Malware authors move fast. Following on from the previous blog post on Bitcoin botnet mining, we have seen a recent Trojan in the wild targeting Bitcoin wallets. The Trojan is Infostealer.Coinbit and it has one motive: to locate your Bitcoin wallet.dat file and email it to the attacker. This is not surprising considering the potential values in a Bitcoin wallet. We have also discovered source code on underground forums which locates the wallet and, using FTP, uploads it to the attacker's servers.
Figure 1. Code snippet found on underground forums to steal Bitcoin data via FTP
We expect that code similar to the techniques described above will find a way into other malware considering the amount of attention this sort of attack is currently receiving and with the amount of Bitcoins currently available for purchase. (For an overview on how Bitcoin works, view this Bitcoin overview video).
If you use Bitcoins, you have the option to encrypt your wallet and we recommend that you choose a strong password for this in the event that an attacker is attempting to brute-force your wallet open.
Thanks to Mario Ballano for his assistance in identifying the threat.
Additional thanks goes to Bernardo Quintero of Virustotal for initially locating the sample.