A few days ago it was revealed that numerous European users of Yahoo, as many as two million, had gotten infected with malware from virus-laden ads served by Yahoo's homepage during the period from December 31 to January 3. The company admitted as much when it revealed that "From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware." Users in North America, Asia Pacific and Latin America weren't affected, Yahoo said. Nor were users of Apple Macs or mobile devices. "We will continue to monitor and block any advertisements being used for this activity," the company added. "We will post more information for our users shortly." What was not clear is just what function the ad virus served. According to the Guardian, the purpose of the most prevalent virus spread by the website was to convert the infected computers into Bitcoin mining slaves.
According to the Guardian, "some of the malware would turn PCs into bitcoin miners - a huge drain on its computing resources - without users' knowledge. Yahoo has been criticised for not saying how many people could be affected or doing anything to help those with the malware, which attacked flaws in Java modules on systems."
As a reminder, in "A trip through the Bitcoin mines" we showed just how extensive the capital requirements can be for any legitimate Bitcoin mining operation, where the distributed calculations used to extract new Bitcoins have now risen to a stunning 10 quadrillion per second.
So what is an enterprising hacker in need of some quick cash, but unwilling to spend the CapEx for procuring the expensive equipment (especially when buybacks and dividends are so much more attractive, just kidding) to do? Why, force others to do the mining for them. This is precisely what the creator of the Yahoo-hosted virus did.
According to Light Cyber, a security research firm which warned Yahoo of the attacks in late December, one of the malware programs delivered in the attack turned the victim's computer into a bitcoin miner. The computer is set to work performing the calculations required to make the bitcoin network run, but the rewards for doing so accrue to the malware writer.
Fox IT, the Dutch cybersecurity firm which first disclosed the vulnerability to the public, estimated that there were around 27,000 infections every hour the malware was live on the site. If the malware was being served consistently for the three days, it may be the case that almost 2 million computers were infected.
Bitcoin is so valuable to botnet owners, criminals who control large numbers of compromised computers, that one academic paper argues that the security of the network is permanently at risk. Philipp Güring and Ian Grigg argue that the currency violates Gresham's Law, an economic theorem that states that bad money drives out good. Since bitcoin mining is far more profitable done on stolen computers with stolen energy, they argue, it will soon be uneconomical to do it any other way.
"The attack focused on outdated software," says Steve Regan of security site CSO. "The only way for the exploits to work is to have outdated versions of Java on your system. If Java is up to date, then the odds are, you're safe. However, I don't trust Java, so unless you absolutely need it, my advice is to uninstall it from your system. It seems like I see more zero-day attacks aimed at Java than anything else; the risk isn't worth it for me." Zero-day attacks exploit previously unreported flaws in software to install malware or take over a computer.
Mining for Bitcoin was not the only infection.
As well as the bitcoin mining malware, other software installed includes ZeuS, which attempts to steal banking information; Andromeda, which turns the computer into part of a "botnet" for use by third parties, and "adjacking" malware which hijacks the user's browser to click on adverts, thus channeling income to corrupt site owners... Software such as ZeuS lets criminals install Cryptolocker, a dangerous new type of malware which first encrypts the user's files and then demands a ransom, payable in bitcoin, to decrypt them. In most versions of Cryptolocker, the ransom is set at two bitcoins, currently worth around $2,000.
One can only hope that Yahoo, which hosted the ads willingly and apparently without filtering and pre-clearing the ad content, wasn't in on the scheme. To be sure, it has been slammed for keeping users in the dark.
Yahoo has been criticised for not doing more to aid users infected by the faulty adverts. Dan Farber of technology site CNET says that: "At this point, Yahoo hasn't addressed any of the details, such as how the malware exploit got into its Web pages, how many users are impacted, and what victims of the attack should do. The company may still be gathering data."
All in all, a rather ingenious wealth extraction scheme: either have others mine for Bitcoin, or demand a ransom if they want their computer back. We wonder how long until these activities are added to the definition of GDP in the New Normal economy?
The best news, however, is that there are still at least two million people who use Yahoo.