We're always asking our analysts the following question: seen anything interesting? And yesterday, the answer to our query was this: Gameover ZeuS has some additional strings.
Bitcoin wallet stealing has really moved up from the bush leagues. Gameover ZeuS is a pro.
Analysis is ongoing.
Here's the SHA1: 657b1dd40a4addc1a6da0fb50ee6e325fff84dc4
Analysis by — Mikko Suominen
Updated to add:
Gameover ZeuS can now steal both Bitcoin wallets and the passwords used to encrypt them.
Theft is accomplished by hooking two functions in processes named bitcoin-qt.exe (the normal GUI client) and bitcoind.exe (the client used for Bitcoin mining). The hooked functions are:
• The Windows API NtCreateFile • A function in the Bitcoin process that is called when the user encrypts his Bitcoin wallet
The first hook enables Gameover ZeuS to steal the content of the Bitcoin wallet as the Bitcoin client accesses it. The second hook enables Gameover ZeuS to steal the password the victim uses to encrypt his wallet.
