Yoshi Bitcoin Mining Botnet (June 29, 2012)
The Dell Sonicwall UTM research team received reports of a continually growing Bitcoin miner Botnet. Bitcoin miner Trojans continue to be an evolving threat. They gather many infected machines together to form a botnet and use public mining pools to contribute to the generation of bitcoins. The bitcoins can be later converted into fiat currency. Malware of this nature has also been covered in a previous sonicalert.
The Trojan performs the following DNS queries:
- jus{removed}.tf
- dire{removed}.tv
- hot{removed}.com
- s320.hot{removed}.com
- eu.triplemining.com
- eu2.triplemining.com
The Trojan creates the following files on the filesystem:
- %WINDIR%\system32\conhostd.exe [Detected as GAV: Miner.C (Trojan)]
- %WINDIR%\system32\svchost64.exe [Detected as GAV: Miner.YSH (Trojan)]
The Trojan creates the following registry key in the Windows registry to enable startup after reboot:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run conhostd.exe “%WINDIR%\system32\conhostd.exe”
The Trojan makes the following request to determine how to download and run the mining module:
The Trojan downloads a commandline bitcoin miner from a public file hosting site:
The mining software contains the following commandline options:
The Trojan also downloads a bitcoin mining controller module [Detected as GAV: Miner.C (Trojan)]. The module contains the following configuration data:
Upon successful setup the Trojan invokes the bitcoin miner. The mining software consumes most of the CPU resources of the compromised machine and, as the configuration data and commandline options suggest, is also capable of using ATI GPUs.
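The indicators above (the dropped file names, the Run-key persistence entry, and the triplemining.com pool hosts) are the artifacts a defender would sweep for. The script below is an added example, not part of the original alert or SonicWALL's tooling: it checks a constructed dump of the HKCU Run key and a constructed DNS query log against those indicators. Only the pool hosts the alert prints in full are used; the `{removed}` domains are omitted. The function names, the log format and the sample data are this example's own assumptions.

```python
"""Sweep host and DNS data for the Yoshi miner indicators listed in the alert.

The two SAMPLE_* inputs are constructed for this example; the indicator sets
are copied from the alert text.
"""
from __future__ import annotations

import re

# Indicators from the alert: public mining-pool hosts and dropped miner binaries.
MINING_POOL_HOSTS = {"eu.triplemining.com", "eu2.triplemining.com"}
DROPPED_FILES = {"conhostd.exe", "svchost64.exe"}

# Constructed sample: roughly what `reg query HKCU\...\Run` prints on an infected host.
SAMPLE_RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    conhostd.exe    REG_SZ    "C:\Windows\system32\conhostd.exe"
"""

# Constructed sample DNS query log: timestamp, client IP, "query:", queried name.
SAMPLE_DNS_LOG = """\
2012-06-29T10:00:01Z 10.0.0.5 query: www.example.com
2012-06-29T10:00:04Z 10.0.0.5 query: eu.triplemining.com
2012-06-29T10:00:09Z 10.0.0.7 query: eu2.triplemining.com
2012-06-29T10:00:12Z 10.0.0.9 query: update.microsoft.com
"""

# One Run-key value line: <name> <REG_type> <data>. The key header has no REG_ type
# and therefore does not match.
RUN_VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_\w+\s+(?P<data>.+?)\s*$")


def suspicious_run_entries(dump: str) -> list[tuple[str, str]]:
    """Return (value name, data) pairs from a Run-key dump whose data
    references one of the dropped miner file names."""
    hits = []
    for line in dump.splitlines():
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        data_lower = m.group("data").lower()
        if any(fname in data_lower for fname in DROPPED_FILES):
            hits.append((m.group("name"), m.group("data")))
    return hits


def hosts_querying_pools(log: str) -> dict[str, set[str]]:
    """Map each client IP to the set of mining-pool hostnames it resolved."""
    result: dict[str, set[str]] = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query:":
            continue
        client, qname = parts[1], parts[3].lower().rstrip(".")
        if qname in MINING_POOL_HOSTS:
            result.setdefault(client, set()).add(qname)
    return result


if __name__ == "__main__":
    for name, data in suspicious_run_entries(SAMPLE_RUN_KEY_DUMP):
        print(f"persistence: Run value {name!r} -> {data}")
    for client, hosts in sorted(hosts_querying_pools(SAMPLE_DNS_LOG).items()):
        print(f"pool lookup: {client} resolved {', '.join(sorted(hosts))}")
```

The Run-key check matches on the dropped file name rather than the full `%WINDIR%\system32` path, since the expanded path differs between hosts; the DNS check keys on client IP so that one sweep over a resolver log yields the list of machines to triage.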
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Miner.C (Trojan)
- GAV: Miner.A_2 (Trojan)
- GAV: Miner.YSH (Trojan)