Bitcoin may still be a virtually unknown quantity for most people, but the digital currency has not escaped the notice of attackers, many of whom are turning their attention to finding ways to use the system for their own gain. The attacks against Bitcoin exchange Mt. Gox and the hack of Instawallet this week are the latest evidence, but now there is a piece of malware in circulation that is using Skype as a spreading mechanism and then using infected machines’ processing power to mine Bitcoins.
The new malware is sending links to Skype users with a message encouraging them to click to see a photo of themselves online. The campaign began yesterday and is still ongoing, with thousands of victims clicking on the malicious link every hour, according to an analysis by Dmitry Bestuzhev of Kaspersky Lab.
“The initial dropper is downloaded from a server located in India. The detection rate on VirusTotal is low. Once the machine is infected it drops to the system many other pieces of malware. Downloads come from the Hotfile.com service. At the same time the malware connects to its C2 server located in Germany,” the analysis says.
Once the malware is on the victim’s machine, it goes about the business of usurping the PC’s processing power in the service of mining Bitcoins. The Bitcoin network relies on a complex system to create each Bitcoin and verify that the currency is valid and being spent by the owner of those Bitcoins. Part of that process requires a lot of processing power, and that’s what the attackers behind this malware campaign are after.
Here’s how the Bitcoin Project explains the mining process.
“Bitcoin mining is the process of making computer hardware do mathematical calculations for the Bitcoin network to confirm transactions and increase security. As a reward for their services, Bitcoin miners can collect transaction fees for the transactions they confirm along with newly created bitcoins. Mining is a specialized and competitive market where the rewards are divided up according to how much calculation is done,” the documentation says.
The malware, identified as Trojan.Win32.Jorik.IRCbot.xkt, causes a massive spike in the CPU usage on an infected machine, Bestuzhev said.
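A sustained CPU spike of the kind described above can be picked out of per-process telemetry by separating long runs near saturation from ordinary short bursts. The following is an added example, not code from Kaspersky's analysis or the original article; the process names, sample values, threshold and run length are constructed assumptions.

```python
from collections import defaultdict

# Constructed samples: (seconds, pid, process name, CPU % of the whole machine).
# Process names and values are made up for illustration only.
SAMPLES = []
for t in range(0, 120, 10):
    # Goes to ~93% at t=20 and never comes back down (miner-like behaviour).
    SAMPLES.append((t, 4120, "updater.exe", 93.0 if t >= 20 else 4.0))
    # Two-sample burst, e.g. a page load; should not be flagged.
    SAMPLES.append((t, 2210, "browser.exe", 88.0 if t in (30, 40) else 6.0))
    # Idle background process.
    SAMPLES.append((t, 880, "skype.exe", 3.0))


def longest_runs(samples, threshold):
    """Longest streak of consecutive samples at or above threshold, per process."""
    by_proc = defaultdict(list)
    for ts, pid, name, cpu in samples:
        by_proc[(pid, name)].append((ts, cpu))
    runs = {}
    for key, series in by_proc.items():
        best = current = 0
        for _, cpu in sorted(series):  # order by timestamp
            current = current + 1 if cpu >= threshold else 0
            best = max(best, current)
        runs[key] = best
    return runs


def sustained_cpu_hogs(samples, threshold=80.0, min_run=6):
    """Processes that stayed at or above threshold for min_run consecutive samples.

    threshold and min_run are assumed defaults; tune them to the sampling
    interval and to what is normal on the monitored machines.
    """
    runs = longest_runs(samples, threshold)
    return sorted(
        (pid, name, run) for (pid, name), run in runs.items() if run >= min_run
    )


if __name__ == "__main__":
    for pid, name, run in sustained_cpu_hogs(SAMPLES):
        print(f"pid={pid} name={name} at/above threshold for {run} consecutive samples")
```

A hit is only a lead for triage: legitimate workloads such as video encoding or backups also hold the CPU near saturation, so the flagged process still has to be checked against what is expected on that machine.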