The rise of bitcoin over the last year has piqued the interest of cybercrooks, who have created more than 100 unique families of malware designed to steal virtual currencies, according to Dell SecureWorks.
The crypto-currency community is currently reeling from news that troubled exchange MT. Gox appears to have lost nearly 750,000 bitcoins - worth hundreds of millions of dollars - to malleability-related theft.
While the MT-Gox case may be unusual for its scale, research from Dell SecureWorks suggests that theft is rife as crooks look to cash in on the skyrocketing value of bitoin and other currencies.
The research shows that the number of Windows-compatible cryptocurrency-stealing malware (CCSM) families has broadly tracked bitcoin's value, shooting up over the last six months.
The most common type of CCSM is the wallet stealer, which searches for well-known wallet software key storage locations, either by checking known file locations or by searching all hard drives for matching filenames. Typically, the file is uploaded to a remote FTP, HTTP, or SMTP server where the thief can extract the keys and steal the coins by signing a transaction, transferring the coins to their address.
Many wallet-stealer families also steal credentials for Web-based wallets, such as Bitcoin exchanges. Although several exchanges have implemented two-factor authentication using one-time PINs to combat unauthorised account logins, advanced malware can bypass this by intercepting the OTP as it is used and creating a second hidden browser window to log the thief into the account from the victim's computer.
The researchers also warn that once malware is installed on a computer there is a good chance it will fail to be spotted, with an average unweighted detection rate across major antivirus providers of a little under 50%.
With two-factor authentication and antivirus software largely ineffective at protecting virtual currency holders, Dell SecureWorks suggests using alternative wallets such as Armory and Electrum, which can protect against theft-by-malware by using a tricky split arrangement for key storage.
Splitting involves one computer, disconnected from any network, running a copy of the software and holding the private key that can sign transactions, while a second PC connected to the Internet holds only a master public key of which addresses belong to the offline wallet.
This computer can generate transactions, but it cannot sign them because it does not have the private key. A user wishing to transfer coins generates an unsigned transaction on the online computer, carries the transaction to the offline computer, signs the transaction, and then carries it to the online computer to broadcast the transaction to the Bitcoin network.