Introduction:

As a simple one-card bitcoin miner, I consider the whole project to be more of an interesting experiment in economics and psychology. That said, people will happily pay real money for bitcoins, which leads us into what we've found below...


Background:

I normally mine as part of Eligius pool, and often can be found lurking on the IRC channel on Freenode. One day a user joined who claimed a copy of Internet Explorer was consuming all of their CPU and making everything run slow. The process in question was also connecting to the pool, which was how the user had found their way to the IRC channel.


Analysis:

A little digging turned up two files, both disguised as Internet Explorer (iexplore.exe), which were placed in the default location for Internet Explorer, under subdirectories "src" and "bin". These subdirectories were then hidden to stop the average user from finding them.

The file in the "bin" directory turned out to be a copy of CGMiner with an altered filename and header to make it appear to be Internet Explorer 8. There was nothing else particularly unusual about the file, which was being executed with command-line options setting the destination server, username and password (which on Eligius are a bitcoin address and something random, respectively).

The file in the "src" directory was a lot more interesting. This file took no command-line options and gave no output on execution. Delving into a disassembly of the file showed it to apparently be written using .NET, and turned up the string: "This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support".

With this knowledge in mind, I set out to find something that could reverse AutoIt compiled scripts back to something more human readable. As it would happen, quite a wide range of tools exist for this task, and getting the script was no harder than downloading and running a simple open source program. The script showed quite clearly what the file was supposed to do:

  1. Check the registry entry for "Internet Explorer" at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  2. If this matched the normal Internet Explorer path, change it to instead point to the file located in the "src" directory
  3. Check if any processes matching "iexplore.exe" are running, and match them against the file in the "bin" directory. If the file isn't running, start it with the appropriate set of preferences.


Disinfectant steps and final notes:

Disinfecting this little trojan should be as simple as killing all instances of iexplore.exe from your process list, then deleting the offending "src" and "bin" directories from within the Internet Explorer folder in Program Files. You will likely need to unhide the directories and grant yourself permissions on them in order to delete them. After the files have been deleted, reset the registry entry for Internet Explorer (as mentioned above in the analysis) back to its previous or default setting.
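The checks above, as an added PowerShell example that is not part of the original write-up: it looks for the three indicators described (the hijacked "Internet Explorer" Run value, an iexplore.exe process running from the "src" or "bin" subdirectory, and the hidden directories themselves), reports them, and cleans them up only when run with `-Remediate`. It assumes the Run value is named exactly "Internet Explorer" as stated above and that the genuine browser lives in the default Internet Explorer folder under Program Files; run it from an elevated prompt.

```powershell
# Added example, not the write-up's own code. Assumes the Run value name
# "Internet Explorer" and the default Internet Explorer install folder.
param([switch]$Remediate)

$ieDir      = Join-Path $env:ProgramFiles 'Internet Explorer'
$genuineExe = Join-Path $ieDir 'iexplore.exe'
$runKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$badDirs    = @('src', 'bin') | ForEach-Object { Join-Path $ieDir $_ }
$findings   = @()

# 1. Persistence: the Run value should still point at the genuine binary.
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'Internet Explorer'
if ($runValue -and ($runValue.Trim('"') -notlike "$genuineExe*")) {
    $findings += "Run value hijacked: $runValue"
    # Restore the previous setting described in the analysis: the real iexplore.exe.
    if ($Remediate) { Set-ItemProperty -Path $runKey -Name 'Internet Explorer' -Value "`"$genuineExe`"" }
}

# 2. Processes: any iexplore.exe whose image lives under the src/bin directories.
Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $path = $proc.Path
    if ($path -and ($badDirs | Where-Object { $path -like "$_\*" })) {
        $findings += "Rogue iexplore.exe (PID $($proc.Id)): $path"
        if ($Remediate) { Stop-Process -Id $proc.Id -Force }
    }
}

# 3. Dropped files: the hidden src/bin directories under the IE folder.
foreach ($dir in $badDirs) {
    if (Test-Path -LiteralPath $dir) {
        $findings += "Suspicious directory: $dir"
        if ($Remediate) {
            # Strip Hidden/System/ReadOnly so the contents are visible and deletable.
            $items = @(Get-Item -LiteralPath $dir -Force) + @(Get-ChildItem -LiteralPath $dir -Recurse -Force)
            foreach ($item in $items) {
                $item.Attributes = $item.Attributes -band (-bnot ([IO.FileAttributes]'Hidden, System, ReadOnly'))
            }
            # If this still fails with access denied, take ownership first (takeown /F "$dir" /R, then icacls).
            Remove-Item -LiteralPath $dir -Recurse -Force
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'No indicators of the iexplore.exe miner found.' }
```

Only processes running from the "src" or "bin" directories are stopped, so a genuine Internet Explorer session is left alone; the first pass without `-Remediate` is a report you can check before deleting anything.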

What was quite odd about this trojan was its apparent lack of command and control functions. Much of the malware out there has some form of "call home" functionality in order to allow the attacker to update or modify their malware. This means that the miner trojan itself is either an independent segment of an existing botnet, or an internet equivalent of a dumb missile, possibly installed through a drive-by browser hijack or similar exploit.

The reason the attacker chose to point the trojan towards the Eligius pool is almost certainly due to the pool not requiring any form of sign-up or authentication (which makes it very easy to use and maintain for miners). The username specified is a bitcoin address, which is the only detail required to ensure shares are paid out. This means that unfortunately, the attacker is pretty much impossible to track down.

Either way, if you are reading this page because you have been or are infected, you really should scan your computer for malware, even if your existing anti-virus package reports no infections. Try multiple scanning products; there are many free versions out there!

Feel free to donate to 1LmJ7KvbXMLyNGCn9s6qhf7aLYJ7JvCmkF if you find this article interesting or useful!