rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
March 17, 2012, 04:01:39 AM
85.214.124.168 resolves to h1816161.stratoserver.net.
The following A records are set to 85.214.124.168: antirechts-team.de, enlight-visuals.de, geknicktemit.de, jas-transport.com, muemmelmann.com
The bolded domain is the only one out of the list that is active. Either the botnet op works there, or (more likely) he has compromised that server to be his pool. Anyone feel like contacting them to see what they say?
EDIT: nvm, stupid he.net search only returning a half-assed set of results. Robtex shows better info; seems that it is a shared host.
Shadow383
March 17, 2012, 06:20:45 AM
One question that comes to mind... 1.3 TH/s at current price/difficulty is over $30k per week in bitcoins. I know it's fairly easy to launder funds through Mt. Gox, but surely if they're selling any significant portion of what they mine there would be red flags somewhere? I can believe it though, and to be honest I think the problem's only going to get worse.
Turbor
Legendary
Offline
Activity: 1022
Merit: 1000
BitMinter
March 17, 2012, 10:05:50 AM
So far, Sudo is only talking. He refused to point some of his hashpower to BitMinter to back up what he claims!
dizzy1
March 18, 2012, 07:43:54 AM
Going from the computer names in the paste linked, it looks like all the machines are running Windows. So this could be the work of a script kiddie and the recent Windows RDP exploit.
PulsedMedia
March 18, 2012, 07:48:09 AM
> Going from the computer names in the paste linked, it looks like all the machines are running Windows. So this could be the work of a script kiddie and the recent Windows RDP exploit.

I thought the recent RDP exploit was a mere DDoS, and the proof of concept was done ~Wednesday, far after it became known ... It's not even been "weaponized" yet, so kinda hard for that exploit ...
pieppiep
March 18, 2012, 07:51:04 AM
> > Going from the computer names in the paste linked, it looks like all the machines are running Windows. So this could be the work of a script kiddie and the recent Windows RDP exploit.
> I thought the recent RDP exploit was a mere DDoS, and the proof of concept was done ~Wednesday, far after it became known ... It's not even been "weaponized" yet, so kinda hard for that exploit ...

Well, you never know if it was found earlier and kept secret to build a strong big botnet.
PulsedMedia
March 18, 2012, 08:29:17 AM
> > > Going from the computer names in the paste linked, it looks like all the machines are running Windows. So this could be the work of a script kiddie and the recent Windows RDP exploit.
> > I thought the recent RDP exploit was a mere DDoS, and the proof of concept was done ~Wednesday, far after it became known ... It's not even been "weaponized" yet, so kinda hard for that exploit ...
> Well, you never know if it was found earlier and kept secret to build a strong big botnet.

Very much true, but still a denial of service exploit does not give full access ... So in this case it's not the case.
pieppiep
March 18, 2012, 08:41:28 AM
> > > > Going from the computer names in the paste linked, it looks like all the machines are running Windows. So this could be the work of a script kiddie and the recent Windows RDP exploit.
> > > I thought the recent RDP exploit was a mere DDoS, and the proof of concept was done ~Wednesday, far after it became known ... It's not even been "weaponized" yet, so kinda hard for that exploit ...
> > Well, you never know if it was found earlier and kept secret to build a strong big botnet.
> Very much true, but still a denial of service exploit does not give full access ... So in this case it's not the case.

http://technet.microsoft.com/en-us/security/bulletin/ms12-020
On this webpage it says "Vulnerabilities in Remote Desktop Could Allow Remote Code Execution".
PulsedMedia
March 18, 2012, 08:43:58 AM
OK, I think I recalled wrong :/
Isokivi
March 18, 2012, 02:10:44 PM
I've been watching this thread for a while and today came up with a way to possibly confirm if this new miner indeed is a botnet. I e-mailed an active researcher at a major company dealing in antiviral/security software; I have no way of knowing if the mail will ever even be read or responded to. However, should I get a reply, I will be reporting in.

Bitcoin trinkets now on my online store: btc trinkets.com <- Bitcoin Tiepins, cufflinks, lapel pins, keychains, card holders and challenge coins.

ArticMine
Legendary
Offline
Activity: 2282
Merit: 1050
Monero Core Team
March 18, 2012, 04:06:27 PM
> This is what I'm looking at: http://bitcoin.sipa.be/speed-lin-2k.png And obviously not the 8 hour avg green line, but the 3 day estimate. Though variability is high enough to make firm conclusions impossible, it's not quite what you'd expect if 1.3 TH joined the network out of the blue. There is no spike up, it's flat or down best I can tell. DrHaribo did have another hypothesis; rather than stealing blocks he suggested it might be possible for an attacker with a botnet to intercept a % of winning blocks of other pools to keep difficulty down. That would show up in stats eventually, but made me wonder why we aren't using HTTPS on our miners to prevent such sabotage in the first place.

One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be:
- It would affect all pools and solo miners running infected Microsoft Windows
- No increase in overall network hashrate or difficulty
- A significant drop in reward vs expected reward, as shown for example by Bitminter: https://bitminter.com/stats/rewards
- Zero-transaction blocks as a way of minimizing the risk of detection
- Infected machines not mining Bitcoins can be used for other illegal activities

One way to test this is for the larger pool operators to test if miners using GNU/Linux are statistically "luckier" than those using Microsoft Windows.
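One way a pool operator could run the Linux-vs-Windows "luck" comparison proposed in the post above, as an added example that is not code from the thread or from any pool. It assumes the standard pooled-mining model (a share of difficulty d solves a block with probability d / D at network difficulty D, so a group's block count is roughly Poisson with mean sum(d / D)); the network difficulty, the difficulty-1 shares and the per-worker rows are constructed sample values, not real pool logs.

```python
"""Added example (not from the thread or any pool's code): a per-OS "luck" check
a pool operator could run over their own share log.

Assumed model, standard for pooled mining: a share of difficulty d submitted
while the network difficulty is D solves a block with probability d / D. A
group's expected block count is therefore the sum of d / D over its shares,
and its observed count is approximately Poisson with that mean, so the lower
Poisson tail says how often a group would be at least this unlucky by chance.
"""
from collections import defaultdict
from math import exp, lgamma, log

NETWORK_DIFFICULTY = 1_500_000   # assumed, roughly the March 2012 level
SHARE_DIFFICULTY = 1.0           # assumed: the pool hands out difficulty-1 shares

# Constructed per-worker totals for the period: (worker, OS, accepted shares, blocks found).
# The Windows group is built to come in well under its expectation.
SAMPLE_WORKERS = [
    ("w01", "linux",   15_000_000, 11),
    ("w02", "linux",   10_000_000,  6),
    ("w03", "linux",   15_000_000, 10),
    ("w04", "windows", 20_000_000,  9),
    ("w05", "windows", 20_000_000, 10),
    ("w06", "windows", 20_000_000,  9),
]


def poisson_cdf(k: int, lam: float) -> float:
    """P(X <= k) for X ~ Poisson(lam); terms are built in log space so large means don't overflow."""
    if lam <= 0:
        return 1.0
    return sum(exp(-lam + i * log(lam) - lgamma(i + 1)) for i in range(k + 1))


def luck_report(rows, network_difficulty=NETWORK_DIFFICULTY, share_difficulty=SHARE_DIFFICULTY):
    """Aggregate shares and blocks per OS and compare observed blocks with the expectation."""
    work = defaultdict(float)   # OS -> total share difficulty submitted
    found = defaultdict(int)    # OS -> blocks actually found
    for _worker, os_name, n_shares, n_blocks in rows:
        work[os_name] += n_shares * share_difficulty
        found[os_name] += n_blocks
    report = {}
    for os_name, total_difficulty in work.items():
        expected = total_difficulty / network_difficulty
        observed = found[os_name]
        report[os_name] = {
            "expected": expected,
            "observed": observed,
            "luck": observed / expected if expected else float("nan"),
            "p_at_least_this_unlucky": poisson_cdf(observed, expected),
        }
    return report


def flag_unlucky(report, alpha: float = 0.05):
    """Groups whose shortfall would occur by chance less than alpha of the time: worth investigating."""
    return sorted(g for g, r in report.items() if r["p_at_least_this_unlucky"] < alpha)


if __name__ == "__main__":
    rep = luck_report(SAMPLE_WORKERS)
    for g, r in rep.items():
        print(f"{g:8s} expected {r['expected']:6.1f}  found {r['observed']:3d}  "
              f"luck {r['luck']:.2f}  P(<= found) {r['p_at_least_this_unlucky']:.3f}")
    print("flagged:", flag_unlucky(rep))
```

With the constructed rows the Windows group expects 40 blocks and found 28 (luck 0.70, about a 3% chance by luck alone) while the Linux group is on target, so only "windows" is flagged. A flag is a reason to look, not proof of malware: OS is confounded with hardware and miner software, block counts per group are small, so the comparison needs weeks or months of data, and it cannot distinguish block withholding from any other cause of lost solutions.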
DeepBit
Donator
Hero Member
Offline
Activity: 532
Merit: 501
We have cookies
March 18, 2012, 04:11:48 PM
> One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.

It's impossible unless this malware also provides all those miners with work too.

Welcome to my bitcoin mining pool: https://deepbit.net ~ 3600 GH/s, Both payment schemes, instant payout, no invalid blocks ! Coming soon: ICBIT Trading platform

roomservice
March 18, 2012, 04:21:25 PM
You still wonder who this is? OK, let me quote myself:
> I bet this company here is testing one of their FPGA/ASIC products: http://www.sevensols.com/ It's located in Granada, Spain. That's where the IP is from.

"Tonight's the night. And it's going to happen again, and again. It has to happen. Nice night."

molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
March 18, 2012, 04:21:39 PM
> I bet this company here is testing one of their FPGA/ASIC products: http://www.sevensols.com/ It's located in Granada, Spain. That's where the IP is from.

Hmm, Granada. Lots of sun. All the mountains around are full of windmills. Maybe someone's making good use of surpluses from wind/solar?
EDIT: tried to read the thread, but it's too long. Is there consensus it was/is sevensols?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769

ArticMine
Legendary
Offline
Activity: 2282
Merit: 1050
Monero Core Team
March 18, 2012, 04:27:55 PM
> > One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
> It's impossible unless this malware also provides all those miners with work too.

If the malware also provides work, effectively stealing a portion of the hash rate, it would still have the impact I mentioned. It would appear to the pool that it is taking longer to solve a block.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
March 18, 2012, 04:32:07 PM
> > > One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
> > It's impossible unless this malware also provides all those miners with work too.
> If the malware also provides work, effectively stealing a portion of the hash rate, it would still have the impact I mentioned.

Couldn't it just intercept golden nonces and discard them? That would cause bad luck, with the same/high hashrate.
Isokivi
March 18, 2012, 05:51:10 PM
> I've been watching this thread for a while and today came up with a way to possibly confirm if this new miner indeed is a botnet. I e-mailed an active researcher at a major company dealing in antiviral/security software; I have no way of knowing if the mail will ever even be read or responded to. However, should I get a reply, I will be reporting in.

I got a reply (translated to English): "We have seen a few bitcoin botnets... I'll check if any match the description." If it's a botnet then this could potentially mean trouble for it in the long run.
deepceleron
Legendary
Offline
Activity: 1512
Merit: 1036
March 18, 2012, 06:27:50 PM
> > > > One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
> > > It's impossible unless this malware also provides all those miners with work too.
> > If the malware also provides work, effectively stealing a portion of the hash rate, it would still have the impact I mentioned.
> Couldn't it just intercept golden nonces and discard them? That would cause bad luck, with the same/high hashrate.

When mining, you are doing a brute-force hashing of everything that will go into a block. The merkle tree you are hashing includes the address that a block will pay out to if it is found, along with a "coinbase", which is per-worker information added by the pool to make a miner's work unique. You are also hashing all the transactions to be included in the block. Mystery miner's blocks have zero transactions; they are different from a normal pool's blocks.

Because of the pool-specific and worker-specific data included in a block, you cannot simply pick out certain hashes, like one that solves a block, and send them somewhere else; they would still pay to the original wallet's address, as that information is embedded in what is being hashed. If the miners were getting altered work, they could not send it back to the original pool, as the shares would be invalid: they would not be hashes of what the pool was requesting.

In order to steal work, the attacker would have to pwn the pool. If you can get into deepbit and silently get 10% of their block finds to pay to your wallet, that's better than just stealing their wallet once. As about half the pools here have been compromised at some point, we see that getting in is possible, but rootkitting and altering pool software to make a continuous, undetectable diversion of mining rewards would be more difficult.

> If it's a botnet then this could potentially mean trouble for it in the long run.

A yet-undetected botnet seems difficult to believe; it would be on the scale of Zeus2. I have seen no bitcoin bot alerts since Sept 2011, and those were naive trojans. CPU mining on my Core 2 Quad (probably faster than the average internet-connected computer) gets 11 Mhash/s; to get into the 2000 Ghash/s the miner is likely doing, they would need 200,000 such full-time botty machines. A CPU+GPU bot would need fewer, but I have a feeling that systems with GPUs running mining-capable drivers that can hash faster than their CPU are in the minority, if we were to survey all Internet-connected machines worldwide.
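The binding deepceleron describes above, worked through in a toy getwork-style pool and miner; this is an added example, not code from the thread or from any pool. The 80-byte header layout and the merkle tree are Bitcoin's, but the coinbase bytes, payout scripts, previous hash and timestamp are constructed stand-ins (no real transaction serialization), and the easy proof-of-work target is an assumption so the search finishes in a fraction of a second.

```python
"""Added example, not code from the thread or from any pool: a toy getwork-style
pool and miner showing why a block solution is bound to the coinbase payout.

The 80-byte header a miner hashes commits, through the merkle root, to the
coinbase transaction and so to the payout script and the per-worker bytes the
pool put in it. A nonce that solves the pool's work is therefore useless for
any other payout, and work rebuilt with a different payout is work the pool
never issued. Header layout and merkle tree are Bitcoin's; the transaction
bytes and scripts are simplified, constructed stand-ins.
"""
import hashlib
import struct

DEMO_TARGET = 1 << 240                               # assumed easy target: ~16 leading zero bits
PREV_HASH = bytes(32)                                # constructed previous block hash
VERSION, NTIME, NBITS = 1, 1332000000, 0x1D00FFFF    # constructed header fields

# Constructed P2PKH-shaped payout scripts: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
POOL_PAYOUT = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
ATTACKER_PAYOUT = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list) -> bytes:
    """Bitcoin merkle root: hash pairs with double-SHA256, duplicating an odd last node."""
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def coinbase_tx(payout_script: bytes, extranonce: bytes) -> bytes:
    """Stand-in coinbase: the real one carries pool/worker bytes in its input and the payout in its output."""
    return b"COINBASE" + extranonce + struct.pack("<Q", 50 * 10**8) + payout_script


def make_work(payout_script: bytes, extranonce: bytes, txs: list) -> dict:
    """Everything but the nonce: version, prev hash, merkle root, time, bits (76 bytes)."""
    cb = coinbase_tx(payout_script, extranonce)
    root = merkle_root([dsha256(tx) for tx in [cb] + txs])
    prefix = struct.pack("<I", VERSION) + PREV_HASH + root + struct.pack("<II", NTIME, NBITS)
    return {"root": root, "prefix": prefix}


def header_hash_int(header: bytes) -> int:
    """Block hash as the integer the target is compared against (little-endian)."""
    return int.from_bytes(dsha256(header), "little")


def mine(prefix: bytes, target: int, max_nonce: int = 1 << 24):
    """Brute-force the nonce field; returns (nonce, full 80-byte header) or None."""
    for nonce in range(max_nonce):
        header = prefix + struct.pack("<I", nonce)
        if header_hash_int(header) <= target:
            return nonce, header
    return None


class Pool:
    """Minimal getwork-style pool: remembers what it issued and checks submissions against it."""

    def __init__(self, payout_script: bytes):
        self.payout_script = payout_script
        self.issued = {}   # merkle root -> work; the only headers this pool will pay for

    def issue_work(self, worker_id: int, txs=()) -> dict:
        work = make_work(self.payout_script, struct.pack("<I", worker_id), list(txs))
        self.issued[work["root"]] = work
        return work

    def submit(self, header: bytes) -> str:
        root = header[36:68]   # bytes 36..67 of the header are the merkle root
        if root not in self.issued:
            return "rejected: unknown work"      # not a hash of what the pool requested
        if header_hash_int(header) > DEMO_TARGET:
            return "rejected: above target"
        return "accepted"


def demo() -> dict:
    pool = Pool(POOL_PAYOUT)
    work = pool.issue_work(worker_id=7)

    # Honest miner: solves the pool's own work and hands it back.
    _, honest_header = mine(work["prefix"], DEMO_TARGET)

    # Man-in-the-middle: keeps the worker bytes, swaps the payout, feeds the rebuilt
    # work to the miner. Any solution now pays the attacker, and the pool has never
    # seen this merkle root.
    hijacked = make_work(ATTACKER_PAYOUT, struct.pack("<I", 7), [])
    nonce, hijacked_header = mine(hijacked["prefix"], DEMO_TARGET)

    # Replaying the attacker's winning nonce onto the pool's header gives an unrelated
    # hash: the nonce only solves the merkle root it was found under.
    replayed = work["prefix"] + struct.pack("<I", nonce)

    return {
        "roots_differ": work["root"] != hijacked["root"],
        "honest": pool.submit(honest_header),
        "hijacked": pool.submit(hijacked_header),
        "hijacked_solves_its_own_work": header_hash_int(hijacked_header) <= DEMO_TARGET,
        "replayed_nonce_hash_matches": header_hash_int(replayed) == header_hash_int(hijacked_header),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The honest share is accepted; the share mined on rewritten work is rejected before its proof of work is even checked, because the pool never issued that merkle root, and the attacker's nonce does nothing for the pool's header. What this does not prevent is rjk's variant, intercepting a solution and discarding it: a withholding attacker needs no forged work, submits nothing unusual, and is visible only statistically, as the drop in luck ArticMine proposed measuring.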
gusti
Legendary
Offline
Activity: 1099
Merit: 1000
March 18, 2012, 06:33:13 PM
Could this be a vulnerability, or backdoor introduced by any popular mining software programmer, which might be stealing and redirecting a % of hashing power ? (my apologies to all good faith programmers for the accusations pulled out of my ass)

If you don't own the private keys, you don't own the coins.

molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
March 18, 2012, 06:35:32 PM
> > watching
> Goat, just click 'notify' instead of posting in the thread to 'watch' it

I just tried this and you must be joking, c_k: that sends emails! I don't want my inbox full of "topic reply: whatever" messages. I want replies to show up behind the "Show new replies to your posts" links. Any other way to achieve this than using "subscribe" posts? [goes to find out how to remove that notification crap]