Background on hyped Bitcoin miner served via Yahoo

Last Friday security researchers from Fox-IT noticed that Yahoo was inadvertently spreading malware via its advertisement services. Last Monday the Israel-based security company Light Cyber spread a much hyped press release that most of the malware was used to mine Bitcoins. I am personally a bit surprised that the BBC, The Guardian and even Interpol tweeted about it, as Light Cyber provided little to no details or evidence.

interpol

The story is not completely wrong but, when you read those articles, the perception now is that the entire attack revolved around Bitcoin mining, which is false.

We saw the Bitcoin miner too but omitted it from our initial excerpt because, according to our own telemetry, only 4% of the victims that we rescued received this malware. And contrary to popular belief, click fraud and banking malware is a lot faster lucrative than mining Bitcoins with malware, as a miner likely requires specific hardware to be effective and that it will not survive long on a victim’s computer. In fact, this miner is easily picked up by antivirus software. And infected users will certainly notice the stressed out processor and/or GPU, which seriously hinders normal work or gaming.

Let me provide some useable evidence.

Citadel
We found that a Citadel trojan in this attack pulled in the Bitcoin miner about a minute after the PC got infected. Citadel is based on the Zeus banking malware, also known as Zbot. It typically creates a random folder under the %AppData% folder and has a random filename of typically 5 or 6 characters, e.g.:

C:\Users\<user>\AppData\Roaming\Iquha\ruyvy.exe

On each victim computer this malware is uniquely obfuscated to evade antivirus detection.

cgminer
The Bitcoin miner, however, is actually a wrapped version of an abused legitimate tool called cgminer, version 3.7.2 to be exact. Cgminer is a multi-threaded multi-pool FPGA and ASIC miner and relies on the OpenCL framework to perform the hashing computations for Bitcoin mining. OpenCL is mandatory for cgminer, which is by default not installed on Windows computers. This means that cgminer only works/affects machines with the OpenCL SDK installed or with special gaming-oriented hardware, as OpenCL.dll only comes standard with certain display drivers from AMD and NVIDIA.

In this attack, the cgminer malware was installed here:

C:\JvaApp\wdsdll.exe

When the victim computer is equipped with a modern GPU, this tool can produce hash rates orders of magnitude higher than what can be achieved with just a CPU. If the computer doesn’t have a capable GPU to speed up mining it returns “clDevicesNum returned error, no GPUs usable”.

cgminer

The miner uses libcurl for communication with a mining pool. Libcurl is also legitimate software.

Some SHA-256 hashes for the security community:

9621744EF9C063DAB33CCA0FD4CCB24D79D227AC29D28CD27797338ACD9ABD47
A99253A538C3EF1945E146050645E321DA3B055A2624F83356FCB3F8C37B0DB3
31DD1B7A65EEC28F0D2B03E070290494A945AD4643053D8396B5DC65DE595409
26CE58F04C7A002CDBE6F05BADF0E986825B25138802368D79C300B3E2E2E2F0

So the attackers do not have a 2.5-million-large Bitcoin mining network (or ‘bitnet’). This ‘bitnet’ is also not as effective as some think. A single infected computer with e.g. a decent NVIDIA GTX 560 Ti display card would take a week to generate EUR €0,1430 (at about 85.1 MHash/sec). We do not have hardware specifications of any or all victim computers, so let’s assume (hypothetically) that 1/4 of these infected machines would have this special NVIDIA display card. Also assuming that the miner would not have been noticed by antivirus software or the user, this ‘bitnet’ of 25,000 computers (1/4 of 4% of 2.5 million) would have generated about 5.5 BTC, or EUR €3,575 at the current exchange rate of the virtual currency.

The created perception that Bitcoin mining was the driving force behind the Yahoo attack is just plain wrong. The attack is about the people who earned a lot by offering their malware staging area at Yahoo to a multitude of criminals. Hence the enormous variety of malware. Surely, malware designed to steal your identity or banking credentials is far more threatening than malware which only takes a toll on your computers speed.

Comments are closed.

%d bloggers like this: