Bitcoin Forum
Topic: Is your miner a botnet slave? (Read 6877 times)
Hippie Tech (aka Amenstop)
January 22, 2013, 02:38:40 AM, #1

Hio and good day BTCland.

How prevalent is this? And what can we do to stop it?

Someone pointed this 'freaknik' out to me a few weeks ago. He likes to brag about his thievery. This was taken from the chat log at Peerbet.org.

http://threatpost.ca/en_us/blogs/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012

pEACe

zvs
January 22, 2013, 03:59:46 AM, #2

On pools that let you list all the miners, look for all the people at 10-25 MHash.

mufa23
January 22, 2013, 04:42:51 AM, #3

"The stories and information posted here are artistic works of fiction and falsehood. Only a fool would take anything posted here as fact."

Yes, I have over 9000 botnets. And you can't catch me because I'm behind seven proxies.

1l1l11ll1l
January 22, 2013, 05:16:14 AM, #4

"The stories and information posted here are artistic works of fiction and falsehood. Only a fool would take anything posted here as fact."

Yes, I have over 9000 botnets. And you can't catch me because I'm behind seven proxies.

Whoa! Over 9000 botnets! How many slaves in each botnet!?

Hippie Tech (aka Amenstop)
January 22, 2013, 05:39:34 AM, #5

on pools that let you list all the miners, look for all the people at 10-25mhash

I see them at BTCmine all the time. I've also seen them at one of the p2p pools.
http://btcmine.com/toplist/

How many shares per day will 1 GHash/s get you?

I'm averaging 21.5k with my 1.05 - 1.15 Ghash/s.

mufa23
January 22, 2013, 06:12:33 AM, #6

"The stories and information posted here are artistic works of fiction and falsehood. Only a fool would take anything posted here as fact."

Yes, I have over 9000 botnets. And you can't catch me because I'm behind seven proxies.

Whoa! Over 9000 botnets! How many slaves in each botnet!?
'bout tree fiddy

Unacceptable
January 22, 2013, 07:30:46 AM, #7

"The stories and information posted here are artistic works of fiction and falsehood. Only a fool would take anything posted here as fact."

Yes, I have over 9000 botnets. And you can't catch me because I'm behind seven proxies.

Whoa! Over 9000 botnets! How many slaves in each botnet!?
'bout tree fiddy

http://www.youtube.com/watch?v=9cn7xfBpZ3M

dan9575
January 26, 2013, 05:16:52 PM, #8

ASICs will hurt these botnet guys hardcore; they'll probably switch over to PPC once that happens.

webosftw
January 26, 2013, 06:26:15 PM, #9

ACIS will hurt these botnet guys hardcore, they'll probably switch over to ppc once that happens.
Do you really think so? I saw a guy mining 40GH/s with a 10k net.

detro
January 29, 2013, 04:22:08 PM, #10

As a Security Analyst at a large MSSP and someone who is very active in info-sec, I can certainly verify that many of these botnets are in existence and we have caught quite a few of them. ZeroAccess is the BTC baron of the botnet world currently, due to it being pushed by almost every up-to-date Exploit Kit around today and being extremely difficult to track as well as remove.

For those who are familiar with exploit kits, feel free to skip this paragraph:
Exploit Kits serve numerous exploits to a user when visiting a site, utilizing recent exploits which target Java, Adobe Flash, Reader, Firefox, Internet Explorer and Windows in general. You can read more about them here: https://krebsonsecurity.com/?s=exploit+kit&x=0&y=0 Simply scroll down for the latest news on Exploit Kits, the creators behind them and the arsenal of exploits they will use against you to install their malicious payload. Naked Security goes more into ZeroAccess in depth here http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/ and Sophos's article on ZeroAccess and mining is at http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf .

Now, aside from the ones utilizing ZeroAccess, we have tons of other black hats utilizing other bot types with a bitcoin mining payload alongside their keyloggers, form grabbers, ACH transaction browser MITM setups and whatever other plugins or payloads they decide to add. Many of the Bitcoin botnets we have found will utilize SSH, RDP and VNC scanners once they compromise the host, which check for a few basic account names and passwords while scanning for more victims.

A fellow colleague in info-sec runs a site on which he disassembles these botnets and posts their details, such as the gateway, the command and control servers it is using, bitcoin mining information and the landing pages. If you browse the site @ exposedbotnets.com and go through a few posts you will come across details like the ones pasted below, which he has gleaned from their insecure botnet setups. I am only allowed to publicly post about the ones I catch via my own Honeypot / HoneyClient at home and not the numerous ones we have found at work.
Not to mention that most of the botnet operators have gotten smart enough to proxy the traffic back to the mining pools. Keep in mind I have removed any information regarding the botnets' landing pages or infection vectors, simply some bitcoin info recently gleaned, and yes, I did star out **** a racial slur in one of these d-bags' worker names.

Botnet Server:  zeonyx

Some bitcoin mining infos:
http://Slinky:abc123@pool.bitclockers.com:8332
http://Zeroexe7_Zero8:n*****1@eu.triplemining.com:8344
http://Zeroexe7_Indian:n*****1@us2.eclipsemc.com:8337


Botnet Server:   gwassnet

I'm going to guess this is the same guy as the other gwass domain.
Also, bitcoin mining info: http://Hung:28787@pool.bitclockers.com:8332

Personally we have seen many using 50btc, bitclockers and the ones listed above.

I'd love to know if anyone who has experience running a pool could help me think of ways to track down botnet-related mining activity and find a way to stop it. And yes, I know once the ASIC fairy comes and blesses us all with new rigs this won't be an issue, except many of the more sophisticated samples we are finding and unable to track back to the pool are utilizing GPU mining as well, with some code that looks like it may have been borrowed from the bitminter client.

So as I said earlier if any pool operators have suggestions on tracking these rogue BTC botnets via other methods feel free to shoot me a PM.

Thanks,
detro

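A pool-side check in the spirit of what detro asks for, combined with zvs's earlier hint to look at workers in the 10-25 MHash band. This is an added illustration, not code from any poster or pool in the thread: it scans constructed share-log lines (the field layout, thresholds and account names are my assumptions) and flags accounts whose single worker credential reports CPU-class hashrates from many distinct IP addresses, the pattern a bot fleet sharing one pool login would leave.

```python
from collections import defaultdict

# Constructed sample share log (not real pool data): unix time, account.worker,
# submitting IP, miner-reported hashrate in MH/s. Field layout is an assumption.
SAMPLE_SHARES = """\
1359000001 alice.rig1 203.0.113.5 950.0
1359000002 alice.rig2 203.0.113.5 1020.0
1359000003 bob.w 198.51.100.10 18.2
1359000004 bob.w 198.51.100.11 14.9
1359000005 bob.w 198.51.100.12 22.7
1359000006 bob.w 198.51.100.13 11.3
1359000007 bob.w 198.51.100.14 19.8
1359000009 carol.gpu 192.0.2.7 420.0
"""

LOW_HASH_MIN, LOW_HASH_MAX = 10.0, 25.0  # the 10-25 MHash band mentioned upthread
MIN_DISTINCT_IPS = 5                     # one credential seen from this many hosts
LOW_BAND_FRACTION = 0.8                  # share of submissions that must sit in the band

def parse_shares(text):
    """Parse share-log lines into (ts, account, worker, ip, mhs) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, worker, ip, mhs = line.split()
        rows.append((int(ts), worker.split(".", 1)[0], worker, ip, float(mhs)))
    return rows

def suspicious_accounts(rows, lo=LOW_HASH_MIN, hi=LOW_HASH_MAX,
                        min_ips=MIN_DISTINCT_IPS, min_frac=LOW_BAND_FRACTION):
    """Return {account: (distinct_ip_count, low_band_fraction)} for accounts whose
    credential is reused across many hosts that all report CPU-class hashrates."""
    ips, total, low = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, account, _, ip, mhs in rows:
        ips[account].add(ip)
        total[account] += 1
        if lo <= mhs <= hi:
            low[account] += 1
    flagged = {}
    for account, hosts in ips.items():
        frac = low[account] / total[account]
        if len(hosts) >= min_ips and frac >= min_frac:
            flagged[account] = (len(hosts), round(frac, 2))
    return flagged

if __name__ == "__main__":
    for acct, (n, frac) in suspicious_accounts(parse_shares(SAMPLE_SHARES)).items():
        print(f"{acct}: {n} distinct IPs, {frac:.0%} of shares at {LOW_HASH_MIN}-{LOW_HASH_MAX} MH/s")
```

A single home CPU miner also sits in that band, so the IP-diversity threshold is what separates a fleet from a hobbyist; a flagged account is a lead to review, not proof.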
zvs
January 29, 2013, 04:28:13 PM, #11

Exploit Kits serve numerous exploits to a user when visiting a site utilizing recent exploits which target Java , Adobe Flash, Reader, Firefox, Internet Explorer and Windows in General, you can read more about them here, https://krebsonsecurity.com/?s=exploit+kit&x=0&y=0 Simply scroll down for the latest news on Exploit Kits, the creators behind them and the arsenal of exploits they will use against you to install their malicious payload. Naked Security goes more into ZeroAccess in-depth here http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/ and Sopho's article on ZeroAccess and mining http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf .
java and adobe flash are the devil.

though I haven't had anything worse than Realplayer (what a PoS that is nowadays) in the last 15 years or so *knock on wood*

just watching my facebook feed, it's easy to see how many people will randomly click on links

(and watching w00tw00t spam)

crazyates
January 29, 2013, 04:43:46 PM, #12

Exploit Kits serve numerous exploits to a user when visiting a site utilizing recent exploits which target Java , Adobe Flash, Reader, Firefox, Internet Explorer and Windows in General, you can read more about them here, https://krebsonsecurity.com/?s=exploit+kit&x=0&y=0 Simply scroll down for the latest news on Exploit Kits, the creators behind them and the arsenal of exploits they will use against you to install their malicious payload. Naked Security goes more into ZeroAccess in-depth here http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/ and Sopho's article on ZeroAccess and mining http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf .
java and adobe flash are the devil.

though I haven't had anything worse than Realplayer (what a PoS that is nowadays) in the last 15 years or so *knock on wood*

just watching my facebook feed, it's easy to see how many people will randomly click on links

(and watching w00tw00t spam porn)
FTFY

Hippie Tech (aka Amenstop)
January 29, 2013, 10:10:23 PM, #13

Thank you for the info, Detro.

I hope there will soon be a way to detect and stop them without having to manually monitor each GPU/miner for lost hash power.

pEACe

bowen151
February 04, 2013, 01:21:21 PM, #14

Unless I'm mistaken, you can rent out botnets if you trawl through the underwebs enough. Payment is taken in, yes, that's right, you guessed it... bitcoin.
