Contrary to popular belief, Macs do in fact get malware. It's just that roughly 91% of desktop users run Windows while only about 7% run OS X (most of the rest run Linux). Malware authors therefore have far more incentive to target Windows, because it simply makes sense to go after the majority of users. This is generally good news for Mac users, who see comparatively little malware. However, it also makes them complacent about security, and when a piece of Mac malware does come along it causes a lot of havoc. Note that CoinThief, discussed below, is a trojan rather than a self-replicating virus: it spreads only because people download and run it.
The implementation of stealth addresses for Mac that I tweeted about last week turned out to be wallet-stealing malware. Crap.
— AndreasMAntonopoulos (@aantonop) February 11, 2014
Take this new piece of malware, for example. It's called CoinThief, and as the name implies, it steals users' Bitcoins. It has already affected several users, including one reddit user who lost 20 Bitcoins (worth over $12,000 at the time of this post). This story is still developing, but there's a lot we already know about CoinThief, including how it's spread, how it works, how to detect it, and how to remove it. If you use OS X, you definitely want to read the "How to Detect CoinThief" section even if you skip the rest of the article, because losing 20 BTC is a serious matter.
How it’s Spread
CoinThief was actually being distributed by CNET's Download.com and MacUpdate, two otherwise reputable and respectable websites. It was first distributed on GitHub and promoted by reddit user trevorscool. While the source code on GitHub seemed clean, the pre-compiled binaries were malicious: the binary simply did not correspond to the published source, so reviewing the repository told you nothing about what the download actually did. If you want the assurance of open source, build from the source yourself rather than trusting a pre-built binary. There are several variants of CoinThief floating around under different names, including Bitcoin Ticker TTM, Litecoin Ticker, BitVanity, and StealthBit.
How it Works
CoinThief is pretty elaborate. Upon launch, the first thing the malware does is install browser extensions for Safari, Chrome, and Firefox. The extension is given the generic name "Pop-Up Blocker" and the even more generic description "Blocks pop-up windows and other annoyances." In reality, the extension monitors web traffic and specifically targets popular Bitcoin sites such as Mt.Gox, BTC-e, and Blockchain.info. CoinThief also installs a background process that constantly watches for login credentials for the above-mentioned websites. So when a user logs in to his or her account, the username and password are captured and sent to a remote server.
The background process also appears to check for the presence of Bitcoin-Qt and patches certain components of it, probably with the intent of extracting private keys. It also sends information such as the Mac's user name and hardware UUID (the machine's unique identifier) to the remote servers.
How to Detect CoinThief
If you've got a Mac, it's a good idea to make sure you don't have CoinThief installed on your system. The indicators to look for are the ones described above and in the removal section below: a browser extension calling itself "Pop-Up Blocker" in Safari, Chrome, or Firefox that you did not knowingly install, and a LaunchAgent file under ~/Library/LaunchAgents named com.google.softwareUpdateAgent.plist or, in earlier variants, com.google.xupdater.plist. Note that the "com.google" label is a disguise; it is not a genuine Google component.
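The following shell script is an added example, not something from the original article or from any researcher quoted in it. It checks a home directory for the indicators the article names: the two LaunchAgent labels used by CoinThief variants and a browser extension describing itself as "Pop-Up Blocker". The LaunchAgent and extension directory paths are the standard OS X locations and are an assumption on my part; the indicator names themselves come from the article.

```shell
#!/bin/sh
# Added example: scan a home directory for the CoinThief indicators named in the article.
# Usage:  sh cointhief_check.sh            (scans $HOME)
#         sh cointhief_check.sh /Users/bob (scans another user's home)
# Exit status: 0 = no indicators, 2 = indicators found.

# LaunchAgent labels used by CoinThief variants (from the removal instructions in the article).
COINTHIEF_AGENTS="com.google.softwareUpdateAgent com.google.xupdater"

# check_launch_agents HOME
# Prints each CoinThief LaunchAgent plist found; returns 0 if any exists, 1 otherwise.
check_launch_agents() {
    home="$1"
    found=1
    for label in $COINTHIEF_AGENTS; do
        plist="$home/Library/LaunchAgents/$label.plist"
        if [ -f "$plist" ]; then
            echo "FOUND LaunchAgent: $plist"
            found=0
        fi
    done
    return $found
}

# check_extensions HOME
# Greps the standard Safari, Chrome and Firefox extension folders (assumed paths) for the
# display name "Pop-Up Blocker". Chrome's manifest.json and Firefox's install.rdf carry the
# name in plain text; a compressed Safari .safariextz archive may need to be unzipped first.
# Returns 0 if a match is found, 1 otherwise.
check_extensions() {
    home="$1"
    found=1
    for dir in \
        "$home/Library/Safari/Extensions" \
        "$home/Library/Application Support/Google/Chrome/Default/Extensions" \
        "$home/Library/Application Support/Firefox/Profiles"; do
        [ -d "$dir" ] || continue
        # grep -rl lists files containing the string; "|| true" keeps "no match" from aborting.
        matches=$(grep -rl "Pop-Up Blocker" "$dir" 2>/dev/null || true)
        if [ -n "$matches" ]; then
            echo "FOUND extension referencing 'Pop-Up Blocker' under: $dir"
            echo "$matches"
            found=0
        fi
    done
    return $found
}

# cointhief_scan [HOME]
# Runs both checks and returns 0 when clean, 2 when any indicator was found.
cointhief_scan() {
    home="${1:-$HOME}"
    hits=0
    check_launch_agents "$home" && hits=1
    check_extensions "$home" && hits=1
    if [ "$hits" -eq 0 ]; then
        echo "No CoinThief indicators found under $home"
        return 0
    fi
    echo "CoinThief indicators present under $home; follow the removal steps."
    return 2
}

# Run the scan only when this file is executed directly under its own name,
# so that it can also be sourced into another script without side effects.
case "$0" in *cointhief_check.sh) cointhief_scan "$1" ;; esac
```

A clean result from this script is not proof of a clean machine: it only looks for the file names and extension title reported for the known variants, and a renamed variant would pass. Treat a hit as confirmed, and a miss as "nothing known was found".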
How to Remove CoinThief
As with almost all malware, manually removing CoinThief is going to be a bit of a pain. But then again, it's better to go through with it than to risk losing all your Bitcoins. Reddit user nptacek provides these instructions for removing CoinThief from your system.
Type “launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist” without quotation marks and hit the enter/return key. (Note, earlier variants of CoinThief use the name “com.google.xupdater,” so be sure to try that as well as “com.google.softwareUpdateAgent” in the command above). This stops the background process that monitors your account credentials and sends them to the malware author(s)’ servers. If you see the message, “No such file or directory, nothing found to unload,” then the background process was not loaded on your computer. Continue to step 4.
Many people argue that a huge issue with Bitcoin is that, unlike traditional money, there's no FDIC-style insurance. So if someone's wallet is compromised, there's no way to recover the stolen Bitcoins. It's difficult to deny this point. With the complete independence that Bitcoin offers, users are forced to protect themselves with little to no leeway for error. There are certainly ways to do so, such as keeping encrypted backups and not downloading untrusted software, but the burden of getting them right falls entirely on the user, and that is worth thinking about.