
Topic: Found a Trojan Miner not caught by any A/V I've thrown at it. (Read 3475 times)

legendary
Activity: 1610
Merit: 1000
Crackpot Idealist
YES!! to #1 BIGTIME

You'd be surprised how much protection you get from one simple addon. If your browser doesn't support it, don't use that browser.
sr. member
Activity: 616
Merit: 250
1)

 If not already doing so, it would be wise to run the Noscript addon for Firefox.

 In case the reader isn't aware of Noscript:

 By default Noscript blocks all JavaScript except for what is already on its whitelist; even those can be deleted from the whitelist as desired. The user can either make webpages/sites permanently whitelisted or merely temporary for that lone visit. I rarely allow any JavaScript to run on any PC. I also run Ad Block Plus to further block potentially malicious files. Of course this is on my casual PCs.

 Take the time to learn how to use Noscript. Put it up on your toolbar in Firefox for easy reach. I prefer the popup JavaScript-blocking surfing notices at the bottom of the browser, out of my line of sight, and for them to disappear in 5 seconds. All Noscript settings can be backed up in a plain .txt file; name it "Noscript settings". It takes a bit of getting used to and dealing with, but soon it will be second nature, and it will make your life surfing the internet exponentially safer. (Block all things Google except what must be unblocked in certain situations; there are times certain google.zzz items will need to be allowed to run their JavaScript functions. Same for other items. Even some webpages won't load at all until that page is allowed to run its JavaScript, a sign of a lousy web page builder, or a fancy page, or a page with malicious JavaScript or some other code that will load with the JavaScript code.)

 The most important thing to do while surfing is run Noscript.

 For Opera Portable run ScriptKeeper.

 Toss Chrome and Chromium in the trash where they belong.

 Internet Explorer is for Internet Banking, if that, nothing else.



 Next to Noscript, the next most important thing to do is run CCleaner after every web surfing session to clean out all the temporary files. Many malicious files love to hide in temporary folders. Cleaning them out pronto greatly aids fixing things before they become a big problem.


2)

 A "Wallet PC" should be isolated and do nothing but "wallets". Nothing else, ever, if at all possible. Take extreme measures until hardware wallets and other devices roll out and have been proven to be reliable and safe. This is all at the user's own risk. Be smart.


 Before the Fanboy club arrives:

 Although I have been a huge Linux fan for well over a decade, I take little comfort in hiding through obscurity when I can hardly verify any internal settings myself. That said, I like Mint Mate but prefer Tails myself.

 Sadly Linux hasn't been shaken out anywhere near as much as its fan-boys dream it has to date. Sure it's open source, and it's been tested rigorously, and endlessly. And just like Windows and Macs it gets patch after patch after patch due to flaw after flaw after flaw. That won't be changing anytime soon from the looks of things. Toss in that odds are big bro can walk right into Linux too, just in case that dream has been cast into one's mind too. Always verify... https://www.ixquick.com/ and https://startpage.com/ are your real friends.

 That said Linux is extremely likely to be much safer by default than any Windows PC set at default settings.

 But then none of my Windows PCs are even remotely close to their default settings, in many dozens of places deep inside Windows services, local security policy, network adapters and remote admin settings. They've been that way for a decade now, and they only get more locked down every year. Not to mention locking down the router too. I hardly ever have any problems with Windows, and when it happens it's always because of a malicious file downloaded. Sadly many malicious files are polymorphic (undetectable). Don't forget that!

 I used to laugh and laugh when fools would state only Windows gets viruses, and that Unix, Apple, whatever can't be hacked, won't get infected, bla bla bla. Nonsense. Of course today, fast forward a decade, at least many understand those facts, but sadly not anywhere near 100%.

 Sadly most of the Linux fan boys don't know how to secure many vulnerable Windows services, let alone shore up many local security policy settings. Much less know how to set the page file to be encrypted or to have it cleared (wiped) at shutdown so that on reboot a 'run once' item doesn't ruin things. So there are some hints on what to learn about. Toss in that most fan boys are likely terrified to touch a Windows registry, and well, yea, if you're like that, and refuse to learn, then yea, go use a Linux distro, and cross your fingers. At least that's safer than Win 7 at its most vulnerable default settings!!!


3)

 Learn how to lock down whatever you use, or you're gambling until a safe hardware wallet is fully defined and vetted. And even then nothing is ever "100% secure" when plugged into the internet, as we all already know. I simply won't give out what wasn't easy to learn and is that much more difficult to explain. It's well explained elsewhere; go find it. Needless to say Win 7 doesn't require as much as Win XP used to require, but it still requires many dozens of tweaks to get semi-secure.


4)

 But the number one way to ruin your day is to surf where you shouldn't be surfing, that and not running Noscript at its default settings (no JavaScript except its own whitelist items, if that). Do those two things and you're on your way to the two most important things. That, and don't go tweaking (hacking) Windows unless you're certain you know what you're doing, or doing it on a PC that doesn't matter (a casual PC that never does anything important such as financial things, logging in to email, tax and accounting software, etc.).

 Above all else, don't run with JavaScript enabled on any bitcoin/cryptocurrency related sites! Just don't do it. And if you do, be extra wary and never do so on a PC that has your wallets on it, nor transfer files from that PC to the Wallet PC.


 It's all there on the internet to learn. And I already mentioned above who your best friends there are.



Caveat emptor
sr. member
Activity: 280
Merit: 250
> > I'm confused:
> >
> > 1) Wouldn't this show up as a process under task manager?
> >
> > 2) Wouldn't properly set security permissions require user assent for any downloads?
>
> 1. I think it did show up, but he needed to do further digging to find what it did, what it ran, etc.
>
> 2. No, as long as it doesn't need Administrative Access, it can do what it wants without a dialog. For most computers, downloading a file doesn't require UAC, so it can do it mostly undetected.
The process that showed up was named "Windows media sharing service", running on 2 CPUs; it was just a copy of xptMiner running with some command line options, hidden and set to low priority. This was being run by a small DLL file that quit after starting the miner. Outside of that there was no other unusual process running that I could find, or any strange open ports that I couldn't trace back to legitimate software.

Exploits do just that: they bypass security by taking advantage of a bug or flaw in software to gain Administrator/root access without the OS/user knowing it happened, then executing whatever code/command they want. When it's not detected, blocked or known, it's generally referred to as a "0day exploit".

For now I'm going to assume it came in from a website that exploits browsers to get the miner on without much intervention from scans/resident anti-virus, since the DLL is fairly basic and doesn't set off a lot of red flags.
legendary
Activity: 858
Merit: 1000
> I'm confused:
>
> 1) Wouldn't this show up as a process under task manager?
>
> 2) Wouldn't properly set security permissions require user assent for any downloads?

1. I think it did show up, but he needed to do further digging to find what it did, what it ran, etc.

2. No, as long as it doesn't need Administrative Access, it can do what it wants without a dialog. For most computers, downloading a file doesn't require UAC, so it can do it mostly undetected.
hero member
Activity: 578
Merit: 508
I'm confused:

1) Wouldn't this show up as a process under task manager?

2) Wouldn't properly set security permissions require user assent for any downloads?
hero member
Activity: 616
Merit: 500
Everyone must be aware of it. Good information mate.
sr. member
Activity: 386
Merit: 250
Any idea where it came from?
member
Activity: 71
Merit: 10
It seems if your hobby or business involves downloading foreign software, a good AV is mandatory.
sr. member
Activity: 280
Merit: 250
Forgot about virustotal; here is what it has to say:
https://www.virustotal.com/en/file/fbcfc2edd8b61f92bc15c07b2bb19597eab84b0cdac843d07229f0c73989829d/analysis/1400026612/

I restored the machine from an image anyway, but in the meantime it's been found on another machine that has never run any wallets or miner software, just browsing and some gaming.
sr. member
Activity: 285
Merit: 250
Turning money into heat since 2011.
And they went to the trouble to optimize for 32/64 bit
Did you drop a copy on virustotal.com to see if any AV vendors pick it up?
legendary
Activity: 1610
Merit: 1000
Crackpot Idealist
If you suspect a rootkit/nasty, I recommend rkill and TDSSKiller for windoze.

Both have saved me from nuking the hard drive when confronted with a nasty infection.
sr. member
Activity: 280
Merit: 250
A little heads up,
Recently I found xptMiner was being silently installed on my windows wallet/miner PC. After unpacking with UPX and digging around the DLL I've found its mining (prime?) with the following credentials on YPool,

-u x12121212121212.15992C5B5E80 -p E64001AE8673
-u x12121212121212.319302B4FC9B -p 8EAD3FED8A47

A DLL downloads the miner from Dropbox using these 2 URLs:
https://dl.dropboxusercontent.com/s/ae4kr9qozv9h7qu/wmpnetwk64.bin
https://dl.dropboxusercontent.com/s/deyrqj982z2nvmq/wmpnetwk32.bin

Hides itself in "\Users\{USERNAME}\AppData\Roaming\Microsoft\Windows\Recent" as 2 files, "wmpnetwk.dll" and "wmpnetwk.exe", with a registry key to auto start the DLL, as the EXE seems to be an untouched version of xptMiner that gets executed with a command line with the above usernames and passwords. The files can't be seen in Explorer but they are visible from a Command Prompt (cmd).
Still can't find where the DLL is coming from despite removing it twice manually already and doing scans with various tools, so probably just going to restore an image of the OS to take care of the rootkit/installer and be done with it.

Edit: seems a friend has it on one of his as well.
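A defender-side triage script for the indicators described in this post and in the follow-up about the disguised "Windows media sharing service" process (added here; not code from the thread). It assumes the Recent-folder location, the wmpnetwk.* file names and the standard Run keys, plus a credential pattern derived from the two -u/-p lines above; it only reports and removes nothing.

```powershell
# Added triage script (not from the thread). Checks the three things the poster
# observed: hidden wmpnetwk.* files in the Recent folder, an autostart entry
# pointing at them, and a running process whose command line carries
# xptMiner-style pool credentials (-u x<digits>.<12 hex> -p <12 hex>).
# Assumption: run in the affected user's session. Nothing is deleted.

$recent   = Join-Path $env:APPDATA 'Microsoft\Windows\Recent'
$findings = @()

# 1. Hidden files are skipped by Explorer and by plain Get-ChildItem; -Force lists them.
Get-ChildItem -Path $recent -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'wmpnetwk.*' } |
    ForEach-Object {
        $findings += "Hidden dropper/miner file: $($_.FullName) [$($_.Attributes)]"
    }

# 2. Per-user and machine Run keys. The legitimate wmpnetwk.exe lives under
#    Program Files, so any Run value mentioning wmpnetwk or the Recent folder is suspect.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match 'wmpnetwk|\\Recent\\') {
            $findings += "Autostart entry: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Live processes: match on the pool-credential shape rather than the display
#    name, since the name was chosen to look like a Windows service.
$credPattern = '-u\s+x\d+\.[0-9A-Fa-f]{12}\s+-p\s+[0-9A-Fa-f]{12}'
Get-CimInstance Win32_Process |
    Where-Object { $_.CommandLine -match $credPattern -or $_.Name -like 'wmpnetwk*' } |
    ForEach-Object {
        # Win32_Process.Priority 4 (Idle) or 6 (BelowNormal) matches "set to low priority"
        $findings += "Process $($_.ProcessId) $($_.Name) prio=$($_.Priority): $($_.CommandLine)"
    }

if ($findings.Count -eq 0) { 'No xptMiner indicators found.' } else { $findings }
```

Run it from an elevated prompt to read the HKLM Run key; a legitimate Windows Media Player install will show wmpnetwk.exe under Program Files, not in the Recent folder.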