MALWARE found being served on internet portal Yahoo's ad network was designed to mine the Bitcoin virtual currency, it has emerged.
Bitcoin mining malware aims to force unsuspecting systems to generate Bitcoins for cybercriminals' use. The Bitcoin mining process eats up a system's computing power as it processes Bitcoin blocks thus making infected systems run abnormally slow.
Security firm Light Cyber claims to have discovered the virtual currency mining threat and said it is intended to create a huge network of Bitcoin mining machines.
The Bitcoin mining malware dicovery arrives in addition to the news reported on Monday that Yahoo had served thousands of machines with malware after the search engine's ad network was infested with code that exploits vulnerabilities in Java.
These malicious advertisements were discovered by cyber defence and IT security company Fox IT, which found that its clients were being infected after visiting yahoo.com.
The company learned that some of the adverts on the website were malicious and were iframes hosted on domains blistartoncom.org, slaptonitkons.net, original-filmsonline.com, funnyboobsonline.org and yagerass.org.
"Upon visiting the malicious advertisements users get redirected to a 'Magnitude' exploit kit via a HTTP redirect to seemingly random subdomains of boxsdiscussing.net, crisisreverse.net, limitingbeyond.net and others," Fox IT said in a blog post.
"All those domains are served from a single IP address: 188.8.131.52. This IP address appears to be hosted in the Netherlands."
This attack exploits vulnerabilities in Java and can install a host of malware including Zeus, Andromeda, Dorkbot/Ngrbot, and advertisement clicking malware Tinba, Zusy and Necurs. Fox IT said that users don't need to click the ads to receive the malware, they can be infected simply by visiting a webpage that contains infected ads.
Fox IT worked out from a sample of traffic that the number of visits to the malicious website were around 300,000 per hour.
"Given a typical infection rate of [nine] percent, this would result in around 27,000 infections every hour," the security firm said. "Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France."
It's unclear yet why those countries are the most affected, but Fox IT said it is likely due to the configuration of the malicious advertisements at Yahoo.
Fox IT advises that users block access to the 192.133.137/24 subnet and 193.169.245/24 subnet IP addresses to help counteract the malicious activity. However, data centre security firm Imperva seems to think that it is impossible for an advertising network to be completely malware-free.
"For an ad platform it is virtually impossible to guarantee 100 percent malware free ads," Imperva CTO Amichai Shulman explained. "Ad platforms should keep doing what they do (guarantee 100 percent effort, not 100 percent results) as consumers can really do nothing but to keep their computers as patched as possible."
Yahoo is aware of the issue and is looking into it. µ