There are reports of anti-virus false positive detections on Bitcoin files, more precisely detections of the old Stoned computer virus.
I found the smoking gun! These reports should not be dismissed as hoaxes.
I’ve identified 2 Bitcoin transactions that contain byte sequences found in the Stoned computer virus. Here they are:
- f09904aaa4fa4a8ec7da06f5e3d318a9b6a218e1a215f9307416fbbadf5a1c8e
- fcf5cf9893a142897598edfc753bd6162e3638e138fc2feaf4a3477c0cfb65eb
Both transactions appear in blocks dated 2014-04-04.
The first transaction has byte sequences of the Stoned computer virus in the address of transaction outputs 1, 2, 3 and 4:
Txout 1: value: 1 txOutScriptLength: 25 txOutScript: 'OP_DUP OP_HASH160 0700ba8000cd13eb4990b90300ba000100000000 OP_EQUALVERIFY OP_CHECKSIG'
Stoned virus byte sequence: 0700ba8000cd13eb4990b90300ba0001
Txout 2: value: 1 txOutScriptLength: 25 txOutScript: 'OP_DUP OP_HASH160 b8010333dbb10133d29c00000000000000000000 OP_EQUALVERIFY OP_CHECKSIG'
Stoned virus byte sequence: b8010333dbb10133d29c
Txout 3: value: 1 txOutScriptLength: 25 txOutScript: 'OP_DUP OP_HASH160 750e33c08ed8a03f04a8017503e8070000000000 OP_EQUALVERIFY OP_CHECKSIG'
Stoned virus byte sequence: 750e33c08ed8a03f04a8017503e80700
Txout 4: value: 1 txOutScriptLength: 25 txOutScript: 'OP_DUP OP_HASH160 b8010333dbb10133d29c00000000000000000000 OP_EQUALVERIFY OP_CHECKSIG'
Stoned virus byte sequence: b8010333dbb10133d29c
I’ve submitted this transaction to VirusTotal: 16 detections. I also submitted the block containing this transaction: 5 detections.
The second transaction has a byte sequence of the Stoned computer virus in the address of transaction output 43:
Txout 43: value: 10 txOutScriptLength: 25 txOutScript: 'OP_DUP OP_HASH160 0400b801020e07bb000233c98bd1419c00000000 OP_EQUALVERIFY OP_CHECKSIG'
Stoned virus byte sequence: 0400b801020e07bb000233c98bd1419c
I’ve submitted this transaction to VirusTotal: 14 detections. I also submitted the block containing this transaction: 4 detections.
This is a likely explanation for the “Stoned Virus” anti-virus alerts on Bitcoin blockchain files that were reported in the news.
Stuffing messages in the address of the output(s) of a transaction is a well known method to insert messages in the Bitcoin blockchain. The drawback is that the Bitcoins sent to these addresses are irrevocably lost, because these addresses have no (known) private key. That is why only very small amounts are transferred (1 and 10 Satoshis in these transactions). The message is limited to 20 bytes (the size of the raw address used in the output).
But I believe that all output addresses in these transactions (except for the last output) are byte sequences found in malware.
When I run ClamAV’s sigtool on these transactions (with a recent database), a lot of signatures are found:
VIRUS NAME: Gen.600;MATCH: ** YES ** (1 match at offset: 1321)
VIRUS NAME: Gen.696;MATCH: ** YES ** (1 match at offset: 1356)
VIRUS NAME: Gen.801;MATCH: ** YES ** (1 match at offset: 1798)
VIRUS NAME: Stoned.1;MATCH: ** YES ** (1 match at offset: 200)
VIRUS NAME: Stoned.2;MATCH: ** YES ** (1 match at offset: 266)
VIRUS NAME: Syslock.1;MATCH: ** YES ** (1 match at offset: 369)
VIRUS NAME: Syslock.2;MATCH: ** YES ** (2 matches at offsets: 404 368)
VIRUS NAME: Ten-Bytes;MATCH: ** YES ** (1 match at offset: 606)
VIRUS NAME: Terminator.1;MATCH: ** YES ** (1 match at offset: 642)
VIRUS NAME: Terror.1;MATCH: ** YES ** (1 match at offset: 675)
VIRUS NAME: Terror.2;MATCH: ** YES ** (1 match at offset: 709)
VIRUS NAME: Terror.4;MATCH: ** YES ** (1 match at offset: 744)
VIRUS NAME: Terror;MATCH: ** YES ** (1 match at offset: 810)
VIRUS NAME: Tiny-163.A;MATCH: ** YES ** (1 match at offset: 845)
VIRUS NAME: Tiny-163.C;MATCH: ** YES ** (1 match at offset: 879)
VIRUS NAME: Tiny-A;MATCH: ** YES ** (1 match at offset: 912)
VIRUS NAME: Tori-1;MATCH: ** YES ** (1 match at offset: 1014)
VIRUS NAME: Tree;MATCH: ** YES ** (1 match at offset: 1050)
VIRUS NAME: TUQ.RPVS;MATCH: ** YES ** (1 match at offset: 538)
VIRUS NAME: USSR-1049.A;MATCH: ** YES ** (1 match at offset: 1083)
VIRUS NAME: USSR-2144.B;MATCH: ** YES ** (1 match at offset: 1117)
VIRUS NAME: USSR-3103;MATCH: ** YES ** (1 match at offset: 1152)
VIRUS NAME: USSR-311.B;MATCH: ** YES ** (1 match at offset: 1184)
VIRUS NAME: USSR-311.D;MATCH: ** YES ** (1 match at offset: 1219)
VIRUS NAME: USSR-311.E;MATCH: ** YES ** (1 match at offset: 1252)
VIRUS NAME: USSR-516.B;MATCH: ** YES ** (1 match at offset: 1287)
VIRUS NAME: USSR-601;MATCH: ** YES ** (1 match at offset: 1320)
VIRUS NAME: USSR-707.B;MATCH: ** YES ** (1 match at offset: 1390)
VIRUS NAME: USSR-707.C;MATCH: ** YES ** (1 match at offset: 1422)
VIRUS NAME: USSR-711.C;MATCH: ** YES ** (1 match at offset: 1458)
VIRUS NAME: USSR-830;MATCH: ** YES ** (1 match at offset: 1490)
VIRUS NAME: USSR-948.B;MATCH: ** YES ** (1 match at offset: 1525)
VIRUS NAME: V1244;MATCH: ** YES ** (1 match at offset: 1661)
VIRUS NAME: V191;MATCH: ** YES ** (1 match at offset: 1697)
VIRUS NAME: V-1L;MATCH: ** YES ** (1 match at offset: 1594)
VIRUS NAME: V200.B;MATCH: ** YES ** (1 match at offset: 1729)
VIRUS NAME: Vacsina.2;MATCH: ** YES ** (1 match at offset: 1900)
VIRUS NAME: Vacsina.3;MATCH: ** YES ** (1 match at offset: 1934)
VIRUS NAME: Vacsina.4;MATCH: ** YES ** (1 match at offset: 1966)
VIRUS NAME: VCS (Clam);MATCH: ** YES ** (1 match at offset: 1830)
VIRUS NAME: VHP-361.A;MATCH: ** YES ** (1 match at offset: 1864)
VIRUS NAME: Vienna-1028;MATCH: ** YES ** (1 match at offset: 2172)
VIRUS NAME: Vienna.1;MATCH: ** YES ** (2 matches at offsets: 2068 2034)
VIRUS NAME: Vienna.1-1;MATCH: ** YES ** (1 match at offset: 2068)
VIRUS NAME: Vienna.2;MATCH: ** YES ** (1 match at offset: 2102)
VIRUS NAME: Vienna-62.B;MATCH: ** YES ** (1 match at offset: 2205)
VIRUS NAME: Vienna.7;MATCH: ** YES ** (1 match at offset: 2137)
VIRUS NAME: TinyFamily2;MATCH: ** YES ** (1 match at offset: 946)
VIRUS NAME: TinyFamily3;MATCH: ** YES ** (1 match at offset: 980)
VIRUS NAME: Italian.1;MATCH: ** YES ** (1 match at offset: 231)
VIRUS NAME: Italian-Generic;MATCH: ** YES ** (1 match at offset: 266)
VIRUS NAME: Jerusalem.1;MATCH: ** YES ** (1 match at offset: 301)
VIRUS NAME: Jerusalem-1361;MATCH: ** YES ** (1 match at offset: 469)
VIRUS NAME: Jerusalem.2.Nemesis;MATCH: ** YES ** (2 matches at offsets: 1592 334)
VIRUS NAME: Jerusalem.5;MATCH: ** YES ** (1 match at offset: 368)
VIRUS NAME: Jerusalem.7;MATCH: ** YES ** (1 match at offset: 403)
VIRUS NAME: Jerusalem.9;MATCH: ** YES ** (1 match at offset: 436)
VIRUS NAME: Jerusalem-Family.1;MATCH: ** YES ** (1 match at offset: 504)
VIRUS NAME: Jerusalem-USA;MATCH: ** YES ** (1 match at offset: 572)
VIRUS NAME: Kharkov-1024;MATCH: ** YES ** (1 match at offset: 605)
VIRUS NAME: Label.1;MATCH: ** YES ** (1 match at offset: 674)
VIRUS NAME: Label.2;MATCH: ** YES ** (1 match at offset: 707)
VIRUS NAME: Leech.1;MATCH: ** YES ** (1 match at offset: 741)
VIRUS NAME: Leprosy.1;MATCH: ** YES ** (1 match at offset: 777)
VIRUS NAME: Leprosy.2;MATCH: ** YES ** (1 match at offset: 809)
VIRUS NAME: Leprosy.4;MATCH: ** YES ** (1 match at offset: 843)
VIRUS NAME: Leprosy-A;MATCH: ** YES ** (1 match at offset: 879)
VIRUS NAME: LOL;MATCH: ** YES ** (1 match at offset: 641)
VIRUS NAME: Lozinsky.2;MATCH: ** YES ** (1 match at offset: 913)
VIRUS NAME: Macho;MATCH: ** YES ** (1 match at offset: 1015)
VIRUS NAME: Minnow;MATCH: ** YES ** (1 match at offset: 1081)
VIRUS NAME: Mirror.1;MATCH: ** YES ** (1 match at offset: 1117)
VIRUS NAME: Mis-Speller;MATCH: ** YES ** (1 match at offset: 1149)
VIRUS NAME: MIX1;MATCH: ** YES ** (1 match at offset: 1217)
VIRUS NAME: MIX1-B;MATCH: ** YES ** (1 match at offset: 1251)
VIRUS NAME: Mixer-1A;MATCH: ** YES ** (1 match at offset: 1319)
VIRUS NAME: Mixer-1B;MATCH: ** YES ** (1 match at offset: 1354)
VIRUS NAME: Mix-I;MATCH: ** YES ** (1 match at offset: 1286)
VIRUS NAME: MLTI.1;MATCH: ** YES ** (1 match at offset: 945)
VIRUS NAME: MLTI.2;MATCH: ** YES ** (1 match at offset: 981)
VIRUS NAME: Mummy;MATCH: ** YES ** (1 match at offset: 1422)
VIRUS NAME: New-COM.1;MATCH: ** YES ** (1 match at offset: 1659)
VIRUS NAME: Nomenclatura.2;MATCH: ** YES ** (1 match at offset: 1693)
VIRUS NAME: Nothing;MATCH: ** YES ** (1 match at offset: 1729)
VIRUS NAME: NPox-1;MATCH: ** YES ** (1 match at offset: 1491)
VIRUS NAME: NV-71;MATCH: ** YES ** (1 match at offset: 1525)
VIRUS NAME: Ontario.3;MATCH: ** YES ** (1 match at offset: 1932)
VIRUS NAME: Orion-263;MATCH: ** YES ** (1 match at offset: 1966)
VIRUS NAME: Oropax.1;MATCH: ** YES ** (1 match at offset: 2001)
VIRUS NAME: Oropax.2;MATCH: ** YES ** (1 match at offset: 2035)
VIRUS NAME: OV;MATCH: ** YES ** (1 match at offset: 1762)
VIRUS NAME: PC-Bandit;MATCH: ** YES ** (1 match at offset: 2067)
VIRUS NAME: PRSC1024;MATCH: ** YES ** (1 match at offset: 2203)
VIRUS NAME: Boot.OneHalf;MATCH: ** YES ** (1 match at offset: 1898)
VIRUS NAME: Jerusalem-PuertoExe;MATCH: ** YES ** (1 match at offset: 537)
VIRUS NAME: Mistake.TypoBoot;MATCH: ** YES ** (1 match at offset: 1183)
VIRUS NAME: MtE.mem.2-staticsig;MATCH: ** YES ** (1 match at offset: 1387)
VIRUS NAME: MutationEng-NE;MATCH: ** YES ** (1 match at offset: 1455)
VIRUS NAME: OldYankee.1;MATCH: ** YES ** (1 match at offset: 1796)
VIRUS NAME: OldYankee.2;MATCH: ** YES ** (1 match at offset: 1829)
VIRUS NAME: OldYankee.3;MATCH: ** YES ** (1 match at offset: 1863)
VIRUS NAME: Stoned-B;MATCH: ** YES ** (1 match at offset: 1625)
VIRUS NAME: Nado.Lover.602-1;MATCH: ** YES ** (1 match at offset: 1557)
My conclusion: these transactions are a deliberate attempt to generate as many false positive anti-virus detections as possible on systems that store Bitcoin transactions on disk. Virus signatures were stuffed in the addresses of the outputs of these transactions.
And I don’t think the attempt was limited to these 2 transactions. Around the same time, I find other transactions where the output addresses also end with null bytes:
Hash: edb83f04e68bfe78bbfe7ce80d33e85acb9335c96ead5712517b8c70d1f27b38
Hash: 7e49504c7cecea7ea95d78ff14687878ba581a21dc0772805d2925c617514129
Hash: f65895220f04aa0084d9abae938d3f517893e3afbffe25fc9e7073e02331b9ed
Hash: 8a445d12f225a21d36bb78da747efd2e74861fcd033757da572c0434d423acd1
Hash: 2814673f0952b936d578d73197bfd371cefbd73c6294bab16de1575a4c3f6e80
Hash: 5dbb9df056c36457228a841d6cc98ac90967bc88411c95372d3c2d92c18060f8
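To make the two observations above concrete (signature bytes stuffed into the 20-byte HASH160 slot of a P2PKH output, and the null-byte padding that such outputs end with), here is an added example, not code from the original post: it parses a standard 25-byte P2PKH scriptPubKey, extracts the 20-byte payload and flags outputs that contain one of the Stoned sequences quoted above or that end in null bytes. The sample scripts are the four quoted outputs re-serialised as hex; the ordinary-looking P2PKH script and the OP_RETURN output are constructed for contrast.

```python
from binascii import unhexlify

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

# Stoned byte sequences as quoted from the transaction outputs in the post.
STONED_SEQUENCES = [unhexlify(h) for h in (
    "0700ba8000cd13eb4990b90300ba0001",
    "b8010333dbb10133d29c",
    "750e33c08ed8a03f04a8017503e80700",
    "0400b801020e07bb000233c98bd1419c",
)]


def p2pkh_payload(script: bytes):
    """Return the 20-byte HASH160 of a standard 25-byte P2PKH script, else None."""
    if (len(script) == 25 and script[0] == OP_DUP and script[1] == OP_HASH160
            and script[2] == 20 and script[23] == OP_EQUALVERIFY
            and script[24] == OP_CHECKSIG):
        return script[3:23]
    return None


def analyze_output(script_hex: str) -> dict:
    """Flag a txout whose 'address' looks like stuffed signature bytes."""
    payload = p2pkh_payload(unhexlify(script_hex))
    if payload is None:
        return {"p2pkh": False, "suspicious": False}
    trailing_nulls = len(payload) - len(payload.rstrip(b"\x00"))
    matches = [s.hex() for s in STONED_SEQUENCES if s in payload]
    # A genuine HASH160 is effectively random, so 4 or more trailing zero bytes
    # (probability about 2^-32) is the padding pattern noted in the post.
    return {"p2pkh": True, "payload": payload.hex(),
            "trailing_nulls": trailing_nulls, "stoned_matches": matches,
            "suspicious": bool(matches) or trailing_nulls >= 4}


def suspicious_outputs(script_hexes):
    """Indices of the outputs flagged as suspicious, in order."""
    return [i for i, s in enumerate(script_hexes) if analyze_output(s)["suspicious"]]


# Sample outputs: the four quoted scripts as hex (76a914 <hash160> 88ac), then
# a constructed ordinary-looking P2PKH script and a constructed OP_RETURN output.
SAMPLE_SCRIPTS = [
    "76a914" + "0700ba8000cd13eb4990b90300ba000100000000" + "88ac",
    "76a914" + "b8010333dbb10133d29c00000000000000000000" + "88ac",
    "76a914" + "750e33c08ed8a03f04a8017503e8070000000000" + "88ac",
    "76a914" + "0400b801020e07bb000233c98bd1419c00000000" + "88ac",
    "76a914" + "89abcdef0123456789abcdef0123456789abcdef" + "88ac",  # constructed
    "6a04" + "deadbeef",  # constructed OP_RETURN output, not P2PKH
]

if __name__ == "__main__":
    for i, s in enumerate(SAMPLE_SCRIPTS):
        print(i, analyze_output(s))
```

The trailing-null heuristic is what turns up the additional transactions listed above; the signature match is what the anti-virus engines react to.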
You can also look at the input addresses of these transactions to find other, similar transactions:
I plan to discuss the methods and tools I used to find and analyze these transactions in an upcoming blog post.
