Threat Assessment: Moonbitcoin

Posted in #bitcoin, 7 years ago (edited)

After thinking I was being burned and people were using my computers to mine, I realized I had no idea how they did it, and wanted to know more. This post, and the others that follow, will be a record of my research into the sites I used.

To safely check these sites, I made a Windows 7 virtual machine in VirtualBox. Below are screenshots of my VM setup:

[Screenshot: VM system.PNG]
[Screenshot: VM processor.PNG]

So yeah, 2GB RAM, 1 CPU core, standard stuff. I put the VM behind NAT, and disabled shared host folders and the shared clipboard. Better safe than sorry, right? After updating Windows and Firefox and installing Microsoft Security Essentials, I made a clone of the VM that I can call upon in case my test environment gets corrupted beyond the point of repair.

So, what is moonbitcoin? According to a whois lookup at whois.net, the domain was registered through GoDaddy in July of 2014. They list a PO Box in Victoria, AU, as their main point of contact. They also have a phone number that I don't care to call, because I'm not that interested in incurring a massive phone bill to call the other side of the planet. Their contact info is rather sparse, likely because of a desire to hide the people behind this operation. The information is disturbingly similar to the other moon sites, almost to a T. The likelihood of each of these sites being run by the same group is very high.

[Screenshot: moonbitcoin website.JPG]

Their site is...well, it's everything you'd expect in a site that gives out "free" money. There are banner ads everywhere. There are these pop-up ads that will show up in the lower left and right of the web page, sometimes showing one or both at the same time.

[Screenshot: moonbitcoin resource usage.JPG]

Attached is a screenshot of my VM's system resources after idling on the site for roughly 10-12 minutes. It's high, but not super bad, either. When I first accessed the site, it was using a lot more than it was later. I'm curious as to why this happened.

The next thing for me to check was the scripts that the site runs. Firefox's debugger is fantastic for this, and that's precisely what I used. I checked each of the sources in the debugger window, and I found the results below:

Within moonbit.co.in:

-coinhive.min.js: This. This right here. This is what I was afraid of. Coinhive is a known mining applet that can be run in the background of your web browser. It mines what's called Monero, and the settings can be adjusted by the website admin, who decides how much of your system resources to consume. What fascinates me about moonbitcoin is that my system resources weren't super high while monitoring the site. I'm of half a mind to believe they look at what you have available and whether or not you're worth using for mining. Possible, but not likely. Since September 19, 2017, coinhive.com is Malwarebytes' second most blocked URL, with over 130 million blocks in the span of a few weeks. If that doesn't give you pause, I don't know what does. UFC recently got in trouble when keen-eyed users noticed a spike in system usage while watching official matches online, thanks to Coinhive. If you can get Malwarebytes working in a way that blocks that script but keeps everything else, do it. I haven't tested it to see if it's feasible, but that can be tested with time.

-Faucet.js: This is a script that handles the payout of the cryptocurrency. It's actually a fairly simple script, and worth studying if you're curious about Java programming.

-Fingerprint2.js: This is an interesting script. Not only does it handle the sizing and orientation for desktop and mobile versions of the website, it also contains functions that check whether you're spoofing your operating system. In my case, I'm just running a virtual machine, so I'm not that worried if it gets corrupted. I just got a laugh out of variable names like "has_lied_os" and "excludeHasLiedBrowser". They really want honest people for their "honest" moneymaking scheme!

-ion.sound.min.js: This is a readily available JavaScript plugin that allows the site to play a sound when you're able to claim your free cryptocurrency again. It's not an issue.

-jquery.bpopup.min.js: Script for the popup ads that show up in the bottom corners. Also borrowed from elsewhere. Not worth sweating over.

-jquery.cookie.js: Generates the cookies for their website. Also borrowed from elsewhere; it looks like a Mr. Klaus Hartl made it in 2014 and uploaded it to GitHub. Open source under the MIT license, so that's why they used it. At least they're cognizant of licensing, and supporting the open source community...

-jquery.countdown.min.js: More open source scripts! This one comes from a Mr. Keith Wood, also released under the MIT license. They use this to figure out the 5 minute countdown timer before you can claim again.

-jquery.plugin.min.js: This is a plugin container class for the plugins referenced above. Again, MIT license, also made by Keith Wood. Makes all the other scripts work correctly.

acds.pro.vidible.tv: Vidible is owned by AOL, apparently. They're an advertising company that provides media content like smaller versions of embedded video that play on the side while you read a news article. I didn't see anything like that while monitoring moonbitcoin, but that doesn't mean they won't do it.

Within ad.bitmedia.io:

-js/adbybm.js: This is one of the banner ads. As best I can tell, it's not inserting any malicious scripts into the web site, though malvertising is a thing.

Within ad.lkqd.net:

-vpaid.js: banner ad script. Again, not necessarily a bad thing, but can be potentially corruptible if the wrong actors start advertising.

Within cdn.www.cccpmo.com:

-files-epommarket/templates/531/601: has a player.min.js, which is 3 lines long and kind of difficult to read. It appears to be an embedded video player.

The last couple of sources are common across all the moon sites. Mellowads, Cloudflare, BootstrapCDN, Twitter, Facebook, ajax.googleapis.com, Google Analytics: they're all here. The two that are unique to Moonbitcoin are moatads and www.top-advertise.com. I tried looking up top-advertise, but they don't even have a DNS entry. As far as I can tell, they don't exist. Moatads has been flagged by Webroot as well as McAfee; both list it as a Potentially Unwanted Application. While not inherently malicious, it can be troublesome if it tries to start downloading malware.
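The script inventory above was done by hand in the Firefox debugger. As an added example (not part of the original post, and not code from any of the sites discussed), here is a small Node.js script that does the same first pass automatically: it pulls every `<script src>` out of a page's markup, groups the scripts by host, separates first-party from third-party hosts, and flags any script whose path matches a known miner name. The sample HTML is constructed for this example; its file names and hosts are the ones listed above, but the markup is made up, and the blocklist (just `coinhive`) is an assumed starting point a defender would extend with their own intel.

```javascript
// Added example, not the site's code: inventory the script sources of a page and flag
// names associated with in-browser mining. Node.js only, no third-party modules.

// Constructed sample markup. File names and hosts mirror the post's findings; the page
// structure itself is invented for this example.
const SAMPLE_HTML = `
<html><head>
<script src="/js/jquery.cookie.js"></script>
<script src="/js/jquery.countdown.min.js"></script>
<script src="/js/Fingerprint2.js"></script>
<script src='/js/coinhive.min.js'></script>
<script type="text/javascript" src="https://ad.bitmedia.io/js/adbybm.js"></script>
<script src="//ad.lkqd.net/vpaid.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
</head><body></body></html>`;

// Assumed starting blocklist: the miner script the post identified. Extend as needed.
const MINER_SCRIPT_PATTERNS = [/coinhive/i];

// Extract every script src, resolving relative ("/js/x.js") and protocol-relative
// ("//host/x.js") references against the page URL so each one gets a real hostname.
function extractScriptUrls(html, pageUrl) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      urls.push(new URL(m[1], pageUrl));
    } catch (e) {
      // Malformed src attribute: skip it rather than abort the whole inventory.
    }
  }
  return urls;
}

// Group scripts by host, list the third-party hosts, and flag miner-like script names.
function inventoryScripts(html, pageUrl) {
  const origin = new URL(pageUrl).hostname;
  const byHost = {};
  const flagged = [];
  for (const u of extractScriptUrls(html, pageUrl)) {
    const name = u.pathname.split('/').pop();
    if (!byHost[u.hostname]) byHost[u.hostname] = [];
    byHost[u.hostname].push(name);
    if (MINER_SCRIPT_PATTERNS.some((p) => p.test(u.pathname))) {
      flagged.push({ host: u.hostname, script: name, thirdParty: u.hostname !== origin });
    }
  }
  const thirdPartyHosts = Object.keys(byHost).filter((h) => h !== origin).sort();
  return { byHost, thirdPartyHosts, flagged };
}

// Print the inventory when run directly: node inventory.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(inventoryScripts(SAMPLE_HTML, 'http://moonbit.co.in/'), null, 2));
}
```

On the sample above it reports one flagged script (`coinhive.min.js`, served first-party) and three third-party hosts. A blocklist match is only the first filter: everything under `thirdPartyHosts` still deserves the same manual look the post gives the ad networks, because a clean-looking name from an ad host can still deliver a miner.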

So, what's my verdict? Moonbitcoin is the most malicious of the moon sites. Even then, it's all stuff that can be easily remedied. I would recommend using a virtual machine, keeping your antimalware up to date, and being cautious. This site will give you wee fractions of a bitcoin for your time, which is better than nothing. Use your common sense, and stay away if you don't want to take on the risk. If you do decide to take the plunge and try it out, I'd appreciate your assistance in using my affiliate link:

http://moonbit.co.in/?ref=5a4dfcd4c170

As always, stay safe, use your head, and for the love of god, use protection!
