![]() The attack is about the people who earned a lot by offering their malware staging area at Yahoo to a multitude of criminals. The created perception that Bitcoin mining was the driving force behind the Yahoo attack is just plain wrong. Also assuming that the miner would not have been noticed by antivirus software or the user, this ‘bitnet’ of 25,000 computers (1/4 of 4% of 2.5 million) would have generated about 5.5 BTC, or EUR €3,575 at the current exchange rate of the virtual currency. a decent NVIDIA GTX 560 Ti display card would take a week to generate EUR €0,1430 (at about 85.1 MHash/sec). We do not have hardware specifications of any or all victim computers, so let’s assume (hypothetically) that 1/4 of these infected machines would have this special NVIDIA display card. This ‘bitnet’ is also not as effective as some think. So the attackers do not have a 2.5-million-large Bitcoin mining network (or ‘bitnet’). The miner uses libcurl for communication with a mining pool. If the computer doesn’t have a capable GPU to speed up mining it returns “clDevicesNum returned error, no GPUs usable”. When the victim computer is equipped with a modern GPU, this tool can produce hash rates orders of magnitude higher than what can be achieved with just a CPU. In this attack, the cgminer malware was installed here: C:\JvaApp\wdsdll.exe This means that cgminer only works/affects machines with the OpenCL SDK installed or with special gaming-oriented hardware, as OpenCL.dll only comes standard with certain display drivers from AMD and NVIDIA. OpenCL is mandatory for cgminer, which is by default not installed on Windows computers. Cgminer is a multi-threaded multi-pool FPGA and ASIC miner and relies on the OpenCL framework to perform the hashing computations for Bitcoin mining. The Bitcoin miner, however, is actually a wrapped version of an abused legitimate tool called cgminer, version 3.7.2 to be exact. On each victim computer this malware is uniquely obfuscated to evade antivirus detection. It typically creates a random folder under the %AppData% folder and has a random filename of typically 5 or 6 characters, e.g.: C:\Users\\AppData\Roaming \Iquha\ruyvy.exe Citadel is based on the Zeus banking malware, also known as Zbot. We found that a Citadel trojan in this attack pulled in the Bitcoin miner about a minute after the PC got infected. And infected users will certainly notice the stressed out processor and/or GPU, which seriously hinders normal work or gaming. In fact, this miner is easily picked up by antivirus software. ![]() And contrary to popular belief, click fraud and banking malware is a lot faster lucrative than mining Bitcoins with malware, as a miner likely requires specific hardware to be effective and that it will not survive long on a victim’s computer. We saw the Bitcoin miner too but omitted it from our initial excerpt because, according to our own telemetry, only 4% of the victims that we rescued received this malware. The story is not completely wrong but, when you read those articles, the perception now is that the entire attack revolved around Bitcoin mining, which is false. ![]() I am personally a bit surprised that the BBC, The Guardian and even Interpol tweeted about it, as Light Cyber provided little to no details or evidence. Last Monday the Israel-based security company Light Cyber spread a much hyped press release that most of the malware was used to mine Bitcoins. Last Friday security researchers from Fox-IT noticed that Yahoo was inadvertently spreading malware via its advertisement services.
0 Comments
Leave a Reply. |