As a Security Analyst at a large MSSP and someone who is very active in Info-sec, I can certainly verify that many of these botnets are in existence and we have caught quite a few of them. Zeroaccess is the BTC baron of the botnet world currently due to it being pushed by almost every very up to date Exploit Kit around today and being extremely difficult to track as well as remove.
For those who are familiar with exploit kits feel free to skip this paragraph:
Exploit Kits serve numerous exploits to a user when visiting a site utilizing recent exploits which target Java , Adobe Flash, Reader, Firefox, Internet Explorer and Windows in General, you can read more about them here,
https://krebsonsecurity.com/?s=exploit+kit&x=0&y=0 Simply scroll down for the latest news on Exploit Kits, the creators behind them and the arsenal of exploits they will use against you to install their malicious payload. Naked Security goes more into ZeroAccess in-depth here
http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/ and Sopho's article on ZeroAccess and mining
http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf .
Now aside from the ones utilizing ZeroAccess we have tons of other black hats utilizing other bot types with a bitcoin mining payload alongside their keylogger's, form grabbers, ACH transaction browser MITM setups and whatever other plugins or payloads they decide to add. Many of the Bitcoin botnets we have found will utilize SSH, RDP and VNC scanners once they compromise the host which checks for a few basic account names and passwords while scanning for more victims.
A fellow colleague in info-sec runs a site in which he disassembles these botnet's and posts their details such as the gateway, command and control servers it is using, bitcoin mining information and the landing pages. If you browse the site @ exposedbotnets.com and go through a few posts you will come across details like the ones pasted below which he has gleamed from their insecure Botnet setups. I am only allowed to publically post about the ones I catch via my own Honeypot / HoneyClient at home and not the numerous ones we have found at work.
Not to mention that most of the botnet operators have gotten smart enough to proxy the traffic back to the mining pools Keep in mind i have removed any information regarding the botnet's landing pages or infection vectors simply some bitcoin info recently gleamed and yes i did star out **** a racial slur for one of these d-bags worker names.
Botnet Server: zeonyx
Some bitcoin mining infos:
http://Slinky:abc123@pool.bitclockers.com:8332http://Zeroexe7_Zero8:n*****1@eu.triplemining.com:8344
http://Zeroexe7_Indian:n*****1@us2.eclipsemc.com:8337
Botnet Server: gwassnet
I'm going to guess this is the same guy as the other gwass domain.
Also, bitcoin mining info:
http://Hung:28787@pool.bitclockers.com:8332 Personally we have seen many using 50btc, bitclockers and the ones listed above.
Id love to know if anyone who has experience running a pool could help me think of ways to track down botnet related mining activity and find a way to stop it. And yes i know once the ASIC fairy comes and blesses us all with new rigs this wont be an issue, except many of the more sophisticated samples we are finding and unable to track back to the pool are utilizing gpu mining as well with some code that looks like it may have been borrowed from the bitminter client.
So as I said earlier if any pool operators have suggestions on tracking these rogue BTC botnets via other methods feel free to shoot me a PM.
Thanks,
detro
