
DevilRobber trojan steals Bitcoins and data

A new Trojan horse being distributed through pirated software for OS X will try to scam the Bitcoin network and steal personal information.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Software piracy may be enticing for some people, but beyond being theft, it means running potentially unstable software and gives malware an avenue to wreak havoc on your system and your personal information.

Many times when software packages are offered for free, thieves are offering them as a lure to spread Trojans and other malware among the systems of unsuspecting people who are trying to get away without paying for software.

This practice is nothing new, and a couple of years ago a Trojan horse called iServices was found embedded in pirated copies of Apple's iWork '09 suite, which, as with most Trojan horses, attempted to contact remote servers to send personal information and download malicious files to the infected systems.

In the past week, another similar Trojan (called DevilRobber or Miner-D) has been found embedded in pirated copies of the image manipulation tool called Graphic Converter, which is a popular program that Apple even bundled with Mac systems for a while. The Graphic Converter program is legitimate software, but the malware developers are releasing compromised versions of it, containing their malware, on file-sharing networks.

Figure: Bitcoin network diagram. Bitcoins are managed on a peer-to-peer network instead of by a central authority. (Bitcoin)

As with other Trojan horses, this new one also attempts to steal personal information and data; however, its main purpose is to use infected computers to generate counterfeit copies of the Bitcoin online currency.

Bitcoins are a concept that uses a peer-based economy to generate and balance an online currency. Each bitcoin is similar to a certificate that is given an encrypted signature for an individual and is stored in a virtual "wallet" for that user. When you transfer a bitcoin to another individual, the signature encryption is passed to the new user and is stored in that user's wallet, offering in essence a similar value transfer as state-sponsored monetary systems like the Dollar or Euro.

In order to balance the system, the Bitcoin network has programs called miners that take into account the number of transactions being done with Bitcoins, and create new ones at rates based on how they are being used. In essence, the miners are similar to the Federal bank in that they keep track of the number of coins in circulation to prevent artificial inflation or deflation.

The Bitcoin currency is a clever idea that has promise, but as with counterfeiting any currency, there are attempts to counterfeit Bitcoins, especially since services already exist that exchange the coins for goods and can even convert them into dollars, Euros, or other conventional currency.

Since the Bitcoin mining operation requires the tracking of numerous transactions over time, the DevilRobber malware developers attempt to simulate this by distributing the malware to numerous computers and using infected systems' CPUs and GPUs to run massive amounts of the parallel-processing tasks that are required for Bitcoin mining.

As a result, systems that are running the rogue Bitcoin miner programs will be bogged down as the CPU and GPU are used extensively.
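The sustained CPU load described above is something a defender can look for. The following is an added example, not part of the original article: it parses repeated snapshots in the format of `ps -Ao pid,pcpu,comm` and flags processes that stay above a CPU threshold across consecutive samples. The sample data, process names, paths, and thresholds are constructed assumptions, not DevilRobber indicators.

```python
# Constructed snapshots in the format of `ps -Ao pid,pcpu,comm`, taken a minute apart.
# Process names and paths are invented for illustration only.
SNAPSHOTS = [
    """  PID  %CPU COMM
  412  97.5 /Users/sam/Library/example_helper/worker
  530  88.0 /Applications/Safari.app/Contents/MacOS/Safari
""",
    """  PID  %CPU COMM
  412  98.2 /Users/sam/Library/example_helper/worker
  530   3.0 /Applications/Safari.app/Contents/MacOS/Safari
""",
    """  PID  %CPU COMM
  412  96.9 /Users/sam/Library/example_helper/worker
  530   1.5 /Applications/Safari.app/Contents/MacOS/Safari
""",
]

def parse_ps(text):
    """Yield (pid, cpu, command) from one ps snapshot, skipping the header row."""
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)  # the command path may contain spaces
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), float(parts[1]), parts[2].strip()
        except ValueError:
            continue  # ignore malformed rows

def sustained_cpu(snapshots, threshold=80.0, min_consecutive=3):
    """Return {(pid, command): peak_cpu} for processes at or above `threshold`
    in at least `min_consecutive` consecutive snapshots."""
    streak, flagged = {}, {}
    for snap in snapshots:
        current = {}
        for pid, cpu, cmd in parse_ps(snap):
            if cpu >= threshold:
                count, peak = streak.get((pid, cmd), (0, 0.0))
                current[(pid, cmd)] = (count + 1, max(peak, cpu))
        # A process that exited or dropped below the threshold loses its streak,
        # so a brief legitimate spike or a reused PID is not counted.
        streak = current
        for key, (count, peak) in streak.items():
            if count >= min_consecutive:
                flagged[key] = peak
    return flagged

if __name__ == "__main__":
    for (pid, cmd), peak in sustained_cpu(SNAPSHOTS).items():
        print(f"pid {pid} sustained high CPU (peak {peak}%): {cmd}")
```

A flagged process is only a lead for review: legitimate work such as video encoding also holds the CPU high, so check what the executable is and where it came from.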

In addition to generating Bitcoins, the DevilRobber searches an infected system for a user's Bitcoin wallet and attempts to steal it. It also takes screenshots of the system, and sends them to remote servers along with other information it can round up, including the following:

  • Browser histories that can contain Web sites that require user accounts
  • Unlocked data from the TrueCrypt drive encryption software
  • The Terminal's .bash_history file, which may contain usernames and server addresses
  • Information from the Vidalia plug-in for Firefox, which is part of the "Tor" anonymous browsing project.

In addition to theft activities, analysis of the malware by Sophos suggests the malware also searches for underground and child pornography cues.

This Trojan is a fairly complex one, and while for now it has been found in compromised versions of Graphic Converter, the malware developers can easily use other packages; however, in order to pose a threat, all of these would have to be obtained from underground Web sites and illegitimate software distribution services.

Should you worry?
The description of this Trojan as stealing, counterfeiting, and dealing with child pornography sounds scary and troubling, but ultimately it is nothing new to malware. Overall, do not let it obscure the fact that this malware is being distributed only in pirated software.

If you purchase software legitimately and do not steal it, then you have nothing to worry about. The easiest way to protect yourself from Trojan horses like this one is to avoid software piracy and only download software directly from developers or from legitimate software download sites and services like CNET's Download.com.

However, it is always a good idea to approach any software package with an air of caution. If you find a downloaded installer package on your system and are uncertain where it came from, then simply remove it and visit the developer's Web site to download the package again. Even if it takes a while to redownload, it's better to be safe than sorry.

In addition to observing safe browsing and computing practices, even though the malware situation on the Mac is still minimal in comparison to Windows, it is growing a little at a time. I recommend that people keep a good updated malware scanner on their systems.

While it is not necessary to set scanners to frequently check the entire system or enable on-demand scanning for all files (which is primarily useful for worms, viruses, and other self-replicating malware), having a scanner periodically check any newly downloaded content will not hurt. Some recommended malware scanners include Sophos, VirusBarrier, and ClamXav, but there are plenty of other options available for you to choose from and try out.


