In the past we’ve reported a couple of attacks involving malware that turns affected systems into Bitcoin miners, and we also said that cybercriminals will increasingly do so in the future. Recently we encountered another piece of malware, from a familiar and known malware family, that turns the system into a Bitcoin miner.
TDL4 is a well-known variant of the TDSS malware family, known for evading detection by antivirus products by infecting affected systems’ boot sector. We’ve been monitoring developments related to TDSS, and earlier this year we saw TDL4 exhibit propagation routines through a worm component that Trend Micro detects as WORM_OTORUN.ASH.
In our research we found that recent variants of WORM_OTORUN.ASH contain code that attempts to participate in a Bitcoin pool, Deepbit.
The screenshot in Figure 1 shows some parameters that include “getwork”, which is a parameter to get a job from the mining pool. A job is a Bitcoin block header which the miner (in this case, the affected system) hashes in order to earn a Bitcoin share. In Bitcoin pools, users sign up and join a network of miners to work on the same jobs for faster payout.
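As an added example (not part of the original post and not Trend Micro's tooling), the sketch below flags hosts whose outbound HTTP POST bodies are JSON-RPC "getwork" calls, the request described above. The log tuples, host addresses and threshold are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample: (source host, HTTP method, request body) tuples as a
# proxy or network sensor might record them. Hosts and bodies are made up.
SAMPLE_REQUESTS = [
    ("10.0.0.21", "POST", '{"method": "getwork", "params": [], "id": 1}'),
    ("10.0.0.21", "POST",
     '{"id": 2, "method": "getwork", "params": ["' + "00" * 128 + '"]}'),
    ("10.0.0.35", "POST", '{"method": "getinfo", "params": [], "id": 1}'),
    ("10.0.0.35", "GET", ""),
    ("10.0.0.40", "POST", "user=alice&comment=getwork"),  # not JSON-RPC
    ("10.0.0.21", "POST", '[{"method": "getwork", "params": [], "id": 3}]'),
]


def classify_getwork(body):
    """Return 'request', 'submit' or None for one HTTP request body."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None  # form data, empty bodies and other non-JSON content
    # Tolerate a JSON array of calls as well as a single call object.
    calls = doc if isinstance(doc, list) else [doc]
    for call in calls:
        if not isinstance(call, dict) or call.get("method") != "getwork":
            continue
        params = call.get("params") or []
        # Empty params asks the pool for a job; a single hex string hands
        # a hashed block header back to the pool.
        if isinstance(params, list) and len(params) == 1 \
                and isinstance(params[0], str):
            return "submit"
        return "request"
    return None


def getwork_hosts(requests, threshold=2):
    """Map each source host to its getwork call count, if >= threshold."""
    counts = Counter()
    for src, method, body in requests:
        if method == "POST" and classify_getwork(body):
            counts[src] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in getwork_hosts(SAMPLE_REQUESTS).items():
        print(f"{host}: {n} getwork calls")
```

Matching on the parsed JSON-RPC method rather than the raw string keeps ordinary traffic that merely contains the word "getwork" out of the results.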
Based on Trend Micro™ Smart Protection Network™ data, WORM_OTORUN.ASH’s distribution has expanded to other parts of the globe in the past few months. The Trend Micro™ Smart Protection Network™ constantly analyzes data from the feedback of millions of customers around the world, including geographic distribution of malware. This allows us to monitor how widespread any particular malware is in real time, as well as determine other steps that can be taken to mitigate the threat.
For a clearer illustration, refer to Figure 2 below.
During our monitoring, we have observed as well that WORM_OTORUN.ASH’s command and control (C&C) servers were hosted by dubious Internet Service Providers (ISPs) located in Europe, particularly in Ukraine, Romania, and the Netherlands.

Is There Something New Here?
Not really. Cybercriminals will continue to find ways to monetize their malicious activities, and Bitcoin is just a new way for them to do so. Bitcoin has earned the attention of crooks for several reasons, one of which is the fact that Bitcoin is a direct source of income.
In addition, the concept of pooled mining complements the nature of botnets – multiple zombie PCs contribute to the generation of a Bitcoin block, and the reward will end up at the hands of cybercriminals – at the infected users’ expense.
This proves to be not very good news for victims, as Bitcoin-mining bots will probably eat up infected systems’ resources. On a more positive note, however, Bitcoin mining will compromise the covertness of a malware since the high CPU usage might lead the user to suspect system infection.
As seen in TDL4 and WORM_OTORUN.ASH, it wouldn’t surprise me if Bitcoin mining becomes a trend in today’s botnets. We might just encounter more BOTcoin miners in the near future.