A mining botnet is spreading across the internet. It mostly spreads through social networking sites and instant messengers. Once installed, it downloads the mining software and uses the system's resources to solve Bitcoin blocks in order to generate more Bitcoins. It also steals personal and financial information from the infected system.
The file Sexy-IMAGE-DSC0000S4DF87911.jpeg.exe (hash D2B1FB926828778D993C1CD6C6894164) comes with a photo thumbnail to get the user's attention. When the user clicks on the link, it gets installed on the user's system.
This bot creates a copy of itself in the %USERPROFILE%\Application Data folder and adds a run entry with a random value that points to it.
It downloads its payload from free file hosting websites, for example:
http://s546.hotfile.com/get/ac412325e76c9322271a960286bd486de0ba9ce1/4f10697c/2/c5b3fb429fdcb61b/86e5ee5/Bmw_M3.exe
It also injects malicious code into running processes and hooks the following routines by overwriting their first 5 bytes with a JMP instruction that leads to the malicious routine:
kernel32.dll!CopyFileA
kernel32.dll!CopyFileW
kernel32.dll!CreateFileA
kernel32.dll!CreateFileW
kernel32.dll!MoveFileA
kernel32.dll!MoveFileW
ntdll.dll!LdrLoadDll
ntdll.dll!NtEnumerateValueKey
ntdll.dll!NtQueryDirectoryFile
ntdll.dll!NtResumeThread
WININET.dll!HttpSendRequestA
WININET.dll!HttpSendRequestW
WININET.dll!InternetWriteFile
WS2_32.dll!GetAddrInfoW
WS2_32.dll!send
The hooks listed above hide the presence of the malware on the infected system.
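As an added illustration (not code from the original post), the Python below performs the check an analyst would run over the entry bytes of the APIs listed above: it decodes a 5-byte E9 rel32 JMP, resolves its absolute target, and flags an export whose entry is redirected outside its own module. The module addresses and prologue bytes are constructed samples; reading the real bytes from a suspect process (for example with ReadProcessMemory) is assumed and not shown.

```python
import struct

# Hot-patchable prologue that most 32-bit Windows API exports begin with:
#   mov edi, edi ; push ebp ; mov ebp, esp
HOTPATCH_PROLOGUE = b"\x8b\xff\x55\x8b\xec"


def jmp_rel32_target(func_va, prologue):
    """Return the absolute target if the first 5 bytes are 'E9 rel32' (JMP), else None."""
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    rel32 = struct.unpack("<i", prologue[1:5])[0]   # signed 32-bit displacement
    return (func_va + 5 + rel32) & 0xFFFFFFFF       # relative to the next instruction


def classify_prologue(func_va, prologue, module_base, module_size):
    """Classify one export's entry bytes: clean, hooked, in-module jump, or unexpected."""
    target = jmp_rel32_target(func_va, prologue)
    if target is None:
        return "clean" if prologue[:5] == HOTPATCH_PROLOGUE else "unexpected-prologue"
    if module_base <= target < module_base + module_size:
        return f"jmp-in-module -> 0x{target:08x}"    # worth a look, but not foreign code
    return f"hooked -> 0x{target:08x}"               # entry redirected outside the DLL


def scan_exports(module_base, module_size, exports):
    """exports: {name: (virtual address, first 5+ bytes)} -> {name: verdict}."""
    return {name: classify_prologue(va, pro, module_base, module_size)
            for name, (va, pro) in exports.items()}


# Constructed sample: kernel32 assumed mapped at 0x7C800000 with size 0x100000.
SAMPLE_BASE, SAMPLE_SIZE = 0x7C800000, 0x100000
SAMPLE_EXPORTS = {
    # E9 1B1DBD83: rel32 = -0x7C42E2E5, so 0x7C82F2E5 + rel32 = 0x00401000 (injected code)
    "kernel32.dll!CopyFileA": (0x7C82F2E0, b"\xe9\x1b\x1d\xbd\x83"),
    "kernel32.dll!CreateFileW": (0x7C810800, HOTPATCH_PROLOGUE),
    # E9 00100000: jumps 0x1000 forward, still inside the module
    "kernel32.dll!MoveFileW": (0x7C831000, b"\xe9\x00\x10\x00\x00"),
}

if __name__ == "__main__":
    for name, verdict in scan_exports(SAMPLE_BASE, SAMPLE_SIZE, SAMPLE_EXPORTS).items():
        print(f"{name:28} {verdict}")
```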
This bot blocks the user from accessing certain security domains.
It creates the following Mutex objects to mark its presence:
\BaseNamedObjects\1b37f31f-Mutex
\BaseNamedObjects\1b37f31f_0
It monitors memory for instant messaging processes and spreads through them. It can also spread through removable drives, and it is capable of composing messages with a malicious link and sending them through a compromised social networking account. The account can be from any of these sites: Facebook, Twitter, Bebo, Friendster and Vkontakte.
It steals user credentials when they try to log in to certain websites.
Bitcoin is a digital currency. Bitcoin blocks are created for every transaction made, and solving these blocks earns a reward. The botnet uses the infected system's computational power to mine bitcoins and earn money. Below you can see the botnet using CUDA GPU computing to solve the bitcoin block.
The bot contacts the C&C server to get commands as well as to update itself. Below are some of the sites contacted by the bot.