Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: BitcoinPorn on June 29, 2011, 08:13:48 PM



Title: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: BitcoinPorn on June 29, 2011, 08:13:48 PM
http://www.securelist.com/en/blog/208188132/Gold_rush

Quote
Today our analysts detected a new threat spreading in the Russian sector of the Internet – Trojan.NSIS.Miner.a. This Trojan has two components – the legitimate bcm.exe file BitCoin Miner (not-a-virus:RiskTool.Win32.BitCoinMiner.a), and a malicious module that installs bcm without the user’s knowledge and adds it to the autorun registry. The infected computer then starts to generate bit-coins for the Trojan’s author.

Of course, the Trojan’s code clearly indicates the server address where the cybercriminal’s account is located.

http://www.securelist.com/en/images/pictures/klblog/208188133.png

We decided to see how successful our nameless ‘miner’ was, and ended up getting a bit of a surprise.

http://www.securelist.com/en/images/pictures/klblog/208188134.png

Found from http://www.reddit.com/r/Bitcoin/comments/icgo4/trojannsisminera_used_to_secretly_mine_bitcoin_on/


Title: Re: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: gentakin on June 29, 2011, 08:18:30 PM
Hats off to Tycho for blocking botnets automatically! Remember, it's causing a loss of 3% pool fees.


Title: Re: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: SlaveInDebt on June 29, 2011, 08:31:27 PM
How about other pools? Do they have measures in place against this?


Title: Re: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: finack on June 30, 2011, 12:40:27 AM
Quote
Hats off to Tycho for blocking botnets automatically! Remember, it's causing a loss of 3% pool fees.

That's not how I read the screenshot. Look at the account's current hash rate, about 4 GH. So he's letting them get work and submit it, he's likely just made it so it isn't accumulating bitcoins for it - meaning instead of a 3% share of their work he's getting a 100% share of it.


Title: Re: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: [Tycho] on June 30, 2011, 09:54:16 PM
Quote
Hats off to Tycho for blocking botnets automatically! Remember, it's causing a loss of 3% pool fees.
Quote
That's not how I read the screenshot. Look at the account's current hash rate, about 4 GH. So he's letting them get work and submit it, he's likely just made it so it isn't accumulating bitcoins for it - meaning instead of a 3% share of their work he's getting a 100% share of it.
No. In this "warning" state, at the moment of taking this screenshot, all account/worker configuration options are disabled, but mining still continues and he gets his reward.
Then, if we don't receive any explanation from the user, his workers are blocked and he won't get any work (his miners will stop).
Mining operations on this account were already blocked when I saw this topic.

This red message turned out to be a bit misleading, I'll correct it now.


Title: Re: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: malevolent on July 01, 2011, 10:18:44 AM
Good job!


Title: Re: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: Veldy on July 02, 2011, 04:14:16 AM
Awesome!  Great to learn of additional security measures in place; I don't think this was ever announced.  I finally decided to lock my payout address a couple of weeks ago, so I am really surprised that such a trojan/bot was created [not to mention it shows identity].  I don't know if most people have locked their address, but I hope so. At first I didn't like the idea, but now it doesn't matter.  I shuttle my coins to another wallet ... another client on one of my mining boxes and once confirmed to my satisfaction, I shut the client down, encrypt the wallet.dat to wallet.dat.asc and put it in safe storage.  No decryption keys on ANY of my machines nor accessible to anybody unless they get to one of a few locations ... and past my dogs, security system, and my pistol or shotgun (no joke) in one of the locations ... where I live :).

I highly recommend a backup wallet and full public/private key encryption to avoid significant exposure should your machine be compromised [including physically].


Title: Re: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: Tasty Champa on July 02, 2011, 04:30:10 AM
Honestly,
Fuckin NICE! :)


Deepbit +1


Title: Re: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: airdata on July 02, 2011, 04:53:08 AM
Wonder what flags they set?

If you just threw it to full speed, a user would likely find it fast if their CPU was constantly at full load.


Title: Re: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: steelhouse on July 03, 2011, 12:24:53 AM
I think I might have had this; however, it shows slow MH/s on your computer. What I did was reinstall Windows to fix it.


Title: Re: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit
Post by: d3m0n1q_733rz on July 08, 2011, 08:29:41 AM
If you do happen to find this, there are two places the autorun could be located. One is in your start menu. The other is in your Task Scheduler. Very rarely will you find it in your registry, but if you see the miner running and you didn't install it, run a registry search to see if you can find any instance of it or a batch file to run it.
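A defender-side check that walks the three autorun locations named in the post above (start menu Startup folders, Task Scheduler, registry Run keys, the last being the location the Securelist write-up quoted in the first post names) and reports any entry that launches a given binary. This is an added example, not code from the thread or from Kaspersky; the name bcm.exe comes from the quoted write-up, and it assumes PowerShell 3 or later on a Windows version that ships Get-ScheduledTask, run from an elevated prompt so HKLM and all tasks are readable.

```powershell
# Added example, not from the thread: list autorun entries that launch a
# given binary. The name bcm.exe is from the Securelist write-up quoted in
# the first post; needs PowerShell 3+ and an elevated prompt for HKLM/tasks.
param([string]$Needle = 'bcm.exe')
$pattern = [regex]::Escape($Needle)
$hits = @()

# 1. Registry Run/RunOnce keys (the autorun location the write-up mentions)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match $pattern) {
            $hits += [pscustomobject]@{ Where = "Registry $key"; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Start menu Startup folders: matched by file name, or by content for .bat/.cmd wrappers
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $body = ''
        if ($f.Extension -in '.bat', '.cmd') {
            $body = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
        }
        if ($f.Name -match $pattern -or $body -match $pattern) {
            $hits += [pscustomobject]@{ Where = "Startup $dir"; Name = $f.Name; Command = $f.FullName }
        }
    }
}

# 3. Scheduled tasks whose action runs the binary
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Where = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
        }
    }
}

$hits | Format-Table -AutoSize
```

Pass a different name with -Needle to hunt for a renamed copy; an empty table means none of the three autorun locations reference the binary, not that the process is absent.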