By Dancho Danchev
Bitcoin, the digital peer-to-peer based currency, is an attractive target for cybercriminals, who persistently look for new monetization tactics to apply to their massive, but easily generated botnets. Not surprisingly, thanks to the buzz surrounding it, fraudulent Internet actors have begun to look for efficient ways to take advantage of the momentum. A logical question emerges – how are market oriented cybercriminals capitalizing on the digital currency?
Instead of having to personally infect tens of thousands of hosts, some take advantage of basic pricing schemes such as subscription-based pricing, and have others do all the infecting, while they secure a decent revenue stream based on a monthly subscription model.
Let’s profile the international underground market proposition, detailing the commercial availability of a stealth Bitcoin miner, featuring screenshots of the actual DIY miner generating tool, screenshots provided by happy customers, and perhaps most importantly, MD5s of known miner modifications ‘pushed’ since its first commercial release.
Sample screenshot of the actual advertisement for the stealth Bitcoin miner:
Sample screenshots of the stealth Bitcoin mining generator:
Sample screenshots courtesy of happy customers demonstrating that the service works:
The price is $10 USD per month through PayPal, which includes automatic updates to the miner executable. The EULA also reserves the right not to be held responsible for any unauthorized use of the stealth Bitcoin miner. Now, why someone would want to hide something from themselves remains a mystery, similar to the commercial availability of Remote Access Trojans pitched as Remote Access Tools, given the fact that they come with built-in rootkit/evasive features.
Although at the initial commercial release of the miner the author was manually updating the executable on a periodic basis, as of April 2013 the updates are delivered automatically. Here are some MD5s of known variants that we’re currently aware of:
Webroot SecureAnywhere users are proactively protected from these threats.