Botnets have been around for a long time, and their use has rarely been associated with anything good. This time, Kaspersky has found that cybercriminals are once again digging an old source of gold: using computers on botnets to mine virtual currencies such as Bitcoin.
Two botnets are known so far whose malware installs cryptocurrency miners – legitimate software used to mine virtual currencies based on blockchain technology. Researchers found that the infected computers on these botnets would bring in an estimated US$30,000 on a 4,000-machine network.
Several years ago, malware that silently installed Bitcoin miners (which use victims' computers to mine currency for cybercriminals) was common on the threat landscape, but the more Bitcoins that were mined, the harder it became to mine new ones.
What has changed?
With the skyrocketing price of Bitcoin, hundreds of enthusiast groups and startups have started releasing their own Bitcoin alternatives, many of which also gained a significant market value in a relatively short period of time.
These changes in the cryptocurrency markets have inevitably attracted the attention of cybercriminals, who are now returning to fraud schemes in which they silently install cryptocurrency mining software on thousands of PCs.
Based on results of recent research by Kaspersky Lab experts, the criminals behind the newly discovered botnets distribute the mining software with the help of adware programs, which victims are installing voluntarily.
What happens when your computer is infected
After the adware program is installed on the victim's computer, it downloads a malicious component: the miner installer. This component installs the mining software and, in addition, performs some activities to make sure the miner works for as long as possible. These activities include:
- An attempt to disable security software;
- Tracking all application launches, and suspending their own activities if a program that monitors system activities or running processes is started;
- Ensuring a copy of the mining software is always present on the hard drive, and restoring it if it is deleted.
As soon as the first coins are mined, they are transferred to wallets belonging to criminals, leaving victims with an oddly underperforming computer and slightly higher electricity bills than normal.
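The suspend-when-watched behaviour listed above is itself a detection signal: a process that is busy whenever nobody is looking and idle every time a monitoring tool runs. The Python below is an added example, not Kaspersky Lab's detection logic; the telemetry format, process names, watch list and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

# Assumed watch list of monitoring tools; tune for your environment.
MONITOR_TOOLS = {"taskmgr.exe", "procexp.exe", "perfmon.exe"}

def constructed_sample():
    """Constructed telemetry: (second, kind, process, cpu%). Process names are hypothetical."""
    ev = [(25, "start", "taskmgr.exe", 0.0), (55, "stop", "taskmgr.exe", 0.0),
          (95, "start", "procexp.exe", 0.0), (125, "stop", "procexp.exe", 0.0)]
    for ts in range(0, 160, 10):
        watched = 25 <= ts <= 55 or 95 <= ts <= 125
        ev.append((ts, "cpu", "updsvc.exe", 1.0 if watched else 92.0))  # miner-like
        ev.append((ts, "cpu", "render.exe", 88.0))   # honest heavy workload
        ev.append((ts, "cpu", "notepad.exe", 0.5))   # always idle
    return ev

def monitor_windows(events):
    """Return (start, stop) intervals during which a monitoring tool was running."""
    open_at, windows = {}, []
    for ts, kind, proc, _ in sorted(events, key=lambda e: e[0]):
        if proc not in MONITOR_TOOLS:
            continue
        if kind == "start":
            open_at[proc] = ts
        elif kind == "stop" and proc in open_at:
            windows.append((open_at.pop(proc), ts))
    return windows

def suspects(events, busy=70.0, idle=5.0, min_windows=2):
    """Flag processes that are busy when unobserved but idle in every monitor window."""
    windows = monitor_windows(events)
    inside, outside = defaultdict(lambda: defaultdict(list)), defaultdict(list)
    for ts, kind, proc, cpu in events:
        if kind != "cpu" or proc in MONITOR_TOOLS:
            continue
        hit = [w for w in windows if w[0] <= ts <= w[1]]
        if hit:
            inside[proc][hit[0]].append(cpu)
        else:
            outside[proc].append(cpu)
    flagged = []
    for proc, per_window in inside.items():
        quiet = [w for w, v in per_window.items() if max(v) <= idle]
        if (len(quiet) == len(per_window) >= min_windows
                and outside[proc] and mean(outside[proc]) >= busy):
            flagged.append(proc)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspects(constructed_sample()))
```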
Based on Kaspersky Lab observations, criminals tend to mine two cryptocurrencies: Zcash and Monero. These particular currencies are probably chosen because they provide a reliable way to anonymize transactions and wallet owners.
The first signs of malicious miners returning were spotted by Kaspersky Lab as early as December 2016, when a company researcher reported at least 1,000 computers infected with malware that was mining Zcash, a cryptocurrency launched at the end of October 2016.
At that time, thanks to the rapidly growing price of Zcash, that botnet could bring its owners as much as $6,000 per week. The emergence of new mining botnets was then predicted, and the results of recent research confirm that the prediction was correct.
“The major problem with malicious miners is that it is really hard to reliably detect such activity, because the malware is using completely legitimate mining software, which in a normal situation could also be installed by a legitimate user. Another alarming thing which we have identified while observing these two new botnets, is that the malicious miners are themselves becoming valuable on the underground market. We’ve seen criminals offering so-called miner builders: software which allows anyone who is willing to pay for the full version, to create their own mining botnet. This means that the botnets we’ve recently identified are certainly not the last ones”, said Evgeny Lopatin, malware analyst at Kaspersky Lab.
In general, the number of users that have encountered cryptocurrency miners has increased dramatically in recent years. For example, in 2013 Kaspersky Lab products protected around 205,000 users globally when they were targeted by this type of threat. In 2014 the number increased to 701,000, and the number of attacked users in the first eight months of 2017 reached 1.65 million.
Protecting your computer
To prevent their computers from turning into electricity-harvesting zombies that work hard to make money for criminals, Kaspersky Lab researchers advise users to follow the measures below:
- Do not install suspicious software from untrusted sources on your PC.
- The adware detection feature may be disabled by default in your security solution. Make sure you enable it.
- Use a proven Internet Security solution in order to protect your digital environment from all possible threats including malicious miners.
- If you are running a server, make sure it is protected with a security solution, as servers are lucrative targets for criminals thanks to their high computing performance (in comparison to the average PC).
Kaspersky Lab products successfully detect and block the malware spreading malicious mining software with the following detection names: