Mining botnets are back

October 2017 Editor's Choice, Information Security

The Kaspersky Lab anti-malware research team has identified two botnets made of computers infected with malware, which silently installs cryptocurrency miners – legitimate software used to create (‘mine’) virtual currencies based on blockchain technology. In one instance researchers were able to estimate that a 4000-machine network could bring its owners up to $30 000 a month, and in another instance researchers witnessed criminals jackpotting more than $200 000 from a 5000-PC botnet.

The architecture of Bitcoin and other cryptocurrencies suggests that in addition to buying cryptocurrency, a user can create a new currency unit (or coin) by utilising the computing power of machines that have specialised mining software installed. At the same time, according to the concept of cryptocurrencies, the more coins that are produced, the more time and computing power is required to create a new coin.

Several years ago, the malware silently installing Bitcoin miners (that uses victim’s computers to mine currency for cybercriminals), was a common thing on the threat landscape, but the more Bitcoins that were mined, the harder it became to mine new ones – and at some point the process became useless: the potential financial gain that a criminal could get from a bitcoin mining endeavour would not cover the investment they would need to put into the creation and distribution of malware, and the support of backend infrastructure required.

However, the price of Bitcoin – the first and the most famous cryptocurrency – which has been skyrocketing in recent years from hundreds to thousands of dollars per coin, ignited a real cryptocurrency fever around the world. Hundreds of enthusiast groups and startups have started releasing their own Bitcoin alternatives, many of which also gained significant market value in a relatively short period of time.

These changes in the cryptocurrency markets have inevitably attracted the attention of cybercriminals, which are now turning back to fraud schemes, during which they silently install cryptocurrency mining software on thousands of PCs.

Based on results of recent research by Kaspersky Lab experts, the criminals behind the newly-discovered botnets distribute the mining software with the help of adware programmes, which victims are installing voluntarily. After the adware programme is installed on the victim’s computer, it downloads a malicious component: the miner installer. This component installs the mining software, and in addition, performs some activities to make sure the miner works for as long as possible. These activities include:

• An attempt to disable security software.

• Tracking all application launches and suspending their own activities if a programme that monitors system activities or running processes is started.

• Ensuring a copy of the mining software is always present on the hard drive, and restoring it if it is deleted.

As soon as the first coins are mined, they are transferred to wallets belonging to criminals, leaving victims with an oddly underperforming computer and slightly higher electricity bills than normal. Based on Kaspersky Lab observations, criminals tend to mine two cryptocurrencies: Zcash and Monero. These particular currencies are probably chosen because they provide a reliable way to anonymise transactions and wallet owners.

The first signs of malicious miners returning were spotted by Kaspersky Lab as early as December 2016, when a company researcher reported at least 1000 computers infected with malware, which was mining Zcash – a cryptocurrency which was launched at the end of October 2016. At that time – thanks to the price of Zcash which has been growing rapidly – that botnet could bring its owners as much as $6000 per week. The emergence of new mining botnets was then predicted and the results of recent research confirm that the prediction was correct.

“The major problem with malicious miners is that it is really hard to reliably detect such activity, because the malware is using completely legitimate mining software, which in a normal situation could also be installed by a legitimate user. Another alarming thing which we have identified while observing these two new botnets, is that the malicious miners are themselves becoming valuable on the underground market. We’ve seen criminals offering so-called miner builders: software which allows anyone who is willing to pay for full version, to create their own mining botnet. This means that the botnets we’ve recently identified are certainly not the last ones”, said Evgeny Lopatin, malware analyst at Kaspersky Lab.

In order to prevent their computer from turning into an electricity harvesting zombie, which works hard to make money for criminals, Kaspersky Lab researchers advise users to follow the measures below:

• Do not install suspicious software from untrusted sources on your PC.

• The adware detection feature may be disabled by default in your security solution. Make sure you enable it.

• Use a proven Internet security solution in order to protect your digital environment from all possible threats including malicious miners.

• If you are running a server, make sure it is protected with a security solution, as servers are lucrative targets for criminals thanks to their high computing performance (in comparison to the average PC).

Kaspersky Lab products successfully detect and block the malware spreading malicious mining software with the following detection names:

• RiskTool.Win32.BitCoinMiner.hxao

• PDM:Trojan.Win32.Generic

Learn more about newly discovered malicious mining botnets on www.securelist.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Standards for fire detection
SAQCC (Fire) Editor's Choice Fire & Safety Associations
With the increased number of devastating fires reported throughout South Africa, adequate and suitable fire detection cannot be overstated. SAQCC Fire will publish a series of articles in SMART Security Solutions to provide insight into fire detection requirements and importance.

Read more...
Taking fire safety seriously
G2 Fire Editor's Choice Fire & Safety Security Services & Risk Management
To gain insights into how fire systems must be designed, installed and maintained, SMART Security Solutions asked Nichola Allan, MD of G2 Fire, for some insights into the local fire market.

Read more...
The best of local and international
Technoswitch Fire Detection & Suppression Editor's Choice
SMART Security Solutions speaks to Technoswitch’s Managing Director, Brett Birch, to learn more about the company and how it serves the fire safety market in South and sub-Saharan Africa.

Read more...
Surveillance on the perimeter
Axis Communications SA Hikvision South Africa Technews Publishing Editor's Choice Perimeter Security, Alarms & Intruder Detection
Cameras have long been a feature in perimeter security, with varying reports of success and failure, often dependent on the cameras’ planning, installation and configuration, as well as their integration with other perimeter solutions and centralised management platforms.

Read more...
Onyyx wireless alarm
Technews Publishing Editor's Choice Smart Home Automation
IDS has introduced Onyyx, a wireless alarm system engineered to provide complete system control via the Onyyx app or keyring, as well as seamless installation.

Read more...
Visual verification raises the security game
Technews Publishing Inhep Electronics Holdings Videofied SA Editor's Choice Perimeter Security, Alarms & Intruder Detection
Incorporating alarm signals with live surveillance footage, visual verification enables a human observer in a control room (onsite or offsite) to gain a clear understanding of the situation, thereby facilitating informed decision-making.

Read more...
The AX Hybrid PRO Series offers reliable wired and wireless protection
Hikvision South Africa Editor's Choice Perimeter Security, Alarms & Intruder Detection Products & Solutions
Hikvision has announced the launch of a new AX Hybrid PRO alarm system with innovative Hikvision ‘Speed-X’ transmission technology. This system offers reliable wired protection while delivering expanded flexibility with seamless wireless integration.

Read more...
A critical component of perimeter security
Nemtek Electric Fencing Products Gallagher Technews Publishing Stafix Editor's Choice Perimeter Security, Alarms & Intruder Detection Integrated Solutions
Electric fences are standard in South Africa, but today, they also need to be able to integrate with other technologies and become part of a broader perimeter security solution.

Read more...
SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...