Topic: Monero Stealth miner.

legendary
Activity: 2142
Merit: 1131
June 20, 2014, 06:16:59 AM
#13

Any estimate of the number of infected computers?
legendary
Activity: 1610
Merit: 1008
Forget-about-it
June 04, 2014, 11:38:31 PM
#12
Off topic, sorry about your Monero miner, that's crazy, I wonder where this shit comes from. Side note: my Norton picked up virus silly.223 or some DLL shit in my Bitcoin blockchain chainstate .sst serialized files the other day when I was syncing a node from 2 weeks behind. I tried to re-index but it wouldn't. Luckily my wallet on the machine didn't have coins. I spent all day re-downloading the blockchain, which sucks. I'll see tomorrow what it turned into as it's still 18 weeks behind.
Anyone experience something like this?
sr. member
Activity: 252
Merit: 250
June 04, 2014, 10:27:41 PM
#11
I didn't comment on it at the time, but the moneropool.com admin was complaining a couple of days ago about lots of getwork HTTP attempted connections which they had trouble blocking as they came from so many different IPs. Made me think someone was trying to deploy a botnet...
legendary
Activity: 1946
Merit: 1100
Leading Crypto Sports Betting & Casino Platform
June 04, 2014, 08:15:02 PM
#10
When in doubt, blame Darkcoin.exe

LOL, you and I have had our altercations, and I know this has been your modus operandi since the beginning, but this actually made me laugh.

Buy any Darkcoins yet or still in "over my dead body" mode?
sr. member
Activity: 280
Merit: 250
June 04, 2014, 08:08:17 PM
#9
This will sound like Windows/Mac hate (and let's admit it is a bit), but more and more viruses will target Windows to mine coins and/or steal wallets.

So never have a wallet on Windows - if you have, it has probably already been stolen (hopefully you encrypted it) or it's going to be. Even if you have the newest version of firewall and antivirus, it won't fix essential bugs and/or security holes in your OS.

The fact that it is Windows is fairly moot; I mean Windows has always been a target given its market share in home users and office spaces. If Apple or *nix had pulled off the same trick back in the eighties and gobbled up users into the nineties, viruses/trojans would be *nix based.

They didn't bother to encrypt the strings in the DLL, and there isn't anything else in there other than the URL to download and the command lines to start minerd. That's not to say that the miner doesn't carry something, since it looks like they built it from source with mingw64 and it executes as a normal minerd from the command line; the version number also reflects this, based on the last commit on GitHub for cpuminer-multi and its build date. But the original exploit/script could have had additional payloads. At least I don't keep any wallets on this or any always-connected machines.
legendary
Activity: 1260
Merit: 1000
June 04, 2014, 08:06:57 PM
#8
This will sound like Windows/Mac hate (and let's admit it is a bit), but more and more viruses will target Windows to mine coins and/or steal wallets.

So never have a wallet on Windows - if you have, it has probably already been stolen (hopefully you encrypted it) or it's going to be. Even if you have the newest version of firewall and antivirus, it won't fix essential bugs and/or security holes in your OS.

lol? So you're saying Bitcoin is dead on arrival and can't be used by the public, since the public uses Windows PCs?
sr. member
Activity: 350
Merit: 250
June 04, 2014, 07:42:59 PM
#7
This will sound like Windows/Mac hate (and let's admit it is a bit), but more and more viruses will target Windows to mine coins and/or steal wallets.

So never have a wallet on Windows - if you have, it has probably already been stolen (hopefully you encrypted it) or it's going to be. Even if you have the newest version of firewall and antivirus, it won't fix essential bugs and/or security holes in your OS.
sr. member
Activity: 280
Merit: 250
June 04, 2014, 07:36:26 PM
#6
Any idea where you got it from?
Trying to figure that one out. A buddy of mine also has it as well and never had the Primecoin version on their machine. Most of the sites we have in common are pools for various cryptocoins, so I guess there's some bad actors out there.

That would be the logical assumption, and I would have to agree with you there. Visited any Chinese pools lately or some lesser-known sites? Kind of why I've limited the pools I'm willing to sign up to now to a handful. If they are willing to infiltrate malware onto your machine... what do you think they'll do with your ID/passwords... hopefully you use different ones for each pool you sign up to.
That comment seems oddly racist, but oddly enough no. I do have a short list, but until I have some solid proof I don't want to start spreading FUD about pools.
I use KeePass with long random strings for passwords and never repeat, so not really an issue.
member
Activity: 111
Merit: 10
June 04, 2014, 06:57:27 PM
#5
Any idea where you got it from?
Trying to figure that one out. A buddy of mine also has it as well and never had the Primecoin version on their machine. Most of the sites we have in common are pools for various cryptocoins, so I guess there's some bad actors out there.

That would be the logical assumption, and I would have to agree with you there. Visited any Chinese pools lately or some lesser-known sites? Kind of why I've limited the pools I'm willing to sign up to now to a handful. If they are willing to infiltrate malware onto your machine... what do you think they'll do with your ID/passwords... hopefully you use different ones for each pool you sign up to.
legendary
Activity: 1260
Merit: 1000
June 04, 2014, 06:51:42 PM
#4
When in doubt, blame Darkcoin.exe
sr. member
Activity: 280
Merit: 250
June 04, 2014, 06:46:31 PM
#3
Any idea where you got it from?
Trying to figure that one out. A buddy of mine also has it as well and never had the Primecoin version on their machine. Most of the sites we have in common are pools for various cryptocoins, so I guess there's some bad actors out there.
legendary
Activity: 1022
Merit: 1000
June 04, 2014, 06:23:35 PM
#2
Any idea where you got it from?
sr. member
Activity: 280
Merit: 250
June 04, 2014, 04:43:41 PM
#1
Previously I had found a stealth miner on my machine mining Primecoin (https://bitcointalksearch.org/topic/found-a-trojan-miner-not-caught-by-any-av-ive-thrown-at-it-607930) but,
despite having re-installed Windows and being careful to avoid running any browser outside of a sandbox and not installing Java, today I noticed it had returned sometime in the past 2 days and it's a new version.

- Now it's downloading minerd from this location: https://dl.dropboxusercontent.com/s/6yug7j4d6hl83o5/wmpnetwk.bin
- It's mining Monero on mine.Moneropool.com using this address: 4B6L2v81ehU6JFFxMH9AADhUPqe3zjZE8TUcQFzTSUwY5iESpPVwi9AhQ8HjRhPtqn9sPdDHm3qy4cbJD2bxppr6G7GN8fW
I'm not the only one affected, since if you check the address on the pool you can see it's still mining with a high hash rate for Monero.

wmpnetwk.dll (51,200) https://www.virustotal.com/en/file/e2e6b6938879142c4e35542b5fe8d3eeec7bf9e682f915213fda009097c3878e/analysis/1401909211/