Antonio Angelino

Antonio Angelino


December 2017
MTWTFSS
« Sep  
 123
45678910
11121314151617
18192021222324
25262728293031

Categories


Bitcoin mining malware, analysis of an infection

Antonio AngelinoAntonio Angelino

When an attacker manages to compromise and get root access to a server or your notebook, his main goal usually is to steal sensitive information, to use it as a bridgehead for attacking other targets, to send spam or deny a service for causing money losses.

When I started my sysadmin career path, more than ten years ago, almost all software exploits were used with the previously explained goals in mind, but something is changing since the crypto-currencies have begun to spread and gain real value.

Bitcoin is the most famous crypto-currency nowadays. Bitcoins can be obtained in exchange for legal currencies (dollar, euro, yen, yuan and so on) or as a reward for your processing work. You offer your computing power to verify and record payments into the public ledger. This activity is called mining and is rewarded by transaction fees and newly created bitcoins.

Bitcoin mining requires a huge amount of computation power, so miners usually create computing clusters for being able to generate them. Mining clusters can be heterogeneous: any kind of digital appliance connected to the Internet is a good candidate for joining the cluster. More powerful is the appliance CPU (or GPU), more valuable is the appliance itself.

Attackers are starting to make profit by gaining access to servers, notebooks, smartphones or even simple appliances (smart washing machines, refrigerators, televisions, CCTV security cameras and so on) and stealing CPU/GPU cycles for mining crypto-currencies.

Mining bitcoins by using low-end CPUs is quite impossible nowadays, but there are several crypto-currencies that are easier to mine. That’s why attackers have been targeting Litecoins and Dogecoins, which literally are millions of times easier to mine.

Trend Micro found a mining malware in several Android apps, a couple of which were listed in the official Google Play Store and they have been downloaded by millions of users.

Johannes Ullrich realized that there was a network of CCTV security cameras that were being used to mine for Dogecoin.

You can usually notice a mining malware on a smart phone due to the loss of performance or its “puzzling” overheat, but you may not recognize a similar issue on a modern multicore/multi-socket server. Mining malware tends to keep a low profile. Even if a mining malware uses the 100% of one core of a 12-core CPU, it’s only using the 8% of the whole CPU power and it may not be noticed.

Analysis of a mining malware infection

I found the previously described scenario during two security audits requested by two different customers. There were more than 20 servers used for mining Litecoins, all hacked using the same technique.

The hacked servers hosted several vulnerable WordPress platforms, they have been used to download and execute the following malicious PHP script.

The script contains an ELF malware library inside the $so32 variable (I removed it). It was used to change how /usr/bin/host acts. At line #37, you can see how the attacker “prelinks” (LD_PRELOAD) a bogus libworker.so before launching /usr/bin/host (a legitimate and clean system binary).

The attacker uses /usr/bin/host as a cron fallback if the access to cron is denied.

The main features of this script are:

After a successful execution of the previous script, the server crontab of the audited servers looked like the following one:

Thanks to the first cron task, a remote PERL script was downloaded every 10 seconds. This is the source code of the last downloaded PERL script:

The script executes some cleanup tasks, checks the server environment, creates a hidden directory inside the /tmp directory called “.ice-unix”, and then it downloads and extracts a tar.gz file that contains the minerd software. The last command configures and executes the parasite mining software.

The miner joins a mining pool, called “wemineltc”, through the stratum protocol and it uses a random username between “spdrman.0” and “spdrman.11”.

The malware tries to camouflage itself by :

By checking the web server logs and the creation date of several files and directories, I discovered that the parasite mining processes had been run for 3/4 months and no one noticed it!

How to prevent similar threats?

You should keep updated the Operating System and all user applications, do system hardening and schedule weekly security checks. Checking a global dashboard with server resource statistics and installing rkhunter or similar tools doesn’t guarantee that your servers don’t become zombies manipulated by a remote puppet master.

Entrepreneur, Manager, Cloud Engineer.