Bitcoin Forum
Author Topic: Bitcoin miner virus/malware found in the wild  (Read 3694 times)
bluikster (Newbie, Activity: 3)
October 11, 2011, 07:08:46 AM  #1

Hi, I had to create an account to tell/warn/spread awareness about this.

There seems to be a "bitcoin miner malware" spreading. One office PC had its CPU at 100% pretty much constantly if the network was connected. There is one good Google hit about it and a few Chinese/Japanese Google hits that do not have anything interesting.

There is a process "ping.exe" running under svchost, with command line:
"C:\WINDOWS\System32\ping.exe" -g no -t 1 -o httX://re********-startup.com:8344/ -u *** -p *********
The "re********-startup.com" resolves at the moment to:
re********-startup.com has address 38.99.169.85
re********-startup.com has address 38.99.169.86
re********-startup.com has address 38.99.169.87
re********-startup.com has address 184.82.193.155

I have censored the address. If people think it is a good idea to publicize it, I can. The censored username/pass I will not publicize.

Someone already noticed it a few weeks back. See for details:
http://www.virustotal.com/file-scan/report.html?id=f2868ba54f077bf77f24d36648e5a631ad7a672cbbaf18a2dcb3bced94ccbd00-1316899029

But the poster did not notice the obvious connection to bitcoin!

I will have the binary soon and will do some analysis on it. I am an IT professional with a little experience in doing binary analysis.
I believe I am the first one to find this out; does anyone have estimates of how widespread this is?

I am not familiar with mining but do the command line switches look familiar to some public miner?
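A quick way to check other machines for the same thing, as an added example that is not part of the original post: the command line above has the shape of a pool miner (a -o pool URL on a non-standard port plus -u/-p credentials) hiding behind a system utility name, with svchost.exe as parent. The script below runs that heuristic over a process listing. The listing format (PID, PPID, image name, command line, tab-separated) and the sample rows are constructed for the example; the ping.exe row reproduces the command line from the post with the same redactions, and the IP list is the one the post reports for the censored domain.

```python
import re
from dataclasses import dataclass

# Constructed sample of a Windows process listing: PID, PPID, image name,
# command line, tab-separated.  One row copies the miner command line from
# the post (redactions kept); the other ping.exe row is a legitimate ping.
SAMPLE_LISTING = """\
4\t0\tSystem\t
612\t4\tsmss.exe\t\\SystemRoot\\System32\\smss.exe
1080\t700\tsvchost.exe\tC:\\WINDOWS\\System32\\svchost.exe -k netsvcs
2416\t1080\tping.exe\t"C:\\WINDOWS\\System32\\ping.exe" -g no -t 1 -o httX://re********-startup.com:8344/ -u *** -p *********
3020\t2900\tping.exe\tping -t 10.0.0.1
3100\t2900\tcmd.exe\t"C:\\WINDOWS\\System32\\cmd.exe"
"""

# Pool-miner argument shape seen in the post: -o <scheme>://<host>:<port>/
# followed somewhere by -u <user> and -p <pass>.
POOL_URL_RE = re.compile(r"-o\s+\S+://[^\s/]+:(\d+)/?", re.I)
CRED_FLAGS_RE = re.compile(r"\s-u\s+\S+.*\s-p\s+\S+", re.I)

# Addresses the censored domain resolved to at the time of the post.
IOC_IPS = {"38.99.169.85", "38.99.169.86", "38.99.169.87", "184.82.193.155"}

# System utilities that have no business taking pool credentials.
SYSTEM_UTILITIES = {"ping.exe", "svchost.exe", "cmd.exe"}


@dataclass
class Finding:
    pid: int
    ppid: int
    name: str
    reasons: list


def parse_listing(text):
    """Turn the tab-separated listing into (pid, ppid, name, cmdline) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, name, cmd = line.split("\t", 3)
        rows.append((int(pid), int(ppid), name, cmd))
    return rows


def find_miners(text):
    """Return a Finding for every process whose command line looks like a pool miner."""
    rows = parse_listing(text)
    by_pid = {r[0]: r for r in rows}
    findings = []
    for pid, ppid, name, cmd in rows:
        reasons = []
        m = POOL_URL_RE.search(cmd)
        if m:
            reasons.append(f"pool URL on port {m.group(1)}")
        if CRED_FLAGS_RE.search(cmd):
            reasons.append("pool credentials (-u/-p) on command line")
        if not reasons:
            continue  # a plain "ping -t host" never gets this far
        if name.lower() in SYSTEM_UTILITIES:
            reasons.append(f"system utility name {name} with miner-style arguments")
        parent = by_pid.get(ppid)
        if parent and parent[2].lower() == "svchost.exe":
            reasons.append("parent is svchost.exe")
        if any(ip in cmd for ip in IOC_IPS):
            reasons.append("known pool IP in command line")
        findings.append(Finding(pid, ppid, name, reasons))
    return findings


if __name__ == "__main__":
    for f in find_miners(SAMPLE_LISTING):
        print(f"PID {f.pid} (parent {f.ppid}) {f.name}: " + "; ".join(f.reasons))
```

The two regexes are the load-bearing part: a pool URL with an explicit port after -o, and -u/-p after it, is what separates the miner row from the legitimate "ping -t" row, which shares the -t flag. The svchost.exe parent and the IP set are corroboration only; the domain itself is censored in the post, so it is not matched here.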
bluikster (Newbie, Activity: 3)
October 11, 2011, 08:42:15 AM  #2

After initial looks:
- the ping.exe binary itself seems pretty unremarkable
- it loads a miner called "bitcoin-miner", Ufasoft's miner; I will find out from where, so I have all the files I need and can wipe the old system

"Generated by Ufasoft VLIW compiler" - it also uses the GPU; I bet someone is making a nice amount of bitcoins with these.
nmat (Hero Member, Activity: 602)
October 11, 2011, 08:54:16 AM  #3

It's CGMiner.

bluikster (Newbie, Activity: 3)
October 11, 2011, 09:04:45 AM  #4

> It's CGMiner.

I edited above; the evidence seems to point to Ufasoft's miner. I will check CGMiner also, thank you.
edit: definitely Ufasoft's miner; the command line usage matches, as do all the other strings about Ufasoft.

Now if I could just find where the files this gets loaded from are... Anyone with better malware analysis skills want to help me? I have forgotten most of my Olly skills...
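The identification in #2 and #4 rests on two things: compiler/product strings in the dropped binary, and the flags in its usage text matching the flags on the observed command line. The script below does both checks over a byte blob, as an added example that is not part of the thread. The blob is constructed for the example (a few printable fragments between junk bytes); the Ufasoft strings are the ones the posts report, while the single "cgminer" indicator for the other candidate raised in the thread is an assumption, included only to show how a second family would be told apart.

```python
import re

# Printable runs of at least `min_len` bytes, like `strings` would print.
PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"

# Indicator strings per miner family.  The Ufasoft entries come from the
# thread; the cgminer entry is an assumed indicator for the other candidate.
MINER_INDICATORS = {
    "Ufasoft bitcoin-miner": [b"Ufasoft", b"bitcoin-miner", b"VLIW compiler"],
    "cgminer": [b"cgminer"],
}

# The argument string observed in the thread (redactions kept).
OBSERVED_ARGS = "-g no -t 1 -o httX://re********-startup.com:8344/ -u *** -p *********"

# Constructed stand-in for the dropped miner: junk bytes with the reported
# compiler banner and a usage line listing the flags seen in OBSERVED_ARGS.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"Generated by Ufasoft VLIW compiler\x00"
    + b"\x17\x9a\x01"
    + b"bitcoin-miner [-o url] [-u user] [-p pass] [-t threads] [-g yes|no]\x00"
    + b"\xff" * 16
)

# A single-letter flag not glued to a preceding word or dash, so "-s" inside
# "re********-startup" and "-m" inside "bitcoin-miner" are not counted.
FLAG_RE = re.compile(r"(?<![\w-])-[a-zA-Z]\b")


def extract_strings(blob, min_len=6):
    """Return the printable ASCII runs in blob, in file order."""
    return [m.group(0).decode("ascii")
            for m in re.finditer(PRINTABLE_RUN % min_len, blob)]


def classify_miner(blob):
    """Map each miner family to the indicator strings found in blob's strings."""
    strings = extract_strings(blob)
    hits = {}
    for family, needles in MINER_INDICATORS.items():
        matched = [n.decode() for n in needles
                   if any(n.decode() in s for s in strings)]
        if matched:
            hits[family] = matched
    return hits


def usage_covers_command_line(blob, cmdline):
    """Do the flags on the observed command line all appear in the binary's usage strings?

    Returns (all_covered, flags_not_documented)."""
    used = set(FLAG_RE.findall(cmdline))
    documented = set()
    for s in extract_strings(blob):
        documented |= set(FLAG_RE.findall(s))
    missing = used - documented
    return (not missing), missing


if __name__ == "__main__":
    print(classify_miner(SAMPLE_BLOB))
    print(usage_covers_command_line(SAMPLE_BLOB, OBSERVED_ARGS))
```

The flag comparison is deliberately one-directional: every flag the dropper passes must be documented by the binary, but the binary may document more. A mismatch (a flag used but not documented) is a sign the command line belongs to a different program than the one being examined, which is the kind of evidence that settled the CGMiner-or-Ufasoft question above.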
zakna (Newbie, Activity: 1)
October 17, 2011, 11:02:48 PM  #5

I have the same problem and I want to get rid of that crap... The only temporary solution for me was to disable the ping.exe process.

ShareCoin:SjJVKS3c6UZMC85HViTWHiQMwpWtTuba94