
An increasing number of malware samples in the wild are using host systems to secretly mine bitcoins. In this post, I’ll look at an affiliate program that pays people for the mass installation of programs that turn host machines into bitcoin mining bots.

Bitcoin is a decentralized, virtual currency, and bitcoins are created by large numbers of CPU-intensive cryptographic calculations. As Wikipedia explains, the processing of Bitcoin transactions is secured by servers called bitcoin miners. These servers communicate over an internet-based network and confirm transactions by adding them to a ledger which is updated and archived periodically using peer-to-peer filesharing technology. In addition to archiving transactions, each new ledger update creates some newly minted bitcoins.

Earlier this week, I learned of a Russian-language affiliate program called FeodalCash which pays its members to distribute a bitcoin mining bot that forces host PCs to process bitcoin transactions (hat tip to security researcher Xylitol).

FeodalCash opened its doors in May 2013, and has been recruiting new members who can demonstrate that they have control over enough Internet traffic to guarantee at least several hundred installs of the bitcoin mining malware each day. The FeodalCash administrator claims his mining program isn’t malware, although he cautions all affiliates against submitting the installer program to multi-antivirus scanners such as Virustotal; sending the program that installs the bitcoin mining bot to Virustotal “greatly complicates the work with antivirus” on host PCs.

Translation: Because services like Virustotal share information about new malware samples with all participating antivirus vendors, scanning the installer will make it more likely that antivirus products on host PCs will flag the program as malicious.

Rather, the administrator urged users who want to check the files for antivirus detection to use a criminal-friendly service like scan4u[dot]net or chk4me[dot]com, which likewise scan submitted files with dozens of different antivirus tools but block those tools from reporting home about new and unidentified malware variants.

I gained access to an affiliate account and was able to grab a copy of the mining program.
I promptly submitted the file to Virustotal and found it was flagged as a trojan horse program by at least two antivirus products.
Analysis of the file shows that the mining program installer adds a Windows registry key so that the miner starts each time Windows boots up.
(perhaps to deposit a note about each new installation).

The FeodalCash administrator also claims that his affiliates are not permitted to distribute the installer file in any way that violates the law, but of course it’s unclear which national laws he might be talking about. At the same time, the affiliate program’s Web site includes a graphical tool that helps affiliates create a custom installer program that can install silently and be disguised with a variety of program icons that are similar to familiar Windows icons.

Also, the administrator demands that new users demonstrate the ability to garner hundreds to thousands of installs per day. This is a rather high install rate, and it appears many if not all affiliates are installing the mining program by bundling it with other executable programs distributed by so-called pay-per-install (PPI) programs. This was apparent because a source managed to gain administrative-level access to the back-end database for the FeodalCash program, which includes hundreds of messages between affiliates and the administrator; most of those messages are from new registrants sending the administrator screenshots of their traffic and installs statistics at various PPI affiliate programs.

So far, FeodalCash has managed to attract at least 238 working affiliates. Here is a copy of the affiliate list, complete with their corresponding bitcoin wallets. According to Xylitol, the host PCs that currently have this botcoin mining malware installed are doing their slavish work at the Eligius bitcoin mining pool. According to the FeodalCash administrative panel, the infected machines have mined only about 140 bitcoins. Each bitcoin is currently worth about $100 at today’s exchange rate, making the program’s total haul only about $14,000. The current bitcoin generation rate is about 4.719 bitcoins per day, or about $340.45 daily.

Who’s behind this affiliate program? It appears to be the work of two guys from Ukraine, who apparently are named Igor and Andrei. But those domains weren’t much help. Then I noticed that listed on one of the FeodalCash user pages is a notice that the affiliate program is having a user meeting tonight (July 18) at Beerlin, a German-styled pub in Kharkov, Ukraine!

The affiliate panel also helpfully included a map of downtown Kharkov to assist those planning to attend.

This entry was posted on Thursday, July 18th, 2013 at 12:14 am and is filed under A Little Sunshine, Web Fraud 2.0.

Maybe it's a sign of the Bitcoin bubble. Criminals are trying to take control of PCs and turn them into Bitcoin miners. According to antivirus seller Kaspersky Lab, there's a new Trojan – spotted just yesterday and spreading via Skype – that takes control of infected machines and forces them to do what is known as Bitcoin mining, a way of earning digital currency. The Bitcoin digital currency system rewards miners (in Bitcoins, natch) for their number-crunching work, which is essential to keeping the anonymous Bitcoin currency system working. With the Trojan, hackers are forcing others' machines to earn them money, and it can really put a strain on these machines.

Victims might notice that their CPU usage shoots sky high. Yesterday, the Trojan was spreading via Skype messages. In one Spanish message obtained by Kaspersky, the Trojan was supposed to be a "favorite" picture of the victim. About two thousand people per hour were clicking on the website hosting the Trojan software, Kaspersky said. "Most of potential victims live in Italy then Russia, Poland, Costa Rica, Spain, Germany, Ukraine and others," Kaspersky Researcher Dmitry Bestuzhev wrote in a blog post.

Once computer criminals have tricked you into downloading a Trojan, they have control of your computer, and there are a lot of things they could do. And the Trojan isn't only used for Bitcoin mining, Kaspersky says. This isn't the first time a Bitcoin mining Trojan has popped up, and malicious software that flat-out steals bitcoins has been around for years. Two years ago, Symantec spotted a Trojan – called Badminer – that sniffed out graphical processing units and used them to crank out bitcoins. A regular PC wouldn't be able to do much Bitcoin mining on its own, but hackers could pretty easily register a group of compromised computers with a specific Bitcoin mining pool and point all of the systems there, according to Charlie Shrem, the founder of Bitcoin payment processor Bitinstant.