Popular Freeware Site Download.com Found Hosting Bitcoin Stealing Malware


A dangerous bitcoin stealing malware that swaps a user's wallet address with the attacker's was discovered by researchers to have been hosted on Download.com servers for over a year.

Researchers at security firm ESET have found two trojan applications hosted on CNET’s download.cnet.com, the 163rd most visited website in the world (Alexa stats), which are believed to have stolen the equivalent of some $80,000. The malware had been hosted on download.com since May 2, 2016 and was downloaded from CNET 311 times just last week and over 4500 times in total.

It was a Reddit user post that first had researchers concerned, after the user revealed how a simple copy and paste of their Monero address was refused as invalid. The malware, as it was soon discovered, was a trojan-ridden version of the Win32 Disk Imager software fetched from download.com. Researchers quickly determined that the malware intercepts wallet addresses that are copied to the clipboard and replaces them with the attacker’s own hardcoded bitcoin wallet address.
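The defensive check implied by the Reddit user's experience is to verify that what lands in the clipboard is still the address you copied. The following is an added example, not code from ESET or from this article: it polls a series of clipboard snapshots (constructed inline here; a real monitor would read the OS clipboard) and flags any transition where one valid Base58Check bitcoin address silently becomes a different valid one. The sample addresses are publicly documented example addresses, not the addresses from this case.

```python
import hashlib
import re

# Legacy Base58 bitcoin addresses: P2PKH starts with '1', P2SH with '3'.
BTC_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode Base58; each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 char
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def is_valid_btc_address(addr: str) -> bool:
    """True if addr is 25 bytes after decoding and its 4-byte checksum matches."""
    if not BTC_RE.match(addr):
        return False
    try:
        data = b58decode(addr)
    except ValueError:
        return False
    if len(data) != 25:
        return False
    payload, checksum = data[:-4], data[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def detect_swaps(snapshots: list[str]) -> list[int]:
    """Return indices where a valid address was replaced by a different valid one.

    A clipboard stealer like the one described above produces exactly this
    pattern: the user copies address A, the clipboard then holds address B.
    """
    hits = []
    for i in range(1, len(snapshots)):
        before, after = snapshots[i - 1].strip(), snapshots[i].strip()
        if (before != after and is_valid_btc_address(before)
                and is_valid_btc_address(after)):
            hits.append(i)
    return hits


# Constructed clipboard history: the user copies a documented example address,
# then the clipboard silently changes to a second (also valid) example address.
SAMPLE_SNAPSHOTS = [
    "hello",
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
    "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
]
```

`detect_swaps(SAMPLE_SNAPSHOTS)` returns `[2]`, the index at which the substitution occurred; a simple typo in an address fails the checksum and is not reported as a swap.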

“By searching for the attacker’s bitcoin address on Google, we were able to find some victims. For instance, someone published a blogpost about a website hack (not related to this malware stealer),” researchers wrote. “However, in the text of the post, the original bitcoin address was replaced by the malware author’s address, as shown in the second picture. Thus, the blogpost author might be infected with the bitcoin stealer.”

The Win32 Disk Imager software wasn’t the only trojanized application hosted on the website, with at least two other cases from the same authors. CodeBlocks, a popular open-source IDE used by C/C++ developers, contains the same payload and has since been blocked by CNET. MinGW-w64, the other malware, contains several malicious payloads, including a bitcoin stealer and a virus. CodeBlocks, in particular, has been downloaded 103,843 times since its listing, while MinGW-w64 saw 33 downloads last week and 465 in total.

CNET has since removed the trojanized applications after being notified by ESET.

Image credit: LIFARS archive.