ComboJack: Never say never

Never trust an absolute. (Irony intended.)

The historical floor is littered with axioms once immune to challenge because, according to circular reasoning at the time, everyone knew they were true. Take, for instance: Running a mile in under four minutes is physiologically impossible, we’ll never put a human on the moon, only people use tools, guitar bands are on their way out, and there is no reason anyone would want a computer in their home.

Thanks to the ingenuity of the criminal mind, we now have a more recent absolute to discard: Blockchain technology is secure.

Blockchain technology’s roots stretch back to a 1992 idea for combatting junk email, later dubbed a Proof-of-Work system (POW). The original idea was to pose challenges that are daunting for computers to process but not for humans. Everyone’s favorite annoyance, CAPTCHA, is an example. This in time led to Hashcash, a spam-stopper notably used by Microsoft in various applications. Full-fledged blockchain technology emerged when “Satoshi Nakamoto,” whose true identity remains a mystery, used Hashcash’s proof-of-work function as the mining core for Bitcoin. Medium’s Aleksandr Bulkin wrote:

… the way Satoshi combined [Hashcash’s POW] and other existing concepts — cryptographic signatures, merkle chains, and P2P networks — into a viable distributed consensus system, of which cryptocurrency is the first and basic application, was quite innovative.

Blockchain is “similar to an enormous ledger,” reports Fraedom, that “… stores transaction data across vast networks of computers that constantly check and verify information with each other.” To hack innumerable, identical copies of a transaction spread around the globe is a near impossibility at this time. That is the essence of the technology’s imperviousness to mischief.

It wasn’t long before industries with no interest in Bitcoin nonetheless showed an interest in blockchain. Since its essential features—distribution, transparency, and permission—made online counterfeiting and fraud pretty much impossible, blockchain seemed to promise an ideal way to conduct secure transactions online.

The problem with “pretty much impossible” is those words “pretty much.” Blockchain has not turned out to be invulnerable.

Enter ComboJack

ComboJack may sound like a cholesterol-laden breakfast offering on the menu at Denny’s, but in fact it’s a malware application designed to steal online currency—including Bitcoin, Ethereum, Litecoin and Monero. Self-described next-generation security company Palo Alto Networks discovered the app and named it ComboJack “… because of how it attempts to hijack a combination of digital currencies.”

According to Palo Alto, ComboJack targets cryptocurrencies and online wallets …

… by replacing clipboard addresses with an attacker-controlled address which sends funds into the attacker’s wallet. This technique relies on victims not checking the destination wallet prior to finalizing a transaction … ComboJack targets both a range of cryptocurrencies as well as digital currencies such as WebMoney and Yandex Money.

ComboJack finds its way into computers via an innocent-looking email and is unleashed by clicking on an attached PDF. The malware relies on the fact that humans aren’t fond of typing and retyping digital wallet addresses, preferring to copy and paste them. I wouldn’t call the preference laziness, but pragmatism. Just yesterday, as I moved some cryptocurrency from my Coinbase account to a hardware wallet, I saw for myself how cumbersome those strands of code are for anyone self-punishing enough not to use copy-and-paste.
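As an added illustration (not code from the original post, from Palo Alto Networks, or from ComboJack itself), the Python below shows the defender’s side of the clipboard trick: one routine flags a clipboard history in which a wallet address is silently replaced by a different address of the same family within a few seconds, and a second, wallet-side check compares a pasted destination against a labelled address book before anything is sent. The address patterns, the time window, the address book and the sample clipboard events are all constructed assumptions for the demo.

```python
import re
from datetime import datetime, timedelta

# Simplified, constructed address shapes: enough for the demo, not a full validator.
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^(bc1[a-z0-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][1-9A-HJ-NP-Za-km-z]{26,33})$"),
    "monero":   re.compile(r"^[48][0-9A-Za-z]{94}$"),
}

def classify(text):
    """Return the currency family a clipboard string looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def detect_swaps(events, window=timedelta(seconds=5)):
    """events: ordered list of (timestamp, clipboard_text).
    Flag every case where one address is replaced by a *different* address of the
    same family within `window`: a user rarely copies two addresses that fast, a
    clipboard hijacker always does."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        fam_prev, fam_cur = classify(prev), classify(cur)
        if fam_prev and fam_prev == fam_cur and prev.strip() != cur.strip() \
                and t_cur - t_prev <= window:
            alerts.append((t_cur, fam_cur, prev.strip(), cur.strip()))
    return alerts

def verify_destination(pasted, address_book):
    """Wallet-side check: a pasted destination should match a labelled entry.
    Returns (ok, label_or_reason) so the UI can name the recipient or warn."""
    pasted = pasted.strip()
    if pasted in address_book:
        return True, address_book[pasted]
    family = classify(pasted) or "unknown"
    return False, "unlabelled %s address; compare every character before sending" % family

# Constructed address book and clipboard history (hypothetical values).
ADDRESS_BOOK = {"0x" + "a" * 40: "My hardware wallet"}
SAMPLE_EVENTS = [
    (datetime(2018, 3, 7, 10, 0, 0), "meeting notes"),
    (datetime(2018, 3, 7, 10, 0, 5), "0x" + "a" * 40),   # user copies intended address
    (datetime(2018, 3, 7, 10, 0, 6), "0x" + "b" * 40),   # replaced one second later
    (datetime(2018, 3, 7, 10, 1, 0), "1" + "B" * 33),    # ordinary copy, nothing follows
]

if __name__ == "__main__":
    for when, family, before, after in detect_swaps(SAMPLE_EVENTS):
        print("%s: %s address swapped %s -> %s" % (when, family, before[:8], after[:8]))
    print(verify_destination("0x" + "b" * 40, ADDRESS_BOOK))
```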

On the reassuring side, according to SC Magazine, ComboJack’s “… early results don’t appear impressive.” Still, there is prudence in looking at malware the likes of ComboJack as an initial foray. Nastier iterations are likely coming. For that matter, ComboJack is itself something of an iteration of CryptoShuffler, a trojan that, as also reported by SC Magazine last October, had by then absconded with $145,000 worth of Bitcoin.

As I have noted before, cyber security is an arms race. The moment the good guys come up with new levels of security, the bad guys rise to the challenge and look for ways to beat them. If I had to come up with something positive out of that, I suppose I could say that the perpetual nature of the arms race provides job insurance for both sides.

All of which spells an opportunity in the wallet software space. I’m betting that operating system manufacturers the likes of Microsoft, Apple, Google, and others will not be long in offering support for labeling, or at least simplifying, wallet address management.
