The malware attack that turned desktop computers into Bitcoin mining bots is far bigger than earlier anticipated with Yahoo reporting the attack may have been carried out for a longer duration, and that victims are not confined to Europe.

Bitcoin Bitcoin mining malware from compromised Yahoo ads may have spread outside Europe

Over the holidays, users reading Yahoo pages and using Yahoo services may have run malware on their browsers that turned their computers into Bitcoin mining bots. VR Zone earlier reported that the malware was served via Yahoo’s Java-based advertising platform, although the attack was supposedly limited to within Europe, particularly affecting users accessing Yahoo websites and services like Yahoo Mail and Yahoo Messenger.

In a recent update, however, Yahoo admits that the malware attack may have had a wider coverage than earlier anticipated. First, the attack was perpetrated over a longer duration than earlier reported: December 27, 2013 to January 3, 2014 (instead of December 31 to January 3, as earlier reported). Likewise, while a bulk of the victims were on European sites, the malware may have victimized a “small fraction of users outside the region.”

According to Yahoo, the attack was perpetrated through an account that had been compromised. The account has since been shut down, and the company is working with law enforcement agencies to investigate the extent of the intrusion and the identity of the perpetrator. The malware supposedly turned victim computers into bots that mine Bitcoin — a fact initially discovered by security company Light Cyber. However, the attack may have also been used to steal personal information.

Initial estimates from Dutch security firm Surfright put the number of possible victims to about 2 million users, mostly from within Europe, as the malware attack was perpetrated via advertisements on Yahoo sites and services  meant for this market. Yahoo has not given any specific tools and instructions for ensuring that users are protected against the malware, although the company advises users to keep their operating systems up-to-date with the latest patches, particularly the latest versions of Java and Flash. Apparently, the attack only affects Windows machines.

Code insertion has become a weak point for websites that run dynamic content. The prevalence of JavaScript and HTML5 has given rise to bigger potential vulnerabilities, says security expert Maty Siman, co-founder and CTO at Checkmarx, a Java code review tool that checks against potential weak points in static code. Siman will keynote at AppSec 2014 in California this month, with a warning on how dynamic content — which includes virtually all modern sites — might be riddled with security holes.

Meanwhile, Bitcoin mining is a lucrative business, especially given the growing value of the crypto-currency today as both an investment instrument and a medium for exchange. Bitcoin can be mined through complex algorithms that solve the crypto-currency’s encryption. Specialized chipsets and machines have been built for this purpose, although some enterprising users have likewise used networked computers in fulfilling this goal.

Not everything is done through legitimate means, however. For example, VR Zone earlier reported how a gaming company employee hijacked unwitting clients’ computers in mining Bitcoin. In that case, while the malware did not come with a potentially damaging payload, it resulted in unwanted resource usage — Bitcoin mining is heavy on GPU resource usage — and this resulted in the attacker gaining real dollar value through Bitcoin.

In the case of Yahoo ads, Light Cyber co-founder Giora Engel said that the security firm first discovered the Bitcoin mining ability of the malware as part of the various monetization techniques involved. This indicates that Bitcon might not be the sole purpose for the attack, but has become one way through which malicious hackers can leverage vulnerabilities and quickly cash in.

Source: Yahoo