Bitcoin Forum
Author Topic: Wonder who this solominer is? 88.6.216.9  (Read 60437 times)
rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
March 17, 2012, 04:01:39 AM
 #181

85.214.124.168 resolves to h1816161.stratoserver.net.

The following A records are set to 85.214.124.168:
antirechts-team.de, enlight-visuals.de, geknicktemit.de, jas-transport.com, muemmelmann.com

The bolded domain is the only one out of the list that is active. Either the botnet op works there, or (more likely) he has compromised that server to be his pool. Anyone feel like contacting them to see what they say?


EDIT: nvm, stupid he.net search only returning a halfassed set of results. Robtex shows better info, seems that it is a shared host.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Shadow383
Sr. Member
****
Offline Offline

Activity: 336
Merit: 250


View Profile
March 17, 2012, 06:20:45 AM
 #182

One question that comes to mind...

1.3TH/s at current price/difficulty is over $30k per week in bitcoins.
I know it's fairly easy to launder funds through mt gox, but surely if they're selling any significant portion of what they mine there would be red flags somewhere?

I can believe it though, and to be honest I think the problem's only going to get worse  Roll Eyes
Turbor
Legendary
*
Offline Offline

Activity: 1022
Merit: 1000


BitMinter


View Profile WWW
March 17, 2012, 10:05:50 AM
 #183

So far, Sudo is only talking. He refused to point some of his hashpower to BitMinter to back up what he claims !

dizzy1
Full Member
***
Offline Offline

Activity: 134
Merit: 100


View Profile
March 18, 2012, 07:43:54 AM
 #184

Going from the computer names in paste linked, it looks like all the machines are running windows. So this could be the work of a script kiddie and the recent windows rdp exploit.
PulsedMedia
Sr. Member
****
Offline Offline

Activity: 402
Merit: 250


View Profile WWW
March 18, 2012, 07:48:09 AM
 #185

> Going from the computer names in paste linked, it looks like all the machines are running windows. So this could be the work of a script kiddie and the recent windows rdp exploit.

I thought the recent RDP exploit was a mere DDoS, and proof of concept was done ~wednesday, far after it became known ... It's not even been "weaponized" yet, so kinda hard for that exploit ...

http://PulsedMedia.com - Semidedicated rTorrent seedboxes
pieppiep
Hero Member
*****
Offline Offline

Activity: 1596
Merit: 502


View Profile
March 18, 2012, 07:51:04 AM
 #186

> > Going from the computer names in paste linked, it looks like all the machines are running windows. So this could be the work of a script kiddie and the recent windows rdp exploit.
>
> I thought the recent RDP exploit was a mere DDoS, and proof of concept was done ~wednesday, far after it became known ... It's not even been "weaponized" yet, so kinda hard for that exploit ...

Well, you never know if it was found earlier and kept secret to build a strong big botnet.
PulsedMedia
Sr. Member
****
Offline Offline

Activity: 402
Merit: 250


View Profile WWW
March 18, 2012, 08:29:17 AM
 #187

> > > Going from the computer names in paste linked, it looks like all the machines are running windows. So this could be the work of a script kiddie and the recent windows rdp exploit.
> >
> > I thought the recent RDP exploit was a mere DDoS, and proof of concept was done ~wednesday, far after it became known ... It's not even been "weaponized" yet, so kinda hard for that exploit ...
>
> Well, you never know if it was found earlier and kept secret to build a strong big botnet.

Very much true, but still a denial of service exploit does not give full access ... So in this case it's not the case.

http://PulsedMedia.com - Semidedicated rTorrent seedboxes
pieppiep
Hero Member
*****
Offline Offline

Activity: 1596
Merit: 502


View Profile
March 18, 2012, 08:41:28 AM
 #188

> > > > Going from the computer names in paste linked, it looks like all the machines are running windows. So this could be the work of a script kiddie and the recent windows rdp exploit.
> > >
> > > I thought the recent RDP exploit was a mere DDoS, and proof of concept was done ~wednesday, far after it became known ... It's not even been "weaponized" yet, so kinda hard for that exploit ...
> >
> > Well, you never know if it was found earlier and kept secret to build a strong big botnet.
>
> Very much true, but still a denial of service exploit does not give full access ... So in this case it's not the case.

http://technet.microsoft.com/en-us/security/bulletin/ms12-020
On this webpage it says "Vulnerabilities in Remote Desktop Could Allow Remote Code Execution"
PulsedMedia
Sr. Member
****
Offline Offline

Activity: 402
Merit: 250


View Profile WWW
March 18, 2012, 08:43:58 AM
 #189

> http://technet.microsoft.com/en-us/security/bulletin/ms12-020
> On this webpage it says "Vulnerabilities in Remote Desktop Could Allow Remote Code Execution"

Ok, i think i recalled wrong :/

http://PulsedMedia.com - Semidedicated rTorrent seedboxes
Isokivi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1000


Items flashing here available at btctrinkets.com


View Profile WWW
March 18, 2012, 02:10:44 PM
 #190

I've been watching this thread for a while and today came up with a way to possibly confirm if this new miner indeed is a botnet, I e-mailed an active researcher in a major company dealing in antiviral/security-software, I have no way of knowing if the mail will ever be even read or responded to. However should I get a reply I will be reporting in.

Bitcoin trinkets now on my online store: btc trinkets.com <- Bitcoin Tiepins, cufflinks, lapel pins, keychains, card holders and challenge coins.
ArticMine
Legendary
*
Offline Offline

Activity: 2282
Merit: 1050


Monero Core Team


View Profile
March 18, 2012, 04:06:27 PM
 #191

This is what I'm looking at:
http://bitcoin.sipa.be/speed-lin-2k.png

And obviously not the 8 hour avg green line, but the 3 day estimate. Though variability is high enough to make firm conclusions impossible, it's not quite what you'd expect if 1.3 TH joined the network out of the blue. There is no spike up, it's flat or down best I can tell.

DrHaribo did have another hypothesis; rather than stealing blocks he suggested it might be possible for an attacker with a botnet to intercept a % of winning blocks of other pools to keep difficulty down. That would show up in stats eventually, but made me wonder why we aren't using HTTPS on our miners to prevent such sabotage in the first place.

One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be:
- It would affect all pools and solo miners running infected Microsoft Windows
- No increase in overall network hashrate or difficulty
- A significant drop in reward vs expected reward as shown for example by Bitminter https://bitminter.com/stats/rewards
- Zero transaction blocks as a way of minimizing the risk of detection
- Infected machines not mining Bitcoins can be used for other illegal activities

One way to test this is for the larger pool operators to test if miners using GNU / Linux are statistically "luckier" than those using Microsoft Windows.

Concerned that blockchain bloat will lead to centralization? Storing less than 4 GB of data once required the budget of a superpower and a warehouse full of punched cards. https://upload.wikimedia.org/wikipedia/commons/8/87/IBM_card_storage.NARA.jpg https://en.wikipedia.org/wiki/Punched_card
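
The luck comparison ArticMine proposes can be run as an exact binomial test on a pool's own share and block counts. This is an added example, not part of the original post or any pool's code; the function names, share counts, block counts and difficulty are constructed for illustration.

```python
from math import comb

def binom_cdf(k: int, n: int, p: float) -> float:
    # Exact P(X <= k) for X ~ Binomial(n, p)
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))

def luck(shares: int, blocks: int, difficulty: float) -> float:
    # Blocks found divided by blocks expected (difficulty-1 shares assumed)
    return blocks / (shares / difficulty)

def windows_unlucky_pvalue(win, lin) -> float:
    # win and lin are (shares, blocks) tuples for each operating-system group.
    # If luck is equal, each block the pool found came from a Windows miner
    # with probability equal to the Windows fraction of submitted shares.
    p = win[0] / (win[0] + lin[0])
    return binom_cdf(win[1], win[1] + lin[1], p)

def report(win, lin, difficulty, alpha=0.01):
    pval = windows_unlucky_pvalue(win, lin)
    return {
        "luck_windows": luck(win[0], win[1], difficulty),
        "luck_linux": luck(lin[0], lin[1], difficulty),
        "p_value": pval,
        "flag": pval < alpha,  # True: Windows miners are improbably unlucky
    }

if __name__ == "__main__":
    DIFFICULTY = 1_500_000  # constructed value
    # Constructed counts: Windows expects 60 blocks, Linux expects 40
    print(report((90_000_000, 58), (60_000_000, 41), DIFFICULTY))
    print(report((90_000_000, 28), (60_000_000, 41), DIFFICULTY))
```

A low p-value only says the Windows group found fewer blocks than its share count predicts; it does not identify the cause.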
DeepBit
Donator
Hero Member
*
Offline Offline

Activity: 532
Merit: 501


We have cookies


View Profile WWW
March 18, 2012, 04:11:48 PM
 #192

> One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.

It's impossible unless this malware also provides all those miners with work too.

Welcome to my bitcoin mining pool: https://deepbit.net ~ 3600 GH/s, Both payment schemes, instant payout, no invalid blocks !
Coming soon: ICBIT Trading platform
roomservice
Full Member
***
Offline Offline

Activity: 199
Merit: 100



View Profile
March 18, 2012, 04:21:25 PM
 #193

You still wonder who this is? Ok, let me quote myself  Smiley

> I bet this company here is testing one of their fpga/asic products: http://www.sevensols.com/
>
> It's located in Granada, Spain. That's where the ip is from.

"Tonight's the night. And it's going to happen again, and again. It has to happen. Nice night."
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
March 18, 2012, 04:21:39 PM
 #194

> I bet this company here is testing one of their fpga/asic products: http://www.sevensols.com/
>
> It's located in Granada, Spain. That's where the ip is from.

Hmm, Granada. Lots of sun. All the mountains around are full of windmills. Maybe someone's making good use of surpluses from wind/solar?

EDIT: tried to read the thread, but it's too long. Is there consensus it was/is sevensols?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
ArticMine
Legendary
*
Offline Offline

Activity: 2282
Merit: 1050


Monero Core Team


View Profile
March 18, 2012, 04:27:55 PM
 #195

> > One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
>
> It's impossible unless this malware also provides all those miners with work too.

If the malware also provides work effectively stealing a portion of the hash rate it would still have the impact I mentioned. It would appear to the pool that it is taking longer to solve the block.

Concerned that blockchain bloat will lead to centralization? Storing less than 4 GB of data once required the budget of a superpower and a warehouse full of punched cards. https://upload.wikimedia.org/wikipedia/commons/8/87/IBM_card_storage.NARA.jpg https://en.wikipedia.org/wiki/Punched_card
rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
March 18, 2012, 04:32:07 PM
 #196

> > > One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
> >
> > It's impossible unless this malware also provides all those miners with work too.
>
> If the malware also provides work effectively stealing a portion of the hash rate it would still have the impact I mentioned.

Couldn't it just intercept golden nonces and discard them? That would cause bad luck, with the same/high hashrate.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Isokivi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1000


Items flashing here available at btctrinkets.com


View Profile WWW
March 18, 2012, 05:51:10 PM
 #197

> I've been watching this thread for a while and today came up with a way to possibly confirm if this new miner indeed is a botnet, I e-mailed an active researcher in a major company dealing in antiviral/security-software, I have no way of knowing if the mail will ever be even read or responded to. However should I get a reply I will be reporting in.

I got a reply:
(translated to English) "We have seen a few bitcoin botnets... I'll check if any match the description."

If it's a botnet then this could potentially mean trouble for it in long run  Grin


Bitcoin trinkets now on my online store: btc trinkets.com <- Bitcoin Tiepins, cufflinks, lapel pins, keychains, card holders and challenge coins.
deepceleron
Legendary
*
Offline Offline

Activity: 1512
Merit: 1028



View Profile WWW
March 18, 2012, 06:27:50 PM
 #198

> > > > One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
> > >
> > > It's impossible unless this malware also provides all those miners with work too.
> >
> > If the malware also provides work effectively stealing a portion of the hash rate it would still have the impact I mentioned.
>
> Couldn't it just intercept golden nonces and discard them? That would cause bad luck, with the same/high hashrate.

When mining, you are doing a brute force hashing of everything that will go into a block. The merkle tree you are hashing includes the address that a block will pay out to if it is found, along with a "coinbase", which is per-worker information added by the pool to make a miner's work unique. You are also hashing all the transactions to be included in the block. Mystery miner's blocks have zero transactions, they are different than a normal pool's blocks.

Because of the pool-specific and worker-specific data included in a block, you cannot simply pick out certain hashes like one that solves a block and send them somewhere else, they would still pay to the original wallet's address as that information is embedded in what is being hashed. If the miners were getting altered work, they could not send it back to the original pool as the shares would be invalid, they would not be hashes of what the pool was requesting.

In order to steal work, the attacker would have to pWN the pool. If you can get into deepbit and silently get 10% of their block finds to pay to your wallet, that's better than just stealing their wallet once. As about half the pools here have been compromised at some point, we see that getting in is possible, but rootkitting and altering pool software to make a continuous undetectable diversion of mining rewards would be more difficult.

> If it's a botnet then this could potentially mean trouble for it in long run  Grin

A yet-undetected botnet seems difficult to believe, it would be on the scale of Zeus2. I have seen no bitcoin bot alerts since Sept 2011 and those were naive trojans. CPU mining my Core 2 Quad (probably faster than the average internet-connected computer) gets 11mhash/s; to get into the 2000ghash/s the miner is likely doing, they would need 200,000 such fulltime botty machines. A CPU+GPU bot would need fewer, but I have a feeling that systems with GPUs running mining-capable drivers that can hash faster than their CPU are in the minority, if we were to survey all Internet-connected machines worldwide.
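
The commitment deepceleron describes, where the payout destination is part of what gets hashed, can be shown with a toy block header. This is an added example, not code from any poster or from Bitcoin software; the coinbase encoding, payout labels, timestamp, bits value and easy target are constructed for illustration.

```python
import hashlib
import struct

TARGET = 1 << 240  # constructed easy target (~65k tries); real targets are far lower

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(txids):
    # Bitcoin-style tree: hash pairs, duplicating the last entry of an odd-length level
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def toy_coinbase_txid(payout: bytes, extranonce: int) -> bytes:
    # Simplified stand-in for a coinbase transaction: payout plus per-worker data
    return dsha256(b"coinbase|" + payout + b"|" + struct.pack("<I", extranonce))

def header(root: bytes, nonce: int, prev=b"\x00" * 32, time=1332095270, bits=0x1D00FFFF):
    # 80-byte layout: version, previous hash, merkle root, time, bits, nonce
    return struct.pack("<I", 1) + prev + root + struct.pack("<III", time, bits, nonce)

def meets_target(hdr: bytes, target: int = TARGET) -> bool:
    return int.from_bytes(dsha256(hdr), "little") < target

def mine(root: bytes) -> int:
    for nonce in range(1 << 32):
        if meets_target(header(root, nonce)):
            return nonce
    raise RuntimeError("nonce space exhausted")

def demo():
    other_txs = [dsha256(b"constructed tx %d" % i) for i in range(3)]
    pool_root = merkle_root([toy_coinbase_txid(b"pay-to-pool", 7)] + other_txs)
    swapped_root = merkle_root([toy_coinbase_txid(b"pay-to-other", 7)] + other_txs)
    nonce = mine(pool_root)  # the "golden nonce" found on the pool's work
    return {
        "nonce": nonce,
        "roots_differ": pool_root != swapped_root,
        "valid_for_pool": meets_target(header(pool_root, nonce)),
        "valid_after_payout_swap": meets_target(header(swapped_root, nonce)),
    }

if __name__ == "__main__":
    print(demo())
```

The nonce that solves the pool's header fails once the coinbase pays anywhere else, because the changed coinbase changes the merkle root and therefore the header hash.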
gusti
Legendary
*
Offline Offline

Activity: 1099
Merit: 1000


View Profile
March 18, 2012, 06:33:13 PM
 #199

Could this be a vulnerability, or backdoor introduced by any popular mining software programmer,
which might be stealing and redirecting a % of hashing power ?
(my apologies to all good faith programmers for the accusations pulled out of my ass)

If you don't own the private keys, you don't own the coins.
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
March 18, 2012, 06:35:32 PM
 #200

> > watching
>
> Goat, just click 'notify' instead of posting in the thread to 'watch' it

I just tried this and you must be joking, c_k: that sends emails! I don't want my inbox full of "topic reply: whatever"-messages. I want replies to show up behind the "Show new replies to your posts."-links. Any other way to achieve this than using "subscribe"-posts?

[goes to find out how to remove that notification crap]

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769