Malware: The Prime Use Case for Cryptocurrency

From the very beginning, it was clear that Nakamotoan cryptocurrency was just the thing for extortion and other forms of digital crime.  Of course, Bitcoin turned out to be a bit too transparent to be ideal for grey markets: every transaction sits on a public ledger, so "sort of anonymous" (pseudonymous, really) is not the same as "untraceable".

In recent years, this shortcoming has been addressed by newer Nakamotoan cryptocurrencies with far stronger privacy protocols, designed so that transactions are very hard to trace through the ledger itself.  At this time, Monero is becoming the leader in this dubious field, preferred for digital ransom demands and other extra-legal transactions.

Cryptocurrencies also offer a new and unique digital "crime", covert crypto mining.  Any spare CPU cycles can be put to work running cryptocurrency mining computations, which pay out a trickle of digital currency to whoever controls the mining wallet.  So malware can sneak in, install the mining program without permission, and then ship the winnings out to the attacker.  This is a form of theft of services (the victim pays for the electricity and the compute), and if you infect enough victims, there could be tidy profits.

This concept works for any Nakamotoan currency, but something like Monero is ideal, both because the specific origin of a given coin is obscured and because its proof-of-work was deliberately designed to run well on ordinary CPUs, which is exactly what a compromised server has to offer.  It has been estimated that roughly 4% of all Monero has been mined by malware.

This month we learn of a new twist on this game: malware that sneaks into cloud platforms to mine Monero [1].  That by itself is not new or interesting.  The cool part is that this malware not only evades detection on the server, it actually uninstalls and disables the cloud provider's own malware defenses.  It also kills off any other crypto miners it finds, i.e., the spawn of other malware [2].
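The two behaviours above (a miner hiding on the host, and the host's security agent quietly going away) are exactly what a defender can look for.  The following is an added illustration, not code from the Rocke report, from Unit 42, or from any cloud provider: it triages a constructed `ps` listing, flags miner-like processes, and notices when an expected agent is no longer running.  The agent name "cloud-guard", the process names, the pool host and the port list are all assumptions made up for the example; only the Stratum URI scheme and the xmrig/minerd names are real, generic miner indicators.

```python
"""Triage a process listing for covert mining and for a security agent that
has gone missing.  Added, constructed illustration for this post; not code
from the Rocke report or from any cloud provider.  The agent name
"cloud-guard", the process names and the pool host are made up."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed `ps -eo pid,pcpu,comm,args` output (not a real capture).  The
# provider's (hypothetical) "cloud-guard" agent is no longer listed, and a
# process with an innocuous name is pinning a CPU while talking to a pool.
SAMPLE_PS = """\
  PID %CPU COMMAND         COMMAND
    1  0.0 systemd         /sbin/init
  412  0.1 sshd            /usr/sbin/sshd -D
  933  0.0 cron            /usr/sbin/cron -f
 2107 98.4 svchelper       /tmp/.x/svchelper -o stratum+tcp://pool.example.invalid:3333 -u 4Axxxx --donate-level 0
 2210  0.2 bash            -bash
"""

# Indicators.  "stratum+tcp://" / "stratum+ssl://" is the URI scheme of the
# Stratum mining protocol; xmrig and minerd are well-known miner binaries;
# "--donate-level" is an xmrig option.  The port list is an assumption
# (ports commonly used by public pools); tune it for your own estate.
MINER_CMD_RE = re.compile(
    r"stratum\+(?:tcp|ssl)://|\bxmrig\b|\bminerd\b|--donate-level|cryptonight",
    re.IGNORECASE,
)
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
CPU_THRESHOLD = 80.0                # percent; assumption for "pinning a core"
EXPECTED_AGENTS = {"cloud-guard"}   # hypothetical provider security agent


@dataclass
class Proc:
    pid: int
    cpu: float
    comm: str
    args: str


def parse_ps(text: str) -> list[Proc]:
    """Parse the listing above: four whitespace-separated columns, with the
    final ARGS column allowed to contain spaces.  The header line is skipped."""
    procs: list[Proc] = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, cpu, comm, args = line.split(None, 3)
        procs.append(Proc(int(pid), float(cpu), comm, args))
    return procs


def find_miners(procs: list[Proc]) -> list[Proc]:
    """Flag a process if its command line carries a miner indicator, or if it
    is hogging the CPU while connected to a typical pool port.  High CPU on
    its own is not enough: a video transcode looks the same from here."""
    hits = []
    for p in procs:
        port_hit = any(f":{port}" in p.args for port in POOL_PORTS)
        if MINER_CMD_RE.search(p.args) or (p.cpu >= CPU_THRESHOLD and port_hit):
            hits.append(p)
    return hits


def missing_agents(procs: list[Proc], expected: set[str] = EXPECTED_AGENTS) -> set[str]:
    """Agents that should be running but have no process: the signature of a
    defence that was uninstalled or disabled."""
    return set(expected) - {p.comm for p in procs}


def triage(ps_text: str) -> dict:
    procs = parse_ps(ps_text)
    miners = find_miners(procs)
    gone = sorted(missing_agents(procs))
    return {
        "miner_pids": [p.pid for p in miners],
        "missing_agents": gone,
        # Both at once is the pattern described in the post: defences removed
        # and the host is mining for someone else.
        "defenses_suppressed_and_mining": bool(miners) and bool(gone),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PS))
```

One design point matters here: the "agent is missing" check should not run only on the host.  Malware that uninstalls the provider's security product can just as easily kill a local watchdog, so the absence of an agent heartbeat is best detected from the outside, in the provider's fleet inventory or your own monitoring, where the malware has no hand.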

Cool!

These cloud services are supposed to be well defended.  Part of the idea is to trust the big guys to do it right, rather than having to do your own security.  Unfortunately, that makes the cloud a giant monoculture (or actually large patches of monoculture).  If and when there is a flaw, then there are zillions of instances that can all be exploited.

This is exacerbated by the fact that, by design, you have pretty much no idea what software you are using in the cloud.  You can see your sandbox and its interfaces, but there is a lot underneath it, and a lot managing it, that you can't see.  So there is a huge attack surface that you can't even see, but that can definitely get you.

The good news is that these services are competently run, and the same monoculture means that when something is patched it will be patched everywhere.  (Even if you don’t know about it.)

But the coolest feature of this malware is the aggressive suppression of defenses and competitors.  It’s one thing to quietly steal services, it’s another thing to attack other malware!

And we can be sure that soon enough there will be malware versus malware wars, as competing attackers fight each other in digital turf wars.  Swell.

Why did my machine crash?  Because several programs were trying to reconfigure the system at the same time!


  1. Xingyu Jin and Claud Xiao (2019) Malware Used by "Rocke" Group Evolves to Evade Detection by Cloud Security Products. Unit 42, Palo Alto Networks. https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/
  2. Yogita Khatri (2019) This Malware Has a Worrying Trick to Mine Monero on Cloud Servers. Coindesk. https://www.coindesk.com/this-malware-has-a-worrying-trick-to-mine-monero-on-cloud-servers

Cryptocurrency Thursday
