
New Skype Malware Uses Victims' Machines To Mine Bitcoins

Posted by timothy
from the hey-that's-not-yours-it's-mined dept.
An anonymous reader writes "A new piece of malware propagating across Skype has been discovered that tries to convince the recipient to click on a link. What makes this particular threat different is that it drops a Bitcoin miner application to make the malware author money. While malware has both spread on Skype and mined Bitcoins before, putting the two together could be an effective new strategy."
  • This seems a few years late. It's so ungodly difficult to mine now that average Joe's infected computer just isn't going to manage to mine anything. Sure you may get lucky and get this installed on a few super high end machines, but last I heard it's getting hard to even do it with high end GPUs. Now, had this happened at the beginning of bitcoin (and I'm sure it did), the author would have actually stood a chance to make some money here.
    • by leathered (780018)

      That was exactly my thoughts when I first saw the headline. A top-end core i7 can manage a mere 20 Mhashs/s, while a GPU can do 2000 MH/s. The professional miners have moved on from GPUs to custom ASICs that can churn out as much as 50GH/s.

      The only way the malware purveyors are going to get anything of value out of this is if they get lucky and infect a number of high-end gaming rigs.

      • That was exactly my thoughts when I first saw the headline. A top-end core i7 can manage a mere 20 Mhashs/s, while a GPU can do 2000 MH/s. The professional miners have moved on from GPUs to custom ASICs that can churn out as much as 50GH/s.

        The only way the malware purveyors are going to get anything of value out of this is if they get lucky and infect a number of high-end gaming rigs.

        What I find a bit surprising is that doing something so relatively overt would still be a viable use of a botnet. Running the CPU full tilt, especially given how many computers are ill-cooled and battery powered these days, is something that even a total non-techie is relatively likely to notice. I'm amazed that any bot-herder decided that the increased attrition from being noticed would be less expensive than CPU-mining bitcoins would be valuable (especially when alternatives like keylogging for bank and ot

        • Try going to the police with "Somebody is using my computer to mine bitcoins" vs "someone stole money from my bank account".

      • That was exactly my thoughts when I first saw the headline. A top-end core i7 can manage a mere 20 Mhashs/s, while a GPU can do 2000 MH/s. The professional miners have moved on from GPUs to custom ASICs that can churn out as much as 50GH/s.

        The only way the malware purveyors are going to get anything of value out of this is if they get lucky and infect a number of high-end gaming rigs.

        A 10,000 machine bot running on machines that average 2Mhashes/sec is ten times as effective as your 2000MH/s GPU. It's not the speed of the machines, but the size of the botnet.

      • by dbIII (701233)
        They got sucked into the bitcoin scam and you are expecting them to apply reason?
    • Indeed - from experience an average computer with standard GPU will do between 2 and 20 Mhash/s (not all GPUs will be usable, and most computers around with usable GPUs will have low-end ones). The best GPUs will make a whopping 600 to 900 Mhash/s, and even with that it'll be pretty hard to compete against the ASIC rigs - there are already devices making 60 Ghash/s (60,000 Mhash/s), and the upcoming rigs will do up to 1,500 Ghash/s (that's 1,500,000 Mhash/s!). In a few months the network difficulty will be s

    • by ceoyoyo (59147)

      A few hundred thousand or a million CPUs with someone else paying the electricity bill can still mine a few bitcoins. A $1500 ASIC setup does 40 or 50 thousand Mhash/s. If the average botnet machine does 50 Mhash/s on its CPU/GPU you need a thousand infected machines to match that $1500 ASIC. If your botnet goes big and you get a hundred thousand machines, you've got a pretty nice mining setup.

      • by pla (258480)
        Getting good performance out of a GPU miner takes some tweaking, and very few average home PCs even have GPUs worth mining on anyway (most IGPs and consumer-grade NVidia cards barely count as one more CPU-class device on which to mine, if even possible).

        So that really only leaves CPU mining as the no-fuss option. And a typical modern machine will do 3-6 MH/s per core, so figure 24MH/s as an upper limit for any fairly new high-end OEM machine. For comparison, the BitForce Jalapeno - If it ever ships - Wi
        • by ceoyoyo (59147)

          I'm pretty sure if I were into botnets I'd rather spend a weekend writing something to infect 20,000 machines than spend $15,000 on ASIC miners. That's using your numbers. Plus if someone comes along with a spam or DDOS job for you, you can switch to that, then back to mining when you're done.

          If you've got a botnet lying around you might as well use its off time.

      • For mining with the GPU, this requires OpenCL/CUDA SDKs to be installed. If this came packaged with those, it would be the biggest bit of malware I've ever seen (well over 100MB).

        That leads to the logical conclusion that these will be mining on the CPU.
    • by istartedi (132515)

      That depends on whether or not they effectively parallelized the algorithm. One Joe can't do it, but if you command a million Joe-bots it might be worth it. Maybe you don't even have to chop up work units. Maybe it's just a question of having enough "tickets" for the odds of one being a winner to go up. Since the tickets cost nothing there's no reason not to play except the possibility of getting caught. Since they're criminals already, "fear of getting caught" is a sunk cost.

  • by Freddybear (1805256) on Saturday April 06, 2013 @11:42AM (#43379285)

    So when the user detects and presumably removes the malware, what happens to those mined bitcoins? Do they disappear? Are they still in the malefactor's account? Lastly, is there any chance of tracing and impounding the bitcoin account so that the bad guy doesn't profit?

    • by PRMan (959735)
      If a coin were to be successfully mined by grandma's computer (unlikely anyway these days, but possible if you have 1 million of them), then I am certain they would immediately transfer it to their bitcoin account using a bitcoin address.
    • by EmperorArthur (1113223) on Saturday April 06, 2013 @12:05PM (#43379483)

      From what I understand, the trick is each miner goes through a search space. If it doesn't find anything, it requests another search space from the control server. If it does, it tells the control server about it. The control server then tells the rest of the world that it found this new bitcoin. If you shut down a machine during a search the control server eventually sees this and has another machine look through the same search space. This is basic parallel programming using a scatter-gather approach with a little bit of management on the server side.

      As for the bitcoin itself. There's nothing anyone can do. There is no mechanism within the bitcoin system to declare a bitcoin to have been produced illegally. If the command and control server is shut down then the bitcoin wallet might very well be lost. In that case, the bitcoin is lost forever. See this CCC video about bitcoin loss, deflation, and why that's a bad thing. https://www.youtube.com/watch?feature=player_detailpage&v=-FaQNPCqG58#t=1137s [youtube.com] As cool as bitcoin is, it has serious problems which will keep it from being used in day to day life. Hyped Example: http://www.newstatesman.com/economics/2013/04/bitcoin-hyperdeflation [newstatesman.com]

      The idea behind this malware is kind of neat though. It's not stealing log in credentials, so it doesn't need to do browser interception and then have the hacker physically dealing with banks. It doesn't perform DDoS attacks or send spam, so it doesn't use any network resources except for talking to the command and control server. If it's written correctly, it should run at low priority with a small memory footprint. It might be using 100% CPU, but on a desktop machine, the user would probably never even know it's there.

      • by IamTheRealMike (537420) <mike@plan99.net> on Saturday April 06, 2013 @02:18PM (#43380219) Homepage

        As cool as bitcoin is, it has serious problems which will keep it from being used in day to day life.

        Bitcoin does indeed have problems that make it hard to use in daily life, but "deflation" is not one of them. BitPay has reported that when the value of a Bitcoin rises their transaction rate goes up not down, as macro-economists would predict. Perhaps because holders of coins feel rich and start to splash out. This should not surprise us. The consumer electronics industry has been in a permanent state of economy-destroying inflation since pretty much forever yet even better and cheaper smartphones/mp3 players/etc continue to fly off the shelves. And in case you'd like observations more rigorous, there is no empirical evidence of a link between deflation and depression [minneapolisfed.org].

        Anyway, obviously the goal is that nobody loses Bitcoins through carelessness - there are many strategies to help people back up their keys, and over time they will become widely implemented and used.

        • BitPay has reported that when the value of a Bitcoin rises their transaction rate goes up not down, as macro-economists would predict

          You're confusing long and short-term trends. If there is a consistent long-term trend upwards, then economics predicts that people will hold, because it's the rational thing to do. If there is a lot of volatility, then it predicts that people will sell when the value goes up and buy when it goes down. This means that you'd expect a lot of high-frequency trades when the value spikes, as people cash out. They'll then buy slowly at the bottom (so as not to push the price up too fast) and then sell again at

          • But the long term trend with Bitcoin has been upwards in both value and transaction volume. So what economics predicts simply doesn't line up with reality, no matter which way you slice the data.

            • No, economics predicts that two factors will affect the transactions. One is that, as a commodity with a long-term trend that goes upwards, the rational strategy is to hold. The other is that, as a highly volatile commodity, it is possible to make a lot of money by buying at the peaks and selling at the troughs. Currently, Bitcoin is sufficiently volatile that the effects of the latter outweigh the effects of the former: it is possible to make a lot more money from the noise than from the growth. The sa
        • never had to take Viagra have you?

      • by Jeremi (14640)

        It might be using 100% CPU, but on a desktop machine, the user would probably never even know it's there.

        Is there a way to keep your program's CPU usage from showing up in Task Manager (etc)? If so, then the only other thing you'd need is a way to keep the computer's fans at their nominal levels so that the extra noise wouldn't tip the user off, and you're golden (at least until the computer catches fire).

        • For 99% of users it doesn't matter. Computers are the magic black boxes that either work or they don't.

          While it might be fun to write a program that disables all thermal protections and stops the fans, it's quite a different challenge than a simple bitcoin miner.

          I have enough trouble trying to set things using the officially provided drivers. Controlling hardware on an unknown machine... Anyone who could do that shouldn't have any trouble making quite a bit of money.

          • While it might be fun to write a program that disables all thermal protections and stops the fans, it's quite a different challenge than a simple bitcoin miner.

            Of course you wouldn't disable thermal measures but instead add little moments of idle to the loop to keep the CPU utilization down.

      • by Rich0 (548339)

        The idea behind this malware is kind of neat though. It's not stealing log in credentials, so it doesn't need to do browser interception and then have the hacker physically dealing with banks. It doesn't perform DDoS attacks or send spam, so it doesn't use any network resources except for talking to the command and control server. If it's written correctly, it should run at low priority with a small memory footprint. It might be using 100% CPU, but on a desktop machine, the user would probably never even know it's there.

        Indeed, it doesn't even need to have an exploit. If you implemented a miner in Javascript you could just stick it in an advertisement and have it crunch away in a sandbox. Granted, you couldn't keep it running when the tab is closed and it would be slow in Javascript, but it would work just fine.

        Even if mining on non-specialized hardware is inefficient it doesn't cost the operator anything, and it greatly reduces their risk of being caught, assuming they don't use the stolen bitcoins in any traceable tran

        • by dkf (304284)

          Even if mining on non-specialized hardware is inefficient it doesn't cost the operator anything, and it greatly reduces their risk of being caught, assuming they don't use the stolen bitcoins in any traceable transactions (the bitcoins are always traceable, but to be caught you have to use them in some transaction that can link them up with your real-world identity).

          The bitcoins would look entirely legit, as they wouldn't need to be actually minted on the zombie; the distributed client could just report the key information back to the C&C server which would then do the actual minting (very easy, as there would be no search required). From the outside world's perspective, it would look just like the C&C server has lots of kick-ass hardware to do the searching.

          • by Rich0 (548339)

            Good point - wasn't really thinking of that but it would be hard to ID the bitcoins that used the botnet for aid.

    • by Anonymous Coward

      So when the user detects and presumably removes the malware, what happens to those mined bitcoins? Do they disappear? Are they still in the malefactor's account?

      I would doubt the keys for the address the bitcoins end up in are stored on the infected machine.

      Lastly, is there any chance of tracing and impounding the bitcoin account so that the bad guy doesn't profit?

      No, Bitcoin was designed intentionally to not allow that sort of thing. Not so much to protect bad guys, of course, but to protect someone like a political dissenter from the government seizing/freezing their funds to silence them. Unfortunately you can't have one without the other.

    • Miners are looking for the lottery number (nonce) such that it plus a set of new bitcoin transactions and the hash of the previous block generates a new hash with a lot of leading zeros. The exact number the new hash has to be below is set by the total hashing power of the network. Thus the difficulty of the lottery is adjusted so that a new block is found every 10 minutes. If you win the lottery, you get to include 25 newly created bitcoins addressed to your own account, plus any transaction fees. At th
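
The nonce lottery described in the comment above, as an added toy example in Python (not code from the thread or from Bitcoin itself). Assumptions: the simplified header (previous hash + transaction digest + 4-byte nonce), the big-endian comparison and the sample inputs are constructed for illustration; a real Bitcoin header is 80 bytes with more fields.

```python
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    """SHA-256 applied twice, as Bitcoin does for block hashes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for_zero_bits(zero_bits: int) -> int:
    """A hash 'wins' if, read as a 256-bit integer, it is below this target."""
    return 1 << (256 - zero_bits)


def block_hash(prev_hash: bytes, tx_digest: bytes, nonce: int) -> int:
    # Toy header (assumption): previous hash + transaction digest + nonce.
    header = prev_hash + tx_digest + struct.pack("<I", nonce)
    return int.from_bytes(double_sha256(header), "big")


def search_nonce(prev_hash, tx_digest, target, start=0, stop=2**32):
    """Try nonces in [start, stop); return (nonce, tries) or None.

    start/stop allow the nonce range to be split into independent slices.
    """
    for tries, nonce in enumerate(range(start, stop), 1):
        if block_hash(prev_hash, tx_digest, nonce) < target:
            return nonce, tries
    return None


def verify(prev_hash, tx_digest, nonce, target) -> bool:
    """Checking a claimed nonce costs one double hash, not a search."""
    return block_hash(prev_hash, tx_digest, nonce) < target


def expected_hashes(target: int) -> int:
    """Each try wins with probability target / 2**256."""
    return (1 << 256) // target


def expected_seconds(target: int, hashes_per_second: float) -> float:
    return expected_hashes(target) / hashes_per_second


# Constructed sample inputs, not real chain data.
PREV_HASH = bytes(32)
TX_DIGEST = hashlib.sha256(b"constructed transaction set").digest()

if __name__ == "__main__":
    for bits in (8, 12, 16):
        target = target_for_zero_bits(bits)
        nonce, tries = search_nonce(PREV_HASH, TX_DIGEST, target)
        print(f"{bits} zero bits: nonce={nonce} after {tries} tries "
              f"(expected ~{expected_hashes(target)})")
    # Hash rates quoted in the thread: ~4 MH/s per CPU, 250,000 CPUs = 1 TH/s.
    toy = target_for_zero_bits(48)  # arbitrary toy difficulty, an assumption
    print(expected_seconds(toy, 4e6), expected_seconds(toy, 4e6 * 250_000))
```
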

      • by Jeremi (14640)

        If you win the lottery, you get to include 25 newly created bitcoins addressed to your own account, plus any transaction fees. At the moment this is worth $3500 or so per block.

        Hmm, for $3500 per block, I wonder if anyone has set up a "miner parasite" malware -- it would infect as many legitimate BitCoin-mining machines as possible, then do nothing until a mining machine discovered a winning hash. At that point it would intercept the miner's announcement of the winning hash code at the network level, so that instead of the announcement going out to the BitCoin network, it would go out to the malware creator's machine instead. The malware creator would then cash in on the new blo

        • by Sigma 7 (266129)

          If you have the malware that can detect a "winning block" being sent from a computer, then you can also extract the private key from said miner (and pull the coin out from under the worker.)

      • by Chuckstar (799005)

        If they are mining in a pool, then it doesn't matter if they find the block. The more computation you contribute to the pool, the bigger % you get of the 25 BTC if the pool as a whole wins the lottery. It means there's a much higher probability of the botnet controller making money than the way you are describing.

    • by Erk2 (2880293)
      Good luck, if someone is smart enough to write this kind of malware then they are going to be smart enough to move the coins, especially if the wallet IP is in the mountains of China or similar.
  • Had this been done with litecoin or namecoin, I could see some profit. Bitcoin? Sorry, difficulty rating is too high and just keeps going up.

    On top of that, the type of people likely to click on this are also already likely exploited and running with limited system resources as-is.

    Even the entire skype userbase couldn't stand up to the raw power behind half of the mining farms already out there.

    What a stupid malware author.

    • by dbIII (701233)

      What a stupid malware author.

      They got sucked in by the bitcoin scam, but are using somebody else's electricity so they sound a bit less stupid than the usual mark for the bitcoin scam.

  • by mathimus1863 (1120437) on Saturday April 06, 2013 @12:24PM (#43379599)
    To the people that are saying it's not worth it for malware or botnets to mine coins with CPUs... a single CPU does about 4 MH/s. If 250,000 computers all over the world are affected, that's 1 TH/s, which is about 67 BTC/day at the current difficulty. About $1,000/day, or $30,000/month. Scale appropriately for how many computers are affected.

    Yes, it's a waste of time and electricity for an individual to mine Bitcoins with their CPU, but if you have access to 100,000+ machines doing it, and you're not paying for the electricity, it's obviously worth it.
    • by Smerta (1855348)

      ...about 67 BTC/day at the current difficulty. About $1,000/day, or $30,000/month.

      WUT?

      67 BTC/day == $1,000/day? In other words - $16/BTC?

      I thought it was more like $140 or so?

      Maybe just add another zero in there...

    • A 250,000 machine botnet is extremely large, that puts you up in the world's largest active botnets. Building and maintaining such a thing is not easy at all. To mine off that, you need to run a pool server that those machines can all get work from (as the existing pools will all ban you), which is a rather complex scaling problem all by itself, and then you have the fact that it's all a time limited technique. ASIC hardware has, from what I understand, finally started to ship in significant numbers from the

    • by UCFFool (832674)
      My 6 year old computer with a slightly upgraded processor (Athlon X2 5200+) is ~ 3MH/s as a reference point.
  • In case you have not heard, Hotmail's PC chat application, Messenger, is two days from being sunset [google.com] in favor of Skype. That will be causing a massive migration from users who ignored repeated upgrade emails from the MS team.
    Just when I thought it was hard to convince my long-term guests that they should ignore the Messenger Icon, forcing themselves to learn the freshly installed Skype forced down our throats, I have to worry about their malware risks from a new vector of attack.
    I very sparingly use the hot

  • Someone might modify the malware to still generate Bitcoins, but to record the coins generated. Then watch the blockchain to see who spends them. Bitcoins aren't anonymous. Mt. Gox has on at least one occasion frozen an account due to possession of "tainted" coins. [bitcointalk.org]

    Bitcoin isn't as distributed as many enthusiasts think. 80% of transactions go through Mt. Gox, a/k/a Magic, the Gathering Online Exchange.

  • `A new piece of [Windows] malware propagating across Skype has been discovered that tries to convince the recipient to click on a link. What makes this particular threat different is that it drops a Bitcoin miner application to make the malware author money. While malware has both spread on Skype and mined Bitcoins before, putting the two together could be an effective new strategy.`
  • The new mid-level BFL mining chip can perform 60,000MH/s at 80 watts. My i5-2400K can do 14MH/s, my Nvidia GTS450 can do about 40MH/s, and my Radeon 5830 would have been able to do about 220MH/s under ideal circumstances and maxed out. So, this is so far into the not worth it category, it's comical.
    • by gweihir (88907)

      Well, criminals are typically idiots. Otherwise they would go into accepted work for amoral characters, like banking, insurance or politics.

      • As a criminal I resent that. Many criminals have standards and would not touch banking, insurance or politics as a career. Stealing from any of those three is quite acceptable.
    • by UpnAtom (551727)

      I believe the current difficulty of mining bitcoins is fixed until it becomes impossible. As they're currently going at an astonishing $145 (quadrupled over a month), it's extremely profitable to mine on ATI card. However, the FPGA will flood the market with Bitcoins and we will see the price dropping, maybe crashing.

  • There's only one interesting question about this : what OS does it run on, or what other platform (JS, Java, whatever)?

    Security firm Kaspersky discovered the threat, which it names Trojan.Win32.Jorik.IRCbot.xkt,

    Assuming that Kaspersky are not complete and utter idiots, and that the Win32 element of the name means what it normally means, I have no further interest in the story.

    Bye.
