- What is Bitcoin?
Bitcoin is an online decentralised virtual currency based on an open source, P2P protocol. Bitcoins can be transferred using a computer without relying on a financial institution.
If you haven’t heard about Bitcoin I recommend you watch the following video:
Both the Bitcoin creation and transfer is performed by computers called “miners” that confirm the bitcoin’s creation by adding the information to a decentralised database. Bitcoins get harder to generate all the time. There are more that 10 million bitcoins in circulation today. The Bitcoin design only lets the creation of 21 million and that limit will be reached during the year 2140.
The Bitcoin wallet is what gives you ownership of one or more Bitcoin addresses. You can use those addresses to send and receive coins from other users.
Due to the complexity of mining bitcoins if you mine on your own it may be a long time until you can make some return. Bitcoin pools are places where multiple users can work together to make bitcoins and share benefits in a fair way.
Finally, you can buy and sell bitcoins using several real-world currencies (EUR, USD ..) using several exchanges.
Threat Landscape
Due to the growing popularity of the Bitcoin, it has become an attractive and profitable target for cybercriminals. During the last few years, we have seen an increase in the number of attacks and threats involving the virtual currency. The bad guys have adapted their tools to steal bitcoins from victims, use compromised systems to mine bitcoins and obtain benefit from it. On the other hand, virtual exchanges are also victims and we have seen how the attackers have phished the users of those exchanges and how they have performed Denial of Service attacks to destabilize the exchange rate and profit.
Wallet stealing
During the last few years, the capability of stealing the wallet.dat file has been added to several malware families. In addition, new malware families have appeared with the objective of stealing the wallet file from the infected machines.
Bitcoin mining
Apart from stealing the Bitcoin wallet, the number of malware families that can use the victim’s computer power to mine Bitcoins is getting bigger and bigger.
We have found samples that install the Bitcoin daemon in the victim but the most frequently used technique is adding a piece of code that connects to a mining pool (public or private) to mine bitcoins.
You can find variants of very well known malware families such as Zeus/Zbot that added this capability. As an example, we found a Zeus variant more than a year ago that had installed the Bitcoin daemon to mine bitcoins using the infected systems. That specific variant was distributed using Fake e-mail messages containing a link to the malicious file.
Once the system got infected the Bitcoin client bitcoind was installed in the system. The Zeus variant was using a different configuration file from:
http://www[.]anshaa[.]com/z/config.bin
In the last few months several Dorkbot variants including one that was using Skype to spread added the capability of mining bitcoins.
Once the system gets compromised, a version of the Ufasoft Bitcoin miner is started. In this case, the attacker is running his own pooling server.
The Ufasoft software contacts the mining pool server via HTTP:
We have seen samples contacting the following servers that are owned by the same guys behind the botnet:
suppp[.]cantvenlinea[.]biz:1942
ahora[.]revisiondelpc[.]ru:2142
xhuehs[.]cantvenlinea[.]ru:1942
keep[.]hustling4life[.]biz:2142
That infrastructure has been running for at least 5 months.
Another gang has been running several Bitcoin mining servers for more than a year now. They have used Dorkbot as well as other malicious software to infect systems and use their computer power to mine bitcoins. Following is the list of malicious servers they have been using:
m1[.]m94vo3[.]com
xxa[.]m94vo3[.]com
pool[.]dload[.]asia
abcpool[.]dload[.]asia
thehood[.]k4912m[.]com
abc[.]dload[.]asia
paljacinke[.]aquarium-stakany[.]org
entropy[.]k4912m[.]com
xxx[.]z0k3[.]org
xdx[.]8xx5[.]org
xd[.]x1x9[.]asia
xD[.]x3x9[.]asia
www[.]ewgtr[.]us
www[.]btcminers[.]biz
sfx[.]dload[.]asia
thehood[.]k4912m[.]com
We have found instances where the malicious actors are also mining Litecoins that is another virtual currency similar to Bitcoin.
During the analysis of one of the malicious servers that was used to compromise users we found a GUI application that the attackers are using to build “Silent Miners” that are basically processes that run on the background, connect to the server pool that you configure and mine Litecoins/Bitcoins for you.
The program will generate an executable file prepared to run in the background. It makes it very easy for the attackers to include or distribute the executable in the botnets they are already running.
Apart from the infrastructure we have unveiled, we have found many different malwares with Bitcoin mining capabilities in the last few weeks. Some of them are distributed as fake software in P2P networks, using malicious web redirects (Blackhole Exploit Kit), Fake AV’s, etc.
A lot of them also use public mining pools that are also used by regular users to mine bitcoins. Following is a list of malicious binaries we have found as well as the pool server and username they use:
| Hash | Server | Username |
|---|---|---|
| b21183ebee87ea86acd11e25a3a3b0d1 | notroll.in:6332 | tromm.5 |
| 7fdf03f888932a384b0089d391f01b2e | mining.eligius.st:8337 | 1663o1jPydX5fgTNsAW33owbsyC1gpwbvn |
| 544b1a3b310ebb9dc9a9d3858c8c7fe4 | pool.50btc.com:8332 | 169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi |
| 9b7a5ab5e06c46b88e3182457b1e9a0f | pool.50btc.com:8332 | 17F8N9AvEWSWRMgfR2WncDxhHCm2zLMgST |
| 6ba659c9f3de5b5d45a77b12c5ca1e7b | mining.eligius.st:8337 | 17VJ4nebUbfBoydRC7vLynQruXyqMCDY1W |
| e26686c56297f259e936454e4ea3f7ae | mining.eligius.st:8337 | 17VJ4nebUbfBoydRC7vLynQruXyqMCDY1W |
| ae1350e85fb01777d6b5f93384f23bdc | mining.eligius.st: 8337 | 1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX |
| d770554455a70f3a3ad8e3326ddca765 | mining.eligius.st:8337 | 1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX |
| d911d82dc184bbfc952b77cb4cb1b743 | mining.eligius.st:8337 | 1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX |
| 2f0312e6c46cd6e045f3be88e16ecb74 | pool.50btc.com:8332 | 1Dt8Ai9uNhupwxejr8PN631XTpbECTfQ2y |
| e64d98da86cf03ff6088b48612870f83 | pool.50btc.com:8332 | 1Dt8Ai9uNhupwxejr8PN631XTpbECTfQ2y |
| 20d5c788a075113145261ee5dfab0fa0 | mining.eligius.st:8337 | 1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fA |
| 500d53fbf363ce31d75447a7ac335516 | mining.eligius.st:8337 | 1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fA |
| e61b38b75d1cfefe9f631231666a9211 | mining.eligius.st:8337 | 1H1xa5PV522hUKfBqvfXPqu7buS5q9ckiW |
| 1a155713d6ff01a3e949730d6fe868d9 | mining.eligius.st:8337 | 1HH1Geovwhxq2UnNt6tiscF2kMsxYEVCRM |
| d726542997e8aaca1c8c2809cc859f04 | pool.50btc.com:8332 | 1Hy8HbYrLPrXhGko2SmkUtMjBvBpVDEeMh |
| 974b155cef5cb549dcd81b62d26a7d7e | mining.eligius.st:8337 | 1Kjvxd9CbnYbigcC13gS5VAd2asNcdVSyH |
| 9384cb2d2b69d4023dbe2260b789c509 | mining.eligius.st:8337 | 1KyxrBp8mJRt3U6Q12LfuNLonZ9JHLYnbM |
| 9f878f2f555e690d447060bff7856dac | mining.eligius.st:8337 | 1NqV1Dy7jH4SLXgbihQDRYA9qKgqnSfaVJ |
| bfe45e910c94c49e63e969cc2dd8c806 | mining.eligius.st:8337 | 1PyoNmwdNP7PQWQwjCLiK8Av5V9eAGhKcL:x |
| bb0449dcb53723f6cb58d7024c16f887 | mining.eligius.st:8337 | 1Q3TM64corp7BCYY98pa88w9RoZSfxrH8 |
| 9a48fe740b8feff35b1dbc07ab99d949 | pool.50btc.com:8332 | 1qGYbXUe48RjdAoHuRhs4vvm118XMY6e3 |
| 35c3c3506064dbad08ba3a8a1ccd742b | eiswoj.uktop40chart.co.uk:80 | 2thread |
| e32caa62ef6e67e82c2b95c3b2b66db4 | litecoinpool.org:3333 | 8r9di23217.97123y92 |
| 13052239a6a852a4eee3febe10268e25 | notroll.in:6332 | appap.6 |
| 6111ebdfcf7c58c953271dcbd594a417 | litecoinpool.org:9332 | aspen.4 |
| 1c5458ed87729b711310b6f0baf270bf | pool.50btc.com:8332 | blackweader@hotmail.com_dodi |
| 5271a38bd18c8ad51d5e3b158db11b38 | eu.triplemining.com:8344 | Bool_Bool |
| 49d8ce6f361cc87f85fe12f4df73bda5 | us2.eclipsemc.com:8337 | cartoon1996_hm9gjp |
| 815ccc9f6a48cab368e41647c8f81722 | us2.eclipsemc.com:8337 | cartoon1996_server |
| 2a79e90f44bd136b3a977fe9fc93c1e0 | pool.50btc.com:8332 | cbargas3443@outlook.com |
| 0eece32d0d55449366eae4462a4781c7 | eu.triplemining.com:8344 | comp_pony |
| cc3dc3b176bbc34444117057659e9e14 | de.btcguild.com:8332 | cviper_1 |
| 75bd6e532370c06c567718d68e551647 | pool.50btc.com:8332 | edwardpafford220@outlook.com |
| 20c05310dc8bb6dd2cf0e4c642e475a1 | uscentral.btcguild.com:8332 | epix6_datacenter1 |
| 4decdf42f9eaf230768220edb361a0e0 | uscentral.btcguild.com:8332 | epix6_datacenter1 |
| 8c5fd67f62fbccf02f8e0e306341713d | uscentral.btcguild.com:8332 | epix6_datacenter1 |
| 38831b2e4e6ead08c23f7387919999af | pool.50btc.com:8332 | franklinandrus99@outlook.com |
| 44ab7103e31a41b53401cedcabf9de6f | us2.eclipsemc.com:8337 | happyworld_3 |
| b08ef6df987e03e86cc9af30942e8fd2 | us2.eclipsemc.com:8337 | happyworld_3 |
| 2d150ca060ed2d89ff031c0060275c99 | notroll.in:6332 | happyworld3000.1 |
| d1cc70aa60e76879da80303f0f79a894 | dns.domain-crawlers.com:8332 | haqidodges@gmail.com |
| 135cbc204145e63f7af441fff85f4ec7 | pool.50btc.com:8332 | i0nn@mail.ru_4 |
| 854387049a16de49fc6a02655c38c4eb | eu.triplemining.com:8344 | IamX_Worker1 |
| a401a4a5051feb11fe594aad9b4bdf95 | pool.50btc.com:8332 | Jasoncharles848@outlook.com |
| 4b8ad799881c4a79a32ea2a6576a8037 | mine3.btcguild.com:8332 | JennyEsta_666fuckerhead |
| ff925fbce01271e6a033febc27703762 | gief3.25u.com:8332 | jowsie_cheap2 |
| 3e4ef7f6727217b01c38ffcab91ef3c9 | pool.50btc.com:8332 | jrodriguez442@outlook.com |
| add443fe32e35fb4a46e35ed2052b6f6 | miningpool.com:9350 | koji35.3 |
| 4d4fa3c12eb5f77529e08bb9873e54e1 | eu.triplemining.com:8344 | lezoum2010_pocket |
| 3f5589b0c8fc9b049e5fde81a642db6c | eu.triplemining.com:8344 | loadrs2009_1 |
| 1fc06c8cdcbcff1fd5ecf07ded4bed93 | us2.eclipsemc.com:8337 | m1nd_jorgee |
| ae08c3c4ab1e43ce8201b572b0b45115 | eu.triplemining.com:8344 | madhav007_pudge007 |
| 47d21779b4e1d7195ae3eceafa1b163d | ltcmine.ru:3333 | MinerG_0 |
| ae03b006bb3eb6dcb2a64e3533862367 | ltcmine.ru:3333 | MinerG_17 |
| c3f67b7b4d3d5152757fd71bca6fbbfe | ltcmine.ru:3333 | MinerG_18 |
| 202dfdf0ced47d213e833d8a92012d90 | ltcmine.ru:3333 | MinerG_26 |
| 0ed23a28270a27e5a4332ae521ee70b8 | ltcmine.ru:3333 | MinerG_34 |
| 3e348e07f5d98929baa0cb88f00cd8cf | ltcmine.ru:3333 | MinerG_7 |
| eb375ba9447d20401ee17192c2f9010d | ltcmine.ru:3333 | MinerG_8 |
| c1d4410b41ed7f534457f077370067a6 | us2.eclipsemc.com:8337 | moi_worker |
| 20c258e021449365a42f9b2fc7d0d4c8 | us2.eclipsemc.com:8337 | Mystical_pike |
| 2164bd712071628549a25f5eb97a5f35 | us2.eclipsemc.com:8337 | N785O1c_3cxQO9S |
| 2bab5ce7b48baea90b11244278bd6d57 | mine2.btcguild.com:8332 | o2521666_1 |
| 92b4c95a10d12132138ef15f44c9b9fc | pool.50btc.com:8332 | pinkywesen@secure-mail.biz |
| 86ac869662e4b8f0422fb9cbca77d72e | pool.50btc.com:8332 | popa_zade@yahoo.com |
| c6cf7161100ff107b59b7b07db6 | pool.50btc.com:8332 | popa_zade@yahoo.com |
| b7752d762c5a9ac883caaefd1cc19c1b | eu.triplemining.com:8344 | pr3m1era_Bossnigger |
| 67e591f09ae0cea47f920878f100baa8 | pool.50btc.com:8332 | rainbow101@outlook.com |
| 3b6c8728ac3ee82a06bca7096265d666 | pool.50btc.com:8332 | rthrockmorton212@outlook.com |
| 3eb76d2427c283d2c4b9b396bef275a2 | pool.50btc.com:8332 | ryancaswell772@outlook.com |
| 8f4ad4c95adef240f8edb5f3da09f164 | us2.eclipsemc.com:8337 | shrooms_mining |
| da99275413845905166e8470980a155f | eu.triplemining.com:8344 | Sisocviper_siso |
| 7f1ef23a0076cedaeec0b7bb55b9702d | eu.triplemining.com:8344 | smackos_aliens |
| 1f85e27b2bd33c4d0ca377ad696fa563 | us2.eclipsemc.com:8337 | SSnack_worker |
| bbfe230a8471e2b5d807df3368836bce | eu.triplemining.com:8344 | Strick3n_stricken |
| 0b04c1538e5f3a37a81ec2086810b8e1 | pool.50btc.com:8332 | svintaz@mail.ru_7 |
| b51128a0d8626a9b36f25679854d137e | uswest.btcguild.com:8332 | tester20122_3 |
| ccf5f50c9f919dbd9c0cc9a313ef5a2d | pool.50btc.com:8332 | titorjohn@rocketmail.com |
| 3d31545f1889fa7593defb5f8bbc915a | pool.50btc.com:8332 | TOGRI2012@hotmail.com |
| 43cc15d6178c0fa7845fe257a58f5e0b | notroll.in:6332 | tophosts.1 |
| 9425c6b7654e8e9ceba5894862e28970 | notroll.in:6332 | tromm.14 |
| 865341e5ae9e6fd01eca8e6bb31b4e5d | us2.eclipsemc.com:8337 | vapor_worker |
| ce38c3479d126c80298e0fe76e73e8e5 | pool.50btc.com:8332 | victory2egy@yahoo.com |
| d20be24e318844a56d3f38f2d1061dde | pool.50btc.com:8332 | victory2egy@yahoo.com |
| c24700038e25f4ed1aea01bc374ed5a1 | pool.50btc.com:8332 | victory2egy@yahoo.com_v |
| d11b21251ef6f8f84efc7130525a4785 | pool.50btc.com:8332 | vincentbaty87@outlook.com |
Show me the money
As you can see in the previous table some of the bad guys were using Bitcoin addresses instead of usernames to connect to the pool servers.
Due to the openness of the Bitcoin’s protocol, we can access the information and the transactions done by those accounts.
169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi, 91.39938806 BTC ,$ 8,317.34
17F8N9AvEWSWRMgfR2WncDxhHCm2zLMgST, 20.89356766 BTC , $ 1,901.31
1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX, 420.81569559 BTC, $ 38,294.23
1H1xa5PV522hUKfBqvfXPqu7buS5q9ckiW, 31.00274179 BTC , $ 2,821.25
1Kjvxd9CbnYbigcC13gS5VAd2asNcdVSyH, 88.99839055 BTC , $ 8,098.85
1KyxrBp8mJRt3U6Q12LfuNLonZ9JHLYnbM, 77.55520657 BTC , $ 7,057.52
1Q3TM64corp7BCYY98pa88w9RoZSfxrH8, 48.69058357 BTC , $ 4,430.84
For instance, we can see these two Bitcoin addresses probably belong to the same bad actors:
169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi
1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
Those two accounts sent most of the money to the following account:
1827x95K36G3NFxDqiNwo6aE1rH55Ua3p5
That Bitcoin address received a total amount of 1050.21 BTC in the last few months. If the bad guys sold that amount of bitcoins some days ago when a single Bitcoin was worth $265 they could have made $278k. Not bad for a small Botnet!
MtGox Fake sites
Mtgox is the largest Bitcoin exchange where you can trade Bitcoins for EUR/US, etc. In the last few weeks, the increased popularity of both Bitcoin and Mtgox has made it an attractive target for attackers.
Last week, we detected several websites that were attempting to target Mtgox users. An attacker set up the fake website www[.]mtgox-chat[.]info:
The malicious server looks like an official Mtgox website with a chat on it. Once the user enters the site it will try to load a malicious Java applet:
The Java applet will download and execute a binary file from a remote site.
Once the file is executed the victim gets infected and the system will contact the C&C server on:
tamere123[.]no-ip[.]org
Having access to the victim’s system the attacker can now get the Mtgox’s credentials and steal the money/bitcoins from the victim.
Impact on the enterprise
The detection of mining software in your network could indicate either a misuse of resources by your employees or an infection that could lead to financial losses.
The following best practices will help you prevent these threats:
- Keep software up to date
- Update your Antivirus signatures
- Run a Vulnerability Assessment Program
- Monitor your networks to detect suspicious network behaviors.
AlienVault Unified Security Management (USM) will detect all the threats mentioned on the blog post:
If you want to increase your network visibility you can try our Unified Security Management solution or download the Open Source version.
