Posts Tagged: Bitcoin


18
Jul 13

Botcoin: Bitcoin Mining by Botnet

An increasing number of malware samples in the wild are using host systems to secretly mine bitcoins. In this post, I’ll look at an affiliate program that pays people for the mass installation of programs that turns host machines into bitcoin mining bots.

The FeodalCash bitcoin mining affiliate program.

The FeodalCash bitcoin mining affiliate program.

Bitcoin is a decentralized, virtual currency, and bitcoins are created by large numbers of CPU-intensive cryptographic calculations. As Wikipedia explains, the processing of Bitcoin transactions is secured by servers called bitcoin miners. These servers communicate over an internet-based network and confirm transactions by adding them to a ledger which is updated and archived periodically using peer-to-peerfilesharing technology. In addition to archiving transactions, each new ledger update creates some newly minted bitcoins.

Earlier this week, I learned of a Russian-language affiliate program called FeodalCash which pays its members to distribute a bitcoin mining bot that forces host PCs to process bitcoin transactions (hat tip to security researcher Xylitol). FeodalCash opened its doors in May 2013, and has been recruiting new members who can demonstrate that they have control over enough Internet traffic to guarantee at least several hundred installs of the bitcoin mining malware each day.

The FeodalCash administrator claims his mining program isn’t malware, although he cautions all affiliates against submitting the installer program to multi-antivirus scanners such as Virustotal; sending the program that installs bitcoin mining bot to Virustotal “greatly complicates the work with antivirus” on host PCs. Translation: Because services like Virustotal share information about new malware samples with all participating antivirus vendors, scanning the installer will make it more likely that antivirus products on host PCs will flag the program as malicious. Rather, the administrator urged users who want to check the files for antivirus detection to use a criminal friendly service like scan4u[dot]net or chk4me[dot]com, which likewise scan submitted files with dozens of different antivirus tools but block those tools from reporting home about new and unidentified malware variants.

This Google-translated version of the site shows the builder for the installer.

This Google-translated version of the site shows the builder for the installer.

I gained access to an affiliate account and was able to grab a copy of the mining program. I promptly submitted the file to Virustotal and found it was flagged as a trojan horse program by at least two antivirus products. This analysis at automated malware scanning site malwr.com shows that the mining program installer ads a Windows registry key so that the miner starts each time Windows boots up. It also indicates that the program beacons out to pastebin.com (perhaps to deposit a note about each new installation).

The FeodalCash administrator also claims that his affiliates are not permitted to distribute the installer file in any way that violates the law, but of course it’s unclear which national laws he might be talking about. At the same time, the affiliate program’s Web site includes a graphical tool that helps affiliates create a custom installer program that can install silently and be disguised with a variety of program icons that are similar to familiar Windows icons.

Also, the administrator demands that new users demonstrate the ability to garner hundreds to thousands of installs per day. This is a rather high install rate, and it appears many if not all affiliates are installing the mining program by bundling it with other executable programs distributed by so-called pay-per-install (PPI) programs. This was apparent because a source managed to gain administrative-level access to the back-end database for the FeodalCash program, which includes hundreds of messages between affiliates and the administrator; most of those messages are from new registrants sending the administrator screenshots  of their traffic and installs statistics at various PPI affiliate programs.

Continue reading →


30
May 13

Underweb Payments, Post-Liberty Reserve

Following the U.S. government’s seizure this week of virtual currency Liberty Reserve, denizens of the cybercrime underground collectively have been progressing through the classic stages of grief, from denial to anger and bargaining, and now grudging acceptance that any funds they had stashed in the e-currency system are likely gone forever. Over the past few days, the top discussion on many cybercrime forums has been which virtual currency will be the safest bet going forward?

As I mentioned in an appearance today on NPR’s show On Point, the predictable refrain from many in the underground community has been that the demise of Costa Rica-based Liberty Reserve — and of eGold, eBullion, StormPay and a host of other virtual currencies before it — is the death knell of centrally-managed e-currencies. Just as the entertainment industry’s crackdown on music file-sharing network Napster in the late 1990s spawned a plethora of decentralized peer-to-peer (P2P) file-sharing networks, the argument goes, so too does the U.S. government’s action against centrally-managed digital currencies herald the ascendancy of P2P currencies — particularly Bitcoin.

Fluctuation in BTC values. Source: Bitcoincharts.com

Fluctuation in BTC values. Source: Bitcoincharts.com

This knee-jerk reaction is understandable, given that private crime forums are now replete with postings from members who reported losing tens of thousands of LR dollars this week. But as some of the more seasoned and reasoned members of these communities point out, there are several aspects of Bitcoin that make it especially unsuited for everyday criminal commerce.

For one thing, Bitcoin’s conversion rate fluctuates far too wildly for communities accustomed to virtual currencies that are tied to the US Dollar: In both Liberty Reserve and WebMoney — a digital currency founded in Russia — one LR or WMZ (the “Z” designation is added to all purses kept in US currency) has always equaled $1 USD.

The following hypothetical scenario, outlined by one member of an exclusive crime forum, illustrates how Bitcoin’s price volatility could turn an otherwise simple transaction into an ugly mess for both parties.

“Say I pay you $1k today for a project, and its late, and you decide to withdraw tomorrow. You wake up and the $1k I just sent you in Bitcoins is now worth just $600. It’s not yet stable to be used in such a way.”

Another forum member agreed: “BTC on large scale or saving big amounts is a mess because the price changes. Maybe it’s only good cashing out,” noting WebMoney now allows users to convert Bitcoins into a new unit called WMX.

Others compared Bitcoin to a fashionable high-yield investment program (HYIP), a Ponzi-scheme investment scam that promises unsustainably high return on investment by paying previous investors with the money invested by new investors.  As the U.S. government’s complaint alleges, dozens of HYIP schemes had a significant amount of funds wrapped up in Liberty Reserve.

“Bitcoin is a trendy HYIP. There are far more stable and attractive currencies to invest in, if you are willing to take the risk,” wrote “Off-Sho.re,” a bulletproof hosting provider I profiled in an interview earlier this month. “In the legit ‘real products’ area, which I represent, a very small niche of businesses are willing to accept this form of payment. I understand the drug dealers on Tor sites, since this is pretty much the only thing they can receive without concerns about their identities, but if you sell anything illegal, WMZ should be the choice.”

What’s more, MtGox — Bitcoin’s biggest exchanger and the primary method that users get money into and out of the P2P currency — today posted a note saying that it will now be requiring ID verification from anyone who wants to deposit money with it in order to buy Bitcoins.

A logo from perfectmoney.com

A logo from perfectmoney.com

Perhaps the closest competitor to Liberty Reserve and WebMoney — a Panamanian e-currency known as Perfect Money (or just “PM” to many) — appears to have been busy over the past few days seizing and closing accounts of some of its more active users, according to the dozens of complaints I saw on several different crime forums. Perfect Money also announced on Saturday, May 25 that it would no longer accept new account registrations from U.S. citizens or companies.

For now, it seems the primary beneficiary of the Liberty Reserve takedown will be WebMoney. This virtual currency also has barred U.S. citizens from creating new accounts (it did so in March 2013, in apparent response to the U.S. Treasury Department’s new regulations on virtual currencies.) Still, WebMoney has been around for so long — and its logo is about as ubiquitous on Underweb stores as the Visa and MasterCard logos are at legitimate Web storefronts — that most miscreants and n’er-do-wells in the underground already have accounts there.

But not everyone in the underground who got burned by Liberty Reserve is ready to place his trust in yet another virtual currency. The curmudgeon-in-chief on this point is a hacker nicknamed “Ninja,” the administrator of Carder.pro — a crime forum with thousands of active members from around the world. Ninja was among the most vocal and prominent doubters that Liberty Reserve had been seized, even after the company’s homepage featured seizure warnings from a trio of U.S. federal law enforcement agencies. Ninja so adamantly believed this that, prior to the official press announcements from the U.S. Justice Department on Tuesday, he offered a standing bet of $1,000 to any takers on the forum that Liberty Reserve would return. Only two forum members took him up on the wager.

Now, Ninja says, he’s ready to pay up, but he’s not interested in buying into yet another virtual currency. Instead, he says he’s planning to create a new “carding payment system,” one that will serve forum members and be housed at Internet servers in North Korea, or perhaps Iran (really, any country that has declared the United States a sworn enemy would do).

ninjapost

Continue reading →


6
Sep 11

Rent-a-Bot Networks Tied to TDSS Botnet

Criminals who operate large groupings of hacked PCs tend to be a secretive lot, and jealously guard their assets against hijacking by other crooks. But one of the world’s largest and most sophisticated botnets is openly renting its infected PCs to any and all comers, and has even created a Firefox add-on to assist customers.

The TDSS botnet is the most sophisticated threat today, according to experts at Russian security firm Kaspersky Lab. First launched in 2008, TDSS is now in its fourth major version (also known as TDL-4). The malware uses a “rootkit” to install itself deep within infected PCs, ensuring that it loads before the Microsoft Windows operating system starts. TDSS also removes approximately 20 malicious programs from host PCs, preventing systems from communicating with other bot families.

In an exhaustive analysis of TDSS published in June, Kaspersky researchers Sergey Golovanov and Igor Soumenkov wrote that among the many components installed by TDSS is a file called “socks.dll,” which allows infected PCs to be used by others to surf the Web anonymously.

Researchers say this Firefox add-on helps customers use Internet connections of TDSS-infected PCs.

“Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month,” the researchers wrote. “For the sake of convenience, the cybercriminals have also developed a Firefox add-on that makes it easy to toggle between proxy servers within the browser.”

The storefront for this massive botnet is awmproxy.net, which advertises “the fastest anonymous proxies.” According to Golovanov, when socks.dll is installed on a TDSS-infected computer, it notifies awmproxy.net that a new proxy is available for rent. Soon after that notification is completed, the infected PC starts to accept approximately 10 proxy requests each minute, he said.

“For us it was enough to see that this additional proxy module for tdl4 was installed directly on encrypted partition and runs thru rootkit functionality,” Golovanov told KrebsOnSecurity. “So we believe that awmproxy has direct connection to tdl4 developer but how they are working together we don’t know.” The curators of AWMproxy did not respond to requests for comment.

AWMproxy.net, the storefront for renting access to TDSS-infected PCs

The service’s proxies are priced according to exclusivity and length of use. Regular browser proxies range from $3 per day to $25 monthly. Proxies that can be used to anonymize all of the Internet traffic on a customer’s PC cost between $65 and $500 a month. For $160 a week, customers can rent exclusive access to 100 TDSS-infected systems at once. Interestingly, AWMproxy says it accepts payment via PayPal, MasterCard, and Visa.

Continue reading →