Server mining bitcoin code


Author: Admin | 2025-04-28

Files to be injected into svchost.exe, and a list of command servers Alureon connects to. Figure 14 shows an example of an Alureon configuration file:

Figure 14: Alureon configuration file.

On 14 September 2011, Kaspersky Lab researchers published a blog post [37] detailing an update to the Alureon configuration file that they noticed had been made at the start of August 2011. As Sergey Golovanov detailed, a 'new section [tslcaloc] has appeared in the TDSS configuration files', listing underneath it an executable run with the familiar miner parameters:

[tslcaloc]
Svchost.exe=180| -g yes -t 1 -0 http://pacrim.eclipsemc.com:8337/ -u -p

So it's obvious that the gang behind Alureon decided that bitcoin mining was now fair game, updating their creations to include this functionality. But it seems Trojan:Win32/Alureon wasn't the only component of this conglomeration to receive a Bitcoin update.

Rorpian

Worm:Win32/Rorpian, a family of worms that spread through network shares and the LNK vulnerability MS10-046, downloads Win32/Alureon onto compromised machines and is developed by the same authors. In mid-August, months after we first saw this worm arriving in our labs, we saw variants of it upgraded with bitcoin-mining functionality.

What makes this upgrade different from the Win32/Alureon component, and from most other malware discussed in this paper so far, is that the authors of this worm decided to implement the bitcoin-mining code themselves rather than rely on a freely available mining utility.

As mentioned in the 'How mining works' section, bitcoin miners communicate with mining pool servers using the JSON-RPC remote procedure protocol. Win32/Rorpian uses the same protocol to communicate with the server http://188.229.89.120:8334, retrieving data from the server with a getwork request and calculating the hashes on the returned data before it posts the results back to the server. This same server is used by Rorpian to download additional malware, and was registered in Romania.

Kelihos

Backdoor:Win32/Kelihos.B, a prevalent backdoor variant of the Kelihos family that includes functionality to send spam emails, download files, communicate with other infected computers and steal sensitive information, also has bitcoins in its sights: this variant includes new code modules that steal the Bitcoin wallet and perform mining.

The wallet-stealing module contains code that grabs the wallet.dat file if it exists in the following locations (the default locations on Windows XP and on Windows 7 and Vista respectively):

%APPDATA%\Bitcoin\wallet.dat
%APPDATA%\Roaming\Bitcoin\wallet.dat

The mining module contains code that performs bitcoin mining as ordered by its controller, hashing the blocks it receives from its control server (Figure 15).

Figure 15: Kelihos bitcoin-mining module.

Bafruz

Backdoor:Win32/Bafruz is a backdoor trojan used in a P2P botnet, and contains multiple components that can be downloaded onto a compromised machine through communication with its peers. Components of Bafruz include functionality to:

- Disable anti-virus software and display fake anti-virus alerts
- Hijack Facebook and Vkontakte accounts
- Perform HTTP and UDP DDoS attacks
- Download additional malware
- Download bitcoin-mining software
- Run a Bitcoin server and allocate tasks to mining components.

When the Bitcoin server component is installed on a compromised machine, it listens for incoming RPC connections from the client components in order to allocate work to them. The client is able to download three bitcoin miners
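The miner parameters quoted above (a pool URL after -o, worker credentials with -u/-p, a thread count with -t) are the kind of command-line pattern a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the paper or from any of the malware families it describes; the event lines are constructed for the example, and only the two pool endpoints are taken from the text.

```python
import re

# Constructed process-creation events (not from the page); the pool URLs reuse
# the two endpoints quoted in the text so the heuristic can be exercised on them.
SAMPLE_EVENTS = [
    "pid=1204 image=C:\\Windows\\System32\\svchost.exe cmdline=svchost.exe -k netsvcs",
    "pid=1308 image=C:\\Windows\\System32\\svchost.exe cmdline=svchost.exe -g yes -t 1 "
    "-o http://pacrim.eclipsemc.com:8337/ -u miner1 -p x",
    "pid=2210 image=C:\\Users\\bob\\AppData\\Roaming\\upd.exe cmdline=upd.exe "
    "-o http://188.229.89.120:8334/ -u a -p b",
    "pid=3311 image=C:\\Program Files\\Editor\\editor.exe cmdline=editor.exe -o notes.txt",
]

EVENT_RE = re.compile(r"pid=(?P<pid>\d+) image=(?P<image>.+?) cmdline=(?P<cmdline>.*)$")
# -o followed by an http(s) URL that names an explicit port, as pool miners use.
POOL_URL_RE = re.compile(r"-o\s+https?://[^\s/]+:\d+/?", re.IGNORECASE)


def parse_event(line):
    """Split one constructed event line into pid, image and cmdline (None if malformed)."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def miner_indicators(cmdline):
    """Return the reasons a command line resembles a pool-miner invocation."""
    reasons = []
    tokens = cmdline.split()
    if POOL_URL_RE.search(cmdline):
        reasons.append("pool URL with explicit port after -o")
    if "-u" in tokens and "-p" in tokens:
        reasons.append("worker credentials (-u/-p)")
    if "-t" in tokens:
        reasons.append("thread count (-t)")
    return reasons


def flag_miner_processes(events):
    """Return [(pid, image, reasons)] for events that carry a pool URL.
    A pool URL is the minimum requirement; -u/-p and -t only add confidence.
    An svchost.exe started without a -k service group is noted separately,
    since legitimate svchost instances are launched with -k <group>."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = miner_indicators(ev["cmdline"])
        if not any(r.startswith("pool URL") for r in reasons):
            continue
        if ev["image"].lower().endswith("svchost.exe") and "-k" not in ev["cmdline"].split():
            reasons.append("svchost.exe without -k service group")
        hits.append((ev["pid"], ev["image"], reasons))
    return hits
```

A plain `-o file` argument, as an editor might use, is deliberately not flagged, so the pool-URL check is what keeps the rule from firing on ordinary software.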
