Bitcoin blockchain allegedly infected by ancient 'Stoned' virus

A curious and probably accidental artefact has popped up in the Bitcoin blockchain, with a user reporting that it's identified as containing a virus by Microsoft's Security Essentials. The reason El Reg is inclined to think it's accidental: in this discussion on a Microsoft discussion board, user edc678 says MSE is identifying …

COMMENTS

This topic is closed for new posts.
  1. Exit Stage Right

    Many Monkey theorem

    I wonder how long it will be before the works of Shakespeare start to crop up?

    1. P. Lee

      Re: Many Monkey theorem

      I'd bet that this is the chaos of MS' software interacting with random data to produce... random non-functional rubbish output. Even if it did replicate the entire sequence of bytes in order, without the applied intelligence and the context of a floppy disk boot mechanism, those bits have no meaning.

      GIGO: unlike the monkeys, this has some evidence.

      Also, how many many mips are expended looking for "stoned" on a daily basis?

      1. Allan George Dyer

        Re: Many Monkey theorem

        "Also, how many many mips are expended looking for "stoned" on a daily basis?"

        Probably, remarkably few. The days when AV was 'search target for pattern 1, search target for pattern 2, …' were over within 5 years of Stoned. More efficient search techniques are used, so Stoned and thousands of other malware sharing some pattern will be eliminated high up in the decision tree.

    2. Ole Juul

      Re: Many Monkey theorem

      Or perhaps the complete works of Anonymous.

    3. JeffyPoooh
      Pint

      MonkeySoft: "Must... Attempt... To... Execute... Blockchain."

      I'm beginning to think that the von Neumann Architecture might have been a big mistake.

    4. d3rrial

      Re: Many Monkey theorem

      Unfortunately the Infinite Monkeys Theorem isn't applicable in this case, as it requires completely random data, which doesn't occur in the blockchain.

  2. Destroy All Monsters Silver badge
    Big Brother

    Regulation is what will keep Wall Street down. Oh wait...

    "the increasing regulatory attention the crypto-currency is receiving"

    Indeed, once "regulators" show up, you know the pigs are there, fearing to be possibly kept away from a good feast.

  3. Anonymous Coward
    Thumb Up

    STONED

    "Since STONED is a 27-year-old relic from the DOS days – all it did was pop up a boot message telling users “Your PC is now STONED”."

    Ahhh - the good old days - when virus writers were just trying to have a bit of fun...

    1. Mark 85

      Re: STONED

      Those were the days, indeed. I'm just surprised that no one has figured out how to fiddle with the bitcoin code such that they can call the bitcoins home to their wallet... or even such that once the coin is mined, the person who ran the mining operation doesn't get the coin, the miscreant does.

      1. Loyal Commenter Silver badge

        Re: STONED

        "I'm just surprised that no one has figured out how to fiddle with the bitcoin code such that they can call the bitcoins home to their wallet"

        Doing this is trivial - all that is needed is more computing power than every other machine on the Bitcoin network combined in order to fork the blockchain, or control over more than 50% of the machines on the network.

        The latter is actually conceivable if any of the mining pools or massive mining datacentres ever reaches 50% of the network hash-rate. (This could not be done in secret, as the address of the machine calculating the next block forms part of the block chain).

        Of course, the moment anyone tried to subvert the block-chain in this way, to give themselves an arbitrary number of bitcoins, or take bitcoins from other wallets, it would render the blockchain itself worthless, so could not actually be used for any material gain.

        1. Anonymous Coward

          Re: STONED

          "Doing this is trivial - all that is needed is more computing power than every other machine on the Bitcoin network combined in order to fork the blockchain, or control over more than 50% of the machines on the network."

          No, it is not trivial. Have you ever tried to do this on the testnet or on an altcoin?

          Second, you can't just do arbitrary shit if you have 51% of the network hashrate. You can fork it and double-spend, you can instamine a shitload of blocks with the timewarp attack, but you can't just do whatever you want.

          "The latter is actually conceivable if any of the mining pools or massive mining datacentres ever reaches 50% of the network hash-rate. (This could not be done in secret, as the address of the machine calculating the next block forms part of the block chain)."

          Your IP address is not contained in the block you mine. In fact, it's possible to be rather anonymous when mining. This is another reason why it's so hard to find the founder of Bitcoin.

      2. Tom 260

        Re: STONED

        More a semantic point than anything, but a bitcoin wallet does not contain any bitcoins, it is simply an identifier that can be cross referenced against the ledger (blockchain), which is what allows you to make a transaction (signed with your private key). At the moment it still requires far more computing power to brute force the wallet keys (either through collision or chancing on the duplicate of someone's private key) than finding a block by mining directly.

    2. Neoc

      Re: STONED

      I still have a warm spot in my heart for the Cookie Monster virus. DOS-based, it would eventually put up a message saying "gimme cookie" and do nothing else. After a while, the message would come back. Again and again, each time with less time between the message until eventually your PC would freeze.

      To get rid of it? You typed COOKIE on the command line and it would sanitize itself from your system.

      Benign, but fun.

    3. Anonymous Coward

      Re: STONED

      > Ahhh - the good old days - when virus writers were just trying to have a bit of fun...

      What fun is it when it destroys MD2DD disks with more than 96 files on it, and outright corrupts MD2HD, MF2DD and MF2HD disks?

      http://en.wikipedia.org/wiki/Stoned_%28computer_virus%29

      1. Don Jefe

        Re: STONED

        The fun factor is determined by how much MD2HD you are made of.

  4. Anonymous Coward

    the whole message

    so, without the infector portion, how can it be seen as something to be concerned about? is MSE searching for only the known visible part of the text? why is MSE even searching for Stoned when it is ineffective on systems these days?

    BONUS: who knows the rest of the output of Stoned?

    1. Coen Dijkgraaf

      Re: the whole message

      The rest of the output should have been the phrase "Legalise Marijuana", however due to a bug in the virus it never actually displayed that text but would crash and freeze your machine instead.

      As I recall the bug was when it attempted to draw an ASCII art Marijuana.

      1. Anonymous Coward

        Re: the whole message

        So this virus (presumably written by pot smokers) infected a machine which then stopped working, without even 'taking care of business' first. Why am I not surprised?

        1. NumptyScrub

          Re: the whole message

          quote: "So this virus (presumably written by pot smokers) infected a machine which then stopped working, without even 'taking care of business' first. Why am I not surprised?"

          Compared to some government IT procurement projects, Stoned was both more functional and more complete, even taking the fact that functionality was missing into account. It was also several million pounds less expensive to have developed.

          Stoner programmers being as effective as multinationals as well as cheaper? Who'd have thought? ;)

        2. Frumious Bandersnatch

          Re: the whole message

          "So this virus (presumably written by pot smokers) infected a machine which then stopped working, without even 'taking care of business' first. Why am I not surprised?"

          Nah, it worked. It's just that it lived so close to the top of memory that the stack area overlapped the area for the stored message (so regular subroutine calls and interrupts garbled it). For something that couldn't even "take care of business" as you put it, it was remarkably successful, bugs and all.

          (this comment based on actually disassembling the code and figuring out how it worked; I'm sure I have a copy of this still filed away somewhere)

    2. Crazy Operations Guy

      Re: the whole message

      Anti-virus only cares about the payload itself as most viruses have multiple infection vectors so there is no point in detecting those when payload scanning has worked just fine for many years.

      MSSE still scans for DOS viruses as Microsoft still supports DOS 6.22 and Windows 3.11 due to their widespread use in various embedded systems and industrial control computers.

      1. Robert Helpmann??
        Childcatcher

        Re: the whole message

        "Anti-virus only cares about the payload itself as most viruses have multiple infection vectors so there is no point in detecting those when payload scanning has worked just fine for many years."

        Not so much. AV products look for, or can be set to look for, where a file is run from, where the executable resides, and other parameters. They also scan for payload. In fact one of the basic tests for AV functionality, the EICAR "virus," takes advantage of this.

    3. Frumious Bandersnatch

      Re: the whole message

      "why is MSE even searching for Stoned when it is ineffective on systems these days?"

      For a few reasons:

      * because, as someone pointed out above, it's cheap to add more signatures (things are much better than the O(n) complexity we had in the very early days). If you can scan for it, and it's cheap to do so, then why not?

      * because it's one of those viruses that your scanner is expected to pick up (and virus scanner manufacturers used to use number of viruses detected as a marketing tool)

      * there are such things as virus droppers that will install all sorts of malware. The blockchain (or any random data file) mightn't be (isn't) a virus in itself, but if it contains the virus (which it doesn't) a dropper can pull it out and use it to infect something (so if I had an SQL database with lots of virus code, it would be nice if the av software could detect it in the db file)

      * who says that it's ineffective? Some people still use floppies. (true, it's not much of a risk, but the infection mechanism still works)

      * by catching the floppy-only variant, you might also catch derived versions (like NoInt) that can infect hard disk boot sectors

      Mostly, though, it's probably just a combination of inertia and anti-virus writers liking to keep old signatures around for historical/completist reasons. Maybe they should drop these old signatures, but imagine the embarrassment should one of these apparently "extinct" viruses have a high-profile outbreak and MS's program failed to detect it?

  5. Suricou Raven

    This is not good.

    Just coincidence, and the million monkeys effect - but it is possible to put data into the blockchain, if you've enough processing power or a whole lot of luck. That means this could be done deliberately, and is the type of prank many people might like.

    The good news is that the blockchain is separate from private keys, so even if your AV wipes the file your coins will still be safe. You'll just have to download it all again.

  6. kbb

    A cunning plan?

    So could this be a plan to make people so annoyed with their AV - "I can't spend my bitcoins because the stupid AV software thinks it has a virus" - that they turn it off?

  7. Brent Longborough
    Alien

    Conspiracy Theory #42

    In reply to "This is not good"

    '... put data into the blockchain, if you've enough processing power ...'

    Heard of "social connections"? How's this for a chain of them?:

    Big Banking <==> Government <==> FBI etc <==> NSA/GCHQ <==> Enough processing power?

    "Of course, when everyone's out to get you, you must expect to feel a bit paranoid"

    1. Crazy Operations Guy

      Re: Conspiracy Theory #42

      I always love how conspiracy theorists seem to have more faith in parts of the government being able to cooperate than even the staunchest Nationalist or even the President.

      1. Anonymous Coward

        Re: Conspiracy Theory #42

        Since half the conspiracy theorists are on the extreme right (the other half on the extreme left, there aren't many moderate/center conspiracy theorists as far as I can tell) one wonders how they can assign such amazing powers to a government they think is too incompetent to be trusted with anything?

  8. Irongut

    So AV false positives are news now?

    1. Crazy Operations Guy

      When they produce such an astronomically unlikely coincidence, yes.

  9. Richard_L

    There are other blockchain oddities...

    It's not the only oddity in the blockchain. There's supposedly loads of other cruft in there

    http://www.righto.com/2014/02/ascii-bernanke-wikileaks-photographs.html

    (excuse the weird URL - the link really is about bitcoin!)

  10. razorfishsl

    It is a proof of concept..

    1. Anonymous Coward

      I think it's Bitcoin that is a proof of concept.

  11. Anonymous Coward

    Bitcoin Bomb?

    Hmm, not only potential viri, but fundamentally how can we even know that Bitcoin is not already pre-programmed to suddenly start churning out more coins, stop altogether, or some other surprising "feature". We have no idea as to who is behind Bitcoin yet we have put as much, or more, trust in them than we have in buying REAL gold and silver coins which have inherent value. It would not surprise me if Bitcoin turns out to be a complete scam - I am not saying that it will be and in fact I did buy a very small amount to see where this journey ends, but I am completely prepared for the theft of my coins, or it being a scam, or some other "surprise".

    1. Mage Silver badge

      Re: Bitcoin Bomb?

      "yet we have put as much, or more, trust in them than we have in buying REAL gold and silver coins which have inherent value"

      Who are these "we" you refer to?

      Also I don't think real Gold & Silver coins are used any more for trading. All trading currencies are "fiat".

    2. d3rrial

      Re: Bitcoin Bomb?

      Then I suppose you will be surprised to hear that Bitcoin is open source.

      Not only that, but also programmed by well-known and trusted developers like Wladimir J. van der Laan or Gavin Andresen

    3. Frumious Bandersnatch
      Headmaster

      Re: Bitcoin Bomb?

      Have a downvote for "viri". I stopped reading after that.

      1. Vladimir Plouzhnikov

        Re: Bitcoin Bomb?

        Maybe it was a typo and he simply meat "Siri"?

  12. Anonymous Coward

    Wahey.

    It did indeed hail from New Zealand in 1987, I met the guy that wrote it. Old skool!

  13. Captain Scarlet
    Trollface

    Another way for MS to make money

    Claim your bitcoins (Other virtual currencies are available) are old viruses, upload them to the server and then delete them from your machine!

  14. Truth4u

    2,000 thumbs down can't be wrong

    More than once a month there's a story on here pretty much proving de facto what I've been posting for a decade.

    AV is so CRUDE it will match random cryptographic strings as viruses that haven't even been in the wild for over TWENTY FIVE YEARS.

    It does not catch ANY 'current' viruses. Virus writers TEST THEIR CODE to make sure AV PROGRAMS DO NOT FIND IT.

    Maybe if you thumb this post down enough times maybe you will deny reality so hard that your AV will actually start being useful, but I doubt it.

    You are PAYING MONEY for a USELESS CATALOGUE OF OLD DOS VIRUSES, and little else.

    1. Mark .

      Re: 2,000 thumbs down can't be wrong

      Maybe, but I don't know anyone who's paying money for Microsoft Security Essentials (it's free).

    2. Mage Silver badge

      Re: 2,000 thumbs down can't be wrong

      As another has said, the MS AV is free and I'd argue it's probably not much different to any Paid AV.

      The whole history of paid AV products is false positives that cripple machines. I'm no MS fan, but I wouldn't single them out on this.

      Not when there are bigger targets of MS stupidity like one GUI for everything (CE era Desktop WIMP stupid on 320 x 240 PDA, today Zune GUI stupid on Desktop PC). The Ribbon. etc

      1. Truth4u

        Re: 2,000 thumbs down can't be wrong

        "The whole history of paid AV products is false positives that cripple machines. I'm no MS fan, but I wouldn't single them out on this."

        So essentially we are in agreement?

        I'm not singling MS out, there isn't a safe or effective AV software available from anyone, they are ALL filled with useless definitions from 20 years ago.

        1. Truth4u

          Re: 2,000 thumbs down can't be wrong

          Your AV is more likely to delete a completely safe innocuous software crack and leave the real malware behind.

  15. Caesarius
    Joke

    HHGTTG Quote (paraphrased)

    All this talk of random numbers and not-so-random numbers reminds me of something:

    If, he thought to himself, such a numerical coincidence is a virtual impossibility, then it must logically be a finite improbability. So all I have to do in order to make one is to work out exactly how improbable it is, feed that figure into the bitcoin generator, give it a fresh cup of really hot virus code ... and turn it on!

    He did this, and was rather startled to discover that he had managed to create the long sought after golden Infinite Improbability bitcoin generator out of thin air.

    It startled him even more when just after he was awarded the Galactic Institute's Prize for Extreme Cleverness he got lynched by a rampaging mob of respectable AV salesmen who had finally realized that the one thing they really couldn't stand was a smartass.

  16. Brangdon
    Unhappy

    Is there any reason to think it wasn't deliberate?

    Deliberately inserting virus signatures into the block chain has been talked about for a while. For example, http://pastebin.com/ct2WHUK5. Nor is this the first time it's happened, eg https://bitcointalk.org/index.php?topic=559365. Unless there's evidence to the contrary, I would expect this to be deliberate.

  17. oolor
    Thumb Up

    ...

    I see what you did there Mr. Chirgwin.
