I already wrote some proof of concept code that steals a user's balance if they're using the Windows client. You'd just have to distill it down to shellcode and include it as a payload in a 100% silent driveby browser exploit.
POC code for Linux/BSD would be trivial, too. I'm not sure about Mac, but there's probably a way to do it via automator or regular message passing.
As I've been saying for a while on the BTC forums, the wallets will be the main target, not the crypto.
Completely agree. Although your code wouldn't help make a worm. Because even though you could get the Bitcoin client's peer addresses you couldn't remotely exploit them.
I'm worried about the bitcoin client being in c++ rather than java because that seems to make a remote code execution vulnerability a lot more likely. And given a single remote code exec vuln it'd be easy to make a worm which destroys the entire network.
It'd probably be easier to build a BTC-related website, let it grow a bit, then empty the wallets of everyone visiting it. It'd probably also be easier to compromise an existing site and throw your code/exploit up. I wouldn't try building a worm, that's for sure.
POC code for Linux/BSD would be trivial, too. I'm not sure about Mac, but there's probably a way to do it via automator or regular message passing.
As I've been saying for a while on the BTC forums, the wallets will be the main target, not the crypto.