Topic: Wonder who this solominer is? 88.6.216.9 - page 27. (Read 60490 times)

donator
Activity: 448
Merit: 250
Just seeing that 88.6.216.9 is on several blacklists
bl.spameatingmonkey.net
cblplus.anti-spam.org.cn
pbl.spamhaus.org
spam.dnsbl.sorbs.net
The whole botnet seems not farfetched.
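Added example, not from any poster in this thread: how a DNSBL check like the one above is actually performed. A DNSBL is queried by reversing the IPv4 octets and appending the list's zone; an A record in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed". The zones are the four named in the post; the IP is the one from the topic title; anything else is constructed. One caveat for reading such results: pbl.spamhaus.org is a policy list of end-user (dynamic/residential) address space that should not send mail directly, so a listing there says where the address sits, not that the host is compromised.

```python
# Added example (not from the thread): building and resolving DNSBL queries.
import ipaddress
import socket

# The four zones named in the post above.
DNSBL_ZONES = [
    "bl.spameatingmonkey.net",
    "cblplus.anti-spam.org.cn",
    "pbl.spamhaus.org",
    "spam.dnsbl.sorbs.net",
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_answer(answer) -> bool:
    """Only a loopback-range answer is a real listing; anything else is a
    wildcard or parked-domain artefact and must not be treated as a hit."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_lookup(ip: str, zones=DNSBL_ZONES) -> dict:
    """Query each zone; returns {zone: answer or None}. Needs network access,
    so offline every zone reports None (not listed / unknown)."""
    results = {}
    for zone in zones:
        try:
            results[zone] = socket.gethostbyname(dnsbl_query_name(ip, zone))
        except socket.gaierror:               # NXDOMAIN or no resolver: not listed
            results[zone] = None
    return results


if __name__ == "__main__":
    for zone, answer in dnsbl_lookup("88.6.216.9").items():
        print(f"{zone:28s} listed={is_listed_answer(answer)} answer={answer}")
```

The answer value itself carries meaning on most lists (e.g. which sub-list matched), so keep it in the output rather than collapsing to a boolean too early.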
hero member
Activity: 686
Merit: 500
Bitbuy
Copy/Paste on request from: https://bitcointalksearch.org/topic/mystery-miner-observation-69340



Regarding the mystery miner being discussed in https://bitcointalk.org/index.php?topic=67634.200 ... (originally at 88.6.216.9 and now at 85.214.124.168):

A little while ago they mined four blocks in the space of 1 hour:

http://blockchain.info/block-height/171757
http://blockchain.info/block-height/171759
http://blockchain.info/block-height/171760
http://blockchain.info/block-height/171763

Interestingly, the timestamps on their two consecutive blocks 171759 (2012-03-18 19:31:32) and 171760 (2012-03-18 19:31:30) are out of order! This implies to me that either there are some shenanigans I don't understand the point of, or this is a botnet without good clock sync.

Can someone explain what the timestamp field is used for?

ps: someone who isn't limited to the newbie forum, please copy+paste this post to the mystery miner thread.
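Added example, not from the thread's posters, answering the timestamp question above with the actual consensus rules. A node accepts a block's time only if it is later than the median of the previous 11 block times (median-time-past) and no more than two hours ahead of its own network-adjusted clock; it does not have to be later than the direct parent, which is why 171760 can legally carry an earlier time than 171759. The field also feeds the difficulty retarget, which compares the first and last timestamps of each 2016-block window. The two block times are the ones quoted above; the ten earlier block times are constructed at 10-minute spacing.

```python
# Added example, not from the thread: the two consensus checks a Bitcoin node
# applies to a block's timestamp, and the retarget calculation that consumes it.
from datetime import datetime, timezone

MAX_FUTURE_SECS = 2 * 60 * 60     # block time may be at most 2 h ahead of network-adjusted time
MTP_WINDOW = 11                   # median-time-past is the median of the previous 11 block times
TARGET_TIMESPAN = 2016 * 600      # retarget period: 2016 blocks at 10 minutes


def to_epoch(s: str) -> int:
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> Unix time."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def median_time_past(prev_timestamps):
    """Sort the last 11 block times and take the middle element, as bitcoind does."""
    window = sorted(prev_timestamps[-MTP_WINDOW:])
    return window[len(window) // 2]


def timestamp_is_valid(prev_timestamps, candidate, network_adjusted_time):
    """Return (ok, reason). A block only has to beat the median of its 11
    predecessors, so it may legally be earlier than its direct parent."""
    mtp = median_time_past(prev_timestamps)
    if candidate <= mtp:
        return False, f"{candidate} is not after median-time-past {mtp}"
    if candidate > network_adjusted_time + MAX_FUTURE_SECS:
        return False, f"{candidate} is more than 2 h ahead of network time"
    return True, "ok"


def retarget_multiplier(first_ts, last_ts):
    """Difficulty change at a retarget: expected timespan over the actual one,
    clamped to a factor of 4 in either direction."""
    actual = last_ts - first_ts
    actual = max(TARGET_TIMESPAN // 4, min(TARGET_TIMESPAN * 4, actual))
    return TARGET_TIMESPAN / actual


# Block times quoted in the post above; the ten earlier times are constructed.
T_171759 = to_epoch("2012-03-18 19:31:32")
T_171760 = to_epoch("2012-03-18 19:31:30")
HISTORY = [T_171759 - 600 * k for k in range(10, 0, -1)] + [T_171759]


def check_out_of_order_pair():
    """Validate block 171760's time against the chain ending in 171759."""
    return timestamp_is_valid(HISTORY, T_171760, network_adjusted_time=T_171760)


if __name__ == "__main__":
    print(check_out_of_order_pair())                 # (True, 'ok')
    print(retarget_multiplier(0, 2016 * 300))        # 2.0: blocks came twice as fast
```

A two-second reversal between consecutive blocks is therefore within the rules and says nothing by itself about clock sync; miners have several minutes of slack, and some deliberately roll the time field to get fresh work.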
legendary
Activity: 1386
Merit: 1004
I am figuring it is a botnet. With botnets reaching past 1 million computers someone must have selected a group of computers with good GPUs in them. Imagine good GPUs in 1% of machines, breaking them off as a separate botnet. Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown. 10,000 machines could make 2TH run slowly. The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found. This could live under the radar on a machine for a long time if they did nothing else with the pwned machine. And for $3000 a day, they would not have to resort to any other uses.

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
Requesting work from a pool with transactions or without transactions is the same amount of data for the clients.

Yes, if they are indeed working that way.

 The miners may be doing all the work as solo and relaying the finished work (only when found) as well to a central location.  That location may not actually be physically owned by the botnet, it may be just one machine (pwned) running the proper software to relay the finished block.  If something goes wrong with that machine, they get another ip.  If this IP moves from country to country it might help back up this theory. 
legendary
Activity: 1512
Merit: 1036
I am figuring it is a botnet. With botnets reaching past 1 million computers someone must have selected a group of computers with good GPUs in them. Imagine good GPUs in 1% of machines, breaking them off as a separate botnet. Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown. 10,000 machines could make 2TH run slowly. The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found. This could live under the radar on a machine for a long time if they did nothing else with the pwned machine. And for $3000 a day, they would not have to resort to any other uses.

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
+1. When most people think "botnet", they seem to be considering only CPU power - but it is entirely possible that the compromised machines have GPUs - and if the user from IRC is to be believed, this is indeed the case, from looking at his hardware manifest.

This alone does not explain the drop in "luck"; however when combined with discarding the golden nonces on legitimate miners it does make a lot of sense. Why discard the golden nonces? To lower the overall difficulty.
-1 for saying "golden nonces". Tongue
hero member
Activity: 1596
Merit: 502
I am figuring it is a botnet. With botnets reaching past 1 million computers someone must have selected a group of computers with good GPUs in them. Imagine good GPUs in 1% of machines, breaking them off as a separate botnet. Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown. 10,000 machines could make 2TH run slowly. The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found. This could live under the radar on a machine for a long time if they did nothing else with the pwned machine. And for $3000 a day, they would not have to resort to any other uses.

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
Requesting work from a pool with transactions or without transactions is the same amount of data for the clients.
legendary
Activity: 2282
Merit: 1050
Monero Core Team
I am figuring it is a botnet. With botnets reaching past 1 million computers someone must have selected a group of computers with good GPUs in them. Imagine good GPUs in 1% of machines, breaking them off as a separate botnet. Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown. 10,000 machines could make 2TH run slowly. The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found. This could live under the radar on a machine for a long time if they did nothing else with the pwned machine. And for $3000 a day, they would not have to resort to any other uses.

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
+1. When most people think "botnet", they seem to be considering only CPU power - but it is entirely possible that the compromised machines have GPUs - and if the user from IRC is to be believed, this is indeed the case, from looking at his hardware manifest.

This alone does not explain the drop in "luck"; however when combined with discarding the golden nonces on legitimate miners it does make a lot of sense. Why discard the golden nonces? To lower the overall difficulty.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
I am figuring it is a botnet. With botnets reaching past 1 million computers someone must have selected a group of computers with good GPUs in them. Imagine good GPUs in 1% of machines, breaking them off as a separate botnet. Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown. 10,000 machines could make 2TH run slowly. The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found. This could live under the radar on a machine for a long time if they did nothing else with the pwned machine. And for $3000 a day, they would not have to resort to any other uses.

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
+1. When most people think "botnet", they seem to be considering only CPU power - but it is entirely possible that the compromised machines have GPUs - and if the user from IRC is to be believed, this is indeed the case, from looking at his hardware manifest.
legendary
Activity: 1386
Merit: 1004
I am figuring it is a botnet. With botnets reaching past 1 million computers someone must have selected a group of computers with good GPUs in them. Imagine good GPUs in 1% of machines, breaking them off as a separate botnet. Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown. 10,000 machines could make 2TH run slowly. The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found. This could live under the radar on a machine for a long time if they did nothing else with the pwned machine. And for $3000 a day, they would not have to resort to any other uses.

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
legendary
Activity: 1274
Merit: 1004
I think it is most likely that an independent party has spent the money to make an ASIC farm, and found it easier to implement without including transactions. Becoming 20% of the network is about where you would find maximum profitability - if you doubled the total network hashrate yourself, you would only be earning 50% as many bitcoins per Thash.
Forgive my newbish ignorance, but depending on how they implemented it if a single entity actually reached 50% of the network with a cASIC would it not lead to basically the end of BTC? If you're a major miner you could look at developing your own ASIC, but the majority of the cost is already sunk for the 50% miner and they could simply churn out more wafers with the same mask. It might not be in the interest of the mystery miner to do a 51% attack, but it would be incredibly risky to sink hundreds of thousands or millions of dollars into a cASIC design when there's a very good possibility that the person who's already at 50% could disrupt the network before your hashing power comes online.
legendary
Activity: 1512
Merit: 1036
Could this be a vulnerability, or backdoor introduced by any popular mining software programmer,
which might be stealing and redirecting a % of hashing power ?
(my apologies to all good faith programmers for the accusations pulled out of my ass)

Miners would see network connections to somewhere else than their pool, and would earn less than expected. The majority of mining software is open-source, so you would have to be distributing an exe that is made with different source than you have published. And even if 25% of all Bitcoin miners were using such software, it would take half their work being diverted to equal the mystery miner's hashrate.

I think it is most likely that an independent party has spent the money to make an ASIC farm, and found it easier to implement without including transactions. Becoming 20% of the network is about where you would find maximum profitability - if you doubled the total network hashrate yourself, you would only be earning 50% as many bitcoins per Thash.
donator
Activity: 2772
Merit: 1019
watching

Goat, just click 'notify' instead of posting in the thread to 'watch' it

I just tried this and you must be joking, c_k: that sends emails! I don't want my inbox full of "topic reply: whatever"-messages. I want replies to show up behind the "Show new replies to your posts."-links. Any other way to achieve this than using "subscribe"-posts?

[goes to find out how to remove that notification crap]
legendary
Activity: 1099
Merit: 1000
Could this be a vulnerability, or backdoor introduced by any popular mining software programmer,
which might be stealing and redirecting a % of hashing power ?
(my apologies to all good faith programmers for the accusations pulled out of my ass)
legendary
Activity: 1512
Merit: 1036
One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
It's impossible unless this malware also provides all those miners with work too.

If the malware also provides work effectively stealing a portion of the hash rate it would still have the impact I mentioned.
Couldn't it just intercept golden nonces and discard them? That would cause bad luck, with the same/high hashrate.

When mining, you are doing a brute force hashing of everything that will go into a block. The merkle tree you are hashing includes the address that a block will pay out to if it is found, along with a "coinbase", which is per-worker information added by the pool to make a miner's work unique. You are also hashing all the transactions to be included in the block. Mystery miner's blocks have zero transactions, they are different than a normal pool's blocks.

Because of the pool-specific and worker-specific data included in a block, you cannot simply pick out certain hashes like one that solves a block and send them somewhere else, they would still pay to the original wallet's address as that information is embedded in what is being hashed. If the miners were getting altered work, they could not send it back to the original pool as the shares would be invalid, they would not be hashes of what the pool was requesting.

In order to steal work, the attacker would have to pwn the pool. If you can get into deepbit and silently get 10% of their block finds to pay to your wallet, that's better than just stealing their wallet once. As about half the pools here have been compromised at some point, we see that getting in is possible, but rootkitting and altering pool software to make a continuous undetectable diversion of mining rewards would be more difficult.

If it's a botnet then this could potentially mean trouble for it in long run  Grin
A yet-undetected botnet seems difficult to believe, it would be on the scale of Zeus2. I have seen no bitcoin bot alerts since Sept 2011 and those were naive trojans. CPU mining my Core 2 Quad (probably faster than the average internet-connected computer) gets 11mhash/s; to get into the 2000ghash/s the miner is likely doing, they would need 200,000 such fulltime botty machines. A CPU+GPU bot would need fewer, but I have a feeling that systems with GPUs running mining-capable drivers that can hash faster than their CPU are in the minority, if we were to survey all Internet-connected machines worldwide.
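Added example, not from the thread's posters, showing the point made above about why a found block cannot simply be "picked out and sent somewhere else": the payout script and the per-worker extranonce are committed to by the coinbase txid, which is committed to by the merkle root, which sits inside the 80-byte header that is actually hashed. Header serialisation, double-SHA256 and the merkle tree follow the real Bitcoin layout; the coinbase txid construction, the transactions, the previous block hash and the very easy target are constructed stand-ins so the search finishes in well under a second.

```python
# Added example (not from the thread): a block solution is bound to the payout
# address through the coinbase txid and merkle root, so it cannot be redirected,
# and a pool only credits shares that hash the exact job it issued.
import hashlib
import struct


def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def merkle_root(txids):
    """Bitcoin merkle root over 32-byte txids; an odd layer duplicates its last hash."""
    layer = list(txids)
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        layer = [dsha256(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]


def coinbase_txid(payout_address: str, extranonce: int) -> bytes:
    """Constructed stand-in for the coinbase transaction id: it commits to the
    payout script and to the per-worker extranonce the pool adds to make work unique."""
    return dsha256(b"coinbase:" + payout_address.encode() + struct.pack("<I", extranonce))


def header(version, prev_hash, root, ntime, nbits, nonce) -> bytes:
    """Real 80-byte block header layout (all integers little-endian)."""
    return struct.pack("<I", version) + prev_hash + root + struct.pack("<III", ntime, nbits, nonce)


def meets_target(hdr: bytes, target: int) -> bool:
    return int.from_bytes(dsha256(hdr), "little") <= target


def mine(work, target, max_tries=1 << 24):
    """Brute-force the nonce; returns None if the bound is exhausted."""
    for nonce in range(max_tries):
        if meets_target(header(*work, nonce), target):
            return nonce
    return None


def pool_accepts_share(issued_work, hdr: bytes, share_target: int) -> bool:
    """A pool credits a share only if it hashes the job it issued: same previous
    block hash and same merkle root. Altered work can never be submitted back."""
    _version, prev_hash, root, _ntime, _nbits = issued_work
    return hdr[4:36] == prev_hash and hdr[36:68] == root and meets_target(hdr, share_target)


TARGET = 1 << 240          # constructed: ~2^16 hashes on average; real targets are far lower
PREV_HASH = bytes(32)      # constructed previous block hash
OTHER_TXIDS = [dsha256(b"constructed-tx-%d" % i) for i in range(3)]


def make_work(payout_address: str, extranonce: int = 7):
    root = merkle_root([coinbase_txid(payout_address, extranonce)] + OTHER_TXIDS)
    ntime, nbits = 1331235092, 0x1D00FFFF   # constructed time; nbits carried, not used for TARGET
    return (1, PREV_HASH, root, ntime, nbits)


def demo():
    pool_work = make_work("pool-payout-address")        # the job the pool handed the worker
    nonce = mine(pool_work, TARGET)
    hijacked = make_work("other-payout-address")        # same job with the payout rewritten
    return {
        "nonce": nonce,
        "roots_differ": pool_work[2] != hijacked[2],
        "valid_for_pool": meets_target(header(*pool_work, nonce), TARGET),
        "valid_after_rewrite": meets_target(header(*hijacked, nonce), TARGET),
        "pool_accepts_original": pool_accepts_share(pool_work, header(*pool_work, nonce), TARGET),
        "pool_accepts_rewritten": pool_accepts_share(pool_work, header(*hijacked, nonce), TARGET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value}")
```

The rewritten header gets a completely different hash, so the nonce that solved the pool's job is worthless for any other payout, and the pool's share check rejects it on the merkle root before even looking at the hash.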
hero member
Activity: 910
Merit: 1000
Items flashing here available at btctrinkets.com
I've been watching this thread for a while and today came up with a way to possibly confirm if this new miner indeed is a botnet, I e-mailed an active researcher in a major company dealing in antiviral/security-software, I have no way of knowing if the mail will ever be even read or responded to. However should I get a reply I will be reporting in.
I got a reply:
(translated to English) "We have seen a few bitcoin botnets... I'll check if any match the description."

If it's a botnet then this could potentially mean trouble for it in long run  Grin

rjk
sr. member
Activity: 448
Merit: 250
1ngldh
One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
It's impossible unless this malware also provides all those miners with work too.

If the malware also provides work effectively stealing a portion of the hash rate it would still have the impact I mentioned.
Couldn't it just intercept golden nonces and discard them? That would cause bad luck, with the same/high hashrate.
legendary
Activity: 2282
Merit: 1050
Monero Core Team
One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
It's impossible unless this malware also provides all those miners with work too.

If the malware also provides work effectively stealing a portion of the hash rate it would still have the impact I mentioned. It would appear to the pool that it is taking longer to solve a block.
donator
Activity: 2772
Merit: 1019
I bet this company here is testing one of their fpga/asic products: http://www.sevensols.com/

It's located in Granada, Spain. That's where the ip is from.

Hmm, Granada. Lots of sun. All the mountains around are full of windmills. Maybe someones making good use of surpluses from wind/solar?

EDIT: tried to read the thread, but it's too long. Is there consensus it was/is sevensols?
full member
Activity: 199
Merit: 100
You still wonder who this is? Ok, let me quote myself  Smiley

I bet this company here is testing one of their fpga/asic products: http://www.sevensols.com/

It's located in Granada, Spain. That's where the ip is from.
donator
Activity: 532
Merit: 501
We have cookies
One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
It's impossible unless this malware also provides all those miners with work too.
legendary
Activity: 2282
Merit: 1050
Monero Core Team
This is what I'm looking at:
http://bitcoin.sipa.be/speed-lin-2k.png

And obviously not the 8 hour avg green line, but the 3 day estimate. Though variability is high enough to make firm conclusions impossible, it's not quite what you'd expect if 1.3 TH joined the network out of the blue. There is no spike up, it's flat or down best I can tell.

DrHaribo did have another hypothesis; rather than stealing blocks he suggested it might be possible for an attacker with a botnet to intercept a % of winning blocks of other pools to keep difficulty down. That would show up in stats eventually, but made me wonder why we aren't using HTTPS on our miners to prevent such sabotage in the first place.

One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
It would affect all pools and solo miners running infected Microsoft Windows
No increase in over all network hashrate or difficulty
A significant drop in reward vs expected reward as shown for example by Bitminter https://bitminter.com/stats/rewards
Zero transaction blocks as a way of minimizing the risk of detection
Infected machines not mining Bitcoins can be used for other illegal activities

One way to test this is for the larger pool operators to test if miners using GNU / Linux are statistically "luckier" than those using Microsoft Windows.
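Added example, not from the thread's posters, carrying out the Linux-versus-Windows "luck" test proposed above on constructed numbers. With difficulty-1 shares each share is a block with probability 1/difficulty, so expected blocks = shares / difficulty; block finds are then a Poisson count, and the probability of seeing at most the observed number says whether a group's shortfall is chance or worth investigating. The difficulty and per-group share and block counts are constructed, not Bitminter's figures.

```python
# Added example (not from the thread): compare block-finding luck of two miner
# populations and flag a group whose shortfall is unlikely to be chance.
import math


def expected_blocks(diff1_shares: float, network_difficulty: float) -> float:
    """Each difficulty-1 share is a block with probability 1/difficulty."""
    return diff1_shares / network_difficulty


def poisson_cdf(k: int, lam: float) -> float:
    """P(X <= k) for X ~ Poisson(lam); terms summed via logs to avoid overflow."""
    return sum(math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1)) for i in range(k + 1))


def luck_report(group: str, diff1_shares: float, found: int, difficulty: float) -> dict:
    exp = expected_blocks(diff1_shares, difficulty)
    return {
        "group": group,
        "expected": exp,
        "found": found,
        "luck": found / exp,                 # 1.0 = exactly as expected
        "p_at_most": poisson_cdf(found, exp),  # chance of doing this badly or worse
    }


def flag_unlucky(reports: dict, alpha: float = 0.01) -> list:
    """Groups whose observed block count is below the alpha tail of what their shares predict."""
    return [g for g, r in reports.items() if r["p_at_most"] < alpha]


# Constructed pool figures: (difficulty-1 shares, blocks found) per client OS.
DIFFICULTY = 1_500_000.0
SAMPLE = {"linux": (45_000_000, 33), "windows": (120_000_000, 55)}


def run(sample=SAMPLE, difficulty=DIFFICULTY):
    reports = {g: luck_report(g, shares, found, difficulty) for g, (shares, found) in sample.items()}
    return reports, flag_unlucky(reports)


if __name__ == "__main__":
    reports, unlucky = run()
    for r in reports.values():
        print(f"{r['group']:8s} expected={r['expected']:6.1f} found={r['found']:3d} "
              f"luck={r['luck']:.3f} P(X<=found)={r['p_at_most']:.4f}")
    print("groups below the 1% tail:", unlucky)
```

Two things make or break this test in practice: shares from both groups must be counted at the same share difficulty (or converted to difficulty-1 equivalents first), and the window has to be long enough that expected block counts are in the dozens, otherwise ordinary variance produces "unlucky" groups on its own.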