Malicious mining in my computer facility

[newtocryptocurrency]

Hi,

I run a computer facility with internet access.

Recently I found out that many of my computers had CPU miners running and mining for the same wallet address.
I know how to stop all those processes and clean up my system.

1. But I want to know if it is possible to trace the person who put the programs in the machines.

I see the miner exe file and a batch file to execute the exe with a wallet address. Is there anything I can do with this?

2. Also I want to know how to find out if this happens again. (Since I have good machines, I couldn't really tell any speed compromise because of the miners. This time I accidentally opened task manager and found these processes hogging up my CPUs.
But I can't keep doing this every time on every machine.)

Thank you

[110110101]

1) It is not very likely that you can track down an individual based on a crypto address. You would need more things to go by, say a shipping address if the coins have been spent somewhere. If you know what currency was being mined, try looking for a Block explorer and see if the coins can be traced somewhere. Maybe an exchange?

The forensics make this kind of tracing hard, but not impossible. You could try to reach out to the community behind the coin for further help.

2) You need to ask yourself how your security was compromised.
- Do you have many people accessing these machines?
- Do you have external services running?
- Is everything up to date?
- Where they miners running as a specific user? Admin/Root or a unprivileged account?
- Many antivirus software suites will block CPU miners as malicious software, do you have something like this installed?
- Check old logs if you have them, try to find out who and/or when the software was installed. If no logs are available, what has happened to them?
- For Linux it is trivial to setup an external box that duplicates system/access logs, so even if a host machine is compromised the logs are intact on the second box. I do not know about Windows, perhaps this is possible to do.
- If the software was installed externally, consider wiping your boxes and going over the security of your network.

These where some things just off the top of my head, there are probably tons more to check and do, but start looking for tracks and locking down your boxes.

[sandor111]

Install a keylogger on all of the computers, that's the only way to really to track down his identity if he decides to log on Facebook or something.

[newtocryptocurrency]

@110110101, Thank you for your reply.

1) Isn't what you say against the principle of anonymity that is surrounded with crypto currencies?
fwiw, it is `Monero` I think that was mined.

Anyway, even if the currency was exchanged somewhere for bitcoins or even real money from bitcoins, how does it help to know?
I'm just trying to trace the flow of information here.

One can't tell the real identity of a person behind a wallet address. So as long as money is being transferred around in the form of crypto currencies, it doesn't really help in knowing the real identity of the person.

Only when the person exchanges the crypto currency with real money will his actual identity be revealed. Am I right here?

I'm not really bent on getting the guy who did this. I might just warn and let him off if I find him. I'm more curious about how all this works

2) I've never really stressed on security. (Good blokes used to use my computers. )
- They don't use the admin account, but a less privileged one. All this mining happened in the less privileged one itself.
- I think the exe was brought in a device or something and run with no extra privileges. It would be too much of a restriction if executing binaries was restricted right?
- My Microsoft Security Essentials didn't say a thing about the exe.
- About the logs, what exactly did you mean by logs? There was no installation or registry entry made. The exes *were copied and pasted and run* IMO. I doubt if there were fetched via the network. Since the machines aren't turned off, the miners kept running. :/

[5w00p]

The coin (s)he mined is designed to be completely anonymous, so you will likely have to find a different way to ascertain who the perpetrator is/was.

He or she has good taste in altcoins, imho.
Good luck

[newtocryptocurrency]

The coin (s)he mined is designed to be completely anonymous, so you will likely have to find a different way to ascertain who the perpetrator is/was.

He or she has good taste in altcoins, imho.
Good luck

You mean the coin being Monero makes things harder?

What about waiting till he exchanges it for actual money? Will I be able to find him then?

Also, on a related note, will he be able to avoid even the above situation by making a dummy Monero to Monero transfer where both accounts are his?

Thanks

[jwinterm]

The coin (s)he mined is designed to be completely anonymous, so you will likely have to find a different way to ascertain who the perpetrator is/was.

He or she has good taste in altcoins, imho.
Good luck

You mean the coin being Monero makes things harder?

What about waiting till he exchanges it for actual money? Will I be able to find him then?

Also, on a related note, will he be able to avoid even the above situation by making a dummy Monero to Monero transfer where both accounts are his?

Thanks

He or she wouldn't even need to make dummy transfers. Each transaction is designed to be completely anonymous, so you can't track the transfer from the pool to his/her wallet, nor from wallet to exchange. You're not going to track them down this way.

I'm assuming people don't have to log onto the computers, otherwise you would have caught them already, but really the only way I can think of is to check the modified date on the miner and batch files (see when they were put on each computer), and see if you can figure out who was using that comp at that time.

[MaxDZ8]

OP, do you have access to network inspectors or something?

Miners usually communicate using JSON-RPC, maybe you could rig up something to monitor the network and looking up for the correct packets. Is this a possibility for you?

[williamj2543]

Probably some kid trying to make some bitcoins. Check the security cameras to see the use of the machines. Someone had to install the software, or maybe someone remote desktop from an external location.

[5w00p]

Yes, the Monero (aka XMR) is bad-ass and can't be traced.  So, forget about Magnum P.I.-ing him that way...

And I doubt he will cash out to fiat.  He probably only mined a few Monero and it isn't like this stuff is worth much (yet).

He probably holds it for now and maybe sells it for bitcoin on an exchange, and odds are that you were his mark in this little mining scam he pulled and he probably has access to his own computer(s)...

If you really wanted to catch him, you probably should not alert him to the fact that you know about it.  Play dumb and find a way to catch him in the act of checking on his miners. 

Really, you know this stuff is cool and you should probably thank him for exposing you to it.  Get some security measures on your comps if you really want to prevent "malicious" stuff from going on.

I gather that you are in Australia or thereabouts because you said "good blokes" but even if the dudes are all cool as a breeze, somebody is always going to try to find a way to make a buck at your expense, if you let them.
 

[newtocryptocurrency]

OP, do you have access to network inspectors or something?

Miners usually communicate using JSON-RPC, maybe you could rig up something to monitor the network and looking up for the correct packets. Is this a possibility for you?

Yeah I do. Wireshark?
Is this suggestion to know when something like this happens again? (although, it wouldn't help me trace him right?)

[newtocryptocurrency]

Yes, the Monero (aka XMR) is bad-ass and can't be traced.  So, forget about Magnum P.I.-ing him that way...

And I doubt he will cash out to fiat.  He probably only mined a few Monero and it isn't like this stuff is worth much (yet).

He probably holds it for now and maybe sells it for bitcoin on an exchange, and odds are that you were his mark in this little mining scam he pulled and he probably has access to his own computer(s)...

If you really wanted to catch him, you probably should not alert him to the fact that you know about it.  Play dumb and find a way to catch him in the act of checking on his miners. 

Really, you know this stuff is cool and you should probably thank him for exposing you to it.  Get some security measures on your comps if you really want to prevent "malicious" stuff from going on.

I gather that you are in Australia or thereabouts because you said "good blokes" but even if the dudes are all cool as a breeze, somebody is always going to try to find a way to make a buck at your expense, if you let them.
 

Thanks for the suggestions Makes sense

[110110101]

@110110101, Thank you for your reply.

1) Isn't what you say against the principle of anonymity that is surrounded with crypto currencies?
fwiw, it is `Monero` I think that was mined.

Anyway, even if the currency was exchanged somewhere for bitcoins or even real money from bitcoins, how does it help to know?
I'm just trying to trace the flow of information here.

One can't tell the real identity of a person behind a wallet address. So as long as money is being transferred around in the form of crypto currencies, it doesn't really help in knowing the real identity of the person.

Only when the person exchanges the crypto currency with real money will his actual identity be revealed. Am I right here?

I'm not really bent on getting the guy who did this. I might just warn and let him off if I find him. I'm more curious about how all this works

2) I've never really stressed on security. (Good blokes used to use my computers. )
- They don't use the admin account, but a less privileged one. All this mining happened in the less privileged one itself.
- I think the exe was brought in a device or something and run with no extra privileges. It would be too much of a restriction if executing binaries was restricted right?
- My Microsoft Security Essentials didn't say a thing about the exe.
- About the logs, what exactly did you mean by logs? There was no installation or registry entry made. The exes *were copied and pasted and run* IMO. I doubt if there were fetched via the network. Since the machines aren't turned off, the miners kept running. :/

Hey Newtocrypto,

I was referring to the fact the most cryptocurrencies used to be pseudo-anonymous, BTC included. One cannot link an address to an individual directly, but the Blockchain makes it possible to follow transactions as the coins are moving around. Maybe a long shot, but if you can trace a payment to an exchange, authorities could ask for server logs, check where the accessing IP came from and make the paperwork done for getting an address connected to the IP.

The attacker could spend the coins at an online store where he/she gives their name and address for shipping. Basically many of the older cryptos could possibly be traced back to an individual, sometimes it's feasible, other times not.

The new generation cryptocurrencies are attempting to be anonymous, so the arguments above become irrelevant in this case.

For logs and auditing, if the attacker had hacked an external service running, you would have probably found access logs, error logs and the like showing who accessed and what they were doing. Now I get the picture that some guy put in a usb thumb stick and started his miner. Apparently MSE doesn't block these programs, I believe ZoneAlarm does. Same for Comodo Internet Security. I don't run Norton, McAffe etc so I can't speak about them.

I understand that you are running a Windows computer hall. Maybe look at sandboxing your systems and having a scheduled reboot at night? That way if an attacker puts in a miner, the system is rolled back to a clean state and the attacker may only make use of the resources for less than 24h. This would limit the damage and still leave the boxes OK for all other everyday users doing their work. Perhaps a better way than trying to catch this fellow, is to decrease the incentive for setting up mining software on the boxes.

[MaxDZ8]

Yeah I do. Wireshark?
Is this suggestion to know when something like this happens again? (although, it wouldn't help me trace him right?)

Something like it.
I cannot help you in setting up the protection but I can describe you the protocol being used for pooled mining (if you don't want to mess up with google searching for it).

[hiddensphinx]

maybe try installing process blocker with admin privileges ? - http://www.processblocker.com/

[Wealthy]

Hi,

I run a computer facility with internet access.

Recently I found out that many of my computers had CPU miners running and mining for the same wallet address.
I know how to stop all those processes and clean up my system.

1. But I want to know if it is possible to trace the person who put the programs in the machines.

I see the miner exe file and a batch file to execute the exe with a wallet address. Is there anything I can do with this?

2. Also I want to know how to find out if this happens again. (Since I have good machines, I couldn't really tell any speed compromise because of the miners. This time I accidentally opened task manager and found these processes hogging up my CPUs.
But I can't keep doing this every time on every machine.)

Thank you

It's hard to trace to trace unless you have quite good knowledge on programming.It may have gotten into your system by any means Internet being the first.Somebody might have installed a program that had the miner program attached.Miner malwares are as low as 10 KiB in size and are hidden and encrypted not to get detected by antiviruses.

[newtocryptocurrency]

Yeah I do. Wireshark?
Is this suggestion to know when something like this happens again? (although, it wouldn't help me trace him right?)

Something like it.
I cannot help you in setting up the protection but I can describe you the protocol being used for pooled mining (if you don't want to mess up with google searching for it).

Please do

[MaxDZ8]

Replying before I forget.

I'm having quite some issues this week and I'm not sure I can dedicate efforts to this. Can you drop me a line at the end of the week so this bumps up again?

BTW, the protocol I'll describe is for standard BTC-derived coins. I've been told CryptoNote coins are farly different. Hopefully that will still be enough to give you an idea for a first prototype.