns the computer into a Bitcoin-mining machine connected to a botnet. It's not clear whether paying the small fee, $0.01, actually removes the malware, especially given how much information the submission form requests.
"This combination of ransomware and Bitcoin mining is a new and fascinating development," stated the researchers who discovered the malware. "At this point, however, its functionality is still quite limited as the downloaded jhProtominer only works on 64-bit operating systems. In time, it will be interesting to see if Linkup is modified to download more flexible variants."
Using a "split wallet" to protect bitcoins from malware
The basic way that most Bitcoin is stored – digitally, in unregulated exchanges – invites attention from attackers who often correctly believe that they can exploit a vulnerability and make off with a good haul. To better protect Bitcoin assets, some security experts have recommended using a split wallet.
This setup involves storing some bitcoins online but keeping others on a system that isn't connected to the Internet. Doing so confers a couple of benefits. The computer with network access can keep track of balances and conduct transactions with other Bitcoin holders. At the same time, the private key needed to authorize any exchange is kept safely offline.
"To make a payment you generate the transaction on the online computer, bring it to the offline computer (on a USB stick) for signing with the private key, and then bring it back to the online computer to complete the transaction," stated Dell SecureWorks' Joe Stewart.
The need for greater Bitcoin security has even inspired some hardware solutions. Unlike software wallets, hardware wallets are hardened against viruses and typically store the key in a protected part of the microcontroller, so the key is never sent out of the device in plaintext.
Split and hardware wallets are two ways to improve Bitcoin security in the face of mounting pressure from malware. Bitcoin owners should also consider using Linux-based OSes for both the online and offline computers, given their historical resistance to USB-based attacks that can compromise transactions.
While Bitcoin began as a hobby for tech-savvy early adopters, it may eventually find a home in businesses, a growing number of which accept bitcoins as payment. Organizations will need to be wary of malware and unauthorized activity, both of which can be difficult to address unless they use hardware wallets and implement other security mechanisms. For example, it may make sense to create individual, encrypted wallets for each employee so that someone can't anonymously remove funds from a shared account.