Trend Micro recently came across a botnet that turns an infected system into an involuntary Bitcoin miner. Bitcoin is a digital currency that uses peer-to-peer (P2P) networks to track and verify transactions. Bitcoins are generated by a free Bitcoin miner application.
The malware, detected as BKDR_BTMINE.MNR, installs the mining software on infected systems. It uses the system’s resources to solve Bitcoin blocks in order to generate more Bitcoins.
A Bitcoin “block” is a complex cryptographic problem. Solving a block currently pays out 50 Bitcoins and blocks are created every time a Bitcoin transaction is made. The process of solving these blocks is called “mining.” The only way to solve a block is by brute forcing, which eats up system resources. To speed up the computation of a block, mining pools are created. The equation is split up into pieces and is solved by multiple systems. The incentive is based on how much a miner contributes to the solution.
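The brute-force search and pool split described above can be seen in a small added example (not code from Trend Micro or from the malware). It assumes a constructed header string and toy difficulty targets rather than the real Bitcoin block format, and all function names are hypothetical.

```python
import hashlib
import struct

# Constructed stand-in for block header data; not a real Bitcoin header.
HEADER = b"constructed-example-header"
SHARE_TARGET = 1 << (256 - 8)    # assumed pool "share" difficulty: 8 leading zero bits
BLOCK_TARGET = 1 << (256 - 20)   # assumed toy block difficulty: 20 leading zero bits
BLOCK_REWARD = 50                # payout per solved block, as stated in the article


def pow_hash(nonce):
    """Double SHA-256 of header + nonce, read as a 256-bit integer."""
    data = HEADER + struct.pack("<I", nonce)
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def split_nonce_space(total, workers):
    """Give each pool member a disjoint slice of the nonce range."""
    step = total // workers
    return [range(i * step, total if i == workers - 1 else (i + 1) * step)
            for i in range(workers)]


def mine_slice(nonces):
    """Brute-force one slice: every nonce must be hashed, there is no shortcut."""
    return [n for n in nonces if pow_hash(n) < SHARE_TARGET]


def run_pool(total, workers):
    """Split the work, collect shares, and divide the reward by contribution."""
    slices = split_nonce_space(total, workers)
    shares = [mine_slice(s) for s in slices]
    all_shares = sum(len(s) for s in shares)
    # A share that also meets the much harder block target solves the block.
    winners = [n for s in shares for n in s if pow_hash(n) < BLOCK_TARGET]
    # How the reward would be divided: proportional to shares submitted.
    payouts = [BLOCK_REWARD * len(s) / all_shares if all_shares else 0.0
               for s in shares]
    return {"slices": slices, "shares": shares,
            "winners": winners, "payouts": payouts}


if __name__ == "__main__":
    result = run_pool(total=60_000, workers=3)
    for i, (s, p) in enumerate(zip(result["shares"], result["payouts"])):
        print(f"worker {i}: {len(s)} shares, {p:.2f} of the reward")
    print("block-solving nonces:", result["winners"])
```

Shares turn up often while block-solving nonces are rare, which is why a mining host runs its CPU or GPU at sustained full load, a useful symptom when looking for an unwanted miner.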
Here, BKDR_BTMINE.MNR installs three different mining applications that run as fast as the system’s processing speed allows. To help speed up processing, the malware downloads necessary drivers for the infected system’s GPU and CPU. If blocks are solved, attackers gain ownership of the generated Bitcoins.
We also found another piece of malware, detected as BKDR_BTMINE.DDOS, which is a component of BKDR_BTMINE.MNR. BKDR_BTMINE.DDOS can perform distributed denial of service (DDoS) attacks on targeted entities. The malware can also obtain a list of targeted websites from remote sites. The DDoS component may be used to attack competing Bitcoin miners and can limit their processing power. The malware also tries to communicate with a long list of IP addresses. A list of more than 2,000 IP addresses is hardcoded in the malware and is constantly updated upon execution.
Right now, Bitcoins are worth more than US$8 each. With the value of Bitcoins constantly rising, the amount of malware related to Bitcoin mining will inevitably increase as well. Because Bitcoins make use of P2P sharing, the charges incurred are a lot lower compared with transferring money through banks or clearinghouses. In addition, Bitcoin transactions are anonymous and can be used anywhere without limits. Bitcoin usage is gaining popularity in Web transactions because of these advantages, which also raise some security issues. To stay safe, encrypt all wallets as soon as you leave your system. Use a strong, unique password for wallet encryption.
Trend Micro protects product users from this attack via the Smart Protection Network by blocking all related files and URLs.