SonicWALL Security Center


Yoshi Bitcoin Mining Botnet (June 29, 2012)



Description


The Dell SonicWALL UTM research team received reports of a continually growing Bitcoin miner botnet. Bitcoin miner Trojans continue to be an evolving threat. They gather many infected machines together to form a botnet and use public mining pools to contribute to the generation of bitcoins, which can later be converted into fiat currency. Malware of this nature has also been covered in a previous SonicALERT.

The Trojan performs the following DNS queries:

  • jus{removed}.tf
  • dire{removed}.tv
  • hot{removed}.com
  • s320.hot{removed}.com
  • eu.triplemining.com
  • eu2.triplemining.com

The Trojan creates the following files on the filesystem:

  • %WINDIR%\system32\conhostd.exe [Detected as GAV: Miner.C (Trojan)]
  • %WINDIR%\system32\svchost64.exe [Detected as GAV: Miner.YSH (Trojan)]

The Trojan creates the following registry key in the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run conhostd.exe "%WINDIR%\system32\conhostd.exe"
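A defender-side check for the indicators listed above (DNS lookups of the mining pool, the dropped files and the Run value), written as an added Python example that is not part of this SonicALERT. The DNS log format and the Run-key dump are constructed sample input; the partially redacted domains are not matched.

```python
import re
from typing import Dict, List

# Indicators taken from the advisory above. The partially redacted hosts
# cannot be matched exactly, so only the unredacted mining-pool names are used.
POOL_DOMAINS = {"eu.triplemining.com", "eu2.triplemining.com"}
DROPPED_FILES = {r"%windir%\system32\conhostd.exe",
                 r"%windir%\system32\svchost64.exe"}
RUN_VALUE_NAME = "conhostd.exe"   # value name under HKCU\...\CurrentVersion\Run


def normalize_path(path: str) -> str:
    """Lower-case, strip quotes and map the expanded Windows directory to
    %windir% so that a real path and the advisory's %WINDIR% form compare equal."""
    p = path.strip().strip('"').lower()
    return re.sub(r"^[a-z]:\\windows\\", r"%windir%\\", p)


def check_dns(lines: List[str]) -> List[str]:
    """Return the queried names in DNS log lines that hit a known pool host."""
    hits = []
    for line in lines:
        m = re.search(r"query:\s*(\S+)", line)
        if m and m.group(1).lower().rstrip(".") in POOL_DOMAINS:
            hits.append(m.group(1))
    return hits


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return HKCU Run value names whose name or target matches the persistence
    entry from the advisory. The legitimate console host is conhost.exe (no 'd'),
    and there is no stock svchost64.exe in system32."""
    return [name for name, cmd in run_values.items()
            if name.lower() == RUN_VALUE_NAME or normalize_path(cmd) in DROPPED_FILES]


# Constructed sample input: one client querying the pool, one benign query, and
# a Run-key dump whose last two values correspond to the dropped files.
SAMPLE_DNS_LOG = [
    "29-Jun-2012 10:01:02.123 client 10.0.0.5#51234: query: eu.triplemining.com IN A +",
    "29-Jun-2012 10:01:05.456 client 10.0.0.5#51235: query: eu2.triplemining.com IN A +",
    "29-Jun-2012 10:02:00.000 client 10.0.0.7#51236: query: www.example.com IN A +",
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
    "Updater": r'"C:\Windows\system32\svchost64.exe"',
    "conhostd.exe": r'"%WINDIR%\system32\conhostd.exe"',
}

if __name__ == "__main__":
    print("pool lookups:", check_dns(SAMPLE_DNS_LOG))
    print("suspicious Run values:", check_run_values(SAMPLE_RUN_VALUES))
```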

The Trojan makes the following request to determine how to download and run the mining module:

The Trojan downloads a command-line Bitcoin miner from a public file hosting site:

The mining software accepts the following command-line options:

The Trojan also downloads a bitcoin mining controller module [Detected as GAV: Miner.C (Trojan)]. The module contains the following configuration data:

Upon successful setup the Trojan invokes the Bitcoin miner. The mining software uses most of the CPU resources of the compromised machine. As the configuration data and command-line options suggest, the software is also capable of utilizing ATI GPUs.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Miner.C (Trojan)
  • GAV: Miner.A_2 (Trojan)
  • GAV: Miner.YSH (Trojan)
