New Instance of Pony Botnet Steals Virtual Currencies

New Instance of Pony Botnet Stealing Bitcoins and Other Virtual Currencies

In just four months, from September 2013 to January 2014, this new Pony botnet stole credentials for 600,000 websites, 100,000 email accounts, 6,000 FTP accounts, 900 secure shell accounts and 800 remote desktop accounts. It did this primarily through its keylogging capability, which records the data before sending it back to the criminals' server. The difference now, however, is that Pony has been modified to also target 31 different virtual currencies, and it has successfully stolen primarily Bitcoins (355), Litecoins (280), Primecoins (33) and Feathercoins (46).

Just over a year ago bitcoins were valued at around £30. Since then they peaked at around $1000 and are currently valued at about $600. As their value has increased, so has the interest of thieves. Trustwave explains that the attraction is heightened by the ease of theft and the inherently hidden trail: with bitcoins there is no such thing as 'marked money', a registered owner or an audit trail of accounts.

Bitcoins are held in virtual wallets, which, explain Trustwave's researchers, "are essentially pairs of private and public keys. Whoever holds the private key to a wallet is the owner of that wallet and no name, ID or history is associated with the wallet."

So stealing bitcoins requires nothing more than stealing the private key associated with the virtual wallet. Once done, the content of the wallet can be transferred to another wallet and kept or cashed via a trading website. This can be done in complete safety by the criminal since bitcoin trades are both irreversible and anonymous – and as far as the currency is concerned, by pwning the private key, the criminal legitimately owns the bitcoins.

Since the Pony botnet is geared to steal credentials, it is an easy leap to stealing virtual currency credentials. In theory, notes Trustwave, "The owner can encrypt the wallet with a password that they must then enter in order to use their wallet, this helps protect their private key. If the wallet.dat file is encrypted this way, a thief still cannot obtain the private key from within it, but… Sadly, it seems that most users do not encrypt their wallets with a password."

The total value of virtual currency stolen by this Pony amounts to $220,000, which could perhaps be considered small potatoes by the standards of modern cybercriminal thefts, but is nevertheless indicative of a growing trend. Bitcoins and other virtual currencies will be increasingly targeted as they increase in value, and users will need to understand that protecting their wallets is the only way they can protect their money.
