Creators of “WannaCry”, a new form of ransomware, managed to only make around $50,000 worth of bitcoins via infecting and encrypting the files on  around 200,000 PCs all over the world, according to CNBC’s industry sources.Last Friday, WannaCry managed to infect PCs, running Widows’ OSs, across more than 150 countries all over the world.$300 worth of bitcoin were demanded as a “ransom” to decrypt the files of every infected machine.According to James Smith, Elliptic’s CEO, approximately $50,000 worth of bitcoin were paid to hackers by victims of the ransomware by 7 am EST today.WannaCry is formulated to ask for a ransom of $300 in the beginning, which would rise to $600, if the victim refuses to pay the ransom during the first 7 days following infection of his/her machine.Accordingly, experts predict the amounts paid to the creators of WannaCry to increase after a few days, when the 7 day deadline is due.Given the wide scale and global nature of the attack, the amount of coins paid to the hackers is still relatively low.

Law enforcement agencies and network security professionals have been urging victims of WannaCry not to pay the ransom.Payments from victims of the ransomware were sent to three bitcoin addresses, according to James Smith, yet the hackers still did not move any of the coins they received to any other addresses.WannaCry, which is also known as WannaCrypt, Wanna Decryptor and WanaCrypt0r 2.0, is a novel ransomware that targets machines running Microsoft Windows operating systems.WannaCry spreads via multiple means such as phishing emails, and it also spreads as a computer worm on unpatched systems.The attack affected individuals as well as big companies.Many companies in Spain were affected including Telefonica.The UK’s National Health Service (NHS) was hit hard by WannaCry.Other affected companies include FedEx, LATAM Airlines and Deutsche Bahn.A couple of days after the attack was launched, a security expert discovered an efficient kill switch, which shielded unaffected machines against new infections, provided that their systems were patched.

This led to slowing down of the spread of the ransomware.Security professionals have warned against a second attack wave, as new versions of the ransomware were detected lacking the “kill switch”.Bitcoin, the virtual currency that has sparked a digital gold rush, is now being targeted by malicious nerds seeking a quick payday.A new Trojan automatically scans for Bitcoins and steals them.Infostealer.Coinbit, the name of the Trojan, could very well have been behind the $500,000 Bitcoin heist that made all the geeks grasp their wallet file a little tighter.So, geeks, store your Bitcoins in a super-secret place nobody would ever look.Like, burn them onto a CD and then write "Shaq Sex Tape" on it in Sharpie.Be safe out there, or before you know it you'll be sifting through the crumbled bits of your virtual fortune.Bitcoin mining: Investing in the future of the underground market2013-06-03AbstractThe exchange rate of the digital currency Bitcoin (BTC) passed the US$200/BTC1 mark earlier this year – a fact that has not escaped the attention of cybercriminals.

Micky Pun takes a look at one of the latest Bitcoin-mining malware families.Copyright © 2013 Virus Bulletin Bitcoin malware landscapeRevisiting the veteranDissecting the malwareFollowing the moneyBitcoin roadmapThe exchange rate of the digital currency Bitcoin (BTC) passed the USD$200/BTC1 mark earlier this year – a fact that has not escaped the attention of cybercriminals who have sought ways to capitalize on the popularity and increasing value of the currency.ethereum coin maxThis article will take a look at the latest Bitcoin operation in the cybercrime world and analyse the latest Bitcoin-mining malware family.Bitcoin malware landscapeThere are three major types of Bitcoin-related malware:Wallet-stealingBitcoin-mining (or ‘freeloading’)A combination of the aboveAs the name suggests, wallet-stealing malware focuses on illegally accessing Bitcoin ‘wallets’.bitcoin news hard fork

A Bitcoin wallet is loosely the equivalent on the Bitcoin network of a physical wallet.The wallet contains private keys which allow the user to spend the Bitcoins allocated to their Bitcoin addresses [1].An online wallet can be compromised by having its login information stolen, while an offline wallet can be ‘stolen’ by infecting the Bitcoin-mining client or simply retrieving the wallet file if it is not encrypted in the system.bitcoin mystery solvedBitcoin mining is the process of making computer hardware perform mathematical calculations for the Bitcoin network to confirm transactions and increase security.bug bounty bitcoinAs a reward, Bitcoin miners can collect fees for the transactions they confirm, along with newly created Bitcoins [2].achat bitcoin belgique

Where Bitcoin mining malware is concerned, a Bitcoin miner first has to secretly be installed on a victim’s system.This will then join the Bitcoin pool and start mining for the criminal’s account.The third kind of Bitcoin malware combines both wallet stealing and Bitcoin mining, and has been seen in botnets such as Kelihos.bitcoin valor inicialIn this article, we will focus on the latest Bitcoin mining malware distributed by SkyBot and NgrBot.(To avoid confusion with legitimate Bitcoin miners, I will refer to this type of malware as Bitcoin ‘freeloaders’.)Revisiting the veteranBefore examining the latest Bitcoin freeloader, it is worth looking back at what one looked like two years ago.In August 2011, there was a Bitcoin freeloader (MD5:a9c88a209db76deb4fe9f1a9f8f47971) in the wild which used the same version of the Ufasoft Bitcoin miner as is used by the latest one.This malware, detected by many vendors as Hstart/Hiddenstart, featured a trivial payload delivery method.

A WinRar file with self-extracting archive using a configuration file (Figure 1) would load the launcher (‘hstart.exe’) after decompression.Figure 1.Config file which automatically runs the malicious executable after decompression.The launcher would then create a process that runs a malicious batch file (‘x.bat’ in Figure 1).The malicious batch file would execute the Ufasoft Bitcoin miner (‘x11811.exe’) with commands instructing it to utilize the current machine as a Bitcoin miner contributing to the criminal’s account.Figure 2.Batch file containing Bitcoin-mining commands.Dissecting the malwareDetected by Fortinet as W32/CoinMine.UIE!tr, the latest Bitcoin freeloader (MD5: 26ed87a390426197599a08443a4e64ac) has some similarities with the earlier one.Since the system has already been compromised by the bot client prior to downloading the freeloader, the binary is not packed or encrypted.Hidden behind some visually obfuscating codes and anti debug tricks, the malicious part of the freeloader is not apparent at first glance and could easily be mistaken for a legitimate Bitcoin miner by an anti-virus engine.

In the resource section of the executable, there is a ‘DATA’ section which stores an unencrypted version of Ufasoft Bitcoin miner 0.20 (DLL).Most importantly, the command that ensures the Bitcoin miner is run for the criminal’s gain is stored in the ‘CONFIG’ section.Before executing the payload, the malware will first add auto-run registry entries to ensure that it runs every time the computer is started.After that, the malware creates a suspended new process (see Figure 3) with the current executable file using commands extracted from the ‘CONFIG’ resource.This new process makes detecting the malware more difficult.Figure 3.Suspended new process with malicious commands.(Clickhere to view a larger version of Figure 3.)Obviously, the original malicious executable would not be able to interpret the commands called.The newly created process is intended as a platform for the malware to inject the legitimate Bitcoin miner such that when the process is eventually resumed, it will run the command that tells the compromised computer to start putting money into the criminal’s pocket (see Figure 4).Figure 4.

Injecting the legitimate Bitcoin miner into memory with malicious commands.Following the moneyThe diagram shown in Figure 5 illustrates how the money made through mining on the victim’s computer reaches the criminal’s pocket.As seen in the previous section, the malware will execute a command that enrols the victim’s computer in a mining activity.This activity was assigned to the criminal when an account was created at the mining pool server.When the victim’s computer sends a ‘get work’ request to the pool server through the legitimate Bitcoin miner client, it will receive a mathematical problem to solve.All computers infected with this malware will perform the same actions and join the pool involuntarily.As a result, the number of miners under the criminal’s account increases and the percentage payout to this account when a solution is reached will also increase.The newly created Bitcoins will be sent to Bitcoin addresses that are under the criminal’s control and it will be impossible to trace back to the criminal because there are numerous ways in which the Bitcoins can be retrieved anonymously.

For example, for only a 0.5% transaction fee, the ‘send shared’ privacy service will break the chain of addresses by swapping your Bitcoins with those of multiple users.With various Bitcoin mixing (‘laundering’) services available on the Internet, Bitcoin’s anonymity makes it easy for an unskilled person to engage in criminal activity.Figure 5.    92.23.236.102 94.242.198.64 94.102.50.53 Eligiusshit.st mining.eligius.st uclid.es ssl.nemaradio.net (malicious domain for hosting other malware) apple.skc.suvps.x1x2.in (also hosting NgrBot in France Paris Gandi)  Table 1.Summary of Bitcoin pool servers and proxies used by criminals.From the table, we can tell that the criminal uses a diverse range of pool-mining methods offered by different servers.Additional proxy servers are provided in certain cases to enhance the victim miners’ productivity – which could, for example, be affected by an unstable Internet connection.Each transaction is deemed to be public knowledge as network confirmation is necessary.

When a criminal decides to show off the proof of his crime by using the address as his username, it is possible to trace a fraction of the money he has made from his victims.Indeed, we have encountered this during our analysis.For example: The 34-byte number starting with 1 suggests that this username might be a transaction address.Searching the database which holds information about all transactions can show us how much money a criminal has made.The report shown in Figure 6 shows that there were a lot of newly generated coins – suggesting that this address was actively engaged in mining activity during April.Transaction history of PyoNmwdNP7PQWQwjCLiK8Av5V9eAGhKcL from blockchain.info.(Clickhere to view a larger version of Figure 6.)The result shows that one of the addresses has made 1.75 BTC so far, which is roughly equivalent to US$350 at the current market rate.That might not seem like much, but we have to keep in mind that this is just one of the many addresses that the criminal is using.

In addition, the really profitable part in the Bitcoin business is selling Bitcoins that were previously mined or otherwise gained when their value was low.Bitcoin roadmapThe recent rise in Bitcoin value has given cybercriminals significant incentive to work on Bitcoin related malware.Unless the Bitcoin mining software is re-implemented, it will be more convenient for cybercriminals to take an existing client and repackage it so that it executes the malicious commands stealthily.Thanks to its anonymity, Bitcoin is a favourable currency among cybercriminals.However, it is unknown at this time whether all these criminal activities will cripple the Bitcoin economy.Since Bitcoin is a limited resource, there will theoretically come a day when no more Bitcoins can be mined.Some people might consider the current Bitcoin mining business a once-in-a-lifetime opportunity, since only a reasonable amount of resources are needed to generate revenue.This might not be the case in the future.As Bitcoin has finally gained some major public attention this year, we expect to see more advances in Bitcoin malware in the near future.