Research by Daniel Cid. Authored by Dre Armeda.
One thing you can’t take away from some of the attackers we deal with everyday is their creativity. From time to time we write about new trends we’re seeing, and this post is no different. We’re seeing a new tactic recently, and it may be affecting your pockets, even if you’re not into the latest trend of using digital currency.
Digital currency you say?
I sure did! Bitcoin to be exact.
Bitcoin is not widely adopted yet, and the currency currently trades outside the control of centralized banks. You may not know what a Bitcoin is, and don’t worry, a lot of people still don’t.
This doesn’t mean this isn’t important, or doesn’t apply to you, so make sure to read on and learn.
From the Bitcoin website:
Bitcoin is a digital currency, a protocol, and a software that enables
- Instant peer-to-peer transactions
- Worldwide payments
- Low or zero processing fees
- And much more!
Still not following? Here’s a better definition that may help:
Bitcoin is an experimental, decentralized digital currency that enables instant payments to anyone, anywhere in the world. Bitcoin uses peer-to-peer technology to operate with no central authority: managing transactions and issuing money is carried out collectively by the network.
Here is a quick video explaining the peer-to-peer, open source currency:
This sounds awesome to me. An anti-authoritarian currency that’s already in active use, and being adopted by some pretty big names!
If you’re a WordPress.com user, you can now pay for upgrades using Bitcoin. Ever purchase anything on Etsy.com? That’s right, there are currently near 100 vendors accepting the digital payment option. NameCheap, Reddit, and 4Chan round up a quick list of names featured in a Mashable article about Bitcoin recently.
Staying power is still undetermined, but for now the currency continues to grow, and that’s important to know.
Mining for Gold
Now that you have a better understanding of this growing crypto-currency, we’re going to chat a bit about generating the currency, and then we’ll move on to our little discovery.
Although we’d all love to have a real money tree, you’re in the wrong forest if you think you found it here. However, the currency still needs to be generated, and it’s a fairly complex process named Mining.
Paper money is usually created and distributed by goverments, in the case of Bitcoin, there is no government. With Bitcoin you have Miners. Bitcoin Miners are entities that use special software to solve difficult math problems, and in exchange are issued a certain amount of Bitcoins.
Here’s a great video explaining the process of Mining, it’s importance, and how heavy the process can be.
In the early days Miners were quickly solving the math problems needed to generate bitcoins locally on their personal computers. This became more difficult because the intensity of processing power needed to solve the necessary math problems continued to rise as the network of Miners grew. The math problems continued to become more resource intensive which lead to the production of commercial processors that were reprogrammed for Mining specifically.
The processes and technologies used to generate Bitcoins has seen various iterations. Even today as more Miners join the network, the math problems continue to grow more complex.
This is where Pools come into play. Pools are groups or units of Miners. Pools are able to solve problems faster, and in turn are rewarded for their contributions. Although this distributes the heavy resource lead, it certainly doesn’t offload the resource requirement completely. There is still a demand for processing power and resources to perform the computations needed to solve the problems.
Where do we go to get these resources if we want to compute faster? In there lies our little discovery.
What the Falcon?
We see a lot of different attacks. We see a lot of vulnerabilities leading to various categories of compromised websites. Our research in this case leads us towards a different type of payload, a different type of exploit. To be fair, this is a new world of digital payment, there will likely be future efforts by attackers.
Instead of injecting malware or SPAM, or even performing the usual malicious acts we normally blog about, the attackers are hiding Bitcoin Mining software below the application layer in the stack. Ultimately what they are doing is attacking server to leverage its resources for their Mining purposes.
How’s it Happening?
The first case we discovered was a few weeks ago. A website we were cleaning was suspended for using far too many resources. During remediation we took a look at the process list and what do you know, hidden inside /var/www/site.com/wp-content/plugins/akismet/mysqld
we found a Miner running and masking itself as the mysqld binary.
We took a quick look at the processor resources by running the top command in terminal:
30104 userx 18 0 311m 9176 2020 S 97.2 0.3 4916:23 ./mysqld --url https://pool.give-me-ltc.com:8080
The top results show that this mysqld binary has been running for many hours and consuming almost 100% of the CPU resources. Keep in mind that this is a large web server hosting thousands of websites. After a few days pegged at 100% CPU usage the hosting company noticed and shut the client down.
That was the first case, but not the last. What first appeared to be an anomaly is not repetitive. Here is a sample from another website that was banned for using too many resources:
Again a quick top command and the proof is in the pudding:
22274 usery 20 0 249m 4612 824 S 29.1 0.0 124:39.70 ../mine.16 --url=https://vibehacks.net/ --userpass=HIDDEN
Although the resource usage wasn’t as intensive in this case, they were still very high. This time top showed that a binary named /mine.16 had been running for days using almost 30% of the CPU for mining purposes.
The attackers seem to leverage services like give-me-ltc.com where everyone can put resources to mine bitcoins/litecoins. When the resources are successful in solving the mathematical problems, everyone receives their share of the pie. Now, we’re not implying that give-me-ltc.com is malicious by any means, and we have no data to say otherwise. The attackers just seem to be leveraging compromised servers to join the give-me-ltc.com pool of miners.
Using Minerd
During our analysis, we found that the attackers were using a modified version of minerd for mine for Litecoins and Bitcoins. In addition to the mining, all servers we worked on also had a PHP based backdoor that gave the attackers full control of the site.
As of the time of this post, it was already being flagged by Avast as: Win32:Crypt-OSW.
What’s the Impact
Directly to bitcoin miners and users, none really. For website owners this could be a signicant issue. There is an high risk of outages and for monetary loss, and if you’re a website owner or manager, you should take this threat seriously.
What can you do? Nothing we haven’t evangelized 100 times! Make sure you’re minimizing risk with the following 5 principles:
- Update ALL software on the server
- Remove all files and software not in use
- Limit access to accounts and use proper roles
- Strong and unique passwords are key
- Institute a backup schedule off site
We don’t really know how widespread this new trend is yet, but when we started to see one server after another with the same issues, we knew something was going on.
Our team will continue to analyze this binary and growth and we will share on follow up posts.
13 comments
very nice publish, i definitely love this website, keep on it
So much hoax can ruin the economy.
Thanks, Tony! What is the attack vector used against the server?
1. I suppose that it’s possible to deduce (from Daniel Cid’s blog post “Apache Binary Backdoors on Cpanel-based servers”) that the AV is cPanel itself, eh?
2. If the attacker’s preferred method of preventing the removal of the trojan’ed binary is to set the “immutable” file attribute, could that same tactic be employed to prevent hack?
Has MITRE issued a CVE Identifier for this vulnerability yet?
Has US-CERT issued an alert or a bulletin for this vulnerability yet?
I enjoyed it and hope it will grow more. good luck
I am very happy to visit and read this information. Thank you for this wonderful article that you share with us
Hum. The share may have known, would be more beneficial for your post.
I am glad to catch idea from your article. It has information I have been searching for a long time. Thanks so much
Comments are closed.