A misleading story has emerged about last week’s Yahoo malware infestation, which saw the company’s home page become a cyber Typhoid Mary, exposing thousands of European PCs to digital disease. The malware-infected ads were served up by Yahoo after it fell victim to a major security breach, and now one security firm claims that these turned some two million computers into a Bitcoin-mining botnet.
The claim was made by the security firm Light Cyber, which told The Guardian that Bitcoin mining has become increasingly popular with cybercriminals, due to the way it rakes in cash at no cost to them. The malware was designed to create a massive network of Bitcoin-mining machines, stated Light Cyber.
“The malware writers put a lot of effort into making it as efficient as possible to utilise the computing power in the best way,” said Light Cyber’s founder Giora Engel to the BBC.
The BBC added that the Bitcoin botnet could generate as much as £60,000 ($98,000) each day.
Bitcoin Botnet = B*llshit?
One hundred thousand US dollars a day would be a decent profit by anyone’s standards, and it would surely make such an endeavor extremely worthwhile for whoever developed the malware, if only the figure weren’t complete and utter fantasy.
While the claims that machines have been enslaved by a botnet might be true, there’s simply no way such a network could generate profits that come even close to that amount. Light Cyber’s research fails to take into account one crucial fact – that CPU mining is all but defunct these days, having been superseded by ASIC mining rigs that are far, far more efficient.
“The whole of Bitcoin mining is around 10-15 PH/s,” said SiliconANGLE’s founding editor and ‘Bitcoin Doctor’ Mark Hopkins. “If you had a billion machines like mine infected… that’s one or two GH/s, and that will only net you a couple of bucks every couple days.”
“There’s no way the BBC’s estimates are close to legitimate. Under no circumstances even assuming 100% infection rates on Yahoo customers could they make $5, let alone $98k. ASICs are just that much more efficient.”
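The arithmetic behind that objection is simple enough to write down. Over time a miner’s share of the blocks found, and so of the 25 BTC block subsidy in force in January 2014, equals its share of total network hashrate. The following Python is an added example, not code from the article or from either firm quoted; it takes the 10-15 PH/s network figure from the page (midpoint used) and the two-million-machine upper bound, while the 1 MH/s per-machine CPU rate and the $800 BTC price are assumptions made for the example. It also inverts the model to ask how fast each bot would have to hash to reach the BBC’s $98,000 a day.

```python
"""Sanity-checking the "$98,000 a day" claim for a CPU-mining botnet.

Bitcoin mining is a lottery: over time a miner's share of the blocks found
(and therefore of the block subsidies) equals its share of the total network
hashrate. That single ratio is all the arithmetic needs.
"""

BLOCKS_PER_DAY = 24 * 60 / 10   # difficulty retargets for ~one block every 10 minutes
BLOCK_SUBSIDY_BTC = 25.0        # subsidy in force in January 2014 (50 BTC until Nov 2012)

# Scenario inputs. The network hashrate is the midpoint of the 10-15 PH/s quoted in
# the article and the botnet size is the article's two-million upper bound. The
# per-machine CPU hashrate and the BTC price are ASSUMPTIONS for this example,
# not figures taken from the article.
NETWORK_HASHRATE = 12e15          # 12 PH/s, in hashes per second
INFECTED_MACHINES = 2_000_000
CPU_HASHRATE_PER_MACHINE = 1e6    # 1 MH/s: generous for an always-on CPU miner
BTC_PRICE_USD = 800.0             # assumed exchange rate for the period
BBC_CLAIM_USD_PER_DAY = 98_000.0


def expected_btc_per_day(miner_hashrate, network_hashrate=NETWORK_HASHRATE,
                         subsidy=BLOCK_SUBSIDY_BTC):
    """Expected coins per day for a miner holding a given share of network hashrate.

    Ignores pool fees, transaction fees, bot downtime and the fact that the
    botnet's own hashrate pushes difficulty up; every one of those makes reality
    worse for the miner, so the result is an upper bound.
    """
    share = miner_hashrate / network_hashrate
    return share * BLOCKS_PER_DAY * subsidy


def expected_usd_per_day(miner_hashrate, btc_price=BTC_PRICE_USD, **kwargs):
    """Same estimate converted to dollars at the assumed exchange rate."""
    return expected_btc_per_day(miner_hashrate, **kwargs) * btc_price


def required_hashrate_per_machine(target_usd_per_day, machines,
                                  network_hashrate=NETWORK_HASHRATE,
                                  btc_price=BTC_PRICE_USD, subsidy=BLOCK_SUBSIDY_BTC):
    """Invert the model: how fast would every bot have to hash to earn the target?"""
    btc_needed = target_usd_per_day / btc_price
    share_needed = btc_needed / (BLOCKS_PER_DAY * subsidy)
    return share_needed * network_hashrate / machines


def fmt_hashrate(hps):
    """Human-readable hashrate, e.g. 2e12 -> '2 TH/s'."""
    for unit in ("H/s", "KH/s", "MH/s", "GH/s", "TH/s", "PH/s"):
        if hps < 1000:
            return f"{hps:.3g} {unit}"
        hps /= 1000
    return f"{hps:.3g} EH/s"


if __name__ == "__main__":
    botnet = INFECTED_MACHINES * CPU_HASHRATE_PER_MACHINE
    print(f"Botnet hashrate:   {fmt_hashrate(botnet)} "
          f"({botnet / NETWORK_HASHRATE:.4%} of the network)")
    print(f"Expected income:   {expected_btc_per_day(botnet):.3f} BTC/day "
          f"= ${expected_usd_per_day(botnet):,.0f}/day")
    need = required_hashrate_per_machine(BBC_CLAIM_USD_PER_DAY, INFECTED_MACHINES)
    print(f"To earn ${BBC_CLAIM_USD_PER_DAY:,.0f}/day each of the "
          f"{INFECTED_MACHINES:,} machines would need {fmt_hashrate(need)}, "
          f"i.e. {need / CPU_HASHRATE_PER_MACHINE:.0f}x the assumed CPU rate")
    # Hopkins' yardstick: 1-2 GH/s of CPU mining
    print(f"2 GH/s earns about ${expected_usd_per_day(2e9):.2f}/day")
```

Under these assumptions the whole two-million-machine botnet controls about 0.017% of the network and would earn a few hundred dollars a day at best, while hitting $98,000 a day would need roughly 200 MH/s from every single bot, around the output of a GPU miner of the time, not a background CPU thread on a consumer PC. Raising the per-machine figure or the price moves the result, but not by the two orders of magnitude the claim requires.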
Hopkins added that what is more likely to have happened is that the Yahoo ads delivered Trojans that seek out and steal Bitcoin wallet.dat files, the file in which the reference client stores a user’s private keys. Steal that file and you can basically take all of their money, which is far more profitable than trying to build a botnet to compete with the largest Bitcoin mining pools. The one mitigating factor for victims is that the Bitcoin client has been able to encrypt wallet.dat with a passphrase since version 0.4; a stolen encrypted wallet still has to have its passphrase guessed offline before the keys can be used.
Mining botnet or not, the Yahoo ads also installed other forms of malware onto victims’ computers: the ads redirected visitors to the Magnitude exploit kit, which exploits vulnerabilities in Java to drop further payloads. According to security researchers at Fox IT, Magnitude is typically used to install malware families such as Andromeda, ZeuS, Dorkbot, Necurs and Tinba, among others.
Fox IT also criticized Yahoo for refusing to say how its servers had been compromised or to indicate how many PCs might have been affected by the malware. However, the firm estimates that some 27,000 computers could have been infected each hour over the four days that Yahoo was serving up poisoned ads, meaning that up to two million machines might have been compromised. The vast majority of infected machines are believed to be in the UK, France and Romania. Yahoo insisted that North American, South American and Asia-Pacific users were not affected by the breach, and stated that Macs and mobile devices were also unaffected.