SignFlow engineers terminate menacing Bitcoin virus

Featured

pic for SignFlow bitcoin blogA dangerous Bitcoin-mining virus has been detected and disabled by two of our IT experts.

A potentially devastating Bitcoin-mining virus has been stopped in its tracks, thanks to the vigilance and quick actions of SignFlow (a PBSA brand) engineers William Vermaak and Morne Wilken.

Vermaak and Wilken detected malicious activity on one of their customer’s servers last week, immediately analysed the source of the virus and un-infected the server.

According to Vermaak, the virus had gone undetected by all available virus packages. “We submitted samples to ESET the next day and [the company] immediately responded from its virus lab in Denmark, confirming the virus was wild and that detection for the threat had been added to its latest definition updates.”

Founded in 1992, ESET is a Slovakia-based IT security company that offers anti-virus and firewall products such as ESET NOD32. The security company named the virus winlog.VBS – VBS/TrojanDownloader.Agent.QE trojan winlog.bat – BAT/CoinMiner.UG Trojan.

By the time of detection, the virus had already infected 0.04% of Windows computers in South Africa, while Russia was hardest hit, with 0.5% of all Windows computers infected. Windows is currently the most popular end-user operating system in the world.

Essentially a Bitcoin-mining virus, the Winlog Virus downloads a Bitcoin CPU miner on the victim’s computer, and then mines Bitcoins for the virus originator. Vermaak says this type of virus is particularly evasive. “It tries to make itself resilient and configures various system schedules to start it again if it’s stopped. The virus will also install itself on the system as a system service.

“The virus infiltrates the System Registry and changes some keys to make itself run again if it’s shut down. Shortcuts on the victims’s Desktop are modified to run the virus and these then run the original program, in an attempt to mask it’s presence. The virus also copies itself into various other files on the system – including Microsoft.exe – to try ensure resilience.”

Prevalent pest

According to Manuel Corregedor, chief operations officer at information security company Telspace Systems, Bitcoin-mining viruses have become rampant. “There has definitely, in recent times, been an increase in Bitcoin-mining viruses – in particular the diversification of the type of currencies they mine.”

Almost three months ago, Russian president Vladimir Putin’s Internet advisor, Herman Klimenko, issued a dire public warning that 20 to 30 percent of all computers in Russia were infected with computer malware designed to turn devices into Bitcoin-mining machines.

At the time Klimenko told Moscow-based news broadcaster RBC that viruses that install bitcoin-mining software are the “most common and most dangerous” type of computer malware in existence.

Corregedor says the main issue Bitcoin-mining malware creates, is that it negatively impacts the performance of the victim’s computer. “[The malware] does this by stealing/utilising the infected computer’s resources (CPU, GPU, RAM, etc). This may result, over time, in increased wear and tear, which may cause the computer to fail or cease.” On top of this destructive consequence, he adds, there are other costs associated with increased power consumption.

But this destructive malware goes even further. Apart from the said performance impact, Corregedor notes that – apart from mining Bitcoins – it  has also been seen launching web- and network-based attacks, such denial of service attacks, login brute force attacks and web application attacks.

“It should also be noted that the danger [with Bitcoin-mining malware] is further increased due to the fact that [it] has been found to be infecting Internet of Things devices i.e. web cameras, routers, Network Attached Storage devices, etc.  The infections have mainly occurred due to these devices having default credentials configured on them – for example user name admin and password admin on a router.”

Protection pointers

Corregedor says users can protect themselves against these kinds of malicious virtual attacks by ensuring their operating systems (Windows, Linux etc) are up to date with the latest security updates (patches).

He gives the following pointers:

  • Ensure you have anti-virus software installed and that it is up to date
  • Ensure your devices are not using any default login credentials and/or weak login credentials, in particular devices such as routers
  • Enable/install a Firewall
  • Install a HIPS (Host Intrusion Prevention System)
  • Be cautious/aware when it comes to receiving unexpected emails with attachments and/or installing potentially unwanted software

“Attackers are constantly scanning the internet looking for devices that are not up to date and/or are not configured securely (for example using default credentials).  Once such systems are identified, they are infected with malware,” he warns.

“Additionally, attackers are also constantly sending out spam/phishing emails that contain malicious attachments.”

Corregedor says, while South Africa is just as vulnerable as any country when it comes to infection, the country’s lack of a National Information Security Awareness campaign could render it in deeper danger.