Earlier today, Antivirus maker Trend Micro informed the world via blog post that a Trojan disguised as a component of their own virus scanning software was dropping “Bitcoin-Mining Malware.” Other news sites have been quick to follow and of course it’s making the rounds on the forums. Sadly, every last one of them appears to be letting the hype draw them away from some obvious statements.
First, there is of course no such thing as “Bitcion-Mining Malware” – there’s just Bitcoin mining software. This is an important distinction we need to make if we’re to sway the court of public opinion: tools are tools, not good or evil, they just exist. Most of us in the Bitcoin community are probably already familiar with this mindset, but those entering now aren’t necessarily like the early adopters – many are the sort of people who can’t understand why a non-criminal would own lock picks, the kind who classify tools as good and bad based on their stereotypical purpose and make no additional distinction. It needs to be made clear that this is an unauthorized use of an otherwise useful tool.
Second, this isn’t exactly anything new. There’s an entire class of malware referred to as “droppers” that exist solely to download and run whatever software the bad guy wants. This software could be anything at all and in many cases can be remote-controlled by some operator to change gears at a moment’s notice. The same Trojan that’s dropping the Bitcoin miner in this case could also drop a payload that steals World of Warcraft passwords or stored credit card details. The TROJ_RIMECUD.AJL Trojan that’s doing the dirty work may be new, but I assure you there’s nothing original about it. The maliciously-executed mining software, on the other hand, has had an entry in Trend Micro’s database since July of last year. I honestly think it only got a blog post because it was spoofing this particular software company’s products.
Third, this kind of thing isn’t very common for one very good reason: it’s just not that profitable. Let’s assume this particular botnet is average. That means about 20,000 compromised computers and probably of the lower-end variety your internet-naive relatives expect free family tech support on. We’ll say each machine can CPU mine at 3 MH/s – which is being generous. Assuming that all 20,000 computers are left turned on 24 hours a day at current difficulty, block reward and exchange rates this botnet would be worth a whopping $3,647.70 per month or about $44,000 a year. Of course if you wanted to get 60GH/s worth of Bitcoin mining power without potential jail time you could always just pre-order one of the new ASIC products from BFL, BTCFPGA or Avalon and get the equivalent power for about $1300. Combine this with the fact that those same ASIC products are about to push difficulty through the roof and this is looking like a pretty bad idea.
But it’s free money for them, right? Not really. There are lots of things a botnet operator can do with these infected PCs that net a lot more profit and go largely unnoticed by their rightful owners. This will consume 100% of available processing power 24 hours a day and cause significant slowing of the host system. This is very noticeable and will cause those infected to take action much more quickly, thus removing themselves from the botnet, reducing the operator’s profits and perhaps even taking one more step towards the operator’s arrest.
There are a plethora of other reasons I don’t have the time or desire to get into, but the point remains: this isn’t a big deal. It’s just one more unnecessary and ignorant negative headline for the Bitcoin community to explain away. At least now when that well-meaning older relative (we all have one) emails you a scan of their coffee-stained printed copy of whatever negative article was on AOL News you’ll have a canned response ready to go.
Tip With Bitcoin
Each post has its own unique address, so your tips also tell me what you liked!