The cybercriminals who infected the computers of European Yahoo users apparently wanted to create a huge Bitcoin network.
Researchers at security firm Light Cyber revealed this week that one of the malware programs was designed to harness the processing power of infected PCs for the calculations that running a Bitcoin network (mining) requires. Reported earlier this month by fellow security firm Fox IT, the campaign spread its package by using Yahoo's ad server to deploy malicious ads. The malware took advantage of vulnerabilities in Java to install itself on computers that visited the ads.yahoo.com site.
Light Cyber founder Giora Engel told CNET that his firm detected the attack in its customers' networks four days before it was publicly known and reported by Fox IT. Engel explained how the firm learned of the malware:
Many of our customers share threat intelligence with our Magna Cloud, so our research lab noticed this unknown malware and attack campaign coming from our customers' networks and investigated the specific case. As part of the investigation, we found a few tools that were downloaded by the malware. This specific attack campaign incorporated a variety of different monetization techniques using a variety of malwares. The attackers made sure they exploited each of the millions of infected machines to its full worth by employing Bitcoin miners, WebMoney wallet hackers, personal information extraction, banking information extraction, and generic remote access tools.
Engel said that Light Cyber detected a portion of the infected computers talking to Bitcoin mining pools on the Web, a sign that they were actually being used for mining. He also explained how Bitcoin mining works:
Bitcoin mining is a computationally heavy process that gets harder and harder over time. Bitcoin is mined in blocks, and since it takes a lot of computing power to mine a block, the miners join forces and form mining pools or "bitcoin mining networks" -- in which each one participates with his computing power and gets in return his share of the revenue. In our case, the malware author would be the sole beneficiary of the mining efforts.
Bitcoin mining on computers is not usually worth the effort, Engel added, because the electrical cost of operating the computer is higher than the revenue garnered from the mining itself. But the malware author stole the computing resources of the affected machines and did it in such large numbers as to turn a profit from the operation.
The malware attack reportedly lasted from December 31 through January 3, when Yahoo took down the malicious ads. On Saturday, Yahoo acknowledged the issue through the following statement:
At Yahoo, we take the safety and privacy of our users seriously. On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware. We promptly removed these advertisements. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected.
So far, Yahoo hasn't revealed any details on the infected computers or publicly advised affected users on what they should do. But security firm Surfright shed a bit more light on the situation.
Not every ad on the Yahoo advertisement network contained the malicious iframe, but if you have an outdated version of Java Runtime (you can check here) and you used Yahoo Mail in the last 6 days, your computer is likely infected.
In an advisory to its customers, Light Cyber also detailed the following extensive steps for detecting the malware:
Communication with the following Internet domains is an indication of a positive infection of the communicating computer:
Communication with the following Internet domains/IP addresses is an indication of a possible infection:
The existence of the following files is an indication of a positive infection:
- %localappdata%\cygwin1.dll (See note 1)
- %localappdata%\wuauclt.exe (See note 1)
- %localappdata%\temp\????????.lnk (8 hex characters)
- %localappdata%\temp\????????.exe (8 hex characters)
(1) The filename is used by legitimate software, but not in the listed path.
People with infected computers are advised to run a full virus scan and block the Internet domains listed above through their router/firewall.
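As an added illustration of the file-based checks in the advisory above (this is not Light Cyber's tool, and the sample directory layout it is tested against is constructed), the following script looks only for the four indicators quoted: the two fixed names directly under %localappdata%, and eight-hex-character .lnk/.exe files under its temp subfolder. The fallback path used when LOCALAPPDATA is unset is a hypothetical demo location.

```python
import os
import re
from pathlib import Path
from typing import List

# Indicators quoted from the Light Cyber advisory. The two fixed names belong to
# legitimate software elsewhere on Windows (note 1), so only a copy sitting
# directly in %localappdata% is counted.
FIXED_NAME_INDICATORS = ("cygwin1.dll", "wuauclt.exe")
# %localappdata%\temp\????????.lnk or .exe, where ???????? is 8 hex characters.
TEMP_NAME_PATTERN = re.compile(r"^[0-9a-f]{8}\.(lnk|exe)$", re.IGNORECASE)


def find_file_indicators(localappdata: str) -> List[str]:
    """Return labels (relative to localappdata, using the advisory's backslash
    notation) for every file matching a 'positive infection' indicator.
    Name comparison is case-insensitive, as NTFS is."""
    base = Path(localappdata)
    hits: List[str] = []
    if not base.is_dir():
        return hits
    temp_dir = None
    for entry in base.iterdir():
        # Fixed names must be a direct child of %localappdata%, not deeper.
        if entry.is_file() and entry.name.lower() in FIXED_NAME_INDICATORS:
            hits.append(entry.name)
        elif entry.is_dir() and entry.name.lower() == "temp":
            temp_dir = entry
    if temp_dir is not None:
        for entry in temp_dir.iterdir():
            if entry.is_file() and TEMP_NAME_PATTERN.match(entry.name):
                hits.append(f"{temp_dir.name}\\{entry.name}")
    return sorted(hits)


if __name__ == "__main__":
    # On Windows the real folder comes from the environment; the fallback is a
    # hypothetical path so the script also runs elsewhere for demonstration.
    root = os.environ.get("LOCALAPPDATA", "/tmp/localappdata-demo")
    for hit in find_file_indicators(root):
        print("indicator present:", hit)
```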
Update at 11:30 a.m. PT: with more information from feedback from Light Cyber's founder.