Topic: Hidden miner software? http://www.bitcoindriveprice.com/ (Read 2354 times)

hero member
Activity: 910
Merit: 1004
buy silver!
Hi,
 
here are the relevant web server log entries.
 
2014.01.30:
 
23:58:24.237 [qtp1093804284-39801] INFO  code.lib.BitMinterOpenIDVendor
- User SgtMoth logged in from 79.183.71.69 with OpenID handle
https://www.google.com/accounts/o8/id?id=AItOawl3gwngW02OnsMjL4IaoZrIORTLQxh9MxQ
23:59:23.603 [qtp1093804284-39901] INFO  code.snippet.Cashouts - SgtMoth
(from 79.183.71.69) set new NMC auto cash out settings. Threshold
1991.00000000 Address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2 Enable: on
23:59:51.711 [qtp1093804284-39787] INFO  code.snippet.Send - Not enough
funds! SgtMoth tried to send 374.04698537 NMC to address
NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2
 
2014.01.31:
 
00:00:06.181 [qtp1093804284-39785] INFO  code.snippet.Send - SgtMoth
sent 374 NMC to address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2
 
Timestamps are in UTC.
 
Info on the company owning the IP address he connected from, probably
his ISP:
 
http://whois.net/ip-address-lookup/79.183.71.69



That's all the info I have on him.
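As an added example (not code from the original post or from BitMinter), here is a detector run over the quoted log lines, re-joined onto single lines with the date prefixed: it flags the sequence the log shows, a newly set auto-cashout address followed within minutes by a send to that same address, and records the IPs involved so an analyst can compare them with the account's usual login origin.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the log lines quoted above, re-joined onto one line
# each and prefixed with the date (the original lines carry only the time).
LOG = """\
2014-01-30 23:58:24.237 [qtp1093804284-39801] INFO  code.lib.BitMinterOpenIDVendor - User SgtMoth logged in from 79.183.71.69 with OpenID handle https://www.google.com/accounts/o8/id?id=AItOawl3gwngW02OnsMjL4IaoZrIORTLQxh9MxQ
2014-01-30 23:59:23.603 [qtp1093804284-39901] INFO  code.snippet.Cashouts - SgtMoth (from 79.183.71.69) set new NMC auto cash out settings. Threshold 1991.00000000 Address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2 Enable: on
2014-01-30 23:59:51.711 [qtp1093804284-39787] INFO  code.snippet.Send - Not enough funds! SgtMoth tried to send 374.04698537 NMC to address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2
2014-01-31 00:00:06.181 [qtp1093804284-39785] INFO  code.snippet.Send - SgtMoth sent 374 NMC to address NKoRGdKkDHNQSTXwednEdyMsgnJA2oyxk2
"""

TS = "%Y-%m-%d %H:%M:%S.%f"
LOGIN = re.compile(r"^(\S+ \S+) .*User (\S+) logged in from (\S+)")
CASHOUT = re.compile(r"^(\S+ \S+) .*?(\S+) \(from (\S+)\) set new (\w+) auto cash out "
                     r"settings\..*Address (\S+)")
SEND = re.compile(r"^(\S+ \S+) .* - (\S+) sent (\S+) (\w+) to address (\S+)")


def find_drain_pattern(log, window=timedelta(minutes=10)):
    """Return one alert per send that goes to an auto-cashout address the same
    user set less than `window` earlier. Each alert records the IP that made
    the change and the IP of the user's latest login for comparison."""
    last_login, changes, alerts = {}, {}, []
    for line in log.splitlines():
        if m := LOGIN.match(line):
            _ts, user, ip = m.groups()
            last_login[user] = ip
        elif m := CASHOUT.match(line):
            ts, user, ip, _coin, addr = m.groups()
            changes[(user, addr)] = (datetime.strptime(ts, TS), ip)
        elif m := SEND.match(line):
            ts, user, amount, coin, addr = m.groups()
            if (user, addr) not in changes:
                continue  # send to a long-standing address: not this pattern
            changed_at, change_ip = changes[(user, addr)]
            delay = datetime.strptime(ts, TS) - changed_at
            if timedelta(0) <= delay <= window:
                alerts.append({"user": user, "coin": coin, "amount": amount,
                               "address": addr, "change_ip": change_ip,
                               "login_ip": last_login.get(user),
                               "seconds_after_change": delay.total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in find_drain_pattern(LOG):
        print(alert)
```

The "Not enough funds" line is deliberately ignored: only a completed send counts, and the 42-second gap between address change and send is what makes this worth an alert.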
newbie
Activity: 32
Merit: 0
Good job on finding some evidence. I'll sort this one out.
full member
Activity: 215
Merit: 100
There are two possibilities.
1. The same person is spreading the same malware.
2. Both pieces of malware have been encrypted using the same method.

Are the sites still operating? If so, can you forward me the domains and I'll take them down.

Thanks.

Glad I took these 2 domains down today, hopefully that will have prevented some potential victims from losing their btc.
The first one was asicminersoft.com, which now seems to be empty (I see only "Welcome ! Site asicminersoft.com just created. Real content coming soon." there); the second one with the same content is minersoftware.com, which is still functioning. However, the problem is there's no direct link to a trial on the site now; I managed to find it in Google cache: q="site:minersoftware.com" -> http://webcache.googleusercontent.com/search?q=cache:vqMlzDWaJnsJ:minersoftware.com/free-7-days-trial/+&cd=8&hl=en&ct=clnk&lr=lang_en -> minersoftware.com/wp-content/uploads/2013/12/BitcoinMinerSoftware.rar (the file is still there).

Virustotal.com for the .rar: https://www.virustotal.com/en/file/6902c37d7458b33d5969859377efc5f9310c820476167ff4f234dae450158593/analysis/1387073852/ (this one is not AutoIt based, just a 26 KB trojan)

And there was bitcoinwisdom.net, which redirected to skyminerlabs.com, which hosted a similar AutoIt-based malware; you seem to have terminated it already.

Re: "same person spreading same malware", the scripts were not really similar; at least the sizes were wildly different, 800 KB to 20 MB or so. Maybe there's some generator out there.
newbie
Activity: 32
Merit: 0
...

One of them is then a copy of AutoIt engine, and another is an encrypted AutoIt script.
There are two possibilities.
1. The same person is spreading the same malware.
2. Both pieces of malware have been encrypted using the same method.

Are the sites still operating? If so, can you forward me the domains and I'll take them down.

Thanks.

Glad I took these 2 domains down today, hopefully that will have prevented some potential victims from losing their btc.
full member
Activity: 215
Merit: 100
C:\Documents and Settings\Administrator\bbany
C:\Documents and Settings\Administrator\bbany\JkjQmRMVf.QSP
C:\Documents and Settings\Administrator\bbany\UUEROZbb.RXS
C:\Documents and Settings\Administrator\bbany\__tmp_rar_sfx_access_check_416609
C:\Documents and Settings\Administrator\bbany\iRAjSEv.VPC
C:\Documents and Settings\Administrator\bbany\laRO.exe
C:\Documents and Settings\Administrator\bbany\nNCigjkgoI.vbs

Seems to be a similar set of files to what I found on another site: https://bitcointalksearch.org/topic/m.3989992

One of them is then a copy of AutoIt engine, and another is an encrypted AutoIt script.
newbie
Activity: 32
Merit: 0
Both websites have been taken down.

Mission accomplished.
newbie
Activity: 32
Merit: 0
Please have a look at the attached PNG file.
https://i.imgur.com/8q74Mhc.png

You may notice that not many antiviruses have picked up the file. This is because the file data has been obfuscated; in essence, this encrypts the information so that the variables/strings which antiviruses usually detect are not detected in this case. Although the virus has the same effect as one which is detected by an antivirus, this bypasses AV detections.

Avast has recognised the file as a virus; this is noted. The virus itself has been compressed and the data has been encrypted; no ordinary file would need this.



http://anubis.iseclab.org/?action=result&task_id=14da8ed3789a7a6f40127038770170b4d&format=html
PDF Version:http://anubis.iseclab.org/?action=result&task_id=14da8ed3789a7a6f40127038770170b4d&format=pdf

Anubis is used to analyze malware. It gives an indication of what processes are running / created by the malware itself.
Please have a look at the report, which indicates what the file "DrivePrice.exe" does.

I will proceed to explain to you what the file does.

HKLM\Software\Classes    1    Key Change,Value Change    3
HKLM\Software\Classes\CLSID    1    Key Change,Value Change    2
HKLM\Software\Microsoft\COM3    1    Key Change,Value Change    6
HKU    1    Key Change,Value Change    4



Upon execution, the file automatically creates a startup module so that every time the computer starts up, the file executes automatically without any user request.



C:\Documents and Settings\Administrator\bbany
C:\Documents and Settings\Administrator\bbany\JkjQmRMVf.QSP
C:\Documents and Settings\Administrator\bbany\UUEROZbb.RXS
C:\Documents and Settings\Administrator\bbany\__tmp_rar_sfx_access_check_416609
C:\Documents and Settings\Administrator\bbany\iRAjSEv.VPC
C:\Documents and Settings\Administrator\bbany\laRO.exe
C:\Documents and Settings\Administrator\bbany\nNCigjkgoI.vbs



Files of the malware are duplicated throughout the computer to increase the chance of the virus staying on the computer. If an antivirus was to delete one instance of the virus, the virus has enough information to duplicate and attack again.


There is no reason for a legitimate file to:
1. Create multiple instances of the file
2. Create registry keys in the computer to boot up automatically upon computer startup.
3. Be detected by an antivirus
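Added example, not code from the poster or from Anubis: a check for the startup persistence described above, run over a constructed text modelled on `reg query` output for a Run key. It flags entries whose program, or the script a script host such as wscript.exe is handed, lives under a user-writable directory like the bbany folder listed in the report; the value names and the benign path are made up.

```python
import re
import ntpath

# Constructed sample in the shape of "reg query <Run key>" output, with one
# benign entry (made-up vendor path) and one pointing into the per-user
# directory listed in the Anubis report. The value names are invented.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    VendorUpdater    REG_SZ    "C:\Program Files\Vendor\Updater.exe" /quiet
    bbany            REG_SZ    wscript.exe "C:\Documents and Settings\Administrator\bbany\nNCigjkgoI.vbs"
"""

ENTRY = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "powershell.exe"}
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")


def split_command(cmd):
    """Return the executable token (quotes stripped) and the remaining args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def suspicious_autoruns(text):
    """Flag Run-key entries whose real target is a file in a user-writable
    location; for script hosts the target is the script they are given."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue                      # key header or blank line
        name, _type, data = m.groups()
        exe, args = split_command(data)
        target = exe
        if ntpath.basename(exe).lower() in SCRIPT_HOSTS:
            target, _ = split_command(args)   # the script is what matters
        reasons = []
        if any(seg in target.lower() for seg in USER_WRITABLE):
            reasons.append("target in user-writable path")
        if target != exe:
            reasons.append("launched via " + ntpath.basename(exe))
        if reasons:
            findings.append((name, target, reasons))
    return findings
```

Per-user software that legitimately installs under AppData will also trip the path check, so treat the output as a review list rather than a verdict.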
newbie
Activity: 7
Merit: 0
Chris

Thanks for the info - I've learned a lot from you already. I'm using another PC for changing passwords and was planning to reinstall the infected PC except I've got some software that I can't afford to lose on it at the moment. If the PC can be cleaned instead of wiped it would be a better option for me.

I use Sunbelt Vipre which is great for blocking viruses but this little gremlin wasn't detected even by a manual scan. Malwarebytes picked up the log directory and deleted it but I can't tell whether the PC is clean since I don't know how the thiefware works. If you could provide the info on checking if the PC is clean I would be very thankful.

I've followed your three steps to report the sites and I'll be going onto Twitter and Facebook searching for other victims of this scam.

Looking at the volume on BTC-e, there are potentially thousands of bitcoin being siphoned off. I would put the alert out on BTC-e chat but ironically I don't have enough funds to be allowed to chat.

Thanks and best wishes
newbie
Activity: 32
Merit: 0
Just a quick question: are you using the same PC which you had been infected on? If so, dependent on the malware itself, you may still be infected. I can provide you with some info on how to make sure you're completely free of any malware if required.


Truth is, these websites will operate no matter how hard you try. The best we can do is shut them down before another unsuspecting user falls for the trap.

I've managed to file an IC3 report on this. However I need your help.

http://who.is/whois/bitcoindriveprice.com
http://who.is/whois/skyminerlabs.com

WhoisGuard = protected, meaning the details of the owner of the site aren't visible to the public eye.

However, looking at the info, the web hosting company which provided the webhosting/domain has a report email.

Please send a report to: [email protected] - make sure to let them know the following.

1. The site is being used with malicious intent, with the purpose of stealing user data.
2. An IC3 complaint form has been initiated.
3. Users have lost money to this person.

The webhosting company may even decide to pursue their own legal action, as what the hacker has done goes against the T&Cs of the site.


P.S. - my bad, I thought by any obvious standard it was easy to distinguish what is a scam site and what isn't. Nonetheless that's not for me to be debating about; I'm just here trying to get rid of the low-life scum who try to benefit from others' misfortune.


Let me know if anyone needs help related to this topic.


 
newbie
Activity: 7
Merit: 0
Hiya,

Just a quick question:

1. Are you stupid, or are you stupid?


Nice people skills there Chris. I know many very intelligent people that have no interest in IT and so wouldn't be able to tell the difference between trojans and utils until it's too late. Let's not get too egotistical about our geek abilities and let's try to help each other out with a bit of respect. And if you're wondering, yes I got caught out and lost my bitcoins - so by your criteria, I'm stupid - no offence taken.

Thanks, HighSociety. I was directed to that website due to references mentioning http://www.bitcoindriveprice.com/ over bitcoinwisdom.com, which I felt was lacking in info.

The website doesn't look too convincing but the amount of comments elsewhere promoting it can be seductive.

I did a google search to check it out and came up with these results:
thuckgood      4 Days Ago   salt, www.bitcoindriveprice.com is better then bitcoinwisdom in my choice test it...
btce1s   18 Hours Ago   smedia2010, lol true, anyone now should wait until price drop look here it will be happen soon: www.bitcoindriveprice.com
http://dcaz.net/user/thuckgood - pushing this website all over this page.
http://dcaz.net/user/btce1s - pushing this website all over this page.
olliebtce   Can the moderator ban btce1s: !!! If you look at their history they keep plugging their scam website www.bitcoindriveprice.com.
00:45:32   btce1s   DBOOTYNABBER, BTC going to drop to 550$ today look at the analystics www.bitcoindriveprice.com
00:49:33   btce1s   jhovanny8, dont look on fiat they giving false result look here: www.bitcoindriveprice.com
http://dcaz.net/user/hardergamer - 3 entries on 22/12/2013
17:09:57   evilsim   my antivirus telling me this page is a trap - www.bitcoindriveprice.com

http://www.skyminerlabs.com/drive/ is another website to beware of - a replica of www.bitcoindriveprice.com that contains the same download link address.

http://wscheck.com/trust-report/bitcoindriveprice.com - the website is less than a week old.

I think driveprice is a keylogger for the fraudulent benefit of thuckgood and/or btce1s, which I think is one of the biggest threats to bitcoin take-up for the regular guy. Bitcoin may be secure but the exchanges aren't, which means bitcoin funds are far more vulnerable than in banks.

The bitcoin world is still very much the wild wild west and open to thieves and pirates. You only have to look at BTC-e's troll box to see the type of people rife at the moment. Trying to screw each other over with pump and dumps. There are some helpful comments but mostly full of ego battles and name calling.


OK, so assuming that BTCDriveprice is a logger. How many people have already clicked on the download and lost money?

I will help all I can to help get it back and bring the scumbag to justice. I want the financial revolution to kick out the bankers, I don't want the people screwing each other over.

I'll share more info here later as I learn more - but if any techie whizzes out there can help then that would be cool too.


newbie
Activity: 32
Merit: 0
Hiya,

Just a quick question:

1. Are you stupid, or are you stupid? - Downloading an executable file which is just shouting VIRUS VIRUS VIRUS, IM HERE TO STEAL YOUR WALLET ALONG WITH ANY SAVED PASSWORDS ON YOUR COMPUTER TO TAKE ALL YOUR PERSONAL INFORMATION/MONEY AND RUN.


Use some common sense.


On another note, having used Wireshark to trace the connection (in a safe environment of course) I have got a valid IP address. I shall create an IC3 report along with a complaint to the webhosting company to shut down the site.

Have a good day all; if you need help with anything malware related, I'm your man.
newbie
Activity: 26
Merit: 0
Hi all,

I downloaded a file which was listed on this website. It was zipped with an executable, so my spider sense was tingling of course.
Now this executable creates several hidden files @ AppData\Local\Temp\raxnm\ which are only visible through using cmd and dir /a.
I'm very curious what these files are. I'm wondering if it's some
kind of hidden mining software or a keylogger for bitcoin wallets?


I attached these hidden files in a zip @ the link below.

http://www.sharebeast.com/0kldteijxrlx


*Be aware that if you download the file from the site, do not run the executable; instead open it with WinRAR.

I hope you guys can help me to crack this case.

Thanks
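Added example, not code from any of the posters: a triage pass over a directory snapshot built from the file names listed earlier in the thread (the bbany folder) for the pattern both that post and this one describe: hidden, randomly named files with made-up extensions next to an .exe built from AutoIt and a .vbs launcher. The hidden flags and file contents are constructed, and the AutoIt marker string and the naming heuristics are assumptions, not anything the thread states.

```python
import ntpath

# Marker string found in executables built from AutoIt3 scripts; the exact
# form is an assumption for this example, not something the thread states.
AUTOIT_MARKER = b"AU3!EA06"
COMMON_EXT = {".exe", ".dll", ".vbs", ".bat", ".txt", ".log", ".dat", ".ini", ".tmp"}

# Constructed snapshot: names are the ones listed in the thread, the
# (hidden flag, contents) pairs are made up for this example.
D = r"C:\Documents and Settings\Administrator\bbany"
SNAPSHOT = {
    D + r"\JkjQmRMVf.QSP": (True, b"\x9c\x17\x41\x02 opaque blob"),
    D + r"\UUEROZbb.RXS": (True, b"\x01\xfe\x33 opaque blob"),
    D + r"\__tmp_rar_sfx_access_check_416609": (False, b""),
    D + r"\iRAjSEv.VPC": (True, b"\x7a\x00\x10 opaque blob"),
    D + r"\laRO.exe": (True, b"MZ" + b"\x90" * 60 + AUTOIT_MARKER),
    D + r"\nNCigjkgoI.vbs": (True, b"' constructed placeholder\r\n"),
}


def looks_random(name):
    """Mixed-case stem that is not plain Title case, e.g. laRO or JkjQmRMVf."""
    stem = ntpath.splitext(name)[0]
    return (any(c.islower() for c in stem) and any(c.isupper() for c in stem)
            and stem != stem.capitalize())


def triage_dir(snapshot):
    """Score one directory for the dropper layout described in the thread."""
    r = {"hidden": [], "random_names": [], "odd_extensions": [],
         "autoit_exe": [], "scripts": [], "rar_sfx_residue": False}
    for path, (hidden, data) in snapshot.items():
        name = ntpath.basename(path)
        ext = ntpath.splitext(name)[1].lower()
        if hidden:
            r["hidden"].append(name)
        if name.startswith("__tmp_rar_sfx"):
            r["rar_sfx_residue"] = True       # leftover of a WinRAR self-extractor
        if looks_random(name):
            r["random_names"].append(name)
        if ext and ext not in COMMON_EXT:
            r["odd_extensions"].append(name)  # renamed payload / engine parts
        if ext == ".exe" and data[:2] == b"MZ" and AUTOIT_MARKER in data:
            r["autoit_exe"].append(name)      # AutoIt engine or compiled script
        if ext in (".vbs", ".bat"):
            r["scripts"].append(name)         # launcher script
    r["suspicious"] = bool(r["autoit_exe"]) or (
        len(r["random_names"]) >= 3 and bool(r["odd_extensions"]) and bool(r["scripts"]))
    return r
```

On a live system the snapshot would be built by walking the directory with hidden files included (the `dir /a` view) and reading each file's first few kilobytes.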