Bitcoin Forum
December 11, 2016, 04:11:20 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Bitcoin miner virus/malware found in the wild  (Read 3673 times)
bluikster
Newbie
*
Offline Offline

Activity: 3


View Profile
October 11, 2011, 07:08:46 AM
 #1

Hi, I had to create an account to tell/warn/spread awareness about this.

There seems to be a "bitcoin miner malware" spreading. One office PC had its CPU at 100% pretty much constantly if network was connected. There is one good Google hit about it and a few Chinese/Japanese Google hits that do not have anything interesting.

There is a process "ping.exe" running under svchost, with command line:
"C:\WINDOWS\System32\ping.exe" -g no -t 1 -o httX://re********-startup.com:8344/ -u *** -p *********
The "re********-startup.com" resolves at the moment to:
re********-startup.com has address 38.99.169.85
re********-startup.com has address 38.99.169.86
re********-startup.com has address 38.99.169.87
re********-startup.com has address 184.82.193.155

I have censored the address. If people think it is a good idea to publicize it, I can. The censored username/pass I will not publicize.

Someone already have noticed it few weeks back. See for details:
http://www.virustotal.com/file-scan/report.html?id=f2868ba54f077bf77f24d36648e5a631ad7a672cbbaf18a2dcb3bced94ccbd00-1316899029

But the poster did not notice the obvious connection to bitcoin!

I have the binary soon and will do some analysis on it. I am an IT professional with a little experience in doing binary analysis.
I believe I am the first one to find this one out, does anyone have estimates how wide-spread this is?

I am not familiar with mining but do the command line switches look familiar to some public miner?
1481429480
Hero Member
*
Offline Offline

Posts: 1481429480

View Profile Personal Message (Offline)

Ignore
1481429480
Reply with quote  #2

1481429480
Report to moderator
1481429480
Hero Member
*
Offline Offline

Posts: 1481429480

View Profile Personal Message (Offline)

Ignore
1481429480
Reply with quote  #2

1481429480
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
bluikster
Newbie
*
Offline Offline

Activity: 3


View Profile
October 11, 2011, 08:42:15 AM
 #2

After initial looks:
- the ping.exe binary itself seems pretty unremarkable
- it loads a miner called "bitcoin-miner" ufasoft's miner, I will find from where so I have all the files I need and can wipe the old system

"Generated by Ufasoft VLIW compiler" - it uses GPU also, I bet someone is making nice amount of bitcoins with these.
nmat
Hero Member
*****
Offline Offline

Activity: 602


View Profile
October 11, 2011, 08:54:16 AM
 #3

It's CGMiner.

bluikster
Newbie
*
Offline Offline

Activity: 3


View Profile
October 11, 2011, 09:04:45 AM
 #4

It's CGMiner.


I edited above, the evidence seems to point to "Ufasoft's miner". I will check about CGMiner also, thank you.
edit: definitely Ufasoft's miner, the command line usage matches as does all the other strings about Ufasoft.

Now if I could just find where are the files this gets loaded from.. Anyone with better malware analysis want to help me? I have forgotten most of my olly skills..
zakna
Newbie
*
Offline Offline

Activity: 1


View Profile
October 17, 2011, 11:02:48 PM
 #5

i have the same problem i want to get rid of that crap .... only temporary soluce for me was to disable the ping.exe process

ShareCoin:SjJVKS3c6UZMC85HViTWHiQMwpWtTuba94
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!