Title: Bitcoin miner virus/malware found in the wild
Post by: bluikster on October 11, 2011, 07:08:46 AM

Hi, I had to create an account to tell/warn/spread awareness about this.

There seems to be a "bitcoin miner malware" spreading. One office PC had its CPU at 100% pretty much constantly if the network was connected. There is one good Google hit about it and a few Chinese/Japanese Google hits that do not have anything interesting.

There is a process "ping.exe" running under svchost, with command line:

"C:\WINDOWS\System32\ping.exe" -g no -t 1 -o httX://re********-startup.com:8344/ -u *** -p *********

The "re********-startup.com" resolves at the moment to:

re********-startup.com has address 38.99.169.85
re********-startup.com has address 38.99.169.86
re********-startup.com has address 38.99.169.87
re********-startup.com has address 184.82.193.155

I have censored the address. If people think it is a good idea to publicize it, I can. The censored username/pass I will not publicize.

Someone already noticed it a few weeks back. See for details: http://www.virustotal.com/file-scan/report.html?id=f2868ba54f077bf77f24d36648e5a631ad7a672cbbaf18a2dcb3bced94ccbd00-1316899029

But the poster did not notice the obvious connection to bitcoin!

I will have the binary soon and will do some analysis on it. I am an IT professional with a little experience in doing binary analysis. I believe I am the first one to find this out; does anyone have estimates of how widespread this is?

I am not familiar with mining, but do the command line switches look familiar from some public miner?

Title: Re: Bitcoin miner virus/malware found in the wild
Post by: bluikster on October 11, 2011, 08:42:15 AM

After initial looks:
- the ping.exe binary itself seems pretty unremarkable
- it loads "Generated by Ufasoft VLIW compiler"
- it uses the GPU also; I bet someone is making a nice amount of bitcoins with these.

Title: Re: Bitcoin miner virus/malware found in the wild
Post by: nmat on October 11, 2011, 08:54:16 AM

It's CGMiner (https://bitcointalk.org/index.php?topic=28402.0).

Title: Re: Bitcoin miner virus/malware found in the wild
Post by: bluikster on October 11, 2011, 09:04:45 AM

> It's CGMiner (https://bitcointalk.org/index.php?topic=28402.0).

I edited above; the evidence seems to point to "Ufasoft's miner". I will check about it.

Edit: definitely Ufasoft's miner; the command line usage matches, as do all the other strings about Ufasoft. Now if I could just find where the files this gets loaded from are... Anyone with better malware analysis skills want to help me? I have forgotten most of my Olly skills...

Title: Re: Bitcoin miner virus/malware found in the wild
Post by: zakna on October 17, 2011, 11:02:48 PM

I have the same problem, I want to get rid of that crap.... The only temporary solution for me was to disable the ping.exe process.
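The indicators in the first post (a process named ping.exe, launched under svchost, carrying pool-miner options such as -o pool URL, -u worker and -p password that the real Windows ping.exe does not accept) are enough to write a simple host-side check. The script below is an added example and not code from this thread or from any project mentioned in it; it runs over a constructed process listing embedded inline, with a placeholder pool host and placeholder credentials rather than the values from the posts. On a live Windows host the same functions would be fed the image name, parent image name and command line of each running process.

```python
import re
from urllib.parse import urlsplit

# Constructed sample process listing: (image name, parent image name, command line).
# The second entry mirrors the indicators quoted in the first post; the pool host,
# port, worker name and password are placeholders, not values from the thread.
SAMPLE_PROCESSES = [
    ("svchost.exe", "services.exe", r"C:\WINDOWS\System32\svchost.exe -k netsvcs"),
    ("ping.exe", "svchost.exe",
     r'"C:\WINDOWS\System32\ping.exe" -g no -t 1 -o http://pool.example.invalid:8344/ '
     r'-u WORKER_PLACEHOLDER -p PASS_PLACEHOLDER'),
    ("ping.exe", "cmd.exe", r"ping.exe -n 4 192.0.2.10"),
    ("explorer.exe", "userinit.exe", r"C:\WINDOWS\explorer.exe"),
]

# Switches the genuine Windows ping.exe accepts; anything else on a process
# called ping.exe is a mismatch between the image name and its behaviour.
LEGIT_PING_SWITCHES = {"-t", "-a", "-n", "-l", "-f", "-i", "-v", "-r", "-s",
                       "-j", "-k", "-w", "-R", "-S", "-4", "-6"}

# Pool-miner style options seen in the quoted command line: -o <pool URL>,
# then -u <worker> and -p <password>.
POOL_URL = re.compile(r"(?:^|\s)-o\s+(\S+)", re.IGNORECASE)
WORKER_CREDS = re.compile(r"(?:^|\s)-u\s+\S+.*(?:^|\s)-p\s+\S+", re.IGNORECASE)


def switches(cmdline):
    """Return the set of dash-prefixed switches present in a command line."""
    return {tok for tok in cmdline.split() if tok.startswith("-") and len(tok) > 1}


def pool_endpoint(cmdline):
    """Extract (host, port) from a -o pool URL, or None if there is no such URL."""
    m = POOL_URL.search(cmdline)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return parts.hostname, parts.port


def assess(name, parent, cmdline):
    """Return the reasons a process looks like the ping.exe miner; empty list if clean."""
    reasons = []
    if name.lower() != "ping.exe":
        return reasons
    unknown = switches(cmdline) - LEGIT_PING_SWITCHES
    if unknown:
        reasons.append("switches the real ping.exe does not support: " + " ".join(sorted(unknown)))
    endpoint = pool_endpoint(cmdline)
    if endpoint:
        reasons.append("pool URL passed with -o: %s:%s" % endpoint)
    if WORKER_CREDS.search(cmdline):
        reasons.append("worker credentials passed with -u/-p")
    if parent.lower() == "svchost.exe":
        reasons.append("launched under svchost.exe rather than from a shell")
    return reasons


def scan(processes):
    """Run assess() over a listing; returns [(cmdline, reasons)] for every hit."""
    hits = []
    for name, parent, cmdline in processes:
        reasons = assess(name, parent, cmdline)
        if reasons:
            hits.append((cmdline, reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_PROCESSES):
        print(cmdline)
        for reason in reasons:
            print("  -", reason)
```

The check keys on the contradiction between the image name and the command line rather than on the pool hostname, so it still fires after the operator moves to a different domain; the extracted host and port are what you would hand to a firewall or proxy block list and to whoever is looking at the outbound connection logs.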