Yahoo! ad malware attack worse than thought

A recent malware attack that saw Yahoo! serving malware to users of its websites affected more users than originally thought and may have caused affected computers to become ‘bitcoin slaves’, generating bitcoins for the attackers.

The original story

In early January, security company Fox IT reported that some ads appearing on yahoo.com were infecting users with a ‘Magnitude’ exploit kit.

The kit exploits vulnerabilities in Java, Fox IT said, and installs a variety of different malware on users’ machines including: ZeuS, Andromeda, Dorkbot/Ngrbot, Advertisement clicking malware, Tinba/Zusy and Necurs.

The security company said the earliest signs of infection were on 30 December 2013, but that the attack may have started even earlier. By 3 January, traffic to the exploit kit had ‘significantly decreased’, Fox IT said.

Fox IT estimated that during the attack, around 27,000 users were infected every hour. The countries most affected by the attack were Romania, Great Britain and France.

Elsewhere, Yahoo was reported as saying the attack did not affect users in North America, Asia Pacific or Latin America, and it did not affect people accessing the ads using mobile devices or Mac computers.

Yahoo issued a statement to the Washington Post saying: “At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.”

Fox IT said: “It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors. The exploit kit bears similarities to the one used in the brief infection of php.net in October 2013.”

The latest

Since the story first broke, further details have emerged.

A Cisco report on the attack claimed that “the malicious advertisements were just one attack in a long series of other attacks waged by the same group”.

The report is lengthy and is well worth a read.

Yahoo has extended its estimated time frame of the attack. The company initially said the attack took place between 31 December and 3 January, but has since said that users may have been impacted from 27 December.

The company has also changed its stance on who was affected, saying that “While the bulk of those exposed to the malicious advertisements were on European sites, a small fraction of users outside of this region may have been impacted as well.

“This attack occurred because an account was compromised. The account has been shut down and we are actively working with law enforcement to investigate this,” Yahoo said.

Some reports claim that the attack may have been an attempt to create a massive bitcoin-generating network.

According to Cnet, researchers from security firm Light Cyber said that one of the malware programs involved in the attack aimed to use the resources of the infected machines to perform the calculations necessary to run a bitcoin network.

Light Cyber founder Giora Engel reportedly said that his company detected a portion of the infected computers communicating with bitcoin mining pools - an indication they were being used for mining the currency.

But security blog SiliconANGLE has disputed elements of this bitcoin mining claim, calling it “misleading”.

“While the claims that machines have been enslaved by a botnet might be true, there’s simply no way such a network could generate profits that come even close to [US$100,000]. Light Cyber’s research fails to take into account one crucial fact - that CPU mining is all but defunct these days, having been superseded by ASIC mining rigs that are far, far more efficient,” the blog said.

SiliconANGLE’s editor, Mark Hopkins, is quoted in the blog as saying: “There’s no way the BBC’s estimates are close to legitimate. Under no circumstances even assuming 100% infection rates on Yahoo customers could they make [US]$5, let alone [US]$98k. ASICs are just that much more efficient.”

Hopkins claimed it’s more likely that the malicious ads contained trojans that try to infect users’ bitcoin wallet.dat files, which would allow the attackers to steal all of a user’s bitcoins.

Note: There’s lengthy details on protecting machines and removing the malware from affected machines on Fox IT’s original post. Yahoo also has a list of steps to follow to protect your machines.