Sophos technical paper
The ZeroAccess Botnet – Mining and Fraud for Massive Financial Gain
James Wyke, Senior Threat Researcher, SophosLabs
2012-09
http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx...
The ZeroAccess botnet that communicates on port 16471 (32-bit) and 16470 (64-bit) is currently downloading plugins that facilitate Bitcoin mining.
...
These statistics clearly show that the Bitcoin mining botnet is the most prevalent, followed by the click fraud botnet with the kernel-mode botnet a very distant third.
...
If we estimate the total size of all ZeroAccess botnets to be 1,000,000 machines and use the statistics acquired from the successful installs data that suggests that the proportion of the total machines that connect to the Bitcoin mining botnet is 62%, then we have 620,000 machines that could be participating in Bitcoin mining.
...
We can see that ZeroAccess’ mining pool is close in size to some of the biggest public pools. These generate huge numbers of Bitcoins, for example the DeepBit pool [14] has mined over 1 million Bitcoins in the course of one year.
...
Using botnets to mine Bitcoins deprives hard-working legitimate Bitcoin miners from generating those coins and therefore receiving payment.
More importantly, this activity taints the Bitcoin image. There have been several cases of Bitcoin exchanges being broken into and Bitcoins stolen [17], and there are concerns that the currency may die off as some digital currencies have done before it [18].
A continued association with botnets and malware does nothing to increase the more widespread adoption of Bitcoin.
...
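
Added example (not from the Sophos paper): a flow-log check built on the port statement in the first excerpt, flagging internal hosts that exchange traffic with several distinct external peers on port 16471 or 16470. The record format, the 10.0.0.0/8 internal range and the three-peer threshold are assumptions, and all sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Port-to-variant mapping as stated in the excerpt above.
ZA_PORTS = {16471: "32-bit", 16470: "64-bit"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: monitored range
MIN_PEERS = 3                                  # assumption: tuning threshold

# Constructed sample flow records: "src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
10.0.0.5 49152 198.51.100.10 16471
10.0.0.5 49153 198.51.100.11 16471
10.0.0.5 49154 203.0.113.7 16471
203.0.113.9 50000 10.0.0.5 16471
10.0.0.8 16471 192.0.2.44 443
10.0.0.9 51000 198.51.100.20 16470
10.0.0.9 51001 198.51.100.21 16470
10.0.0.9 51002 198.51.100.22 16470
malformed line here
"""

def parse_flow(line):
    """Return (src_ip, src_port, dst_ip, dst_port) or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), int(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None

def suspect_hosts(flow_text, min_peers=MIN_PEERS):
    """Return sorted (host, variant, peer_count) for internal hosts seen with
    at least min_peers distinct external peers on a listed port."""
    peers = defaultdict(set)  # (host, port) -> set of external peer IPs
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, _sport, dst, dport = flow
        # Match the destination port only: outbound to a peer, or inbound.
        if dport in ZA_PORTS and src in INTERNAL and dst not in INTERNAL:
            peers[(str(src), dport)].add(dst)
        elif dport in ZA_PORTS and dst in INTERNAL and src not in INTERNAL:
            peers[(str(dst), dport)].add(src)
    return sorted((host, ZA_PORTS[port], len(p))
                  for (host, port), p in peers.items() if len(p) >= min_peers)
```

The record from 10.0.0.8 uses 16471 only as a source port toward port 443 and is not counted, and the distinct-peer threshold keeps a single stray connection from raising an alert.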