Yahoo ad malware spawned European Bitcoin mining network

Summary: Cash hungry cybercriminals may have established a European network of Bitcoin miners through Yahoo's ad network.

TOPICS: Security, EU

Yahoo may have squashed an attack on European users originating from its ad network, but not before cybercriminals were able to spread Bitcoin mining malware to the potentially millions of users affected by the attack.

A malware attack aimed at Yahoo's European users last week was also an attempt to build a network of Bitcoin miners, according to security company Light Cyber.

On 3 January, visitors to Yahoo's sites began to be served malicious ads from its ad network, redirecting victims to a site hosting the Magnitude exploit kit. The kit contains a number of exploits for outdated Java installations.

Like many exploit kits, it's been built to serve up a cocktail of threats, including banking trojans, downloaders and adware.

Fox-IT, which first highlighted the attack, noted that the vast majority of infections, which were occurring at a rate of 27,000 per hour, happened in Europe, primarily affecting Windows machines in the UK, France and Romania.

Yahoo initially issued a statement confirming that on 3 January it had served malicious ads on its European sites that didn't meet its editorial guidelines. However, last Sunday it issued a new statement, adjusting the start date of the attack to 31 December.

Yahoo reiterated that users in North America, Asia Pacific and Latin America weren't affected, nor were users of Apple Macs or mobile devices.

However, according to Light Cyber, the Yahoo ad malware campaign actually began on 29 December, and included Bitcoin miners amongst the mix of threats being distributed through the attack. Bitcoin-mining malware typically aims to free-ride off a victim's computing resources to generate Bitcoins for cybercriminals' use.

"The attackers put special efforts to mine the bitcoin efficiently and used an optimized 64-bit Bitcoin mining software when the infected PC supported that," Light Cyber founder Giora Engel told ZDNet.

In a private advisory to its clients, the company outlines a number of indicators of infection.

According to the advisory, communication with the following domains is a sign of definite infection:


The presence of the following system files is also a sign of positive infection:

  • %windows%\Installer\{4A74FBA7-71A0-BEA1-F538-72E3D519AA4F}\syshost.exe
  • %localappdata%\cygwin1.dll (See note 1)
  • %localappdata%\wuauclt.exe (See note 1)
  • %localappdata%\temp\????????.lnk (8 hex characters)
  • %localappdata%\temp\????????.exe (8 hex characters)
  • %localappdata%\temp\vedefuzunwi.exe
  • %programdata%\bbtmp0\jtkyygiu.exe
  • c:\temp\zcompute.exe

(1) The filename is used by legitimate software, but not in the listed path.
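To make the file indicators above actionable, here is an added example (not from the article or from Light Cyber) that compiles each listed path into a matcher, treating %windows%, %localappdata% and %programdata% as Windows environment variables and each "?" as one hex character, and runs it over a file inventory. The environment expansions and the sample inventory are assumed/constructed values so the check runs offline; note (1) is honoured because only the listed path, not the filename alone, is matched.

```python
import re
from typing import Iterable, List, Tuple

# Indicator file paths as listed in the advisory quoted by the article.
# "????????" stands for eight hexadecimal characters.
INDICATOR_PATTERNS = [
    r"%windows%\Installer\{4A74FBA7-71A0-BEA1-F538-72E3D519AA4F}\syshost.exe",
    r"%localappdata%\cygwin1.dll",
    r"%localappdata%\wuauclt.exe",
    r"%localappdata%\temp\????????.lnk",
    r"%localappdata%\temp\????????.exe",
    r"%localappdata%\temp\vedefuzunwi.exe",
    r"%programdata%\bbtmp0\jtkyygiu.exe",
    r"c:\temp\zcompute.exe",
]

# Assumed expansions of the placeholders (a real host would use its own
# values, e.g. via os.path.expandvars); fixed here so the matcher runs anywhere.
ASSUMED_ENV = {
    "windows": r"C:\Windows",
    "localappdata": r"C:\Users\alice\AppData\Local",
    "programdata": r"C:\ProgramData",
}


def compile_indicator(pattern: str, env=ASSUMED_ENV) -> re.Pattern:
    """Turn one advisory path into a case-insensitive, anchored regex:
    %name% -> expansion from env, '?' -> one hex digit, all else literal."""
    expanded = re.sub(r"%(\w+)%", lambda m: env[m.group(1).lower()], pattern)
    body = "".join("[0-9a-f]" if c == "?" else re.escape(c) for c in expanded)
    return re.compile("^" + body + "$", re.IGNORECASE)


COMPILED = [(p, compile_indicator(p)) for p in INDICATOR_PATTERNS]


def match_inventory(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, indicator) pairs for every inventory path that hits an indicator.
    A filename in a different directory (note 1) does not match."""
    hits = []
    for path in paths:
        for pattern, rx in COMPILED:
            if rx.match(path):
                hits.append((path, pattern))
                break
    return hits


# Constructed sample inventory (not from any real host).
SAMPLE_INVENTORY = [
    r"C:\Users\alice\AppData\Local\Temp\3fa9c1d2.exe",    # 8 hex chars: hit
    r"C:\Users\alice\AppData\Local\Temp\notes.txt",       # no match
    r"C:\Windows\System32\wuauclt.exe",                   # legitimate path, note (1)
    r"C:\Users\alice\AppData\Local\wuauclt.exe",          # listed path: hit
    r"C:\ProgramData\bbtmp0\jtkyygiu.exe",                # hit
    r"C:\Users\alice\AppData\Local\Temp\3fa9c1d2xx.exe",  # 10 chars: no match
]
```

On a live Windows host, replace SAMPLE_INVENTORY with a walk of the expanded directories and feed the resulting paths to match_inventory.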

Expect to hear more about Magnitude in coming months. According to security researcher Kafeine, who monitors prominent exploit kits, Magnitude is shaping up to be a replacement for Blackhole, which had been the reigning exploit kit until its author was arrested late last year.

Yahoo did not respond to a request for comment.

Liam Tung

  • Ad-block is mandatory for safe browsing

    Seriously, even Yahoo's ads are serving malware now. Advertising networks just are not doing a good enough job moderating content, and even when the website is passing complaints on to the advertiser they just end up taking them out of rotation for a week or two before new malware ads crop up.

    Even if an ad isn't directly installing malware, it's probably pushing a tracking cookie or trying to trick you into installing bloatware like browser toolbars, bonzai buddy or some fake antivirus product. Personally I'm looking into installing ad-block for the network I manage, either by installing the extension or plugging ad-block's filters into our web filter that's supposed to block malicious URLs but doesn't block ads (too much money and potential for lawsuits there I guess).

    Sorry ZDnet, you're going to have to find some other way to make money than ads. Advertisers pushed it too far, now no computer-literate user is going to see any ads.
  • Publishers MUST invest in ad verification platforms!

    If a publisher wants to continue making money from ads, they need to invest in the right ad verification tool. Something like GeoEdge Analytics or Tag Scanner can let the publisher have the cake and eat it too!
  • If you're going to use other people's computers to mine Bitcoin... you should at least pay them for the privilege.
    John L. Ries
    • Of course..

      since the "miners" have the highest level of integrity, and are just trying to make an honest living.
      Frankly, the one thing most likely to scuttle bitcoins is widespread criminal use - so are "legitimate miners" just playing into the hands of criminals? Where else is the "currency" of any real value (removing the confidence factor of "investing", of course)?