
Zscaler Blog

Security Research

Bitcoin Miner Utilizing IRC Worm

CHRIS MANNON
May 09, 2014 - 3 min read
Bitcoin miners have given attackers a new reason to communicate en masse with infected users. IRC worms are not exactly the most hip way to communicate, but they remain effective at sending and receiving commands. I recently came across several samples of Bitcoin mining malware that leverage IRC. The malicious binary, once installed, queries for the network shares connected to the victim's PC, drops a file, and creates an autorun.inf file to infect anyone unfortunate enough to use that same network share.

First, we see that the threat has many different variants hosted at a single location.
Image: A portion of the malicious content on this IP.


The urlquery report for this IP also picks up other shady content. Unfortunately, the VirusTotal score at the time of analysis was 1/52.

The first thing the threat does is install itself on any network shares connected to the victim's system.

Image: The file 'snkb0pt.exe' is installed in 'netshare:/snkb0pt/'.
Image: It also installs an autorun.inf file alongside the files used to store content retrieved from victims.

Next, it installs itself as a service on the victim's PC to ensure that it can't easily be removed. Image File Execution Options (IFEO) entries are also created. This lets the malware register itself as the "debugger" for a frequently-run program (such as Explorer) and thereby inject itself into the execution sequence. Further explanation of this technique is given here.

Image: A service is created along with edits to Image File Execution Options.
Image: Autorun entries are also created so that it starts at boot.
The file dropped on the network share clearly references shell32.dll in order to compromise other systems that connect to the share via the autorun.inf file it created.

Image: That CLSID allows the executable to launch differently than it would from Explorer.
Image: The export file stored on the network share records which systems are infected.
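As an added example (not part of the original post or the samples), the following Python script parses an autorun.inf found on a share and flags the entries described above: keys that launch a program when the share is opened, an icon borrowed from shell32.dll, CLSID tokens, and forced AutoPlay. The sample autorun.inf is constructed to mirror the behaviour described here; the snkb0pt.exe name comes from the post, the remaining contents are assumed.

```python
import configparser
import re

# Constructed sample autorun.inf, modelled on the behaviour described above
# (not captured from the samples): it launches snkb0pt.exe from the share's
# snkb0pt folder and borrows a folder icon from shell32.dll.
SAMPLE_AUTORUN = """[autorun]
open=snkb0pt\\snkb0pt.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=snkb0pt\\snkb0pt.exe
shell\\explore\\command=snkb0pt\\snkb0pt.exe
action=Open folder to view files
useautoplay=1
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Parse autorun.inf (INI syntax) into a dict of lower-cased keys; '%' stays literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return dict(cp["autorun"]) if cp.has_section("autorun") else {}


def autorun_findings(entries):
    """Return (rule, evidence) pairs for entries that should not sit on a file share."""
    hits = []
    for key, value in entries.items():
        k, v = key.lower(), value.strip()
        # Any key that runs a program when the share or drive is opened.
        if v and (k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))):
            hits.append(("launches-executable", f"{k}={v}"))
        # A shell32.dll folder icon makes the worm's entry look like an ordinary folder.
        if k == "icon" and "shell32.dll" in v.lower():
            hits.append(("folder-icon-spoof", v))
        # CLSID tokens change how Explorer launches or displays the item.
        if CLSID_RE.search(v):
            hits.append(("clsid-reference", v))
    if entries.get("useautoplay", "").strip() == "1":
        hits.append(("forces-autoplay", "useautoplay=1"))
    return hits


if __name__ == "__main__":
    for rule, evidence in autorun_findings(parse_autorun(SAMPLE_AUTORUN)):
        print(f"{rule:22} {evidence}")
```

Run it against the autorun.inf files collected from shares the infected host had mapped; any hit is a reason to pull the share offline and check the neighbouring files.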

There was not much IRC activity, but the framework exists to log in to the attacker's channel and receive commands for further action.

Image: Connection is established.
Image: First attempt.
Image: A connection remains open, beaconing for further contact.

I analyzed all available samples and compiled a list of phone-home DNS requests made by all the variants.
Image: Of all the samples collected, these DNS requests were made.

Due to the high degree of variation in the samples, standard AV solutions only catch certain instances of the threat.

Image: Sample 1

Image: Sample 2

In the second instance, we see that some vendors have flagged the malware as a Bitcoin miner. A sandbox analysis of the second sample shows strings related to a Bitcoin mining application known as xptminer.

The implication is that this threat infects one user and then anyone who connects to the compromised network share. Infected machines then begin communicating with a server that manages the Bitcoin mining operation.