Bitcoin Forum
Show Posts
1  Other / Beginners & Help / Re: Bitcoin miner virus/malware found in the wild on: October 11, 2011, 09:04:45 AM
It's CGMiner.


I edited above; the evidence seems to point to "Ufasoft's miner". I will check about CGMiner also, thank you.
edit: definitely Ufasoft's miner; the command line usage matches, as do all the other strings about Ufasoft.

Now if I could just find where the files this gets loaded from are... Anyone with better malware analysis skills want to help me? I have forgotten most of my Olly skills..

2  Other / Beginners & Help / Re: Bitcoin miner virus/malware found in the wild on: October 11, 2011, 08:42:15 AM
After initial looks:
- the ping.exe binary itself seems pretty unremarkable
- it loads a miner called "bitcoin-miner", Ufasoft's miner; I will find out from where so I have all the files I need and can wipe the old system

"Generated by Ufasoft VLIW compiler" - it uses GPU also, I bet someone is making a nice amount of bitcoins with these.

3  Other / Beginners & Help / Bitcoin miner virus/malware found in the wild on: October 11, 2011, 07:08:46 AM
Hi, I had to create an account to tell/warn/spread awareness about this.

There seems to be a "bitcoin miner malware" spreading. One office PC had its CPU at 100% pretty much constantly if the network was connected. There is one good Google hit about it and a few Chinese/Japanese Google hits that do not have anything interesting.

There is a process "ping.exe" running under svchost, with command line:
"C:\WINDOWS\System32\ping.exe" -g no -t 1 -o httX://re********-startup.com:8344/ -u *** -p *********
The "re********-startup.com" resolves at the moment to:
re********-startup.com has address 38.99.169.85
re********-startup.com has address 38.99.169.86
re********-startup.com has address 38.99.169.87
re********-startup.com has address 184.82.193.155

I have censored the address. If people think it is a good idea to publicize it, I can. The censored username/pass I will not publicize.

Someone already noticed it a few weeks back. See for details:
http://www.virustotal.com/file-scan/report.html?id=f2868ba54f077bf77f24d36648e5a631ad7a672cbbaf18a2dcb3bced94ccbd00-1316899029

But the poster did not notice the obvious connection to bitcoin!

I will have the binary soon and will do some analysis on it. I am an IT professional with a little experience in doing binary analysis.
I believe I am the first one to find this one out, does anyone have estimates how wide-spread this is?

I am not familiar with mining, but do the command line switches look familiar from some public miner?
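The indicators in the post above (a process named ping.exe, spawned by svchost, carrying pool-style `-o <url>:<port>/ -u <user> -p <pass>` arguments that the real ping never takes) are enough to write a simple triage check. The following is an added example, not code from the thread or from any miner; it runs over a constructed process list with a placeholder pool host (`pool.example.invalid`), and the "ping.exe under svchost.exe" heuristic is an assumption that interactive ping is normally launched from a shell, not a service host. On a live Windows box the same records could be fed from `wmic process get ProcessId,ParentProcessId,Name,CommandLine` or `Get-CimInstance Win32_Process`.

```python
import re
from dataclasses import dataclass

# Pool-style miner arguments, as in the posted command line:
#   -o <scheme>://<host>:<port>/ -u <user> -p <pass>
POOL_ARG_RE = re.compile(
    r"(?:^|\s)-o\s+(?P<url>\w+://(?P<host>[^\s:/]+)(?::(?P<port>\d+))?\S*)", re.I
)
USER_RE = re.compile(r"(?:^|\s)-u\s+\S+")
PASS_RE = re.compile(r"(?:^|\s)-p\s+\S+")


@dataclass
class Proc:
    pid: int
    parent_name: str
    name: str
    cmdline: str


# Constructed sample process list (not real data; the pool host is a placeholder).
SAMPLE = [
    Proc(412, "services.exe", "svchost.exe",
         "C:\\WINDOWS\\System32\\svchost.exe -k netsvcs"),
    # Legitimate interactive ping started from a shell.
    Proc(2080, "cmd.exe", "ping.exe", "ping 10.0.0.1 -t"),
    # Shape of the miner process described in the post.
    Proc(2216, "svchost.exe", "ping.exe",
         '"C:\\WINDOWS\\System32\\ping.exe" -g no -t 1 '
         "-o http://pool.example.invalid:8344/ -u worker -p secret"),
    # Same pool arguments under an honest process name.
    Proc(3000, "explorer.exe", "bitcoin-miner.exe",
         "bitcoin-miner.exe -o http://pool.example.invalid:8344/ -u worker -p secret"),
]


def pool_target(cmdline):
    """Return (host, port) if the command line carries -o/-u/-p pool arguments."""
    m = POOL_ARG_RE.search(cmdline)
    if m and USER_RE.search(cmdline) and PASS_RE.search(cmdline):
        return m.group("host"), m.group("port")
    return None


def classify(p):
    """List the reasons a process looks like a disguised miner (empty = clean)."""
    reasons = []
    target = pool_target(p.cmdline)
    if target:
        reasons.append("pool-style args (host=%s, port=%s)" % target)
    # Assumption: ping.exe is normally a child of a shell, not of svchost.exe.
    if p.name.lower() == "ping.exe" and p.parent_name.lower() == "svchost.exe":
        reasons.append("ping.exe spawned by svchost.exe")
    return reasons


def suspicious(procs):
    """Map pid -> reasons for every process that trips at least one heuristic."""
    return {p.pid: r for p in procs if (r := classify(p))}


def pool_hosts(procs):
    """Collect pool hosts to resolve and block at the perimeter (as the post did by hand)."""
    return {t[0] for p in procs if (t := pool_target(p.cmdline))}


if __name__ == "__main__":
    for pid, reasons in suspicious(SAMPLE).items():
        print(pid, "; ".join(reasons))
    print("block:", sorted(pool_hosts(SAMPLE)))
```

The two checks are independent on purpose: the argument pattern catches the miner whatever name it hides behind, and the parent/name check catches a renamed binary even if the operator changes the switches. Neither says anything about where the file was dropped from; that still needs the on-disk analysis the poster goes on to do.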