How cybercriminals are exploiting Bitcoin and other virtual currencies

April 16, 2013 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

- What is Bitcoin?

Bitcoin is an online descentralised virtual currency based on an open source, P2P protocol. Bitcoins can be transferred using a computer without relying on a financial institution.

If you haven’t heard about Bitcoin I recommend you watch the following video:

Both the Bitcoin creation and transfer is performed by computers called “miners” that confirm the bitcoin’s creation by adding the information to a descentralized database. Bitcoins get harder to generate all the time. There are more that 10 million bitcoins in circulation today. The Bitcoin design only lets the creation of 21 millions and that limit will be reached during the year 2140.

The Bitcoin wallet is what gives you ownership of one or more Bitcoin addresses. You can use those addresses to send and receive coins from other users.

Due to the complexity of mining bitcoins if you mine on your own it may be a long time until you can make some return. Bitcoin pools are places where multiple users can work together to make bitcoins and share benefits in a fair way.

Finally, you can buy and sell bitcoins using several real world currencies (EUR, USD ..) using several exchanges such as:

- MtGox

- BTC-E

- Virtex https://www.cavirtex.com/home [no longer available]

Threat Landscape

Due to the growing popularity of the Bitcoin it has become an attractive and profitable target for cybercriminals. During the last few years we have seen an increase in the number of attacks and threats involving the virtual currency. The bad guys have adapted their tools to steal bitcoins from victims, use compromised systems to mine bitcoins and obtain benefit from it. On the other hand virtual exchanges are also victims and we have seen how the attackers have phished the users of those exchanges and how they have performed Denial of Service attacks to destabilize the exchange rate and profit.

Wallet stealing

During the last few years the capability of stealing the wallet.dat file has been added to several malware families. In addition, new malware families have appeared with the objective of stealing the wallet file from the infected machines.

For example, a version of the Khelios malware that has been used to send Spam and steal data from infected systems added the capability to steal the wallet.dat file some time ago:

As a result if a Bitcoin’s user gets infected, the file containing the keys to use your bitcoin addresses will be stolen. The wallet file can be protected by a password but most of the malwares we have found have keylogging capabilities that could steal the wallet password as well.

Another example are several IRC botnets that are running based on the “AthenaIRCBot” source code that has the capability of stealing the wallet file as well:

Example: 08a9b6a933c8eac7919355d47a811aa2752df74473b8789bcfd567fb779708cd

- Bitcoin mining

Apart from stealing the Bitcoin wallet the number of malware families that can use the victim’s computer power to mine Bitcoins is getting bigger and bigger.

We have found samples that install the Bitcoin daemon in the victim but the most frequently used technique is adding a piece of code that connects to a mining pool (public or private) to mine bitcoins.

You can find variants of very well known malware families such as Zeus/Zbot that added this capability. As an example, we found a Zeus variant more than a year ago that had intalled the Bitcoin daemon to mine bitcoins using the infected systems.

That specific variant was distributed using Fake e-mail messages containing a link to the malicious file.

Once the system got infected the Bitcoin client bitcoind was installed in the system. The Zeus variant was using the configuration file from:

http://www[.]anshaa[.]com/z/config.bin

In the last few months several Dorkbot variants including one that was using Skype to spread added the capability of mining bitcoins.

Once the system gets compromised, a version of the Ufasoft Bitcoin miner is started. In this case the attacker is running his own pooling server.

The Ufasoft software contacts the mining pool server via HTTP:

We have seen samples contacting the following servers that are owned by the same guys behind the botnet:

suppp[.]cantvenlinea[.]biz:1942

ahora[.]revisiondelpc[.]ru:2142

xhuehs[.]cantvenlinea[.]ru:1942

keep[.]hustling4life[.]biz:2142

That infrastructure has been running for at least 5 months.

Another gang has been running several Bitcoin mining servers for more than a year now. They have used Dorkbot as well as other malicious software to infect systems and use their computer power to mine bitcoins. Following is the list of malicious servers they have been using:

m1[.]m94vo3[.]com

xxa[.]m94vo3[.]com

pool[.]dload[.]asia

abcpool[.]dload[.]asia

thehood[.]k4912m[.]com

abc[.]dload[.]asia

paljacinke[.]aquarium-stakany[.]org

entropy[.]k4912m[.]com

xxx[.]z0k3[.]org

xdx[.]8xx5[.]org

xd[.]x1x9[.]asia

xD[.]x3x9[.]asia

www[.]ewgtr[.]us

www[.]btcminers[.]biz

sfx[.]dload[.]asia

thehood[.]k4912m[.]com

We have found instances where the malicious actors are also mining Litecoins that is another virtual currency similar to Bitcoin.

During the analysis of one of the malicious servers that was used to compromise users we found a GUI application that the attackers are using to build “Silent Miners” that are basically processes that run on the background, connect to the server pool that you configure and mine Litecoins/Bitcoins for you:

The program will generate an executable file prepared to run in the background. It makes it very easy for the attackers to include or distribute the executable in the botnets they are already running.

Apart from the infrastructure we have unveiled, we have found many different malwares with Bitcoin mining capabilities in the last few weeks. Some of them are distributed as fake software in P2P networks, using malicious web redirects (Blackhole Exploit Kit), Fake AV’s, etc.

A lot of them also use public mining pools that are also used by regular users to mine bitcoins. Following is a list of malicious binaries we have found as well as the pool server and username they use:

HashServerUsername
b21183ebee87ea86acd11e25a3a3b0d1notroll.in:6332tromm.5
7fdf03f888932a384b0089d391f01b2emining.eligius.st:83371663o1jPydX5fgTNsAW33owbsyC1gpwbvn
544b1a3b310ebb9dc9a9d3858c8c7fe4pool.50btc.com:8332169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi
9b7a5ab5e06c46b88e3182457b1e9a0fpool.50btc.com:833217F8N9AvEWSWRMgfR2WncDxhHCm2zLMgST
6ba659c9f3de5b5d45a77b12c5ca1e7bmining.eligius.st:833717VJ4nebUbfBoydRC7vLynQruXyqMCDY1W
e26686c56297f259e936454e4ea3f7aemining.eligius.st:833717VJ4nebUbfBoydRC7vLynQruXyqMCDY1W
ae1350e85fb01777d6b5f93384f23bdcmining.eligius.st: 83371ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
d770554455a70f3a3ad8e3326ddca765mining.eligius.st:83371ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
d911d82dc184bbfc952b77cb4cb1b743mining.eligius.st:83371ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
2f0312e6c46cd6e045f3be88e16ecb74pool.50btc.com:83321Dt8Ai9uNhupwxejr8PN631XTpbECTfQ2y
e64d98da86cf03ff6088b48612870f83pool.50btc.com:83321Dt8Ai9uNhupwxejr8PN631XTpbECTfQ2y
20d5c788a075113145261ee5dfab0fa0mining.eligius.st:83371ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fA
500d53fbf363ce31d75447a7ac335516mining.eligius.st:83371ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fA
e61b38b75d1cfefe9f631231666a9211mining.eligius.st:83371H1xa5PV522hUKfBqvfXPqu7buS5q9ckiW
1a155713d6ff01a3e949730d6fe868d9mining.eligius.st:83371HH1Geovwhxq2UnNt6tiscF2kMsxYEVCRM
d726542997e8aaca1c8c2809cc859f04pool.50btc.com:83321Hy8HbYrLPrXhGko2SmkUtMjBvBpVDEeMh
974b155cef5cb549dcd81b62d26a7d7emining.eligius.st:83371Kjvxd9CbnYbigcC13gS5VAd2asNcdVSyH
9384cb2d2b69d4023dbe2260b789c509mining.eligius.st:83371KyxrBp8mJRt3U6Q12LfuNLonZ9JHLYnbM
9f878f2f555e690d447060bff7856dacmining.eligius.st:83371NqV1Dy7jH4SLXgbihQDRYA9qKgqnSfaVJ
bfe45e910c94c49e63e969cc2dd8c806mining.eligius.st:83371PyoNmwdNP7PQWQwjCLiK8Av5V9eAGhKcL:x
bb0449dcb53723f6cb58d7024c16f887mining.eligius.st:83371Q3TM64corp7BCYY98pa88w9RoZSfxrH8
9a48fe740b8feff35b1dbc07ab99d949pool.50btc.com:83321qGYbXUe48RjdAoHuRhs4vvm118XMY6e3
35c3c3506064dbad08ba3a8a1ccd742beiswoj.uktop40chart.co.uk:802thread
e32caa62ef6e67e82c2b95c3b2b66db4litecoinpool.org:33338r9di23217.97123y92
13052239a6a852a4eee3febe10268e25notroll.in:6332appap.6
6111ebdfcf7c58c953271dcbd594a417litecoinpool.org:9332aspen.4
1c5458ed87729b711310b6f0baf270bfpool.50btc.com:8332blackweader@hotmail.com_dodi
5271a38bd18c8ad51d5e3b158db11b38eu.triplemining.com:8344Bool_Bool
49d8ce6f361cc87f85fe12f4df73bda5us2.eclipsemc.com:8337cartoon1996_hm9gjp
815ccc9f6a48cab368e41647c8f81722us2.eclipsemc.com:8337cartoon1996_server
2a79e90f44bd136b3a977fe9fc93c1e0pool.50btc.com:8332cbargas3443@outlook.com
0eece32d0d55449366eae4462a4781c7eu.triplemining.com:8344comp_pony
cc3dc3b176bbc34444117057659e9e14de.btcguild.com:8332cviper_1
75bd6e532370c06c567718d68e551647pool.50btc.com:8332edwardpafford220@outlook.com
20c05310dc8bb6dd2cf0e4c642e475a1uscentral.btcguild.com:8332epix6_datacenter1
4decdf42f9eaf230768220edb361a0e0uscentral.btcguild.com:8332epix6_datacenter1
8c5fd67f62fbccf02f8e0e306341713duscentral.btcguild.com:8332epix6_datacenter1
38831b2e4e6ead08c23f7387919999afpool.50btc.com:8332franklinandrus99@outlook.com
44ab7103e31a41b53401cedcabf9de6fus2.eclipsemc.com:8337happyworld_3
b08ef6df987e03e86cc9af30942e8fd2us2.eclipsemc.com:8337happyworld_3
2d150ca060ed2d89ff031c0060275c99notroll.in:6332happyworld3000.1
d1cc70aa60e76879da80303f0f79a894dns.domain-crawlers.com:8332haqidodges@gmail.com
135cbc204145e63f7af441fff85f4ec7pool.50btc.com:8332i0nn@mail.ru_4
854387049a16de49fc6a02655c38c4ebeu.triplemining.com:8344IamX_Worker1
a401a4a5051feb11fe594aad9b4bdf95pool.50btc.com:8332Jasoncharles848@outlook.com
4b8ad799881c4a79a32ea2a6576a8037mine3.btcguild.com:8332JennyEsta_666fuckerhead
ff925fbce01271e6a033febc27703762gief3.25u.com:8332jowsie_cheap2
3e4ef7f6727217b01c38ffcab91ef3c9pool.50btc.com:8332jrodriguez442@outlook.com
add443fe32e35fb4a46e35ed2052b6f6miningpool.com:9350koji35.3
4d4fa3c12eb5f77529e08bb9873e54e1eu.triplemining.com:8344lezoum2010_pocket
3f5589b0c8fc9b049e5fde81a642db6ceu.triplemining.com:8344loadrs2009_1
1fc06c8cdcbcff1fd5ecf07ded4bed93us2.eclipsemc.com:8337m1nd_jorgee
ae08c3c4ab1e43ce8201b572b0b45115eu.triplemining.com:8344madhav007_pudge007
47d21779b4e1d7195ae3eceafa1b163dltcmine.ru:3333MinerG_0
ae03b006bb3eb6dcb2a64e3533862367ltcmine.ru:3333MinerG_17
c3f67b7b4d3d5152757fd71bca6fbbfeltcmine.ru:3333MinerG_18
202dfdf0ced47d213e833d8a92012d90ltcmine.ru:3333MinerG_26
0ed23a28270a27e5a4332ae521ee70b8ltcmine.ru:3333MinerG_34
3e348e07f5d98929baa0cb88f00cd8cfltcmine.ru:3333MinerG_7
eb375ba9447d20401ee17192c2f9010dltcmine.ru:3333MinerG_8
c1d4410b41ed7f534457f077370067a6us2.eclipsemc.com:8337moi_worker
20c258e021449365a42f9b2fc7d0d4c8us2.eclipsemc.com:8337Mystical_pike
2164bd712071628549a25f5eb97a5f35us2.eclipsemc.com:8337N785O1c_3cxQO9S
2bab5ce7b48baea90b11244278bd6d57mine2.btcguild.com:8332o2521666_1
92b4c95a10d12132138ef15f44c9b9fcpool.50btc.com:8332pinkywesen@secure-mail.biz
86ac869662e4b8f0422fb9cbca77d72epool.50btc.com:8332popa_zade@yahoo.com
c6cf7161100ff107b59b7b07db6pool.50btc.com:8332popa_zade@yahoo.com
b7752d762c5a9ac883caaefd1cc19c1beu.triplemining.com:8344pr3m1era_Bossnigger
67e591f09ae0cea47f920878f100baa8pool.50btc.com:8332rainbow101@outlook.com
3b6c8728ac3ee82a06bca7096265d666pool.50btc.com:8332rthrockmorton212@outlook.com
3eb76d2427c283d2c4b9b396bef275a2pool.50btc.com:8332ryancaswell772@outlook.com
8f4ad4c95adef240f8edb5f3da09f164us2.eclipsemc.com:8337shrooms_mining
da99275413845905166e8470980a155feu.triplemining.com:8344Sisocviper_siso
7f1ef23a0076cedaeec0b7bb55b9702deu.triplemining.com:8344smackos_aliens
1f85e27b2bd33c4d0ca377ad696fa563us2.eclipsemc.com:8337SSnack_worker
bbfe230a8471e2b5d807df3368836bceeu.triplemining.com:8344Strick3n_stricken
0b04c1538e5f3a37a81ec2086810b8e1pool.50btc.com:8332svintaz@mail.ru_7
b51128a0d8626a9b36f25679854d137euswest.btcguild.com:8332tester20122_3
ccf5f50c9f919dbd9c0cc9a313ef5a2dpool.50btc.com:8332titorjohn@rocketmail.com
3d31545f1889fa7593defb5f8bbc915apool.50btc.com:8332TOGRI2012@hotmail.com
43cc15d6178c0fa7845fe257a58f5e0bnotroll.in:6332tophosts.1
9425c6b7654e8e9ceba5894862e28970notroll.in:6332tromm.14
865341e5ae9e6fd01eca8e6bb31b4e5dus2.eclipsemc.com:8337vapor_worker
ce38c3479d126c80298e0fe76e73e8e5pool.50btc.com:8332victory2egy@yahoo.com
d20be24e318844a56d3f38f2d1061ddepool.50btc.com:8332victory2egy@yahoo.com
c24700038e25f4ed1aea01bc374ed5a1pool.50btc.com:8332victory2egy@yahoo.com_v
d11b21251ef6f8f84efc7130525a4785pool.50btc.com:8332vincentbaty87@outlook.com

Show me the money

As you can see in the previous table some of the bad guys were using Bitcoin addresses instead of usernames to connect to the pool servers.

Due to the openness of the Bitcoin’s protocol we can access the information and the transactions done by those accounts.

169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi, 91.39938806 BTC ,$ 8,317.34

17F8N9AvEWSWRMgfR2WncDxhHCm2zLMgST, 20.89356766 BTC , $ 1,901.31

1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX, 420.81569559 BTC, $ 38,294.23

1H1xa5PV522hUKfBqvfXPqu7buS5q9ckiW, 31.00274179 BTC , $ 2,821.25

1Kjvxd9CbnYbigcC13gS5VAd2asNcdVSyH, 88.99839055 BTC , $ 8,098.85

1KyxrBp8mJRt3U6Q12LfuNLonZ9JHLYnbM, 77.55520657 BTC , $ 7,057.52

1Q3TM64corp7BCYY98pa88w9RoZSfxrH8, 48.69058357 BTC , $ 4,430.84

For instance we can see these two Bitcoin addresses probably belong to the same bad actors:

169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi

1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX

Those two accounts sent most of the money to the following account:

1827x95K36G3NFxDqiNwo6aE1rH55Ua3p5

That Bitcoin address received a total amount of 1050.21 BTC in the last few months. If the bad guys sold that amount of bitcoins some days ago when a single Bitcoin was worth $265 they could have made $278k. Not bad for a small Botnet!

MtGox Fake sites

Mtgox is the largest Bitcoin exchange where you can trade Bitcoins for EUR/US, etc. In the last few weeks the increased popularity of both Bitcoin and Mtgox has made it an attractive target for attackers.

Last week, we detected several websites that were attempting to target Mtgox users. An attacker set up the fake website www[.]mtgox-chat[.]info:

Captura de pantalla 2013-04-16 a la(s) 11.23.18

The malicious server looks like an official Mtgox website with a chat on it. Once the user enters the site it will try to load a malicious Java applet:

Captura de pantalla 2013-04-16 a la(s) 11.26.30

The Java applet will download and execute a binary file from a remote site.

Once the file is executed the victim gets infected and the system will contact the C&C server on:

tamere123[.]no-ip[.]org

Having access to the victim’s system the attacker can now get the Mtgox’s credentials and steal the money/bitcoins from the victim.

Impact on the enterprise

The detection of mining software in your network could indicate either a misuse of resources by your employees or an infection that could lead to financial losses.

The following best practices will help you prevent these threats:

- Keep software up to date

- Update your Antivirus signatures

- Run a Vulnerability Assessment Program

- Monitor your networks to detect suspicious network behaviors.

AlienVault Unified Security Management (USM) will detect all the threats mentioned on the blog post (and it’s available as a Free 30 day trial download):

Captura de pantalla 2013-04-16 a la(s) 13.15.05

Captura de pantalla 2013-04-16 a la(s) 13.15.32

If you want to increase your network visibility you can try our Unified Security Management solution or download the Open Source version.

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

‹ BACK TO ALL BLOGS