False Stoned virus detections in Bitcoin files are widespread

Summary: Some joker stuffed the virus signature into the return address for a Bitcoin transaction, leading to Stoned virus detections when transactions are stored on disk.

Researcher Didier Stevens reports on his blog that he has confirmed the reports of anti-virus false positive detections in Bitcoin files. Stevens submitted samples to VirusTotal and received positive detections from several scanners, including those of many respectable vendors like Symantec, Sophos and Trend Micro.

The programs are detecting the Stoned virus, an ancient boot sector virus created in 1987. A user report about the problem, submitted to Microsoft in May, correctly notes that the detection is in error and that it appears to be the result of a prank: someone inserted the virus signature as a string associated with a transaction. Stevens identified two transactions, both dated 4/4/2014, but he thinks there are others.

As Stevens explains: "[s]tuffing messages in the address of the output(s) of a transaction is a well-known method to insert messages in the Bitcoin blockchain." The string does not contain an executable virus, nor would it ever be executed even if it were code.
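To make the false positive concrete, here is an added example (not code from Stevens, Microsoft or any anti-virus vendor) that parses a legacy-format transaction and reports whether a byte-pattern hit sits inside the 20-byte address field of a pay-to-public-key-hash output, where it is inert data. The pattern is a constructed stand-in, not the real Stoned signature, and it is assumed to fit inside a single address field; `triage`, `build_tx` and the other names are hypothetical.

```python
import struct

# Constructed 20-byte stand-in pattern; NOT the real Stoned signature.
SIGNATURE = b"EXAMPLE-AV-SIGNATURE"

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def output_scripts(tx):
    """Yield (offset, script) for each output of a legacy-format transaction."""
    pos = 4                                   # skip version
    n_in, pos = read_varint(tx, pos)
    for _ in range(n_in):
        pos += 36                             # previous txid + output index
        slen, pos = read_varint(tx, pos)
        pos += slen + 4                       # input script + sequence
    n_out, pos = read_varint(tx, pos)
    for _ in range(n_out):
        pos += 8                              # value in satoshis
        slen, pos = read_varint(tx, pos)
        yield pos, tx[pos:pos + slen]
        pos += slen

def is_p2pkh(script):
    """True for OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG."""
    return len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac"

def triage(tx, signature):
    """Classify a scanner hit by where the pattern sits in the transaction."""
    hit = tx.find(signature)
    if hit < 0:
        return "no-match"
    for off, script in output_scripts(tx):
        # The address field occupies script bytes 3..22.
        if is_p2pkh(script) and off + 3 <= hit and hit + len(signature) <= off + 23:
            return "match-in-output-address-field"
    return "match-elsewhere"

def build_tx(hash_field):
    """Constructed sample: one empty-script input, one P2PKH output."""
    tx_in = b"\x00" * 32 + struct.pack("<I", 0) + b"\x00" + b"\xff" * 4
    script = b"\x76\xa9\x14" + hash_field + b"\x88\xac"
    tx_out = struct.pack("<Q", 1) + bytes([len(script)]) + script
    return struct.pack("<I", 1) + b"\x01" + tx_in + b"\x01" + tx_out + struct.pack("<I", 0)
```

A plain byte scan of the stored transaction and `triage` both find the pattern; only the second shows that the hit is confined to an address field rather than to anything a machine would load and run.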

As the Microsoft description says, Stoned is ancient. I recall cleaning up a major outbreak in a project I was running in 1990. In those days boot sector viruses were a more serious problem. Now the actual Stoned virus doesn't do any real damage, but just displays "YOUR COMPUTER HAS BEEN STONED" on one of every eight computer startups.

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
