Yahoo Infects 2 Million European PCs with Bitcoin Malware

computer-row
8 January 2014

For four days last week Yahoo’s European servers were the equivalent of a cyber Typhoid Mary, spreading disease to anyone who came near. Yahoo was the victim of a major security breach, which caused its servers to send out millions of malware-laden ads to an estimated two million European users.

Suspicions were first raised by Dutch security outfit Fox IT, which estimated that Yahoo’s servers were responsible for 27,000 malware infections every hour the malware was live on Yahoo’s website.

Yahoo confirmed the embarrassing attack in a statement:

“From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware.”

The statement went on to point out that mobile users and Mac users were not affected, as the malware apparently targeted Windows systems, The Guardian reports.

Bitcoin mining malware was involved

One rather interesting aspect of the attack was that it involved bitcoin mining. The malware would start using infected PCs as mining rigs but it is still unclear how many computers were infected. Although the average PC with an integrated graphics processor is virtually useless for bitcoin mining, tens of thousands of PCs laden with mining malware could produce some results.

In late 2013 German police arrested two hackers who were charged with spreading mining malware to several networks and an undisclosed number of PCs. Following a preliminary investigation, authorities concluded that the duo managed to mine over €700,000 worth of bitcoins. Since they did not have to invest in mining rigs, or pay the electric bill for that matter, it seemed like a very profitable endeavour – until they were raided by the GSG-9, Germany’s elite counter-terrorist police unit.

Little is known about the bitcoin malware served by Yahoo. The German hacker-miners appear to have used a custom version of readily available malware, tweaking it to include a mining scrip and evade detection.

Cyber criminals and bitcoin

Developing and spreading bitcoin mining malware is not easy and with a rapid increase in hash difficulty it will soon be a thing of the past. PCs have not been viable bicoin mining platforms for months and the only way to make any cash on PC bitcoin mining is if you don’t have to buy the hardware or electricity. At this point a network of average PCs will waste more energy generating bitcoins than the bitcoins are worth. Of course, malware is one way of doing it.

In addition to mining malware, some malicious developers have devised a new form of ransomware. The number of bitcoin ransomware detections is going up and the trend was first noticed in the second half of 2013. Ransomware has been around for two decades, but bitcoin is making it a lot more alluring for malicious developers. The software encrypts all content on infected computers and instructs the victims to pay a ransom for the unlock key. Cryptolocker’s ransom is two bitcoins, or about $1,700.

There are a number of different ransomware models that could evolve to use bitcoin. Security experts have also voiced concerns that mobile ransomware could become a major security risk in the near future.

What makes bitcoin so valuable to cyber criminals?

Aside from the sheer value of stolen or illegally mined bitcoins, anonymity is probably the main reason hackers are embracing bitcoin. Renting a botnet costs money and bitcoin is perfect for untraceable transactions between two parties that don’t want to share their identity. The same is true of ransomware – using bitcoin to receive a ransom payment makes sense.

Acquiring specialized software, proprietary hardware, zero-day exploits and other tools used by hackers requires quite a bit of cash. Contrary to what most people think, many hackers do not operate alone. Although there are still plenty of ‘lone wolves’, the cybercrime ecosystem has evolved.

Like any economic entity, it has a hierarchy and what could only be described as division of labour is taking hold. In other words, many hackers are specializing in different niches and cybercrime syndicates are becoming more sophisticated, with a structure similar to traditional criminal syndicates or even legitimate businesses.

As bitcoin is ideal for paying accomplices and funding the whole operation, it is bound to see more use in the murky waters of the deep web.