July 18, 2013

An increasing number of malware samples in the wild are using host systems to secretly mine bitcoins. In this post, I’ll look at an affiliate program that pays people for the mass installation of programs that turns host machines into bitcoin mining bots.

The FeodalCash bitcoin mining affiliate program.

The FeodalCash bitcoin mining affiliate program.

Bitcoin is a decentralized, virtual currency, and bitcoins are created by large numbers of CPU-intensive cryptographic calculations. As Wikipedia explains, the processing of Bitcoin transactions is secured by servers called bitcoin miners. These servers communicate over an internet-based network and confirm transactions by adding them to a ledger which is updated and archived periodically using peer-to-peerfilesharing technology. In addition to archiving transactions, each new ledger update creates some newly minted bitcoins.

Earlier this week, I learned of a Russian-language affiliate program called FeodalCash which pays its members to distribute a bitcoin mining bot that forces host PCs to process bitcoin transactions (hat tip to security researcher Xylitol). FeodalCash opened its doors in May 2013, and has been recruiting new members who can demonstrate that they have control over enough Internet traffic to guarantee at least several hundred installs of the bitcoin mining malware each day.

The FeodalCash administrator claims his mining program isn’t malware, although he cautions all affiliates against submitting the installer program to multi-antivirus scanners such as Virustotal; sending the program that installs bitcoin mining bot to Virustotal “greatly complicates the work with antivirus” on host PCs. Translation: Because services like Virustotal share information about new malware samples with all participating antivirus vendors, scanning the installer will make it more likely that antivirus products on host PCs will flag the program as malicious. Rather, the administrator urged users who want to check the files for antivirus detection to use a criminal friendly service like scan4u[dot]net or chk4me[dot]com, which likewise scan submitted files with dozens of different antivirus tools but block those tools from reporting home about new and unidentified malware variants.

This Google-translated version of the site shows the builder for the installer.

This Google-translated version of the site shows the builder for the installer.

I gained access to an affiliate account and was able to grab a copy of the mining program. I promptly submitted the file to Virustotal and found it was flagged as a trojan horse program by at least two antivirus products. This analysis at automated malware scanning site malwr.com shows that the mining program installer ads a Windows registry key so that the miner starts each time Windows boots up. It also indicates that the program beacons out to pastebin.com (perhaps to deposit a note about each new installation).

The FeodalCash administrator also claims that his affiliates are not permitted to distribute the installer file in any way that violates the law, but of course it’s unclear which national laws he might be talking about. At the same time, the affiliate program’s Web site includes a graphical tool that helps affiliates create a custom installer program that can install silently and be disguised with a variety of program icons that are similar to familiar Windows icons.

Also, the administrator demands that new users demonstrate the ability to garner hundreds to thousands of installs per day. This is a rather high install rate, and it appears many if not all affiliates are installing the mining program by bundling it with other executable programs distributed by so-called pay-per-install (PPI) programs. This was apparent because a source managed to gain administrative-level access to the back-end database for the FeodalCash program, which includes hundreds of messages between affiliates and the administrator; most of those messages are from new registrants sending the administrator screenshots  of their traffic and installs statistics at various PPI affiliate programs.

So far, FeodalCash has managed to attract at least 238 working affiliates. Here is a copy of the affiliate list, complete with their corresponding bitcoin wallets. According to Xylitol, the host PCs that currently have this botcoin mining malware installed are doing their slavish work at the Eligius bitcoin mining pool. According to the FeodalCash administrative panel, the infected machines have mined only about 140 bitcoins. Each bitcoin is currently worth about $100 at today’s exchange rate, making the program’s total haul only about $14,000. The current bitcoin generation rate is about 4.719 bitcoins per day, or about $340.45 daily.

Who’s behind this affiliate program? It appears to be the work of two guys from Ukraine, who apparently are named Igor and Andrei. Andrey gives his email address on some forums as “feodalcash@gmail.com.” That address was used to register at least ten different domain names, according to a Reverse Whois report produced by domaintools.com. But those domains weren’t much help.

Then I noticed that listed on one of the FeodalCash user pages is a notice that the affiliate program is having a user meeting tonight (July 18) at Beerlin, a German-styled pub in Kharkov, Ukraine! The affiliate panel also helpfully included a map of downtown Kharkov to assist those planning to attend.

Directions to the affiliate meting on July 18, 2013, at Beerlin in Kharkov, Ukraine.

Directions to the affiliate meting on July 18, 2013, at Beerlin in Kharkov, Ukraine.

 


35 thoughts on “Botcoin: Bitcoin Mining by Botnet

  1. Vee

    “I promptly submitted the file to Virustotal and found it was flagged as a trojan horse program by at least two antivirus products.”

    It’s flagged, but I wouldn’t really rely on AntiVir and TotalDefence who might/probably have a high false positive rate. Don’t confuse me as saying the file is clean, that’s not what I’m saying, but I’d rescan the file in 24hrs to get a better picture (which by then more AVs will flag it as a bitcoin miner).

    Two other virus submitting things to use for anyone interested:

    HitmanPro 3 – Will upload any unknown/new/suspicious files to its scan cloud (which also sends to the AVs that partner with it, Dr Web, Emsisoft Anti-Malware, G Data AntiVirus, BitDefender and IKARUS) There is also an option to somehow link it up with VirusTotal but I never messed with that part of it.
    http://www.surfright.nl/en/hitmanpro/

    And Jotti, which is an alternative to VirusTotal:
    http://virusscan.jotti.org/en

    And there’s an ESET submit page as well:
    http://kb.eset.com/esetkb/index?page=content&id=SOLN141

  2. Larry McPhillips

    “The affiliate program is having a user meeting tonight (July 18) at Beerlin.”

    Haaaa, not anymore! Thanks Brian… a charming read as always.

    1. Haggis

      AWWW!! we all could have had a road trip lol

  3. Stefan Misaras

    I have been following this bitcoin mining with interest, as everyone else, hoping there’s a way to get away from the limitations and restrictions of cash, currency, government rules, etc… but I guess it’s only a matter of time until someone “breaks this system” also 🙁 With the possibility of harnessing the power of the internet (whether legally or illegally), almost anything can be counterfeited, copied, broken into, forced, and even destroyed…what starts as a good idea and genuine people interested in genuine mathematical problems, etc, ends up in being the playpen of the hackers and opportunists 🙁

    I wonder what their response would be, since they have a very active community with self-made and ever-tightening rules and security measures, …

    PS. In the paragraph starting with “Also, the administrator demands demands that new users demonstrate the ability to garner hundreds to thousands of installs per day. ” there’s two “demands” there…

  4. cypherpunk

    Most hackers haunted by Krebs are russians 🙂

    1. denys

      hmm… but these guys seems to be ukrainian..not russian

      1. saucymugwump

        In Ukraine, there are ethnic Ukrainians and there are people of other ethnic groups who possess Ukrainian passports. According to the CIA World Factbook, the breakdown goes as follows:

        Ukrainian 77.8%, Russian 17.3%, Belarusian 0.6%, Moldovan 0.5%, Crimean Tatar 0.5%, Bulgarian 0.4%, Hungarian 0.3%, Romanian 0.3%, Polish 0.3%, Jewish 0.2%, other 1.8% (2001 census).

        Ethnic Russians in Ukraine (and Belarus, the Baltic States, etc) tend to pine over the “good old days” of the Soviet Union. Not that long ago an ethnic Russian policeman in Ukraine declared “I do not understand the cows’ language,” referring to Ukrainian.

        http://www.rferl.org/content/ukrainian_language_cow/2288383.html

        1. john doe

          Russians, ukrainians and belorussians, ethnic or not, are usually good friends anyway and share common values, bar few nutcases. Think of Scots and Englishmen.

  5. saucymugwump

    Bitcoin is a farce and always will be a farce. “Mining” is the first cousin of counterfeiting, proving that geeksters do not understand the purpose of currency. The reasons the USD, euro, Australian dollar, Canadian dollar, and Swiss franc are trustworthy currencies are stability and reliability; these currencies do not drastically change in value from day-to-day. We are now seeing the second shoe drop, with cyber-criminals realizing that there is money to be made from bot-mining

    1. Neej

      Nothing you said shows it to be a “farce” including whatever “the first cousin to counterfeiting” means.

  6. patriq

    Was rummaging though a ZeuS C&C last week and found a Bitcoin miner. However, this miner is not part of an affiliate program. Just goes to show that these guys will do whatever they can to squeeze out a dollar.

    “As if stealing money directly from victims bank accounts is not lucrative enough these a**holes were mining for BitCoin on their bots as well.
    In the same directory of the panel on this server, I found a zip archive amd.zip which contained a file wuaxctl.exe.
    amd.zip > wuaxctl.exe ”

    http://protectyournet.blogspot.com/

  7. CharlieG

    Off Topic, but bear with me.

    This octogenarian fan of Brian Krebs’ provocative [in the very positive sense of the word] commentary since his Washington Post days is ever increasingly fascinated by the evolving complexity of ever increasing layers of enigmas to us uninitiated casual users of these “machines”.

    “Machinations” will come to mind.

    Hence I’ll add my two cents’ of somewhat experienced World involvement to the swirling controversy of what the N.S.A. is doing, probably very, very well despite the Snowden’s lurking in their midst:

    How can computer users at any level complain about their precious “privacy” when they publish pictures of their genitals on Internet forums?….at the same time our Muslim enemy are batting around existential threats such as young Tsarnarov (sic) and using the very same medium? ….and… they doubtlessly read with intense interest about such as this “bitcoin” development.

    That’s crass hypocrisy on the part of those whiners and wailers.

    1. CooloutAC

      I only complain about the Tsaranovs, credit card thiefs, and the pictures of my genitals people steal from my hdd lol, and the fact i’m part of some malicous or criminal botnet.

    2. stormy

      “How can computer users at any level complain about their precious “privacy” when they publish pictures of their genitals on Internet forums”

      — I hope not ALL computer users do that, or I’m definitely too old-school :). True, a lot of people seem to think fora, BBS, social networks and even cloud storage spaces are not supposed to be “public” (heck, even the word forum meant “public place” in ancient Rome, if that’s not enough of a warning). But I think the whole controversy about PRISM and Tempora is rather that they’re listening to things that “should” (well, the law is not clear on that, but the spirit of the law is) be private, such as phone/VoIP conversations and mail. Saying that because it’s technically possible to read every mail or listen to every phone convo we should do it is exactly like saying that because you left your car open someone should steal everything in it. Stealing cars might even be temporarily necessary to increase national security, but it’s still stealing.

      1. CooloutAC

        Are you telling me you never took a naked photo of yourself or someone else man? really? 🙂

    3. Cliff

      “Muslim Enemy” – Why on earth type this? USA has enemies of all faiths, and many muslims are great friends of the USA.

  8. And then what

    Who is going to Ukraine then ?? :))

    Суть дела такова. В любом яхт-клубе электроэнергия раздается бесплатно. На бонах стоят раздаточные колонки с несколькими розетками. Иногда правда там стоят автоматы. В еверопейских клубах они обычно на довольно небольшой ток. Но иногда автоматы стоят на большой ток, их можно обойти или их нет вообще и тогда можно тянуть хоть 10кВт. Сначала конечно убедиться, что проводка выдержит. В приличных клубах всё проведено хорошим таким кабелем.

    Охлаждение: даже в самые жаркие дни вода редко прогревается до 25 градусов, зависит от местности конечно. Варианты охлаждения: гонять забортную воду по ватерблокам системы охлаждения. Сначала через фильтр можно пропустить чтобы блоки быстро не заросли. Но все-таки лучше сделать двухконтурную систему: по ватерблокам гонять специальный хладогент с антикор присадками и пр. и охлаждать его забортной водой в теплообменнике.

    Поскольку влажность высокая, обычная элетроника в таких условиях долго не живет. Поэтому оптимальным все-таки представляется погрузить майнеры в закрытую емкость с маслом, которое уже охлаждать в теплообменнике забортной водой. Получится компактная система которую можно спрятать поглубже и забыть про нее. Во всех случаях забортную воду проще всего брать из внешнего контура охлаждения двигателя и выкидывать в выхлоп, можно воспользоваться также вводами на камбузе или туалете-душевой, то есть дополнительные дыры сверлить в корпусе не нужно.

    Интернет естественно мобильный. Даже для 10 кВт асиков LTE должно хватить, а сейчас уже есть LTE-A. Иногда в клубах раздают вайфай, но он уже может стать слабым звеном.

    Яхта (катер, лодка) в основном используется по выходным: приехал, покатался, вернулся в клуб. Все остальное время майнеры будут трудиться и зарабатывать денежку. На оплату стоянки должно хватить. А может еще и на солярку хватит и чтобы новые паруса пошить и на выпить-закусить.

    Покупать даже небольшую старенькую лодку только для того чтобы поставить на нее майнеры скорее всего смысла не имеет. Это для тех у кого уже есть плав-средство. Еще один ньюанс — водоем должен быть незамерзающим, толку от майнеров внутри лодки стоящей на берегу будет немного.

    С другой стороны, если майнер уже намайнил 1000 биткоинов, то почему бы и не купить яхту? В конце концов, как сказал Стивенсон: “Лучшее что мужчина может сделать со своими деньгами — это построить шхуну”.

  9. CooloutAC

    I would love to hear about folding botnets. Especially since I still never grasped a real understanding of what folding is. But I was always told many computers are folding unknowingly.

    It might not be for money, and these malicous hackers might think they are doing a good thing for the world self righteously, but its just as bad!! They are not given permission, and It severely degrades pc performance and shortens the lifespan especially on video cards apparently.

  10. Madmonkey

    The fact that only 2 antivirus programs are able to flag this as malware is really not good for the general public. Lets hope bigger antivirus companies will add them to their database soon.

    1. Vee

      That’s very typical of fresh samples though. I’ve submitted new finds every so often to VirusTotal and within a day the rates go from 2-3 to 20+. Within a week a file will top out somewhere in the 30s.

      Folding/Mining malware would be pretty easy to detect I’d think: your CPU/GPU would probably be at full load, high temps, fans revving up etc. I suppose it could even damage badly ventilated systems with stock cooling, or even blow some capacitors if it ran for months on end, just like with legit stress testing/benching software.

  11. Clownso

    This isn’t new. Botnet operators have been utilizing bitcoin mining for over a year now, and it’s getting a lot less profitable for the bottom dwellers. Even major botnets such as ZeroAccess appear to have (for the most part) abandoned it due to increasing difficulty levels.

    On a side note, if those were that affiliates total earnings from all their installations then that is quite pathetic. Amateur hour over in Ukraine it looks like.

  12. Old School

    Source: http://en.wikipedia.org/wiki/Bitcoin
    “Although the Bitcoin Project describes bitcoin exclusively as an “experimental digital currency,” bitcoins are often traded as an investment. Critics have accused bitcoin of being a form of investment fraud known as a Ponzi scheme. A case study report by the European Central Bank observes that the bitcoin currency system shares some characteristics with Ponzi schemes, but also has characteristics which are distinct from the common aspects of Ponzi schemes as defined by the U.S. Securities and Exchange Commission.”

  13. Zooko

    Hi Brian Krebs.

    Long time reader, first time poster.

    I asked some questions of an alleged Bitcoin botnet-herder on reddit one year ago, and I did a few sanity checks on his numbers, and posted my notes here:

    https://plus.google.com/u/0/108313527900507320366/posts/1oi1v7RxR1i?hl=en

    The profit margin in using Botnets for Bitcoin mining has been shrinking dramatically, due to the deployment of custom ASICs for Bitcoin mining. Look at this graph of the total Bitcoin hash power over time:

    https://bitcoin.sipa.be/speed-lin-ever.png

    The inverse of that (i.e. one divided by that) is the amount of money you can make from one gigahash-per-second of mining power.

    The aggregate network hash power is something like 25X as much today as it was a year ago.

    Therefore, even if that guy I talked to a year ago *was* making a profit from his Bitcoin-mining Botnet, he would have to be running a Botnet 25 times as big, today, to make the same amount of money per day. I assume that the expense of running that big of a Botnet would eat up his profits from mining.

    Note that at the time, a year ago, he said Bitcoin was a sideline and that his main lines were spam and DoS.

    As far as I can tell, custom-ASIC based Bitcoin mining is continuing to deploy at a fast rate, and any profit to be made from Botnet Bitcoin mining is likely to evaporate soon.

    1. BrianKrebs Post author

      Yup. There’s no question that bitcoin mining even by a large botnet can’t come close to ASIC-based mining. But then again, that doesn’t mean botnet herders will avoid taking advantage of their resources for mining if they don’t care what happens to the machines.

      1. Zooko

        Well, that’s a good point. I guess the marginal cost to the bot operator is merely a slightly increased chance of the infection getting noticed and removed, right? I recall that the botnet operator on reddit said that he ran his Bitcoin mining at a low duty cycle so that it wouldn’t cause noticeable heating or delays.

      2. meh

        Isn’t there a better use of these machines?

        Seems like an awfully large trail of breadcrumbs to be leaving around the world for $300 a day.

  14. null

    Brian,

    “I gained access to an affiliate account and was able to grab a copy of the mining program.”

    That is a big lie. Next time do your own research and don’t steal it… because this is what you have done.

    Thanks….

    1. BrianKrebs Post author

      How did I lie, exactly? Oh, and next time you want to leave a comment like this, man up and use your email address so I can contact you back. Or, if I “stole” some of your research, let me us know who you are so we can appropriately bow down at your greatness. Thanks.

  15. null

    I dont want more drama, but you have to understand that if I was researching these guys this article doesn’t help because makes them paranoid.

    Also if this article have been done using the information I got and without my permission makes me even more angry.

    I don’t want to tell you how to do your job, but writing articles using the information from another researcher doesn’t seem right (for me). Because without that password, this article wouldn’t have nothing…

    For me, this is closed and I won’t bother you more.

    thanks.

    1. BrianKrebs Post author

      Still no information about who you are or proof that I somehow used your information without your permission. I think maybe your anger is misdirected?

      1. null

        No Brian. You know exactly what happened and also who I am.

        If you consider that you have to contact me feel free, but for me this is closed.

        thanks.

  16. pow

    This is BUNNN aka 100from TROJANFORGE…
    Real name: Oancea Ionut Catalin

Comments are closed.