As a Security Analyst at a large MSSP and someone who is very active in infosec, I can certainly verify that many of these botnets are in existence and we have caught quite a few of them. ZeroAccess is the BTC baron of the botnet world currently, due to it being pushed by almost every up-to-date exploit kit around today and being extremely difficult to track as well as remove.
For those who are familiar with exploit kits feel free to skip this paragraph:
Exploit kits serve numerous exploits to a user visiting a site, utilizing recent exploits which target Java, Adobe Flash, Reader, Firefox, Internet Explorer and Windows in general. You can read more about them here:
https://krebsonsecurity.com/?s=exploit+kit&x=0&y=0 Simply scroll down for the latest news on exploit kits, the creators behind them and the arsenal of exploits they will use against you to install their malicious payload. Naked Security goes into ZeroAccess in more depth here:
http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/ and Sophos' article on ZeroAccess and mining is here:
http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf .
Now, aside from the ones utilizing ZeroAccess, we have tons of other black hats utilizing other bot types with a bitcoin mining payload alongside their keyloggers, form grabbers, ACH transaction browser MITM setups and whatever other plugins or payloads they decide to add. Many of the bitcoin botnets we have found will utilize SSH, RDP and VNC scanners once they compromise the host, which check for a few basic account names and passwords while scanning for more victims.
A colleague in infosec runs a site on which he disassembles these botnets and posts their details, such as the gateway, the command and control servers they are using, bitcoin mining information and the landing pages. If you browse the site at exposedbotnets.com and go through a few posts you will come across details like the ones pasted below, which he has gleaned from their insecure botnet setups. I am only allowed to publicly post about the ones I catch via my own honeypot / honeyclient at home and not the numerous ones we have found at work.
Not to mention that most of the botnet operators have gotten smart enough to proxy the traffic back to the mining pools. Keep in mind I have removed any information regarding the botnets' landing pages or infection vectors; this is simply some bitcoin info recently gleaned, and yes, I did star out (****) a racial slur in one of these d-bags' worker names.
Botnet Server: zeonyx
Some bitcoin mining info:
http://Slinky:[email protected]:8332
http://Zeroexe7_Zero8:n*****[email protected]:8344
http://Zeroexe7_Indian:n*****[email protected]:8337
Botnet Server: gwassnet
I'm going to guess this is the same guy as the other gwass domain.
Also, bitcoin mining info:
http://Hung:[email protected]:8332
Personally we have seen many using 50btc, bitclockers and the ones listed above.
I'd love to know if anyone who has experience running a pool could help me think of ways to track down botnet-related mining activity and find a way to stop it. And yes, I know once the ASIC fairy comes and blesses us all with new rigs this won't be an issue, except that many of the more sophisticated samples we are finding, and are unable to track back to the pool, are utilizing GPU mining as well, with some code that looks like it may have been borrowed from the bitminter client.
So as I said earlier, if any pool operators have suggestions on tracking these rogue BTC botnets via other methods, feel free to shoot me a PM.
Thanks,
detro
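As an added illustration of the pool-side tracking the post above asks about (this is example code written for this page, not code from the post's author, from exposedbotnets.com or from any pool), the block below does two things: it parses worker URLs of the `scheme://worker:password@host:port` shape the post quotes, and it runs two heuristics over a pool's share log. A credential baked into a bot payload shows up as one worker name submitting from an implausible number of distinct source hosts spread across many networks; a botnet that proxies its traffic back to the pool, as the post notes many operators now do, collapses to one source address submitting far more shares than a single machine could. All hosts, worker names, passwords and share records are constructed for the example, the thresholds are assumptions that a real pool would calibrate to its share difficulty and observation window, and the post's own (redacted) credentials are not reused.

```python
"""Added example, not from the original post: parse mining-pool worker URLs
and flag worker credentials whose share-submission pattern looks like a
botnet rather than a single miner.

Everything below (hosts, worker names, passwords, share log, thresholds)
is constructed/assumed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample of the URL format botnet configs embed. Hosts are
# hypothetical; the post's real credentials are redacted and not reused.
SAMPLE_POOL_URLS = [
    "http://Slinky:hunter2@pool.example.net:8332",
    "http://Zeroexe7_Zero8:secret@pool.example.net:8344",
    "http://Hung:changeme@other-pool.example.org:8332",
]


def parse_pool_url(url):
    """Split a worker URL into worker name, host and port.

    The password is reported only as a boolean so the parsed record can be
    logged or shared with a pool operator without leaking the secret.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https", "stratum+tcp"):
        raise ValueError("unexpected scheme: %r" % parts.scheme)
    if parts.username is None or parts.hostname is None:
        raise ValueError("missing worker name or host in %r" % url)
    return {
        "worker": parts.username,
        "has_password": parts.password is not None,
        "host": parts.hostname,
        "port": parts.port,  # None when the URL carries no explicit port
    }


# Constructed pool-side share log as (worker, source_ip) tuples. A real pool
# would pull this from its share database; these values are made up.
#  - Slinky: one person mining from 5 addresses in one /24 (legitimate)
#  - Zeroexe7_Zero8: the same credential used from 120 hosts in 120 /24s
#  - Hung: one address submitting an implausible share volume (proxied bots)
SAMPLE_SHARES = (
    [("Slinky", "198.51.100.%d" % i) for i in range(1, 6)] * 20
    + [("Zeroexe7_Zero8", "100.64.%d.%d" % (i, (i * 7) % 250 + 1)) for i in range(120)]
    + [("Hung", "192.0.2.77")] * 300
)


def worker_ip_profile(shares):
    """Per worker: distinct source IPs, distinct /24 networks, total shares."""
    addrs = defaultdict(set)
    counts = defaultdict(int)
    for worker, src in shares:
        addrs[worker].add(ip_address(src))
        counts[worker] += 1
    profile = {}
    for worker, ips in addrs.items():
        nets = {ip_network("%s/24" % ip, strict=False) for ip in ips}
        profile[worker] = {"ips": len(ips), "nets": len(nets), "shares": counts[worker]}
    return profile


def flag_shared_workers(shares, min_ips=50, min_nets=8):
    """Workers active from >= min_ips source addresses across >= min_nets /24s.

    A credential hard-coded into a bot payload is used from every infected
    host; a human miner rarely exceeds a handful of addresses. Thresholds
    are assumptions to be tuned per pool.
    """
    return sorted(
        worker for worker, p in worker_ip_profile(shares).items()
        if p["ips"] >= min_ips and p["nets"] >= min_nets
    )


def flag_single_ip_floods(shares, min_shares_per_ip=200):
    """Workers with any single source address submitting >= min_shares_per_ip.

    Catches the proxied case: many bots funnelled through one relay, so the
    address diversity heuristic above stays quiet while volume per address is
    far beyond one machine. The threshold depends on share difficulty and the
    window the log covers (assumed here).
    """
    per_pair = defaultdict(int)
    for worker, src in shares:
        per_pair[(worker, src)] += 1
    return sorted({w for (w, _), n in per_pair.items() if n >= min_shares_per_ip})


if __name__ == "__main__":
    for url in SAMPLE_POOL_URLS:
        print(parse_pool_url(url))
    print("credential spread across many hosts:", flag_shared_workers(SAMPLE_SHARES))
    print("single-address share floods:", flag_single_ip_floods(SAMPLE_SHARES))
```

Both heuristics are cheap enough to run as a periodic query over a pool's share table. Neither is proof on its own: a large legitimate farm behind one NAT gateway trips the flood check, and a mining-rig rental service can trip the spread check, so the output is a candidate list for a pool operator to review (and to correlate with the worker names and ports a sandbox or honeypot extracted from the payload) rather than an automatic ban list.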