About the only thing that using Bitcoin-mining malware has in common with real mining is how dirty you should feel while doing it.
With Bitcoin mining, the work isn’t about digging a hole in the earth and pulling out raw materials, as with conventional mining. Rather, it’s about finding holes in someone’s security and digging in to set up a long-term mining operation.
To understand the impact of this type of malware, we first need to understand what the attackers are trying to do and why.
What are Bitcoins and what is Bitcoin mining?
Bitcoins are “a peer-to-peer payment system introduced as open source software.” The digital currency created and used in the system is alternatively referred to as a virtual currency, electronic money, or a cryptocurrency.
Bitcoin mining is roughly defined as the processing of transactions in a digital currency system, in which the records of current Bitcoin transactions (blocks) are appended to the record of past transactions (the block chain).
With this new knowledge we can look at the process of a Bitcoin mining malware operation. The most common questions I get asked about Bitcoin mining malware are:
“How does Bitcoin malware get into users’ systems?”
“Why are they using my machine?”
“How do I know they are there?”
“What can I do to stop them from getting on my systems?”
“What does a Bitcoin mining malware look like on my system?”
Why are they targeting my machine?
Bitcoin mining is a computationally demanding process that gets more and more intense over time. Bitcoin is mined in blocks, and since it takes significant computing power to mine each block, miners join up and form what are referred to as mining pools/networks. The idea behind a mining pool is that each participant who contributes computing power gets in return a share of the revenue proportional to how much they contributed. In the case of Bitcoin mining malware, the attacker is the sole beneficiary of the mining effort instead of a team of willing participants.
How do Bitcoin miners get into users’ systems?
Bitcoin mining malware uses the same methods as most other malware to gain access to an endpoint. Mechanisms like malicious downloads, emails with malicious links or attachments, and already-installed malware are the most common and effective delivery methods.
A well-known example of one of these techniques, the watering hole attack, was reported in January 2014. In this case, malicious ads were served to Yahoo! users as they visited a web page. The malware downloaded from those malicious ads was designed to turn computers into a Bitcoin mining operation.
It leveraged known vulnerabilities in Java to install itself on computers that visited the ads.yahoo.com page. The payload downloaded to each successfully exploited computer varied in its contents. Some payloads were just Bitcoin mining malware, while others contained credential-stealing Trojans like Zeus or more generic remote access tools (RATs).
How do I know they are there?
There are a few ways to know a processor-intensive malicious application has been installed on a system. The most obvious to the user is a noticeable performance impact on the infected host. I have read about Bitcoin malware variants that are “user aware” and only run when no users are logged in or when CPU usage is below a specified threshold.
Another indicator would be copious network connections between the infected host and the attacker’s server. This communication will contain new instructions from the server, possibly new malware to install on the host, information on the blocks mined by the host, and other information defined by the attacker.
Finally, there will also be file artifacts. A few artifacts from the sample I analyzed (to be presented in future blog posts) were executables and DLLs in the %appdata% directory.
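The three indicators above (CPU load, connection volume, and binaries under %appdata%) can be combined into a simple triage rule. The following is an added example, not code from the original post: it scores processes across several host snapshots using constructed telemetry, and the field names and thresholds are this example’s own assumptions. Evaluating across snapshots rather than a single one is what lets it catch the “user aware” variant that only works hard when nobody is logged in.

```python
from collections import defaultdict

# Constructed telemetry: periodic snapshots of logged-in state plus per-process
# CPU % and open network connections. Field names are this example's own convention.
SNAPSHOTS = [
    {"user_logged_in": True, "procs": [
        {"pid": 402, "image": r"C:\Windows\System32\svchost.exe", "cpu": 2.0, "conns": 3},
        {"pid": 555, "image": r"C:\Program Files\Backup\backup.exe", "cpu": 91.0, "conns": 2},
        {"pid": 918, "image": r"C:\Users\bob\AppData\Roaming\upd\svc.exe", "cpu": 0.4, "conns": 0}]},
    {"user_logged_in": False, "procs": [
        {"pid": 402, "image": r"C:\Windows\System32\svchost.exe", "cpu": 1.5, "conns": 3},
        {"pid": 555, "image": r"C:\Program Files\Backup\backup.exe", "cpu": 0.3, "conns": 0},
        {"pid": 918, "image": r"C:\Users\bob\AppData\Roaming\upd\svc.exe", "cpu": 94.0, "conns": 41}]},
    {"user_logged_in": False, "procs": [
        {"pid": 402, "image": r"C:\Windows\System32\svchost.exe", "cpu": 1.1, "conns": 3},
        {"pid": 918, "image": r"C:\Users\bob\AppData\Roaming\upd\svc.exe", "cpu": 97.0, "conns": 38}]},
    {"user_logged_in": True, "procs": [
        {"pid": 402, "image": r"C:\Windows\System32\svchost.exe", "cpu": 2.2, "conns": 3},
        {"pid": 918, "image": r"C:\Users\bob\AppData\Roaming\upd\svc.exe", "cpu": 0.5, "conns": 1}]},
]

def runs_from_appdata(image: str) -> bool:
    """%appdata% resolves under <profile>\\AppData\\Roaming; executables there are unusual."""
    return "\\appdata\\" in image.lower()

def score_processes(snapshots, cpu_threshold=80.0, conn_threshold=20, min_samples=2):
    """Return {pid: set(reasons)} built from the indicators the post describes.
    Thresholds are assumed values for this example, not vendor defaults."""
    reasons, high_cpu, high_cpu_idle = defaultdict(set), defaultdict(int), defaultdict(int)
    for snap in snapshots:
        for p in snap["procs"]:
            pid = p["pid"]
            if runs_from_appdata(p["image"]):
                reasons[pid].add("runs_from_appdata")
            if p["conns"] >= conn_threshold:
                reasons[pid].add("many_connections")
            if p["cpu"] >= cpu_threshold:
                high_cpu[pid] += 1
                if not snap["user_logged_in"]:
                    high_cpu_idle[pid] += 1
    for pid, n in high_cpu.items():
        if n >= min_samples:
            reasons[pid].add("sustained_high_cpu")
        if high_cpu_idle[pid] == n:  # "user aware" miner: busy only when nobody is logged in
            reasons[pid].add("high_cpu_only_when_idle")
    return dict(reasons)

def flag(snapshots, min_reasons=2):
    """PIDs with at least min_reasons indicators, most suspicious first."""
    scored = score_processes(snapshots)
    return sorted((pid for pid, r in scored.items() if len(r) >= min_reasons),
                  key=lambda pid: -len(scored[pid]))
```

A legitimate backup job that spikes once while a user is logged in collects no indicators, while the %appdata% binary that works only during idle periods and keeps dozens of connections open collects all four.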
What can I do to stop them from getting on my systems?
Application whitelisting or similar security software in a high-enforcement mode (block unknown) would prevent these unknown and unapproved executables from running and installing. In my next post, I will provide a high-level analysis of the behavior of a sample of Bitcoin mining malware.