2013-06-03
Abstract
The exchange rate of the digital currency Bitcoin (BTC) passed the US$200/BTC1 mark earlier this year – a fact that has not escaped the attention of cybercriminals. Micky Pun takes a look at one of the latest Bitcoin-mining malware families.
Copyright © 2013 Virus Bulletin
The exchange rate of the digital currency Bitcoin (BTC) passed the USD$200/BTC1 mark earlier this year – a fact that has not escaped the attention of cybercriminals who have sought ways to capitalize on the popularity and increasing value of the currency. This article will take a look at the latest Bitcoin operation in the cybercrime world and analyse the latest Bitcoin-mining malware family.
There are three major types of Bitcoin-related malware:
Wallet-stealing
Bitcoin-mining (or ‘freeloading’)
A combination of the above
As the name suggests, wallet-stealing malware focuses on illegally accessing Bitcoin ‘wallets’. A Bitcoin wallet is loosely the equivalent on the Bitcoin network of a physical wallet. The wallet contains private keys which allow the user to spend the Bitcoins allocated to their Bitcoin addresses [1]. An online wallet can be compromised by having its login information stolen, while an offline wallet can be ‘stolen’ by infecting the Bitcoin-mining client or simply retrieving the wallet file if it is not encrypted in the system.
Bitcoin mining is the process of making computer hardware perform mathematical calculations for the Bitcoin network to confirm transactions and increase security. As a reward, Bitcoin miners can collect fees for the transactions they confirm, along with newly created Bitcoins [2]. Where Bitcoin mining malware is concerned, a Bitcoin miner first has to secretly be installed on a victim’s system. This will then join the Bitcoin pool and start mining for the criminal’s account.
The third kind of Bitcoin malware combines both wallet stealing and Bitcoin mining, and has been seen in botnets such as Kelihos.
In this article, we will focus on the latest Bitcoin mining malware distributed by SkyBot and NgrBot. (To avoid confusion with legitimate Bitcoin miners, I will refer to this type of malware as Bitcoin ‘freeloaders’.)
Before examining the latest Bitcoin freeloader, it is worth looking back at what one looked like two years ago. In August 2011, there was a Bitcoin freeloader (MD5:a9c88a209db76deb4fe9f1a9f8f47971) in the wild which used the same version of the Ufasoft Bitcoin miner as is used by the latest one. This malware, detected by many vendors as Hstart/Hiddenstart, featured a trivial payload delivery method. A WinRar file with self-extracting archive using a configuration file (Figure 1) would load the launcher (‘hstart.exe’) after decompression.
The launcher would then create a process that runs a malicious batch file (‘x.bat’ in Figure 1). The malicious batch file would execute the Ufasoft Bitcoin miner (‘x11811.exe’) with commands instructing it to utilize the current machine as a Bitcoin miner contributing to the criminal’s account.
Detected by Fortinet as W32/CoinMine.UIE!tr, the latest Bitcoin freeloader (MD5: 26ed87a390426197599a08443a4e64ac) has some similarities with the earlier one. Since the system has already been compromised by the bot client prior to downloading the freeloader, the binary is not packed or encrypted. Hidden behind some visually obfuscating codes and anti debug tricks, the malicious part of the freeloader is not apparent at first glance and could easily be mistaken for a legitimate Bitcoin miner by an anti-virus engine. In the resource section of the executable, there is a ‘DATA’ section which stores an unencrypted version of Ufasoft Bitcoin miner 0.20 (DLL). Most importantly, the command that ensures the Bitcoin miner is run for the criminal’s gain is stored in the ‘CONFIG’ section. Before executing the payload, the malware will first add auto-run registry entries to ensure that it runs every time the computer is started. After that, the malware creates a suspended new process (see Figure 3) with the current executable file using commands extracted from the ‘CONFIG’ resource. This new process makes detecting the malware more difficult.
(Click here to view a larger version of Figure 3.)
Obviously, the original malicious executable would not be able to interpret the commands called. The newly created process is intended as a platform for the malware to inject the legitimate Bitcoin miner such that when the process is eventually resumed, it will run the command that tells the compromised computer to start putting money into the criminal’s pocket (see Figure 4).
The diagram shown in Figure 5 illustrates how the money made through mining on the victim’s computer reaches the criminal’s pocket. As seen in the previous section, the malware will execute a command that enrols the victim’s computer in a mining activity. This activity was assigned to the criminal when an account was created at the mining pool server. When the victim’s computer sends a ‘get work’ request to the pool server through the legitimate Bitcoin miner client, it will receive a mathematical problem to solve. All computers infected with this malware will perform the same actions and join the pool involuntarily. As a result, the number of miners under the criminal’s account increases and the percentage payout to this account when a solution is reached will also increase. The newly created Bitcoins will be sent to Bitcoin addresses that are under the criminal’s control and it will be impossible to trace back to the criminal because there are numerous ways in which the Bitcoins can be retrieved anonymously. For example, for only a 0.5% transaction fee, the ‘send shared’ privacy service will break the chain of addresses by swapping your Bitcoins with those of multiple users. With various Bitcoin mixing (‘laundering’) services available on the Internet, Bitcoin’s anonymity makes it easy for an unskilled person to engage in criminal activity.
Table 1 summarizes the parameters used by this family of Bitcoin-mining malware.
| Bitcoin pool server | Proxy used |
|---|---|
| api.bitcoin.cz | 80.83.125.243 |
| pool.bitclockers.com | |
| pit.deepbit.net | |
| 50btc.com | apple.skc.su |
| eu.triplemining.com | 74.208.213.196/74.208.170.25/apple.skc.su |
| eu2.triplemining.com | |
| stratum.triplemining.com | 74.208.149.142 |
| Btcguild.com | 208.93.155.94 |
| mine2.btcguild.com | |
| De.btcguild.com | 199.180.128.183 |
| us2.eclipsemc.com | |
| 92.23.236.102 | |
| 94.242.198.64 | |
| 94.102.50.53 | |
| Eligiusshit.st | |
| mining.eligius.st | |
| uclid.es | |
| ssl.nemaradio.net (malicious domain for hosting other malware) | apple.skc.su |
| vps.x1x2.in (also hosting NgrBot in France Paris Gandi) |
Table 1. Summary of Bitcoin pool servers and proxies used by criminals.
From the table, we can tell that the criminal uses a diverse range of pool-mining methods offered by different servers. Additional proxy servers are provided in certain cases to enhance the victim miners’ productivity – which could, for example, be affected by an unstable Internet connection.
Each transaction is deemed to be public knowledge as network confirmation is necessary. When a criminal decides to show off the proof of his crime by using the address as his username, it is possible to trace a fraction of the money he has made from his victims. Indeed, we have encountered this during our analysis. For example:
-o http://mining.eligius.st:8337 -u 1PyoNmwdNP7PQWQwjCLiK8Av5V9eAGhKcL -p x
The 34-byte number starting with 1 suggests that this username might be a transaction address. Searching the database which holds information about all transactions can show us how much money a criminal has made. The report shown in Figure 6 shows that there were a lot of newly generated coins – suggesting that this address was actively engaged in mining activity during April.
(Click here to view a larger version of Figure 6.)
The result shows that one of the addresses has made 1.75 BTC so far, which is roughly equivalent to US$350 at the current market rate. That might not seem like much, but we have to keep in mind that this is just one of the many addresses that the criminal is using. In addition, the really profitable part in the Bitcoin business is selling Bitcoins that were previously mined or otherwise gained when their value was low.
The recent rise in Bitcoin value has given cybercriminals significant incentive to work on Bitcoin related malware. Unless the Bitcoin mining software is re-implemented, it will be more convenient for cybercriminals to take an existing client and repackage it so that it executes the malicious commands stealthily.
Thanks to its anonymity, Bitcoin is a favourable currency among cybercriminals. However, it is unknown at this time whether all these criminal activities will cripple the Bitcoin economy. Since Bitcoin is a limited resource, there will theoretically come a day when no more Bitcoins can be mined. Some people might consider the current Bitcoin mining business a once-in-a-lifetime opportunity, since only a reasonable amount of resources are needed to generate revenue. This might not be the case in the future. As Bitcoin has finally gained some major public attention this year, we expect to see more advances in Bitcoin malware in the near future.
.jpg)