Bitcoin Forum
Topic: Bitcoin miner virus/malware found in the wild

bluikster (Newbie), October 11, 2011, 07:08:46 AM, #1

Hi, I had to create an account to tell/warn/spread awareness about this.

There seems to be a "bitcoin miner malware" spreading. One office PC had its CPU at 100% pretty much constantly if the network was connected. There is one good Google hit about it and a few Chinese/Japanese Google hits that do not have anything interesting.

There is a process "ping.exe" running under svchost, with command line:
"C:\WINDOWS\System32\ping.exe" -g no -t 1 -o httX://re********-startup.com:8344/ -u *** -p *********
The "re********-startup.com" resolves at the moment to:
re********-startup.com has address 38.99.169.85
re********-startup.com has address 38.99.169.86
re********-startup.com has address 38.99.169.87
re********-startup.com has address 184.82.193.155

I have censored the address. If people think it is a good idea to publicize it, I can. The censored username/pass I will not publicize.

Someone already noticed it a few weeks back. See for details:
http://www.virustotal.com/file-scan/report.html?id=f2868ba54f077bf77f24d36648e5a631ad7a672cbbaf18a2dcb3bced94ccbd00-1316899029

But the poster did not notice the obvious connection to bitcoin!

I have the binary soon and will do some analysis on it. I am an IT professional with a little experience in doing binary analysis.
I believe I am the first one to find this one out; does anyone have estimates of how widespread this is?

I am not familiar with mining but do the command line switches look familiar to some public miner?
bluikster (Newbie), October 11, 2011, 08:42:15 AM, #2

After initial looks:
- the ping.exe binary itself seems pretty unremarkable
- it loads a miner called "bitcoin-miner", Ufasoft's miner; I will find from where so I have all the files I need and can wipe the old system

"Generated by Ufasoft VLIW compiler" - it uses GPU also, I bet someone is making nice amount of bitcoins with these.
nmat (Hero Member), October 11, 2011, 08:54:16 AM, #3

It's CGMiner.

bluikster (Newbie), October 11, 2011, 09:04:45 AM, #4

Quote from nmat: It's CGMiner.


I edited above; the evidence seems to point to "Ufasoft's miner". I will check about CGMiner also, thank you.
edit: definitely Ufasoft's miner; the command line usage matches, as do all the other strings about Ufasoft.

Now if I could just find where the files this gets loaded from are.. Anyone with better malware analysis skills want to help me? I have forgotten most of my olly skills..
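A defender-side check for the pattern bluikster describes in posts #1 and #4 (a process named ping.exe, spawned under svchost, whose command line carries miner options such as -o pool URL, -u and -p). This is an added example, not code from the thread or from any miner; the Windows ping option list, the "odd parent" names and the sample command lines are constructed assumptions.

```python
import re

# Options documented for Windows ping.exe (assumed subset; extend for your build).
PING_OPTIONS = {"-t", "-a", "-n", "-l", "-f", "-i", "-v", "-r", "-s",
                "-j", "-k", "-w", "-R", "-S", "-4", "-6"}
# Miner-style "-o" value: scheme, host and an explicit port (8344 in the thread).
POOL_URL = re.compile(r"^(https?|stratum\+tcp)://[^/\s:]+:\d{2,5}(/|$)", re.I)
# Parents that do not normally spawn ping.exe (assumption for this example).
ODD_PARENTS = {"svchost.exe", "services.exe"}

def tokenize(cmdline):
    """Split a Windows command line, honouring double-quoted arguments."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def options_of(tokens):
    """Map each '-flag' to the value that follows it ('' when the flag is bare)."""
    opts = {}
    for i, tok in enumerate(tokens[1:], start=1):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            opts[tok] = "" if nxt.startswith("-") else nxt
    return opts

def classify(cmdline, parent=""):
    """Return the reasons a process looks like a miner hiding behind ping.exe.

    An empty list means nothing suspicious was found in the command line."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    opts = options_of(tokens)
    reasons = []
    if POOL_URL.match(opts.get("-o", "")):
        reasons.append("pool-style -o URL with explicit port")
    if "-u" in opts and "-p" in opts:
        reasons.append("worker credentials passed with -u/-p")
    if image == "ping.exe":
        unknown = sorted(o for o in opts if o not in PING_OPTIONS)
        if unknown:
            reasons.append("options not valid for ping.exe: " + " ".join(unknown))
        if parent.lower() in ODD_PARENTS:
            reasons.append("ping.exe spawned by " + parent)
    return reasons

if __name__ == "__main__":
    # Constructed sample modelled on the thread's command line, with a placeholder pool host.
    sample = '"C:\\WINDOWS\\System32\\ping.exe" -g no -t 1 -o http://pool.example.invalid:8344/ -u worker -p secret'
    for reason in classify(sample, parent="svchost.exe"):
        print("suspicious:", reason)
```

Feed it the Name, CommandLine and parent image of each running process from your inventory tool; a genuine ping.exe invocation such as `ping -t 10.0.0.1` produces no findings.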
zakna (Newbie), October 17, 2011, 11:02:48 PM, #5

I have the same problem, I want to get rid of that crap.... The only temporary solution for me was to disable the ping.exe process.
