There is no risk to the user, just recurring antivirus detection

Jun 24, 2014 16:03 GMT  ·  By

Several antivirus solutions erroneously detect some Bitcoin files as the Stoned computer virus that was popular more than a quarter of a century ago.

These are false positives triggered by the fact that the 27-year-old virus signature was uploaded into the Bitcoin blockchain. This is possible because when a transaction is made, a small snippet of text can be added to it.

In this case, a prankster included byte sequences found in the Stoned computer virus.

The writing of the Stoned computer virus is attributed to a university student in New Zealand and it was among the first computer threats; it spread to Australia by 1989 and then to the rest of the world in the early 90s.

The virus would infect the master boot record (MBR) of the hard disk and, at every eighth boot of the system, it would plant the message “Your PC is now Stoned!” on the monitor.

Researcher Didier Stevens identified the transactions as being the following:

- f09904aaa4fa4a8ec7da06f5e3d318a9b6a218e1a215f9307416fbbadf5a1c8e
- fcf5cf9893a142897598edfc753bd6162e3638e138fc2feaf4a3477c0cfb65eb

Submitting these transactions to VirusTotal produced a total of 16 detections, with the engines from ClamAV, AVG and Microsoft labeling them as infected with the ancient threat.

Didier managed to trace the transactions and found that they appeared in blocks from April 4, 2014.

The presence of the virus signature poses no real danger to the user, but when the defense mechanisms in some antivirus software kick in, the Bitcoin block file is deleted. The Bitcoin client then re-downloads the file to bring its copy of the blockchain up to date, the antivirus deletes it again, and the process repeats.

According to Didier, inserting messages in the address of the output of a transaction in order to add text to the Bitcoin blockchain is not new, but it has its downside. “The Bitcoins sent to these addresses are irrevocably lost, because these addresses have no (known) private key. That is why only very small amounts will be transferred (1 and 10 Satoshis in these transactions). The message is limited to 20 bytes (the size of the raw address used in the output),” he says.

The researcher believes that other transactions may also be polluted with virus signatures. Still, there is no danger to the user: only the signature is present, and even if actual malicious code were inserted, it would never be executed. It would, however, keep triggering the antivirus program until the file is whitelisted or the vendor corrects the false detection.