SA white hat hackers disable Bitcoin-mining virus

Published by ITWeb on 17 October 2017.

A dangerous Bitcoin-mining virus has been detected and disabled by two Johannesburg-based IT experts.

A potentially devastating Bitcoin-mining virus has been stopped in its tracks, thanks to the vigilance and quick actions of two local IT experts.

Although mining Bitcoin with regular computer hardware is no longer profitable, that isn’t keeping criminals from giving it a try. Over the past few years, there have been several types of Bitcoin-mining malware, infecting computers all over the world.

White hat ethical hacker William Vermaak, from PBSA’s digital arm pbDigital, and senior software developer, Morne Wilken, detected malicious activity on one of their customer’s servers last week.

The two immediately analysed the source of the virus and uninfected the server. “Unfortunately, the only trace left in the code by the originator is the Bitcoin wallet that the Bitcoins will be deposited into. To trace the Bitcoin wallet is extremely difficult and you will need a police warrant to get any information from the Bitcoin companies hosting the wallet,” says Vermaak.

According to Vermaak, the virus had gone undetected by all available virus packages. “We submitted samples to ESET the next day and [the company] immediately responded from its virus lab in Denmark, confirming the virus was wild and that detection for the threat had been added to its latest definition updates.”

Founded in 1992, ESET is a Slovakia-based IT security company that offers anti-virus and firewall products such as ESET NOD32. The security company named the virus winlog.VBS – VBS/TrojanDownloader.Agent.QE trojan winlog.bat – BAT/CoinMiner.UG Trojan.

By the time of detection, the virus had infected 0.04% of Windows computers in SA, while Russia was hardest hit, with 0.5% of all Windows computers infected. Windows is currently the most popular end-user operating system in the world.

Essentially, a Bitcoin-mining virus, the Winlog Virus downloads a Bitcoin CPU miner on the victim’s computer, and then mines Bitcoins for the virus originator. Vermaak says this type of virus is particularly evasive.

“It tries to make itself resilient and configures various system schedules to start it again if it’s stopped. The virus will also install itself on the system as a system service. It infiltrates the System Registry and changes some keys to make itself run again if it’s shut down,” Vermaak explains.

“Shortcuts on the victim’s desktop are modified to run the virus and these then run the original program, in an attempt to mask its presence. The virus also copies itself into various other files on the system – including Microsoft.exe – to ensure resilience.”

Bitcoin-mining machines

Almost three months ago, Russian president Vladimir Putin’s Internet advisor, Herman Klimenko, issued a dire public warning that 20% to 30% of all computers in Russia were infected with computer malware designed to turn devices into Bitcoin-mining machines.

At the time Klimenko told Moscow-based news broadcaster RBC that viruses that install bitcoin-mining software are the “most common and most dangerous” type of computer malware in existence.

With the surge in Bitcoin-mining viruses, Vermaak says: “You need to keep your anti-virus software updated, and your operating system on the latest updates.

“With the growing demand for Bitcoin, this is sure to escalate in the near future, but it is still very new so hopefully we’ve stopped this method of infection for now.

“These days there is no such thing as a bulletproof system. Everything has got some weakness whether it’s a known or unknown vulnerability. Someone will find a vector that no one will think of to gain access to a system and use it to their advantage. The only thing you can do is to minimise the risk by using a good anti-virus package and to do backups regularly,” Vermaak concludes.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s