How did the Yahoo Bitcoin malware botnet work?


Obviously these people did not have antivirus software on their PCs, or was
 this a zero-day attack?

RL

http://www.bbc.co.uk/news/technology-25653664

 8 January 2014 Last updated at 17:29 GMT
  
Yahoo malware enslaves PCs to Bitcoin mining
By Jane Wakefield Technology reporter  

Adverts on Yahoo's homepage were infected with malware designed to mine the Bitcoin virtual currency, according to security experts.

Yahoo confirmed that for a four-day period in January, malware was served in ads on its homepage.

Experts estimate that as many as two million European users could have been hit.

Security firm Light Cyber said the malware was intended to create a huge network of Bitcoin mining machines.

"The malware writers put a lot of effort into making it as efficient as possible to utilise the computing power in the best way," Light Cyber's founder Giora Engel told the BBC.

Lucrative market

Bitcoin mining malware is designed to steal computing power to make it easier for criminals to accumulate the virtual currency with little effort on their part.

"Generating bitcoins is basically guessing numbers," said Amichai Shulman, chief technology officer of security firm Imperva.

"The first one to guess the right number gets 25 bitcoins and if you have a large volume of computers guessing in a co-ordinated way then you have a more efficient way of making money," he added.

Other than a computer running slower, victims will be unaware that their machine is being used in what could become known as a "bitnet".

It is a variation on the traditional botnet, networks of malware-infected computers used to churn out spam or bombard websites with requests in order to knock them offline.

Some experts estimate that such networks could be generating as much as $100,000 (£60,000) each day.

Since bitcoins have risen in value - one bitcoin is now worth £1,000 - it is becoming a lucrative market for online criminals.

"Bitcoin mining malware is the new frontier as criminal gangs look for new ways to make money," said Mr Engel.

Easy target

Yahoo acknowledged the attack in a statement earlier this week.

"From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines - specifically, they spread malware," the statement read.

It went on to say that users in America, Asia and Latin America weren't affected but did not specify how many European users were victims.

Fox IT, the Dutch cybersecurity firm which revealed the malware attack, estimates that there were around 27,000 infections every hour the malware was live on the site.

Over the period of the attack that could mean as many as two million machines were infected.

Such attacks may be hard to avoid, said Mr Shulman.

"For an ad platform it is virtually impossible to guarantee 100% malware free ads."

"There are many independent stakeholders involved in the process of web advertising, so from time to time any ad platform is bound to deliver malware."

Re: How did the Yahoo Bitcoin malware botnet work?

RayLopez99 submitted this idea :

Yes. What do you mean by zero day? I mean, how could a new trojan not be a zero day malware? I can see how a software exploit could be, but not a trojan since there's no patch.



Re: How did the Yahoo Bitcoin malware botnet work?

On Thursday, January 9, 2014 9:26:38 AM UTC+8, FromTheRafters wrote:
  

No, what do *YOU* mean by zero day, lol?  You're the expert Rafters.

Here's more info:

I think this exploit must have placed something in the user's hard drive that worked in the background, or was it just 'browser based' and relied on Java to work, while the user had the browser window open?

Note also that for some reason it was limited to Europe--perhaps because it was a 'browser based' attack and due to 'distributed databases' most advertisements are limited to certain geographic regions, so clicking on a web page in Europe will incorporate adverts from nearby European sites only.

RL
  

Re: How did the Yahoo Bitcoin malware botnet work?

RayLopez99 presented the following explanation :

I've never claimed to be an expert, but I understand why you would  
think so.

The time between the 'exploit' and the patch. That would be the Magnitude Exploit Kit using the four exploits it has for this attack. It doesn't always deliver the same target malware, and it is this target malware ('bitbot'?) that we are discussing, not the exploit or the kit.


Here's more info:

http://www.kahusecurity.com/2013/deobfuscating-magnitude-exploit-kit/



Re: How did the Yahoo Bitcoin malware botnet work?

On Thursday, January 9, 2014 9:04:47 AM UTC+8, RayLopez99 wrote:

More suggestions from another post of mine:

It's safe to say this was a zero-day attack not detected by antivirus companies? Or do their AV signature files not cover stuff like corrupt adverts? I think this exploit must have placed something in the user's hard drive that worked in the background, or was it just 'browser based' and relied on Java to work, while the user had the browser window open?

Seems strange that 2M machines were infected over several days before the AV companies or anybody figured it out, so it must have been a zero-day attack?

Note also that for some reason it was limited to Europe--perhaps because it was a 'browser based' attack and due to 'distributed databases' most advertisements are limited to certain geographic regions, so clicking on a web page in Europe will incorporate adverts from nearby European sites only.

RL

http://www.bbc.co.uk/news/technology-25653664

Re: How did the Yahoo Bitcoin malware botnet work?

on 1/8/2014, RayLopez99 supposed :

Yes, and it no doubt used server side poly too.


A new polymorphic form of a malvertisement can be as hard to detect as a new polymorphic form of the malware it leads to. Scanners are capable of detecting the ones that they know.


Hmmm. The 'exploit' was most likely in Java since it was a Java exploit. The browser was an ingress vector as was the Java support in said browser. Once exploited, the target malware was downloaded and executed.


In that respect, all new malware is zero day. It always takes time to react to new stuff, and they have hopes of getting enough machines infested during this window of time.


That sounds logical.


