CoinThief Malware Stealing Bitcoins from Mac Users

Journalist:
February 15, 2014
A trojan called CoinThief is stealing tens of thousands of dollars worth of BTC from unsuspecting Mac users.

Contrary to popular belief, Macs do in fact get viruses. It’s just that 91% of the world uses Windows while only 7% of the world uses OSX (The remaining percentage uses Linux). As such, virus makers have more incentive to create malware for Windows, because it simply makes sense to target the majority of computer users. This is generally great news for Mac users, since they remain virtually virus free. However, it can make them pretty complacent about security, and when a Mac virus does come along, it causes a lot of havoc.

Take this new virus for example. It’s called CoinThief, and as the name implies, it steals users’ Bitcoins. It’s already affected several users, including one reddit user who lost 20 Bitcoins (worth over $12,000 at the time of this post). This story is still developing, but there’s a lot we already know about CoinThief, including how it’s spread, how it works, how to detect it, and how to remove it. If you use OSX, you definitely want to read the “How to Detect Cointhief” section even if you skip the rest of the article, because losing 20 BTC is a serious matter.

How it’s Spread

Cointhief was actually being distributed by CNET’s Download.com and MacUpdate, two otherwise reputable and respectable websites. It was first distributed on GitHub and promoted by reddit user trevorscool. While the source code on Github seemed clean, the pre-compiled binaries were malicious. There are several variants of Cointhief floating around under different names, including Bitcoin Ticker TTM, Litecoin Ticker, BitVanity, and StealthBit.

How it Works

CoinThief is pretty elaborate. Upon launch, the first thing the malware does is install browser extensions for Safari, Chrome, and Firefox. The extension is given the generic name “Pop-Up Blocker” and even more generic description “Blocks pop-up windows and other annoyances.”In reality, the extension begins monitoring web traffic and specifically targets popular Bitcoin sites like Mt.Gox, BTC-e, and Blockchain.info. CoinThief also installs a background application that constantly monitors for login credentials for the above mentioned websites. So when a user logs in to his/her account, the username and password are captured and sent to a remote server.

The background process also seems to check for the presence of Bitcoin-Qt and patches certain components, probably with the intent of extracting private keys. It also sends information such as the Mac’s user name and UUID (unique hardware code) to the remote servers.

How to Detect CoinThief

If you’ve got a Mac, it’s a good idea to make sure you don’t have CoinThief installed on your system.

  1. Start by opening Activity Monitor (in Applications/Utilities) and search for “com.google.softwareUpdateAgent”in the list of processes.

    Like Task Manager on Windows, Activity Monitor displays all running processes.

  2. Open your browsers and check if “Pop-Up Blocker” is installed as an extension.

    If you see “Pop-up Blocker” in the list of extensions, you’ve probably got CoinThief installed.

  3. If you’ve got the extension installed or see the rogue process in Activity Monitor, go on to the next section. Otherwise, you should be clean.

How to Remove CoinThief

As with almost all malware, manually removing CoinThief is going to be a bit of a pain. But then again, it’s better to go through with it than risk losing all your Bitcoins. Reddit user nptacek provides these instructions on removing CoinThief from your system.

  1. First, if you’ve got BitcoinTicker TTM, Litecoin Ticker, BitVanity, or StealthBit installed on your system, delete it from the Applications folder and clear the Trash.
  2. Next, fire up Terminal (from Applications/Utilities). You’re going to have to enter several Terminal commands and it is imperative that you enter them exactly as they’re shown here. Feel free to copy+paste the commands.
  3. Enter the commands exactly as shown in the article.

    Type “launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist” without quotation marks and hit the enter/return key. (Note, earlier variants of CoinThief use the name “com.google.xupdater,” so be sure to try that as well as “com.google.softwareUpdateAgent” in the command above). This stops the background process that monitors your account credentials and sends them to the malware author(s)’ servers. If you see the message, “No such file or directory, nothing found to unload,” then the background process was not loaded on your computer. Continue to step 4.

  4. Now we’re going to unhide the file and move it to the Desktop. From there it can be dragged into the Trash and safely deleted. In Terminal, type “mv ~/Library/Application Support/.com.google.softwareUpdateAgent ~/Desktop/com.google.softwareUpdateAgent” (without quotes) and hit enter. (Remember to use “com.google.xupdater” in the command above if needed). The file should now show up on your Desktop. Throw that file in the Trash.
  5. Let’s do the same thing for the file that launches the background process. In Terminal, type “mv ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist ~/Desktop/com.google.softwareUpdateAgent.plist” (no quotes) and press the return key. (Again, use “com.google.xupdater” in the above command if you’ve got an earlier variant of CoinThief installed). Once you see that file on the Desktop, throw it into the Trash. Now empty the Trash.
  6. We’re almost done. Open all your web browsers and uninstall the “Pop-Up Blocker extensions”. Different browsers have different instructions for deleting extensions. For Safari, go here. For Chrome, here’s your guide. For Firefox, read this.
  7. If you’ve got Bitcoin-Qt installed on your system, back up the wallet and reinstall Bitcoin-Qt.
  8. Finally, change your passwords for any Bitcoin-related websites you use. It’s also a good idea to set up two-factor or two-step authentication for sites like Blockchain.info to better protect yourself. If you’re feeling particularly paranoid, you can reinstall OSX, but the above process should be effective.

Final Thoughts

Many people argue that a huge issue with Bitcoin is that unlike traditional money, there’s really no FDIC-style Bitcoin insurance. So if someone has their wallet compromised, there’s really no way to recover the stolen Bitcoins. It’s difficult to deny this point. With the complete independence that Bitcoin offers, users are forced to protect themselves with little to no leeway for errors. Sure there are ways to protect oneself like using encrypted backups, not downloading untrusted software, etc. But at the end of the day, it’s still something to think about.

Neil Sardesai @@neilsardesai

I enjoy keeping up with the latest stuff in science and technology and have been following Bitcoin for a few years now. I also occasionally post cool stuff on twitter.