Background on hyped Bitcoin miner served via Yahoo

Last Friday security researchers from Fox-IT noticed that Yahoo was inadvertently spreading malware via its advertisement services. Last Monday the Israel-based security company Light Cyber spread a much hyped press release that most of the malware was used to mine Bitcoins. I am personally a bit surprised that the BBC, The Guardian and even Interpol tweeted about it, as Light Cyber provided little to no details or evidence.


The story is not completely wrong but, when you read those articles, the perception now is that the entire attack revolved around Bitcoin mining, which is false.

We saw the Bitcoin miner too but omitted it from our initial excerpt because, according to our own telemetry, only 4% of the victims that we rescued received this malware. And contrary to popular belief, click fraud and banking malware is a lot faster lucrative than mining Bitcoins with malware, as a miner likely requires specific hardware to be effective and that it will not survive long on a victim’s computer. In fact, this miner is easily picked up by antivirus software. And infected users will certainly notice the stressed out processor and/or GPU, which seriously hinders normal work or gaming.

Let me provide some useable evidence.

We found that a Citadel trojan in this attack pulled in the Bitcoin miner about a minute after the PC got infected. Citadel is based on the Zeus banking malware, also known as Zbot. It typically creates a random folder under the %AppData% folder and has a random filename of typically 5 or 6 characters, e.g.:


On each victim computer this malware is uniquely obfuscated to evade antivirus detection.

The Bitcoin miner, however, is actually a wrapped version of an abused legitimate tool called cgminer, version 3.7.2 to be exact. Cgminer is a multi-threaded multi-pool FPGA and ASIC miner and relies on the OpenCL framework to perform the hashing computations for Bitcoin mining. OpenCL is mandatory for cgminer, which is by default not installed on Windows computers. This means that cgminer only works/affects machines with the OpenCL SDK installed or with special gaming-oriented hardware, as OpenCL.dll only comes standard with certain display drivers from AMD and NVIDIA.

In this attack, the cgminer malware was installed here:


When the victim computer is equipped with a modern GPU, this tool can produce hash rates orders of magnitude higher than what can be achieved with just a CPU. If the computer doesn’t have a capable GPU to speed up mining it returns “clDevicesNum returned error, no GPUs usable”.


The miner uses libcurl for communication with a mining pool. Libcurl is also legitimate software.

Some SHA-256 hashes for the security community:


So the attackers do not have a 2.5-million-large Bitcoin mining network (or ‘bitnet’). This ‘bitnet’ is also not as effective as some think. A single infected computer with e.g. a decent NVIDIA GTX 560 Ti display card would take a week to generate EUR €0,1430 (at about 85.1 MHash/sec). We do not have hardware specifications of any or all victim computers, so let’s assume (hypothetically) that 1/4 of these infected machines would have this special NVIDIA display card. Also assuming that the miner would not have been noticed by antivirus software or the user, this ‘bitnet’ of 25,000 computers (1/4 of 4% of 2.5 million) would have generated about 5.5 BTC, or EUR €3,575 at the current exchange rate of the virtual currency.

The created perception that Bitcoin mining was the driving force behind the Yahoo attack is just plain wrong. The attack is about the people who earned a lot by offering their malware staging area at Yahoo to a multitude of criminals. Hence the enormous variety of malware. Surely, malware designed to steal your identity or banking credentials is far more threatening than malware which only takes a toll on your computers speed.

Comments are closed.

%d bloggers like this: