One good way to measure the popularity of an emerging technology or trend is to see how much attention attackers and malware authors are paying it. Using that as a yardstick, Bitcoin is moving its way up the charts in a hurry. The latest indication is some malware that researchers at Arbor Networks identified that is masquerading as a utility to alert Bitcoin owners of shifts in the currency’s value, but is actually marked as a Trojan.
The utility, named Bitcoin Alarm, is being sent out right now via email and has the ability to find and allegedly take victims’ Bitcoins. Researchers at Arbor found the utility in several spam messages they received, and their initial investigation found that there are several layers of deception and obfuscation in the file that’s downloaded and its behavior is a little difficult to analyze at first. Perhaps that’s why only a handful of antimalware applications are able to identify it as malicious.
“The download BitcoinAlarm.exe (MD5: edfa12d4a454b0eb786bbe92050ab88a) had just 1 hit on VirusTotal when I first scanned it (from Kaspersky). Is it a false positive on a nice free tool? Lets dig deeper,” Kenny Macdermid of Arbor wrote in an analysis of the malware.
The downloads includes an RAR archive that includes a script that has a file called “winupdate.exe”.
“A quick check of winupdate.exe with VirusTotal shows that it’s the valid (and non-malicious) AutoIt executable. AutoIt is a great little scripting language for Windows, it’s especially useful for automating GUI related tasks. So if winupdate.exe is AutoIt that would make 5943564.IFW an AutoIt script. It looks like it was obfuscated somewhat though,” Macdermid said.
One of the things the script does is check to see whether there’s a specific antimalware application running, and if so, it will sleep for 20 seconds. The check for running antimalware is a classic behavior of a malicious application, and Macdermid said that after the check is completed the app performs a number of other operations designed to disable security functionality. The app then decrypts and runs a file named 20070.RQT.
“The decrypted file had 30/48 hits of VirusTotal when I scanned it (MD5: 224c73f8172123e5ddca2302425664a6). It’s called NetWiredRC and is a remote access trojan made for stealing login information, and likely in this case being used to steal Bitcoins. It connect to bitcoins.dd-dns.de on port 3360,” Macdermid said.
The link to download the Bitcoin Alarm app is now returning a 404 error and Macdermid said that many more antimalware tools are now detecting it as a piece of malware.