Bitcoin mining through Yahoo Ads Malware campaign gets caught

Casey Nolan


At the end of the day, Bitcoin will always be a virtual currency item

Bitcoin networks are everywhere; small ones, big ones or private networks – all of them are mostly dedicated to mining the well-known virtual currency 24/7. These networks are built on powerful computers with robust processing capabilities and a high-speed internet connection. This is why mining for Bitcoins requires setting up what you could call a small facility, which isn’t exactly part of the online miners’ plan of action.

What Bitcoin miners do is that they collaborate with other miners, and set up a system to discover virtual currency. Once enough Bitcoins are mined and sold, the revenue is split as per the agreement between all parties. The only downside to this entire strategy is that the process takes time, resources and burns through investment – so much so that the “revenue” doesn’t even manage to get to the break-even point.

Kids and their over expectations about Bitcoin network

This is where blackhat Bitcoin online miners come in; they can be dumb sometimes, but most of them are intelligent enough to find shortcuts. For instance, over a week ago, the European Yahoo ad network was taken over by malware which would “infect” end user PCs through a JavaScript exploit. As a result, people visiting ads.yahoo.com had their PCs converted into “slave” computers that would consume a significant amount of bandwidth to mine for Bitcoins.

All these Bitcoins would eventually go to the cybercriminals who created those ads on the Yahoo ad network. The security firm Fox IT spent a month figuring this issue out, and came up with a list of proxies, IP address ranges and domain names/live websites that were being used as part of the online criminal activity.

Giora Engel, one of the notable developers and head of operations at Fox IT issued interesting statements, and warnings against Bitcoin cyber criminals. More interestingly, Engel pointed out several key things that would help users protect their computers while they are surfing online.

Meanwhile, Yahoo publicly apologized to people who got “under the bus” during this recent Bitcoin mining operation.

An artist's view of how Bitcoin will take over real life trades

Many of our customers share threat intelligence with our Magna Cloud, so our research lab noticed this unknown malware and attack campaign coming from our customers’ networks and investigated the specific case. As part of the investigation, we found a few tools that were downloaded by the malware. This specific attack campaign incorporated a variety of different monetization techniques using a variety of malware.

The attackers made sure they exploited each of the millions of infected machines to its full worth by employing Bitcoin miners, WebMoney wallet hackers, personal information extraction, banking information extraction, and generic remote access tools.

Bitcoin mining is a computationally heavy process that gets harder and harder in time. Bitcoin is mined in blocks, and since it takes a lot of computing power to mine a block, the miners join forces and form mining pools or “bitcoin mining networks” — in which each one participates with his computing power and gets in return his share of the revenue. In our case, the malware author would be the sole beneficiary of the mining efforts.

Communication with the following Internet domains is an indication of a positive infection of the communicating computer:

  • kmymmeiaoooigke.org
  • bgdjstkwkbhagnp.org
  • ceigqweqwaywiqgu.org
  • smsfuzz.com

Communication with the following Internet domains/IP addresses is an indication of a possible infection:

  • blistartoncom.org
  • doesexisted.in
  • formsgained.in
  • funnyboobsonline.org
  • goodsdatums.in
  • locationmaking.in
  • mejudge.in
  • operatedalone.in
  • original-filmsonline.com
  • preferringbad.in
  • savedesiring.in
  • slaptoniktons.net
  • slaptonitkons.net
  • stopsadvise.in
  • yagerass.org
  • 192.133.137.100
  • 192.133.137.247
  • 192.133.137.56
  • 192.133.137.59
  • 192.133.137.63
  • 193.169.245.74
  • 193.169.245.76

The existence of the following files is an indication of a positive infection:

  • %windows%\Installer\{4A74FBA7-71A0-BEA1-F538-72E3D519AA4F}\syshost.exe
  • %localappdata%\cygwin1.dll (See note 1)
  • %localappdata%\wuauclt.exe (See note 1)
  • %localappdata%\temp\????????.lnk (8 hex characters)
  • %localappdata%\temp\????????.exe (8 hex characters)
  • %localappdata%\temp\vedefuzunwi.exe
  • %programdata%\bbtmp0\jtkyygiu.exe
  • c:\temp\zcompute.exe

(1) This filename is used by legitimate software, but not in the listed path.

From a technical perspective, I know for sure that many people have no understanding of how to block an entire IP address range. I am talking about the average internet user who simply enjoys his/her pastime online.
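As an added example (my own code, not Fox IT’s tooling and not part of the original list), the script below turns the indicators quoted above into something an administrator can actually run: it checks hostnames and destination IPs from a proxy log against the domain and IP lists, checks file paths against the file indicators (with “????????” standing for 8 hex characters, and %windows%/%localappdata%/%programdata% expanded), and, for the “block an entire IP address range” problem, collapses the listed addresses into the covering /24 networks. The proxy log format, the environment-variable values and the 198.51.100.x / 10.0.0.x addresses are constructed for the example; the indicators themselves are copied verbatim from the list.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators transcribed from the Fox IT list quoted above.
POSITIVE_DOMAINS = {
    "kmymmeiaoooigke.org", "bgdjstkwkbhagnp.org",
    "ceigqweqwaywiqgu.org", "smsfuzz.com",
}
POSSIBLE_DOMAINS = {
    "blistartoncom.org", "doesexisted.in", "formsgained.in",
    "funnyboobsonline.org", "goodsdatums.in", "locationmaking.in",
    "mejudge.in", "operatedalone.in", "original-filmsonline.com",
    "preferringbad.in", "savedesiring.in", "slaptoniktons.net",
    "slaptonitkons.net", "stopsadvise.in", "yagerass.org",
}
POSSIBLE_IPS = [ipaddress.ip_address(a) for a in (
    "192.133.137.100", "192.133.137.247", "192.133.137.56",
    "192.133.137.59", "192.133.137.63", "193.169.245.74", "193.169.245.76",
)]
# File indicators exactly as listed; each '?' stands for one hex digit.
POSITIVE_FILES = [
    r"%windows%\Installer\{4A74FBA7-71A0-BEA1-F538-72E3D519AA4F}\syshost.exe",
    r"%localappdata%\cygwin1.dll",
    r"%localappdata%\wuauclt.exe",
    r"%localappdata%\temp\????????.lnk",
    r"%localappdata%\temp\????????.exe",
    r"%localappdata%\temp\vedefuzunwi.exe",
    r"%programdata%\bbtmp0\jtkyygiu.exe",
    r"c:\temp\zcompute.exe",
]

# Constructed environment-variable values so the example runs on any platform
# instead of reading the real %windows% etc. from the machine it runs on.
SAMPLE_ENV = {
    "windows": r"C:\Windows",
    "localappdata": r"C:\Users\bob\AppData\Local",
    "programdata": r"C:\ProgramData",
}

# Constructed proxy log: timestamp, client, method, URL, destination IP, status.
SAMPLE_PROXY_LOG = """\
2014-01-07T10:21:03Z 10.0.0.5 GET http://www.example.com/index.html 198.51.100.7 200
2014-01-07T10:21:09Z 10.0.0.5 GET http://smsfuzz.com/gate.php 192.133.137.56 200
2014-01-07T10:22:41Z 10.0.0.9 GET http://mejudge.in/ 193.169.245.74 302
2014-01-07T10:23:02Z 10.0.0.9 GET http://update.example.org/ 198.51.100.9 200
"""


def classify_host(host):
    """Return 'positive', 'possible' or None; parent domains count, so
    cdn.smsfuzz.com is treated like smsfuzz.com."""
    labels = host.lower().strip(".").split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels))}
    if candidates & POSITIVE_DOMAINS:
        return "positive"
    if candidates & POSSIBLE_DOMAINS:
        return "possible"
    return None


def classify_ip(ip):
    """The list rates IP contacts as a 'possible' infection only."""
    return "possible" if ipaddress.ip_address(ip) in POSSIBLE_IPS else None


def _pattern_to_regex(pattern, env):
    # Expand %name% from the mapping, then escape every literal character and
    # turn each '?' into one hex digit; Windows paths compare case-insensitively.
    expanded = re.sub(r"%(\w+)%", lambda m: env[m.group(1).lower()], pattern)
    body = "".join("[0-9a-f]" if ch == "?" else re.escape(ch) for ch in expanded)
    return re.compile("^" + body + "$", re.IGNORECASE)


def classify_path(path, env=SAMPLE_ENV):
    """'positive' if the path matches one of the file indicators, else None.
    A legitimate wuauclt.exe under %windows% does not match (note 1)."""
    for pattern in POSITIVE_FILES:
        if _pattern_to_regex(pattern, env).match(path):
            return "positive"
    return None


def scan_proxy_log(text):
    """Return (client, host, verdict) for every log line touching an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, dest_ip, _status = line.split()
        host = urlsplit(url).hostname or ""
        verdicts = {classify_host(host), classify_ip(dest_ip)}
        verdict = ("positive" if "positive" in verdicts
                   else "possible" if "possible" in verdicts else None)
        if verdict:
            hits.append((client, host, verdict))
    return hits


def blocking_networks(ips=POSSIBLE_IPS, prefixlen=24):
    """Collapse the listed addresses into the /24 networks that cover them."""
    nets = (ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ip_is_blocked(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
    print("block:", blocking_networks())
```

Blocking the covering /24 networks is the coarse option the paragraph above alludes to: it is easy to type into a firewall, but it also cuts off every other host in those provider ranges, so on a business network the individual addresses and the domain list are the better blocklist, and the file indicators are what confirm that a machine flagged by the proxy log is really infected.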

Some common practices should be taken into account when browsing for anything on the internet. For instance, you can install the ‘Ad Block’ extension in your browser to avoid unwanted ads. Yes, the setback of installing Ad Block is that you’d be blocking ads on all those websites that are not only legit, but also depend on those ads to pay their bills.

However, Ad Block is a great way of filtering out unwanted ad networks and anything that looks suspicious. What you don’t see will mostly not affect your online browsing experience. I would also like you to perform a full virus scan of your computer’s hard drives. Don’t forget to enable the “Scan within/Scan inside Archives” option to make sure that your PC is clean.

In addition to running virus scans, you can also take an alternative approach to preventing unwanted Bitcoin miner intrusion. A number of people have installed an older OS on their hard drives, such as Win 98 or Win 2000. These folks boot their systems into that OS and surf the internet for as long as needed.

Even if those PCs end up getting infected by a browser-based Bitcoin virus, it is not likely to take effect when the primary OS is running. I mean, once you have rebooted from the older OS back into your main OS, the virus will no longer be in effect.

This is a tricky and rather complex approach to safeguarding your computer against Bitcoin operations, but it is still worth it. Please share your opinions at ‘Infinarium’ through the comments section in this article. You can also write and send your concerns to techguy@infinarium.com without hesitation. 

This entry was posted on Friday, January 10th, 2014 at 12:12 PM and is filed under Computers, How To. You can follow any responses to this entry through the RSS 2.0 feed.

About Casey Nolan

Hello everyone, I am Bilal Malik AKA 'Casey Nolan'; Head Editor and owner of 'Infinarium.Com'. For product reviews, article requests, recommendations, or if you just want to get something off your chest, send me an email at techguy@infinarium.com.
