Bitcoin Mining Affiliate Program Pays Per Mass Malware Infection

19 July 2013

Affiliate programs are a tried-and-true channel distribution strategy: paying third parties to refer business makes a lot of sense if you’re looking for market scale. The hacking underground often takes chapters from legitimate businesses to jumpstart opportunity, and the latest is a work-from-home type Bitcoin-mining affiliate program.

Security researcher Brian Krebs took a look at the well-structured FeodalCash initiative, which pays people to install malware that turns machines into bots for mining the Bitcoin virtual currency. Mining is the hardware-intensive (but not, strictly speaking, illegal) process of creating new Bitcoins by adding transaction records to Bitcoin's public ledger of past transactions.

The Bitcoin Wiki noted that “Mining is intentionally designed to be resource-intensive and difficult so that the number of blocks found each day by miners remains steady….Bitcoin mining is so called because it resembles the mining of other commodities: it requires exertion and it slowly makes new currency available at a rate that resembles the rate at which commodities like gold are mined from the ground.”

Mining is a vastly complex mathematical challenge and those searching for the proverbial gold in Bitcoin banks typically need big machines with big horsepower and legions of graphics cards. Butterfly Labs has upped the ante with an appliance built for mining, which has gotten mixed reviews but earned at least one researcher $700. But Krebs notes that, increasingly, miners are turning to malware to secretly mine Bitcoins from compromised systems instead of using their own. Users would likely detect the infection by virtue of their machine’s processing power output skyrocketing for no apparent reason.

The affiliate program is a Russian-language campaign. FeodalCash has been around since May 2013, and “has been recruiting new members who can demonstrate that they have control over enough Internet traffic to guarantee at least several hundred installs of the bitcoin mining malware each day,” Krebs said.

So far, FeodalCash has signed up 238 working affiliates, which together – and here’s the rub – have mined only about 140 Bitcoins. Krebs points out that each Bitcoin is worth about $100 at the current exchange rate, so for all of that effort, the program has netted about $14,000.

The FeodalCash administrator insists the product isn’t malware, but Krebs begs to differ. The intention is rather obvious: the FeodalCash website offers affiliates a handy graphical tool for creating a custom installer that silently injects the malware into a machine; it can be disguised with a variety of program icons that are similar to familiar Windows icons.

“I gained access to an affiliate account and was able to grab a copy of the mining program,” he noted. “I promptly submitted the file to Virustotal and found it was flagged as a trojan horse program by at least two antivirus products. This analysis at automated malware scanning site shows that the mining program installer adds a Windows registry key so that the miner starts each time Windows boots up. It also indicates that the program beacons out to (perhaps to deposit a note about each new installation).”

As for the culprits behind the scheme, Krebs uncovered that it’s the work of “two guys from Ukraine, who apparently are named Igor and Andrei.”
