Bitcoin Forum

Bitcoin => Mining => Topic started by: Hippie Tech on January 22, 2013, 02:38:40 AM



Title: Is your miner a botnet slave ?
Post by: Hippie Tech on January 22, 2013, 02:38:40 AM
Hio and good day BTCland. :)

How prevalent is this? And what can we do to stop it?

Someone pointed this 'freaknik' out to me a few weeks ago. He likes to brag about his thievery. This was taken from the chat log at Peerbet.org.

http://img.techpowerup.org/130121/botnet slaves.jpg

http://threatpost.ca/en_us/blogs/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012

http://img.techpowerup.org/130121/Capture380.jpg

pEACe


Title: Re: Is your miner a botnet slave ?
Post by: zvs on January 22, 2013, 03:59:46 AM
On pools that let you list all the miners, look for all the people at 10-25 MH/s.


Title: Re: Is your miner a botnet slave ?
Post by: mufa23 on January 22, 2013, 04:42:51 AM
"The stories and information posted here are artistic works of fiction and falsehood. Only a fool would take anything posted here as fact."

Yes, I have over 9000 botnets. And you can't catch me because I'm behind seven proxies.


Title: Re: Is your miner a botnet slave ?
Post by: 1l1l11ll1l on January 22, 2013, 05:16:14 AM
"The stories and information posted here are artistic works of fiction and falsehood. Only a fool would take anything posted here as fact."

Yes, I have over 9000 botnets. And you can't catch me because I'm behind seven proxies.

Whoa! Over 9000 botnets! How many slaves in each botnet!?


Title: Re: Is your miner a botnet slave ?
Post by: Hippie Tech on January 22, 2013, 05:39:34 AM
On pools that let you list all the miners, look for all the people at 10-25 MH/s.

I see them at BTCmine all the time. I've also seen them at one of the p2p pools.
http://btcmine.com/toplist/

How many shares per day will 1 Ghash/s get you?

I'm averaging 21.5k with my 1.05 - 1.15 Ghash/s.


Title: Re: Is your miner a botnet slave ?
Post by: mufa23 on January 22, 2013, 06:12:33 AM
"The stories and information posted here are artistic works of fiction and falsehood. Only a fool would take anything posted here as fact."

Yes, I have over 9000 botnets. And you can't catch me because I'm behind seven proxies.

Whoa! Over 9000 botnets! How many slaves in each botnet!?
'bout tree fiddy


Title: Re: Is your miner a botnet slave ?
Post by: Unacceptable on January 22, 2013, 07:30:46 AM
"The stories and information posted here are artistic works of fiction and falsehood. Only a fool would take anything posted here as fact."

Yes, I have over 9000 botnets. And you can't catch me because I'm behind seven proxies.

Whoa! Over 9000 botnets! How many slaves in each botnet!?
'bout tree fiddy

http://www.youtube.com/watch?v=9cn7xfBpZ3M

                  :D ;D :D ;D :D ;D


Title: Re: Is your miner a botnet slave ?
Post by: dan9575 on January 26, 2013, 05:16:52 PM
ASICs will hurt these botnet guys hardcore; they'll probably switch over to PPC once that happens.


Title: Re: Is your miner a botnet slave ?
Post by: webosftw on January 26, 2013, 06:26:15 PM
ASICs will hurt these botnet guys hardcore; they'll probably switch over to PPC once that happens.
Do you really think so? I saw a guy mining 40GH/s with a 10k net.


Title: Re: Is your miner a botnet slave ?
Post by: detro on January 29, 2013, 04:22:08 PM
As a security analyst at a large MSSP and someone who is very active in infosec, I can certainly verify that many of these botnets are in existence and we have caught quite a few of them. ZeroAccess is the BTC baron of the botnet world currently, due to it being pushed by almost every up-to-date exploit kit around today and being extremely difficult to track as well as remove.

For those who are familiar with exploit kits, feel free to skip this paragraph:
Exploit kits serve numerous exploits to a user visiting a site, utilizing recent exploits which target Java, Adobe Flash, Reader, Firefox, Internet Explorer and Windows in general. You can read more about them here: https://krebsonsecurity.com/?s=exploit+kit&x=0&y=0 . Simply scroll down for the latest news on exploit kits, the creators behind them and the arsenal of exploits they will use against you to install their malicious payload. Naked Security goes more into ZeroAccess in depth here: http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/ and Sophos' article on ZeroAccess and mining is at http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf .


Now aside from the ones utilizing ZeroAccess, we have tons of other black hats utilizing other bot types with a bitcoin mining payload alongside their keyloggers, form grabbers, ACH transaction browser MITM setups and whatever other plugins or payloads they decide to add. Many of the Bitcoin botnets we have found will utilize SSH, RDP and VNC scanners once they compromise the host, which check for a few basic account names and passwords while scanning for more victims.

A fellow colleague in infosec runs a site on which he disassembles these botnets and posts their details such as the gateway, the command and control servers it is using, bitcoin mining information and the landing pages. If you browse the site at exposedbotnets.com and go through a few posts you will come across details like the ones pasted below, which he has gleaned from their insecure botnet setups. I am only allowed to publicly post about the ones I catch via my own honeypot / honeyclient at home and not the numerous ones we have found at work.
Not to mention that most of the botnet operators have gotten smart enough to proxy the traffic back to the mining pools. Keep in mind I have removed any information regarding the botnets' landing pages or infection vectors, simply some bitcoin info recently gleaned, and yes, I did star out **** a racial slur in one of these d-bags' worker names.

Botnet Server: zeonyx

Some bitcoin mining infos:
http://Slinky:abc123@pool.bitclockers.com:8332
http://Zeroexe7_Zero8:n*****1@eu.triplemining.com:8344
http://Zeroexe7_Indian:n*****1@us2.eclipsemc.com:8337


Botnet Server: gwassnet

I'm going to guess this is the same guy as the other gwass domain.
Also, bitcoin mining info: http://Hung:28787@pool.bitclockers.com:8332

Personally we have seen many using 50btc, bitclockers and the ones listed above.

I'd love to know if anyone who has experience running a pool could help me think of ways to track down botnet-related mining activity and find a way to stop it. And yes, I know once the ASIC fairy comes and blesses us all with new rigs this won't be an issue, except many of the more sophisticated samples we are finding and are unable to track back to the pool are utilizing GPU mining as well, with some code that looks like it may have been borrowed from the bitminter client.

So as I said earlier if any pool operators have suggestions on tracking these rogue BTC botnets via other methods feel free to shoot me a PM.

Thanks,
detro
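zvs's heuristic earlier in the thread (many workers sitting in the 10-25 MH/s band) and detro's question to pool operators point at the same check, one a pool can run from its own worker table. The script below is an added example, not code from this thread or from any pool's software. It assumes the operator can export one row per worker with the account, the worker name, the reported hashrate and the number of distinct source IPs that worker was seen from; the thresholds and the sample rows are constructed assumptions. It covers two patterns the thread describes: per-bot workers that each report a CPU-class hashrate, and a single credential string (as in the pool URLs detro pasted) shared by every infected host, which shows up as one worker connecting from thousands of addresses.

```python
"""Flag pool accounts whose worker population looks like a botnet.

Added example (not from the thread or any pool's code). Thresholds, field
layout and sample rows are constructed assumptions for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample rows: (account, worker name, reported MH/s, distinct source IPs in 24h)
SAMPLE_WORKERS = [
    ("alice", "rig1", 1100.0, 1),
    ("alice", "rig2", 1050.0, 1),
    ("bob", "gpu0", 380.0, 2),                 # home miner on a dynamic IP: two addresses is normal
    ("shared_cred", "bot", 40000.0, 9800),     # one worker string embedded in malware, thousands of hosts
] + [("fanout", f"w{i:03d}", 12.0 + (i % 14), 1) for i in range(60)]  # sixty CPU-class workers

# Assumed thresholds; a pool would tune these against its own legitimate population.
MIN_WORKERS = 20          # few hobbyists register this many workers under one account
LOW_HASH_MH = 25.0        # per-worker ceiling for the 10-25 MH/s band zvs mentioned
MAX_IPS_PER_WORKER = 10   # a single rig rarely appears from more than a handful of addresses


def account_profiles(workers):
    """Summarise each account: worker count, median and total MH/s, max IPs on one worker."""
    rates = defaultdict(list)
    max_ips = defaultdict(int)
    for acct, _name, mhs, ips in workers:
        rates[acct].append(mhs)
        max_ips[acct] = max(max_ips[acct], ips)
    return {
        acct: {
            "workers": len(r),
            "median_mhs": median(r),
            "total_mhs": sum(r),
            "max_ips": max_ips[acct],
        }
        for acct, r in rates.items()
    }


def flag_suspect_accounts(workers, min_workers=MIN_WORKERS,
                          low_hash_mh=LOW_HASH_MH, max_ips_per_worker=MAX_IPS_PER_WORKER):
    """Return {account: [reasons]} for accounts matching either botnet pattern."""
    flagged = {}
    for acct, p in account_profiles(workers).items():
        reasons = []
        # Pattern (a): many workers, each contributing only a CPU-class hashrate.
        if p["workers"] >= min_workers and p["median_mhs"] <= low_hash_mh:
            reasons.append(f"{p['workers']} workers at median {p['median_mhs']:.1f} MH/s")
        # Pattern (b): one worker credential reused from far more hosts than a rig could be.
        if p["max_ips"] > max_ips_per_worker:
            reasons.append(f"a single worker seen from {p['max_ips']} source IPs")
        if reasons:
            flagged[acct] = reasons
    return flagged


if __name__ == "__main__":
    for acct, reasons in sorted(flag_suspect_accounts(SAMPLE_WORKERS).items()):
        print(f"{acct}: " + "; ".join(reasons))
```

A flag is a reason to look, not proof: a legitimate farm can legitimately run many workers, so the natural follow-up is to compare the account's payout address and registration details against the pool's known customers before suspending anything.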


Title: Re: Is your miner a botnet slave ?
Post by: zvs on January 29, 2013, 04:28:13 PM
Exploit kits serve numerous exploits to a user visiting a site, utilizing recent exploits which target Java, Adobe Flash, Reader, Firefox, Internet Explorer and Windows in general. You can read more about them here: https://krebsonsecurity.com/?s=exploit+kit&x=0&y=0 . Simply scroll down for the latest news on exploit kits, the creators behind them and the arsenal of exploits they will use against you to install their malicious payload. Naked Security goes more into ZeroAccess in depth here: http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/ and Sophos' article on ZeroAccess and mining is at http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf .
Java and Adobe Flash are the devil.

though I haven't had anything worse than Realplayer (what a PoS that is nowadays) in the last 15 years or so *knock on wood*

Just watching my Facebook feed, it's easy to see how many people will randomly click on links.

(and watching w00tw00t spam)


Title: Re: Is your miner a botnet slave ?
Post by: crazyates on January 29, 2013, 04:43:46 PM
Exploit kits serve numerous exploits to a user visiting a site, utilizing recent exploits which target Java, Adobe Flash, Reader, Firefox, Internet Explorer and Windows in general. You can read more about them here: https://krebsonsecurity.com/?s=exploit+kit&x=0&y=0 . Simply scroll down for the latest news on exploit kits, the creators behind them and the arsenal of exploits they will use against you to install their malicious payload. Naked Security goes more into ZeroAccess in depth here: http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/ and Sophos' article on ZeroAccess and mining is at http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf .
Java and Adobe Flash are the devil.

though I haven't had anything worse than Realplayer (what a PoS that is nowadays) in the last 15 years or so *knock on wood*

Just watching my Facebook feed, it's easy to see how many people will randomly click on links.

(and watching w00tw00t spam porn)
FTFY


Title: Re: Is your miner a botnet slave ?
Post by: Hippie Tech on January 29, 2013, 10:10:23 PM
Thank you for the info Detro. :)

I hope there will soon be a way to detect and stop them without having to manually monitor each gpu/miner for lost hash power.

pEACe


Title: Re: Is your miner a botnet slave ?
Post by: bowen151 on February 04, 2013, 01:21:21 PM
Unless I'm mistaken, you can rent out botnets if you trawl through the underwebs enough. Payment is taken in, yes, that's right, you guessed it... bitcoin.