Emerging Threats ETOpen – Anti-malware IDS/IPS Ruleset

The ETOpen Ruleset is an excellent anti-malware IDS/IPS ruleset that enables users with cost constraints to significantly enhance their existing network-based malware detection. The ETOpen Ruleset is not a full coverage ruleset, and may not be sufficient for many regulated environments and should not be used as a standalone ruleset. The ET Open...

Read the full post at darknet.org.uk

Bitcoin Botnet Mining

A digital currency known as Bitcoin (BTC) has been causing a bit of a media stir of late due to its use for illicit purposes. Some readers of this blog will be familiar with and have used a digital currency of some form in the past to purchase goods online. Some may even remember failed digital currencies such as e-gold, which had operations suspended by US authorities after its proprietors were indicted on four counts of violating money laundering regulations back in 2007. With Bitcoin, we now have another multi-million dollar digital currency market without any central authority for regulation. (An in-depth explanation of Bitcoins is available on Wikipedia.)

One of the selling points of the Bitcoin currency is that anyone with a computer can begin to earn Bitcoin blocks by using his or her computer’s computational power, along with open source Bitcoin software, to solve a difficult cryptographic proof-of-work problem. This is referred to as Bitcoin mining and, if successful in solving a block, it will lead to a reward of up to 50 Bitcoins per block. As of June 2011, there are just over 6.5 million Bitcoins in existence, with a finite number of 21 million possible to be reached over time. With Bitcoins presently trading at close to $20, Bitcoin mining sounds like an easy way to make some money. Well, cybercriminals might just be thinking the exact same thing.  

It has been known for some time that a botnet’s combined computing power could be used for a number of nefarious purposes. We can now add Bitcoin mining to that list. While Symantec has not observed any botnets currently being used to mine Bitcoins, the possibility is there. Through the use of pooled Bitcoin mining, a botnet herder could covertly mine Bitcoins using the computational power of a victim's computer. Another selling point of the Bitcoin currency is its apparent anonymity; along with decentralized authority spread across a peer-to-peer network, this makes the currency even more attractive to cybercriminals. But is Bitcoin mining really worth a botnet herder’s time? Let’s find out.

Using an average computer and only the CPU for computational purposes, we found that when Bitcoin mining, we were able to compute roughly 1 mega-hashes/second. So what does that mean if we want to do pooled Bitcoin mining on a botnet? Using an online Bitcoin mining calculator—which takes into account the current difficulty factor for solving Bitcoin blocks, the computer's hash rate, and Bitcoin exchange rates—we get the following data for Bitcoin botnet mining:

Bitcoin mining calculations
Caveat: calculations based on mining constantly for 24 hours using CPU only at current exchange rate and difficulty factor.

Difficulty Factor 567358.224571
Hash Rate (mega-hashes / second) 1.0
Exchange Rate ($/BTC) $20


Bot earnings broken down
  Coins  Dollars
Per Day 0.00 $0.03
Per Week 0.01 $0.23
Per Month 0.05 $0.97


Botnet mining per day
Bots   Bot earnings per day Total earnings
100 x $0.03 $3
1,000 x $0.03 $30
10,000 x $0.03 $300
100,000 x $0.03 $3,000


Botnet mining per week
Bots   Bot earnings per week Total earnings
100 x $0.23 $23
1,000 x $0.23 $230
10,000 x $0.23 $2,300
100,000 x $0.23 $23,000


Botnet mining per month
Bots   Bot earnings per month Total earnings
100 x $0.97 $97
1,000 x $0.97 $970
10,000 x $0.97 $9,700
100,000 x $0.97 $97,000

A point to note about these figures is that, as mentioned in the caveat, the compromised computer systems would have to be running 24 hours a day, which is highly unlikely. Also, the earnings would vary from day to day depending on luck. So, as we can see, there is the potential for cybercrimanals to earn money this way. However, another question is if Bitcoin mining is more profitable than other uses for the botnet. Let’s just compare one alternative: renting the botnet out for DDoS attacks. While Symantec has observed DDoS attacks being offered for as little as $5, the more usual offer is similar to what is seen in the screenshot below, offering at the high end of $400 dollars rent a week for a few hours a day.

Advertisement for botnet rates
Taking this information into account, Bitcoin botnet mining as an attractive and profitable venture for cybercriminals is very questionable. However, with recent spikes in the valuation of Bitcoins reaching as high as $26, it may become more appealing in the future to cybercriminals as another source of illegal earnings from their botnets.

We are already starting to see reports on fraud involving Bitcoins and a Bitcoin account being hacked with a substantial monetary loss of approximately $500,000. Symantec has seen one such threat designed to steal Bitcoins from your digital wallet called Infostealer.Coinbit, and we expect to see more in the near future.

As always, Symantec recommends that you keep your antivirus definitions up to date to ensure protection against new threats such as Infostealer.Coinbit.