Pages:
Author

Topic: Wonder who this solominer is? 88.6.216.9 - page 27. (Read 60498 times)

donator
Activity: 448
Merit: 250
Just seeing that 88.6.216.9 is on several blacklists
bl.spameatingmonkey.net
cblplus.anti-spam.org.cn
pbl.spamhaus.org
spam.dnsbl.sorbs.net
The whole botnet seems not farfetched.
hero member
Activity: 686
Merit: 500
Bitbuy
Copy/Paste on request from: https://bitcointalksearch.org/topic/mystery-miner-observation-69340



Regarding the mystery miner being discussed in https://bitcointalk.org/index.php?topic=67634.200 ... (originally at 88.6.216.9 and now at 85.214.124.168):

A little while ago they mined four blocks in the space of 1 hour:

http://blockchain.info/block-height/171757
http://blockchain.info/block-height/171759
http://blockchain.info/block-height/171760
http://blockchain.info/block-height/171763

Interestingly, the timestamps on their two consecutive blocks 171759 (2012-03-18 19:31:32) and 171760 (2012-03-18 19:31:30) are out of order! This implies to me that either there are some shenanigans I don't understand the point of, or this is a botnet without good clock sync.

Can someone explain what the timestamp field is used for?

ps: someone who isn't limited to the newbie forum, please copy+paste this post to the myster miner thread.
legendary
Activity: 1386
Merit: 1004
I am figuring it is a botnet.  With botnets reaching past 1 million computers someone must have selected a group of computers with good GPU's in them.  Imagine good GPU's in 1% of machines, breaking them off as a seperate botnet.  Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown.  10,000 machines could make 2TH ran slowly.  The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found.  This could live under the radar on a machine for a long time if they did nothing else with the pwned machine.   And for $3000 a day, they would not have to resort to any other uses. 

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
Requesting work from a pool with transactions or without transactions is the same amount of data for the clients.

Yes, if they are indeed working that way.

 The miners may be doing all the work as solo and relaying the finished work (only when found) as well to a central location.  That location may not actually be physically owned by the botnet, it may be just one machine (pwned) running the proper software to relay the finished block.  If something goes wrong with that machine, they get another ip.  If this IP moves from country to country it might help back up this theory. 
legendary
Activity: 1512
Merit: 1036
I am figuring it is a botnet.  With botnets reaching past 1 million computers someone must have selected a group of computers with good GPU's in them.  Imagine good GPU's in 1% of machines, breaking them off as a seperate botnet.  Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown.  10,000 machines could make 2TH ran slowly.  The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found.  This could live under the radar on a machine for a long time if they did nothing else with the pwned machine.   And for $3000 a day, they would not have to resort to any other uses. 

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
+1. When most people think "botnet", they seem to be considering only CPU power - but it is entirely possible that the compromised machines have GPUs - and if the user from IRC is to be believed, this is indeed the case, from looking at his hardware manifest.

This alone does not explain the drop in "luck"; however when combined with discarding the golden nonces on legitimate miners it does make a lot of sense. Why discard the golden nonces? To lower the overall difficulty
-1 for saying "golden nonces". Tongue
hero member
Activity: 1596
Merit: 502
I am figuring it is a botnet.  With botnets reaching past 1 million computers someone must have selected a group of computers with good GPU's in them.  Imagine good GPU's in 1% of machines, breaking them off as a seperate botnet.  Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown.  10,000 machines could make 2TH ran slowly.  The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found.  This could live under the radar on a machine for a long time if they did nothing else with the pwned machine.   And for $3000 a day, they would not have to resort to any other uses. 

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
Requesting work from a pool with transactions or without transactions is the same amount of data for the clients.
legendary
Activity: 2282
Merit: 1050
Monero Core Team
I am figuring it is a botnet.  With botnets reaching past 1 million computers someone must have selected a group of computers with good GPU's in them.  Imagine good GPU's in 1% of machines, breaking them off as a seperate botnet.  Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown.  10,000 machines could make 2TH ran slowly.  The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found.  This could live under the radar on a machine for a long time if they did nothing else with the pwned machine.   And for $3000 a day, they would not have to resort to any other uses. 

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
+1. When most people think "botnet", they seem to be considering only CPU power - but it is entirely possible that the compromised machines have GPUs - and if the user from IRC is to be believed, this is indeed the case, from looking at his hardware manifest.

This alone does not explain the drop in "luck"; however when combined with discarding the golden nonces on legitimate miners it does make a lot of sense. Why discard the golden nonces? To lower the overall difficulty
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
I am figuring it is a botnet.  With botnets reaching past 1 million computers someone must have selected a group of computers with good GPU's in them.  Imagine good GPU's in 1% of machines, breaking them off as a seperate botnet.  Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown.  10,000 machines could make 2TH ran slowly.  The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found.  This could live under the radar on a machine for a long time if they did nothing else with the pwned machine.   And for $3000 a day, they would not have to resort to any other uses. 

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
+1. When most people think "botnet", they seem to be considering only CPU power - but it is entirely possible that the compromised machines have GPUs - and if the user from IRC is to be believed, this is indeed the case, from looking at his hardware manifest.
legendary
Activity: 1386
Merit: 1004
I am figuring it is a botnet.  With botnets reaching past 1 million computers someone must have selected a group of computers with good GPU's in them.  Imagine good GPU's in 1% of machines, breaking them off as a seperate botnet.  Now run them at low levels, do not run them hard enough for fans to get aggressive or any slowdown.  10,000 machines could make 2TH ran slowly.  The internet connection usage would be kept to a minimum by only getting the bare minimum information (no transactions) and relaying back only when a block is found.  This could live under the radar on a machine for a long time if they did nothing else with the pwned machine.   And for $3000 a day, they would not have to resort to any other uses. 

Of course it could be 5000-50000 machines in play....  But this is what I think it is. 
legendary
Activity: 1274
Merit: 1004
I think it is most likely that an independent party has spent the money to make an ASIC farm, and found it easier to implement without including transactions. Becoming 20% of the network is about where you would find maximum profitability - if you doubled the total network hashrate yourself, you would only be earning 50% as many bitcoins per Thash.
Forgive my newbish ignorance, but depending on how they implemented it if a single entity actually reached 50% of the network with a cASIC would it not lead to basically the end of BTC? If you're a major miner you could look at developing your own ASIC, but the majority of the cost is already sunk for the 50% miner and they could simply churn out more wafers with the same mask. It might not be in the interest of the mystery miner to do a 51% attack, but it would be incredibly risky to sink hundreds of thousands or millions of dollars into a cASIC design when there's a very good possibility that the person who's already at 50% could disrupt the network before your hashing power comes online.
legendary
Activity: 1512
Merit: 1036
Could this be a vulnerability, or backdoor introduced by any popular mining software programmer,
which might be stealing and redirecting a % of hashing power ?
(my apologies to all good faith programmers for the accusations pulled out of my ass)

Miners would see network connections to somewhere else than their pool, and would earn less than expected. The majority of mining software is open-source, so you would have to be distributing an exe that is made with different source than you have published. And even if 25% of all Bitcoin miners were using such software, it would take half their work being diverted to equal the mystery miner's hashrate.

I think it is most likely that an independent party has spent the money to make an ASIC farm, and found it easier to implement without including transactions. Becoming 20% of the network is about where you would find maximum profitability - if you doubled the total network hashrate yourself, you would only be earning 50% as many bitcoins per Thash.
donator
Activity: 2772
Merit: 1019
watching

Goat, just click 'notify' instead of posting in the thread to 'watch' it

I just tried this and you must be joking, c_k: that sends emails! I don't want my inbox full of "topic reply: whatever"-messages. I want replies to show up behind the "Show new replies to your posts."-links. Any other way to achieve this than using "subscribe"-posts?

[goes to find out how to remove that notification crap]
legendary
Activity: 1099
Merit: 1000
Could this be a vulnerability, or backdoor introduced by any popular mining software programmer,
which might be stealing and redirecting a % of hashing power ?
(my apologies to all good faith programmers for the accusations pulled out of my ass)
legendary
Activity: 1512
Merit: 1036
One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
It's impossible unless this malware also provides all those miners with work too.

If the malware also provides work effectively stealing a portion of the hash rate it would still have the impact I mentioned.
Couldn't it just intercept golden nonces and discard them? That would cause bad luck, with the same/high hashrate.

When mining, you are doing a brute force hashing of everything that will go into a block. The merkle tree you are hashing includes the address that a block will pay out to if it is found, along with a "coinbase", which is per-worker information added by the pool to make a miner's work unique. You are also hashing all the transactions to be included in the block. Mystery miner's blocks have zero transactions, they are different than a normal pool's blocks.

Because of the pool-specific and worker-specific data included in a block, you cannot simply pick out certain hashes like one that solves a block and send them somewhere else, they would still pay to the original wallet's address as that information is embedded in what is being hashed. If the miners were getting altered work, they could not send it back to the original pool as the shares would be invalid, they would not be hashes of what the pool was requesting.

In order to steal work, the attacker would have to pWN the pool. If you can get into deepbit and silently get 10% of their block finds to pay to your wallet, that's better than just stealing their wallet once. As about half the pools here have been compromised at some point, we see that getting in is possible, but rootkitting and altering pool software to make a continuous undetectable diversion of mining rewards would be more difficult.

If it's a botnet then this could potentially mean trouble for it in long run  Grin
A yet-undetected botnet seems difficult to believe, it would be on the scale of Zeus2. I have seen no bitcoin bot alerts since Sept 2011 and those were naive trojans. CPU mining my Core 2 Quad (probably faster than the average internet-connected computer) gets 11mhash/s; to get into the 2000ghash/s the miner is likely doing, they would need 200,000 such fulltime botty machines. A CPU+GPU bot would need fewer, but I have a feeling that systems with GPUs running mining-capable drivers that can hash faster than their CPU are in the minority, if we were to survey all Internet-connected machines worldwide.
hero member
Activity: 910
Merit: 1000
Items flashing here available at btctrinkets.com
I've been watching this thread for a while and today came up with a way to possibly confirm if this new miner indeed is a botnet, I e-mailed an active researcher in a major company dealing in antiviral/security-software, I have no way of knowing if the mail will ever be even read or responded to. However should I get a reply I will be reporting in.
I got a reply:
(translated to english) "We have seen a few bitcoin botnets... I'll check if any match the discription."

If it's a botnet then this could potentially mean trouble for it in long run  Grin

rjk
sr. member
Activity: 448
Merit: 250
1ngldh
One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
It's impossible unless this malware also provides all those miners with work too.

If the malware also provides work effectively stealing a portion of the hash rate it would still have the impact I mentioned.
Couldn't it just intercept golden nonces and discard them? That would cause bad luck, with the same/high hashrate.
legendary
Activity: 2282
Merit: 1050
Monero Core Team
One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
It's impossible unless this malware also provides all those miners with work too.

If the malware also provides work effectively stealing a portion of the hash rate it would still have the impact I mentioned. If would appear to the pool that it is taking longer to solve to block.
donator
Activity: 2772
Merit: 1019
I bet this company here is testing one of their fpga/asic products: http://www.sevensols.com/

It's located in Granada, Spain. That's where the ip is from.

Hmm, Granada. Lots of sun. All the mountains around are full of windmills. Maybe someones making good use of surpluses from wind/solar?

EDIT: tried to read the thread, but it's too long. Is there consenus it was/is sevensols?
full member
Activity: 199
Merit: 100
You still wonder who this is? Ok, let me quote myself  Smiley

I bet this company here is testing one of their fpga/asic products: http://www.sevensols.com/

It's located in Granada, Spain. That's where the ip is from.
donator
Activity: 532
Merit: 501
We have cookies
One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
It's impossible unless this malware also provides all those miners with work too.
legendary
Activity: 2282
Merit: 1050
Monero Core Team
This is what Im looking at:
http://bitcoin.sipa.be/speed-lin-2k.png

And obviously not the 8 hour avg green line, but the 3 day estimate. Though variability is high enough to  make firm conclusions impossible,  its not quite what youd expect if 1.3 TH joined the network out of the blue. There is no spike up, its flat or down best I can tell.

DrHaribo did have another hypothesis; rather than stealing blocks he suggested it might be possible for an attacker with a botnet to intercept a % of winning blocks of other pools to keep difficulty down. That would show up in stats eventually, but made me wonder why we arent using HTTPS on our miners to prevent such sabotage in the first place.

One possibility is Microsoft Windows malware that targets existing Bitcoin miners and steals a portion of their winning blocks. The impact would be.
It would affect all pools and solo miners running infected Microsoft Windows
No increase in over all network hashrate or difficulty
A significant drop in reward vs expected reward as shown for example by Bitminter https://bitminter.com/stats/rewards
Zero transaction blocks as a way of minimizing the risk of detection
Infected machines not mining Bitcoins can be used for other illegal activities

One way to test this is for the larger pool operators to test if miners using GNU / Linux are statistically "luckier" than those using Microsoft Windows.
Pages:
Jump to: