Malware Bitcoin-miners, hmm? I don't like Skype as a vector... what if you could put it in the browser instead? Which leads me to a less malware-y idea: write a JavaScript/Flash/similar component that mines bitcoins in a web browser. Put it on your site instead of ads. Has anyone beat me to it?
Mining bitcoin on a CPU these days is like digging for gold with a garden shovel. Once upon a time it may have worked, but today it's basically useless (even if you do it on a million computers at once).
I did look into using the same technique to implement bitcoin mining in glsl. My opinion is that it is possible, but not straight forward and probably not worth it, but still a pretty f'ing cool concept.
That'd be an interesting advertising alternative that could be good for both parties. In exchange for content, you give the website X CPU cycles (or GPU I guess). It could be built into the browser so that you'd have really efficient mining techniques. Clients (with beefier computers) could choose to give more cycles to their favorite sites.
I'm not sure if you could provide comparable amounts of revenue. I guess time-spent-on-site would be the most important factor. At the current cost and difficulty of Bitcoins, you'd need 1,000 concurrent users on average all day all running at 10mhps to just make $92 per day. 10mhps seems like it's asking a lot, it'd probably drain a lot of batteries.
What if you were, say, Facebook, and had lots of visitors, good time-on-site metrics and you were still searching for ways to grow revenue? Might it make sense? Seems like their entire userbase could combine to mine quite a few bitcoins.. But I'm not a miner, so perhaps I'm wrong? A quick search turned up a Fast Company article that claims (http://www.fastcompany.com/3005269/facebooks-daily-mobile-us...) 618 million daily users. Assuming that most of those folks aren't logged on all day and many (more than half!) are logging on via mobile, you'd probably only be able to convert a fraction of those to effective miners, but even still it sounds like a lot of bitcoins per day. Perhaps they might offer users the option in exchange for better privacy controls and/or an ad-free experience?
Remember that the bitcoin network adjusts itself to try to only have about 25 bitcoin per 10 minutes mined. So if you were to jump into the pool with loads of cpu power you'd get a few bitcoin for a whole, then it'd adjust to be harder, raise the bar, and you're back with the same generation rate
Yes, but you'd be getting more of the pie. The pie remains the same size, granted, but you can still make quite a lot from owning a significant portion of the processing power.
A ton of companies have tried to monetize spare cpu cycles. The problem is that you can't do anything valuable with them. Most problems aren't trivially scalable, you have to assume malicious users so that means you need to essentially double efforts, and third parties aren't comfortable sending data through the system.
Once upon a time, when java applets were exciting, fresh, and new, I wrote an applet which calculated digits of PI and used CGI to post them to my server.
Visitors would watch animations, whilst I "stole" their CPU time.
One is malware, the other isn't. When I open their "Generate Bitcoin" page it won't run because I don't have Java, not JS, in my browser. If I did it would ask me for permission to run and if I said yes it wouldn't be persistent.
The Skype malware is classed as a malicious IRC-bot so unless it's very specialized it's safe to assume it includes other features as well, like DDoSing, searching and mass uploading of files ("wallet.dat"?), mass downloading and running of files (so the backdoor could be extended at any time), login form reporting and what have you.
Actually it is better, isn't it. If malware starts working to keep the bitcoin transaction network operational as opposed to spamming or stealing webbanking keys ... then it's actually doing something that's either neutral or useful. Useful if you like bitcoin.
That'd be a great step forward. I doubt it's worth the effort though.
Shouldn't it also be more noticeable? Quiet spyware can go undetected, but something that's eating up loads of CPU cycles is less likely to do so. That's a good thing.
Don't miss the forest for the trees. If it wasn't skype, it'd be some other channel. The point here is that mining malware is a rather new and troubling phenomenon.
And of limited real value. A CPU only miner would yield about 10 MHash/s or less on standard hardware, and a malware/junkware loaded PC will do even less.
Far less than that. My shiny quad core i7 gets 4MH, and I doubt most consumer desktop computers would manage that. You're probably looking at 0.5-2 at a maximum.
[IANAL] A bitcoin miner sidesteps "unauthorized access to information", taking advantage only of the the compute resources. I'm not sure if that makes any real difference in the eyes of the law, though.
Re the conclusion: to protect yourself, don't run an OS that will silently install software just because you clicked on a blue link in a program published by the OS vendor.
Steve Ballmer should be jailed as an accessory for allowing this.
There's no indication anywhere in the descriptions of this malware - on Kaspersky's blog or elsewhere - that it is exploiting any new or unique Windows-specific vulnerabilities. It could easily just be a downloadable executable that people are stupid enough to run. Social engineering works great. If your goal is simply to get a malicious executable onto as many machines as possible, Win32 is the obvious target to choose.
You've got Skype on your *nix box: Are you certain it's NOT vulnerable to malware? Obviously a Win32 executable isn't going to run on Linux, but if there's a hole in Skype what's stopping the bug responsible for that hole from causing a similar problem on Linux or OS X?
At this point no facts have been published to describe the nature of the malware in depth, so it's stupid to assume that it's dependent on some platform-specific exploit. On the other hand, it relies on clicking a link, so hopefully you're smart enough not to click shortened URLs sent by friends on Skype, no matter what OS you're running!