Security researcher Brian Krebs took a look at the well-structured FeodalCash initiative, which pays people to install malware that turns machines into bots that mine the Bitcoin virtual currency. Mining is the hardware-intensive (but not, strictly speaking, illegal) process of creating new Bitcoins by adding transaction records to Bitcoin's public ledger of past transactions.
The Bitcoin Wiki noted that “Mining is intentionally designed to be resource-intensive and difficult so that the number of blocks found each day by miners remains steady…. Bitcoin mining is so called because it resembles the mining of other commodities: it requires exertion and it slowly makes new currency available at a rate that resembles the rate at which commodities like gold are mined from the ground.”
Mining is a vastly complex mathematical challenge, and those searching for the proverbial gold in Bitcoin banks typically need big machines with big horsepower and legions of graphics cards. Butterfly Labs has upped the ante with an appliance built for mining, which has gotten mixed reviews but earned at least one researcher $700. But Krebs notes that, increasingly, miners are turning to malware to secretly mine Bitcoins on compromised systems instead of using their own hardware. Users are most likely to notice the infection when their machine’s processor load skyrockets for no apparent reason.
The affiliate program is a Russian-language campaign. FeodalCash has been around since May 2013, and “has been recruiting new members who can demonstrate that they have control over enough Internet traffic to guarantee at least several hundred installs of the bitcoin mining malware each day,” Krebs said.
So far, FeodalCash has signed up 238 working affiliates, which together – and here’s the rub – have mined only about 140 Bitcoins. Krebs points out that each Bitcoin is worth about $100 at the current exchange rate, so for all of that effort, the program has netted about $14,000.
The FeodalCash administrator insists the product isn’t malware, but Krebs begs to differ. The intention is rather obvious: the FeodalCash website offers affiliates a handy graphical tool for creating a custom installer that silently injects the malware into a machine; the installer can be disguised with a variety of program icons that resemble familiar Windows icons.
“I gained access to an affiliate account and was able to grab a copy of the mining program,” he noted. “I promptly submitted the file to Virustotal and found it was flagged as a trojan horse program by at least two antivirus products. This analysis at automated malware scanning site malwr.com shows that the mining program installer adds a Windows registry key so that the miner starts each time Windows boots up. It also indicates that the program beacons out to pastebin.com (perhaps to deposit a note about each new installation).”
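The two behaviours the malwr.com report describes, an autorun registry value and an outbound beacon to pastebin.com, are exactly the kind of thing endpoint telemetry can correlate. The following is an added detection example, not code from the article or from Krebs, and it runs over a handful of constructed events loosely modelled on Sysmon Event ID 13 (registry value set) and Event ID 3 (network connection); the field names (`image`, `target`, `details`, `dest_host`) and the sample paths are assumptions made for the illustration. It flags any process that writes a Run/RunOnce value, adds weight when the autorun target sits in a user-writable folder, and links the installer to the beaconing process when the autorun target is the image that later connects out.

```python
"""Correlate autorun persistence with outbound beaconing in Sysmon-style events.

Added example (not from the article). Event dictionaries and paths below are
constructed for illustration; field names mimic Sysmon but are assumptions.
"""
import re
from collections import defaultdict

# Run and RunOnce keys under CurrentVersion, in HKLM or any HKU hive.
AUTORUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Folders a non-admin user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
# Hosts the article names as a beacon destination.
BEACON_HOSTS = {"pastebin.com"}

# Constructed sample telemetry (assumption: Sysmon-like fields).
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdater",
     "details": r"C:\Users\bob\AppData\Roaming\WinUpdater\miner.exe"},
    {"id": 3, "image": r"C:\Users\bob\AppData\Roaming\WinUpdater\miner.exe",
     "dest_host": "pastebin.com", "dest_port": 443},
    {"id": 13, "image": r"C:\Program Files\Vendor\App\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "details": r"C:\Program Files\Vendor\App\app.exe"},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.microsoft.com", "dest_port": 443},
]


def classify_registry_event(event):
    """Return reasons this registry write looks like persistence, if any."""
    reasons = []
    if AUTORUN_KEY.search(event["target"]):
        value_name = event["target"].rsplit("\\", 1)[-1]
        reasons.append("writes autorun value %s" % value_name)
        if USER_WRITABLE.search(event.get("details", "")):
            reasons.append("autorun target lives in a user-writable folder")
    return reasons


def classify_network_event(event):
    """Return a reason if the connection goes to a known beacon host."""
    host = event.get("dest_host", "").lower()
    if host in BEACON_HOSTS:
        return ["outbound connection to %s" % host]
    return []


def find_suspects(events):
    """Map each process image to the list of reasons it was flagged."""
    findings = defaultdict(list)
    installed = {}  # autorun target path (lowercased) -> installer image
    for ev in events:
        if ev["id"] == 13:
            reasons = classify_registry_event(ev)
            if reasons:
                findings[ev["image"]].extend(reasons)
                installed[ev["details"].lower()] = ev["image"]
        elif ev["id"] == 3:
            reasons = classify_network_event(ev)
            if reasons:
                findings[ev["image"]].extend(reasons)
                # Tie the beacon back to whatever installed it as an autorun.
                installer = installed.get(ev["image"].lower())
                if installer:
                    findings[installer].append(
                        "its autorun target %s beacons to %s"
                        % (ev["image"], ev["dest_host"]))
    return dict(findings)


def high_confidence(events, min_reasons=2):
    """Images with at least min_reasons independent indicators, most first."""
    findings = find_suspects(events)
    ranked = sorted(findings, key=lambda img: len(findings[img]), reverse=True)
    return [img for img in ranked if len(findings[img]) >= min_reasons]


if __name__ == "__main__":
    for image, reasons in find_suspects(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
    print("high confidence:", high_confidence(SAMPLE_EVENTS))
```

A single Run-key write is noisy on its own (the vendor installer above is flagged with one reason), which is why the ranking requires two independent indicators before calling something high confidence; in a real deployment the beacon host set would come from threat intelligence rather than a hard-coded literal.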
As for the culprits behind the scheme, Krebs uncovered that it’s the work of “two guys from Ukraine, who apparently are named Igor and Andrei.”