In the past we reported a couple of attacks involving malware that turns infected systems into Bitcoin miners. We also said that cybercriminals will increasingly do so in the future. We recently encountered another familiar and well-known malware family—TDL4—that turns infected systems into Bitcoin miners.
TDL4 is a well-known TDSS variant that evades antivirus detection by infecting systems’ boot sector. We have since been monitoring TDSS-related developments. Earlier this year, we saw TDL4 exhibit propagation routines through a worm component that Trend Micro detects as WORM_OTORUN.ASH.
In the course of our research, we found that recent variants of WORM_OTORUN.ASH contain code that attempts to participate in a Bitcoin pool known as Deepbit.
Figure 1 shows some parameters that include getwork, which gets a job from the mining pool. A job is a Bitcoin block header which the miner, in this case the infected system, hashes in order to earn a Bitcoin share. In Bitcoin pools, users sign up and join a network of miners to work on the same jobs for faster payout.
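To make concrete what the getwork job in Figure 1 represents, here is an added Python example (not code from this post, nor from the malware or the Deepbit pool) that builds a constructed getwork-style job, word-swaps the 80-byte header as getwork does, and scans nonces until the header's double-SHA-256 falls under the pool's share target. The header fields and the easy target are constructed so the search finishes in well under a second; a real difficulty-1 share needs about 2^32 hashes.

```python
import hashlib
from typing import Optional

def swap_words(raw: bytes) -> bytes:
    """Reverse the byte order inside each 32-bit word (getwork's 'data' encoding)."""
    return b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))

def sha256d(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def meets_target(header: bytes, target_le_hex: str) -> bool:
    """A share is valid when the header hash, read as a little-endian
    integer, does not exceed the target the pool handed out."""
    target = int.from_bytes(bytes.fromhex(target_le_hex), "little")
    return int.from_bytes(sha256d(header), "little") <= target

def find_share(job: dict, max_nonces: int) -> Optional[int]:
    """Undo the word swap, then vary the nonce (header bytes 76..80) until
    a hash meets the target. Returns the winning nonce, or None."""
    header = bytearray(swap_words(bytes.fromhex(job["data"])[:80]))
    for nonce in range(max_nonces):
        header[76:80] = nonce.to_bytes(4, "little")
        if meets_target(bytes(header), job["target"]):
            return nonce
    return None

def make_job(target_le_hex: str) -> dict:
    """Constructed getwork-style job: an 80-byte header plus the 48 bytes of
    SHA-256 padding getwork appends, word-swapped as a pool would send it."""
    header = (
        (2).to_bytes(4, "little")             # version
        + bytes(32)                           # previous block hash (constructed)
        + bytes.fromhex("11" * 32)            # merkle root (constructed)
        + (1300000000).to_bytes(4, "little")  # ntime (constructed)
        + bytes.fromhex("1d00ffff")[::-1]     # nbits, difficulty-1 encoding
        + bytes(4)                            # nonce, filled in by the miner
    )
    padding = b"\x80" + bytes(39) + (640).to_bytes(8, "big")  # 80 bytes = 640 bits
    return {"data": swap_words(header + padding).hex(), "target": target_le_hex}

# Targets are 32 little-endian bytes as hex, the getwork convention.
EASY_TARGET = "ff" * 30 + "00" * 2          # hash < 2^240: ~65k tries on average
DIFF1_TARGET = "00" * 26 + "ffff" + "00" * 4  # real difficulty-1 share target

if __name__ == "__main__":
    print("easy share nonce:", find_share(make_job(EASY_TARGET), 1 << 20))
    print("difficulty-1 share in 2000 tries:", find_share(make_job(DIFF1_TARGET), 2000))
```

The difficulty-1 search almost never succeeds within 2000 nonces, which is the point: a single infected machine earns shares slowly, and only pooling many of them makes the scheme pay.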
Based on Trend Micro™ Smart Protection Network™ data, WORM_OTORUN.ASH’s distribution has expanded to other parts of the globe in the past few months. Trend Micro Smart Protection Network, which constantly analyzes data, including geographic distribution, from the feedback of millions of Trend Micro customers worldwide, allows us to monitor how widespread any particular malware is in real time as well as to determine other steps that we can take to mitigate these threats.
For a clearer illustration, refer to Figure 2 below.
During our monitoring, we also observed that WORM_OTORUN.ASH’s command-and-control (C&C) servers were hosted by dubious Internet service providers (ISPs) located in Europe, particularly in the Ukraine, Romania, and the Netherlands.
Is There Something New Here?
Not really. Cybercriminals will continue to find ways to monetize their malicious activities; Bitcoin is just one more means for them to do so. Bitcoin earned the attention of crooks for several reasons, one of which is the fact that it is a direct source of income.
In addition, the concept of pooled mining complements the nature of botnets. Multiple zombie PCs contribute to the generation of a Bitcoin block with rewards ending up in cybercriminals’ hands at the infected users’ expense.
This is not very good news for victims, as Bitcoin-mining bots will probably eat up infected systems’ resources. On a more positive note, however, Bitcoin mining compromises the covertness of the malware, since the high CPU usage can alert users to a possible system infection.
As seen in TDL4 and WORM_OTORUN.ASH, it wouldn’t surprise me if Bitcoin mining becomes a trend among today’s botnets. We may just encounter more “BOTcoin miners” in the near future.