Threat Assessment: Moondogecoin
After thinking I was being burned and people were using my computers to mine, I realized I had no idea how they did it, and wanted to know more. This post, and the others that follow, will be a record of my research into the sites I used.
To safely check these sites, I made a Windows 7 virtual machine in VirtualBox. Below are screenshots of my VM setup:
So yeah, 2 GB RAM, 1 CPU core, standard stuff. I put the VM behind NAT, and disabled shared host folders and the shared clipboard. Better safe than sorry, right? After updating Windows and Firefox, and installing Microsoft Security Essentials, I made a clone of the VM that I can call upon in case my test environment gets corrupted beyond the point of repair. Once I had that taken care of, I was ready to start my research.
So what is Moondogecoin? According to a WHOIS lookup at whois.net, the domain was registered through GoDaddy in June 2014. They list a PO Box in Victoria, AU, as their main point of contact. They also have a phone number that I don't care to call, because I'm not that interested in incurring a massive phone bill to call the other side of the planet. Their contact info is rather sparse, likely because of a desire to hide the people behind this operation. The information is disturbingly similar to the other moon sites, almost to a T. The likelihood of each of these sites being run by the same group is very high.
Their site is...well, it's everything you'd expect in a site that gives out "free" money. There are banner ads everywhere. There are these pop-up ads that will show up in the lower left and right of the web page, sometimes showing one or both at the same time.
I let the site idle for a little bit, just to see what it would do, and the above screenshot shows the performance results after idling for roughly 20-30 minutes on the site. It's high, but then again, I'm in a VM with 2 GB of RAM and only one CPU core. Surprise surprise...
The next thing for me to check was the scripts that the site runs. Firefox's debugger (in the developer tools) is fantastic for this, and that's precisely what I used. I checked each of the sources in the debugger window, and I found the below results:
Within Moondoge.co.in:
-Faucet.js: This is a script that handles the payout of the cryptocurrency. It's actually a fairly simple script, and worth studying if you're curious about JavaScript programming.
-Fingerprint2.js: This is an interesting script. It is the open-source FingerprintJS2 browser fingerprinting library: it collects screen size and orientation (for the desktop and mobile layouts) along with a pile of other browser attributes and hashes them into an identifier for your device, so the site can recognise you without relying on cookies. It also contains functions that check whether you're spoofing your operating system or browser, by comparing what the user agent string claims against navigator.platform, navigator.oscpu and similar properties. In my case, I'm just running a virtual machine, so I'm not that worried if it gets corrupted. I just got a laugh out of variable names like "has_lied_os" and "excludeHasLiedBrowser". They really want honest people for their "honest" moneymaking scheme!
-ion.sound.min.js: This is a readily available JavaScript plugin that allows the site to play a sound when you're able to claim your free cryptocurrency again. It's not an issue.
-jquery.bpopup.min.js: Script for the popup ads that show up in the bottom corners. Also borrowed from elsewhere. Not worth sweating over.
-jquery.cookie.js: Reads and writes the cookies for their website. Also borrowed from elsewhere; it looks like a Mr. Klaus Hartl wrote it and published it on GitHub (the copy here is dated 2014). Open source under the MIT license, so that's why they used it. At least they're cognizant of licensing, and supporting the open source community...
-jquery.countdown.min.js: More open source scripts! This one comes from a Mr. Keith Wood, also released under the MIT license. They use this to display the 5 minute countdown timer before you can claim again. Note that the countdown is only a client-side display; whether a claim is actually accepted has to be decided by their server, since anything running in your browser can be edited.
-jquery.plugin.min.js: This is a plugin container class for the plugins referenced above. Again, MIT license, also made by Keith Wood. Makes all the other scripts work correctly.
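To show what the "has lied OS" check in the fingerprinting script is actually doing, here is an added example that is not the site's code or the FingerprintJS2 library's code. It is a simplified reimplementation of the idea: infer the OS family the user agent claims, then see whether navigator.oscpu and navigator.platform agree with it. The navigator fields are passed in explicitly so it runs under Node, and the sample navigator snapshots are constructed for the example.

```javascript
// Added example: simplified "has the browser lied about its OS?" check,
// in the spirit of Fingerprint2.js but not its code. Inputs are the
// navigator fields passed in as an object so it runs outside a browser.

// Infer the OS family the user agent string claims. Order matters:
// Android UAs also contain "Linux", iOS UAs also contain "Mac OS X".
function osFromUserAgent(userAgent) {
  const s = userAgent.toLowerCase();
  if (s.includes('windows phone')) return 'Windows Phone';
  if (s.includes('win')) return 'Windows';
  if (s.includes('android')) return 'Android';
  if (s.includes('linux')) return 'Linux';
  if (s.includes('iphone') || s.includes('ipad')) return 'iOS';
  if (s.includes('mac')) return 'Mac';
  return 'Other';
}

// Returns true when the build-level properties contradict the UA string.
function hasLiedOs({ userAgent, platform, oscpu }) {
  const os = osFromUserAgent(userAgent);

  // navigator.oscpu is Firefox-only; when present it must agree with the UA.
  if (typeof oscpu === 'string') {
    const o = oscpu.toLowerCase();
    if (o.includes('win') && os !== 'Windows' && os !== 'Windows Phone') return true;
    if (o.includes('linux') && os !== 'Linux' && os !== 'Android') return true;
    if (o.includes('mac') && os !== 'Mac') return true;
    if (!/win|linux|mac/.test(o) && os !== 'Other') return true;
  }

  // navigator.platform comes from the browser build, not the UA string,
  // so a spoofed UA usually leaves it untouched.
  const p = (platform || '').toLowerCase();
  if (p.includes('win')) {
    if (os !== 'Windows' && os !== 'Windows Phone') return true;
  } else if (p.includes('linux') || p.includes('android')) {
    if (os !== 'Linux' && os !== 'Android') return true;
  } else if (p.includes('mac') || p.includes('iphone') || p.includes('ipad') || p.includes('ipod')) {
    if (os !== 'Mac' && os !== 'iOS') return true;
  } else if (os !== 'Other') {
    return true; // platform is something we cannot map, yet the UA was specific
  }
  return false;
}

// Constructed sample navigator snapshots (not captured from the site).
const GENUINE_WINDOWS = {
  userAgent: 'Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0',
  platform: 'Win32',
  oscpu: 'Windows NT 6.1',
};
const SPOOFED_MAC_UA_ON_WINDOWS = {
  userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
  platform: 'Win32',
  oscpu: 'Windows NT 6.1',
};
const GENUINE_ANDROID = {
  userAgent: 'Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.131 Mobile Safari/537.36',
  platform: 'Linux armv7l',
  oscpu: undefined,
};
const SPOOFED_LINUX_UA_ON_MAC = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',
  platform: 'MacIntel',
  oscpu: 'Intel Mac OS X 10.9',
};

console.log('genuine windows lied?', hasLiedOs(GENUINE_WINDOWS));            // false
console.log('mac UA on windows lied?', hasLiedOs(SPOOFED_MAC_UA_ON_WINDOWS)); // true
```

The point for a faucet operator is that a user agent switcher only changes the string; navigator.platform and navigator.oscpu still describe the real build, and the mismatch is what gets flagged. In a browser you would call hasLiedOs(navigator) directly.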
Within ad.bitmedia.io:
-js/adbybm.js: This is one of the banner ads. As best I can tell, it's not inserting any malicious scripts into the web site, though malvertising is a thing.
In ads.creative-service.com:
-pixel: This has a bunch of images, which appear to be banner ads. No direct malware detected, but we all know how quickly that can change...
The rest of these are fairly straightforward, and not worth diving into too much detail. There's a couple important ones, so I'm going to touch on those briefly.
Cointraffic.io: This is a site that runs banner ads related to cryptocurrency. You've probably seen their stuff before. Grand scheme of things, they're not that bad, but too much advertising can be cumbersome on slower computers.
Coinzilla.io: Just like Cointraffic, an advertising service that focuses on cryptocurrency. They have a jQuery script that pulls ads from their server. It's all minified into 4 lines of code, so reading it is a bitch.
Netdna.bootstrapcdn.com: I didn't know who these guys are, but apparently they're a content delivery network, specifically BootstrapCDN, which hosts the Bootstrap framework's CSS and JavaScript so that sites can load them from a shared edge network instead of serving them themselves. Think Cloudflare, which is better known for its DDoS protection but also serves static content the same way. You learn something new every day, right?
And then you have your standard google analytics, facebook, twitter, and a youtube script that I can't quite pin down. There's no embedded video, even though the source very clearly has code for an embedded web player.
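The per-source walk through the debugger above can be automated. Here is an added example, not code from the post or from the site, that takes a list of script URLs, groups them by host, separates first-party from third-party, and flags anything fetched over plain http (which a network-level attacker could replace in transit). The hosts in the sample list are the ones the post names; the scheme and the paths under moondoge.co.in, cointraffic.io and coinzilla.io are constructed placeholders.

```javascript
// Added example: inventory a page's script sources by origin. In a browser
// console you would feed it Array.from(document.scripts, s => s.src);
// here the input is a constructed list modelled on the hosts the post names.

function inventoryScripts(scriptUrls, firstPartyHost) {
  const report = { firstParty: [], thirdParty: {}, insecure: [] };
  for (const raw of scriptUrls) {
    if (!raw) continue; // inline <script> blocks have an empty src
    let url;
    try {
      url = new URL(raw);
    } catch (e) {
      continue; // not an absolute URL; nothing to attribute to a host
    }
    if (url.protocol === 'http:') report.insecure.push(raw);
    if (url.hostname === firstPartyHost) {
      report.firstParty.push(url.pathname);
    } else {
      if (!report.thirdParty[url.hostname]) report.thirdParty[url.hostname] = [];
      report.thirdParty[url.hostname].push(url.pathname);
    }
  }
  return report;
}

// Constructed sample input. Hosts come from the post; the scheme and the
// paths marked as placeholders are assumptions for the example.
const SAMPLE_SCRIPTS = [
  'http://moondoge.co.in/faucet.js',                 // placeholder path
  'http://moondoge.co.in/fingerprint2.js',           // placeholder path
  'http://moondoge.co.in/jquery.cookie.js',          // placeholder path
  'http://ad.bitmedia.io/js/adbybm.js',
  'http://ads.creative-service.com/pixel',
  'https://cointraffic.io/example.js',               // placeholder path
  'https://coinzilla.io/example.js',                 // placeholder path
  'https://netdna.bootstrapcdn.com/example.min.js',  // placeholder path
  '',                                                // an inline script
];

function sampleReport() {
  return inventoryScripts(SAMPLE_SCRIPTS, 'moondoge.co.in');
}

const r = sampleReport();
console.log('first-party scripts:', r.firstParty.length);
console.log('third-party hosts:', Object.keys(r.thirdParty));
console.log('loaded over plain http:', r.insecure);
```

Every third-party host in the output is a party that can change the page's behaviour later without the site operator touching anything, which is the "malvertising is a thing" point above in concrete form.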
So here's my take on this site. The banner ads may slow down slower machines, but the site isn't doing anything shady to profit off of your patronage. That can change in a heartbeat, obviously, so please be careful when you visit this site. Do it in a virtual machine, and make sure you have a clean backup that you can fall back on if you need to nuke this one. If you do decide to take the plunge and try it out, I'd appreciate your assistance in using my affiliate link:
http://moondoge.co.in/?ref=4f5caaac070f
As always, stay safe, use your head, and for the love of god, use protection!
Even so, faucets are annoying, they don't pay any significant amount of money and usually have withdrawal limits so large no one could feasibly ever withdraw. But what can you expect from someone who promises free money.
Yeah, basically. That said, it was interesting digging into all four of the moon sites to see how they tick. Each one has a few subtle differences.