Indestructible miners
Thursday, April 5, 2018
If a computer is slowing down, it’s quite possible that a mining application is running on it. Here is the story of one mysterious system issue:
We have a laptop with Ubuntu Linux installed on it that’s running slowly, and that’s all we know.
We’ve tried monitoring the CPU and memory usage, and other system operational parameters, but that’s yielded no clues; we’ve run out of ideas. We’ve surfed the Web in various browsers, looked for suspicious applications and extensions, and cleared the browser cache… Everything seems to be working properly.
If we stick with the version that a mining application is involved, we must assume that it ran for a while in the system and then deleted itself. But that would be a very unlikely turn of events.
A while later the user complained about the same issue again! Most curious was the fact that whenever the laptop was left in my hands, all the "bad symptoms" inexplicably vanished. The machine's owner could only stare at me with perplexed surprise.
The description fails to mention an important detail: the laptop's owner was accessing the Internet from a different location.
At a certain point, another laptop was used to get on the Internet via the same Wi-Fi network that the device in question regularly connected to. And here it was discovered that the personal laptop’s Safari browser was devouring CPU capacity!
But what was the connection between the access point and the speed of the program's operation? Was it a browser bug or some auto-start service in that particular network?
The screenshot shows that a script with a weird name is being run repeatedly on a certain site and that several third party scripts from two browser extensions are also present.
Important! As a rule, modern malicious programs communicate with attackers' command and control servers. It is possible that the technical support employees you bring your computer to are using advanced system protection software, and the Trojan simply won't be able to go online. And keeps lurking in the shadows. If you suspect that a Trojan has gained a foothold in your computer, quickly gather all the relevant system information.
Click on the icon in the system tray, select Tools, and in the newly appeared menu, select Support → Report for technical support.
In the newly appeared window, click Generate report.
But let's get back to our investigation. The text doesn't specify where the performance issues occurred, i.e., whether it was while visiting one specific site, all sites, or something else. The publication we are commenting on clearly shows how much time can be wasted if all the relevant information is not collected immediately and insufficient data is used to look for a solution. This is a typical situation: technical support staff often spend time prying information out of victims.
All the browser extensions were disabled and later removed, but the problem didn't disappear; the script persisted in the site code. Further examination with a debugger showed that the script mined the Monero cryptocurrency using the CryptoNight algorithm. It would seem, well, that it was definitely a miner at work on the site.
We were about ready to send a message to the site's owners telling them that they were very bad people, but decided to double-check everything, just in case.
We then noticed that the same script appeared on other sites! We used other browsers with no extensions or plugins whatsoever. The outcome was the same—the same script with mining code emerged every now and then on some sites.
Because the examination was extremely tedious and we were long past needing to resolve the problem, we chose to reinstall the operating system.
Well, why reinstall the system if the mining code on the site would disappear as soon as the corresponding page is closed? The result is quite predictable:
Reinstalling MacOS accomplished absolutely nothing.
We won't recount everything the authors of the article had to say after that. We believe our readers can already guess what the real culprit was.
Malicious code in the router firmware facilitated an HTTP+TCP MITM attack by injecting mining code into webpages loaded from sites that weren't using HTTPS. That's why the problem was intermittent – if content was loaded over HTTP into a browser tab, the CPU was engaged in mining Monero for virus makers!
Reflashing the router solved the problem.
So it was the router that was infected. The malicious code intercepted traffic and injected the mining script into site code.
But how did the infection occur? There are three possibilities: a compromised password, a vulnerability, and a misconfiguration (allowing a remote attacker to tamper with the device's routines).
Here is an example of how a system can be compromised by exploiting a vulnerability in a certain process. Not one on a router, but we are talking about cryptocurrencies again.
Attackers scan the World Wide Web for computers running rTorrent and other applications based on it. They then leverage a vulnerability to install a malicious program that will mine Monero.
A user installs legitimate mining software and starts counting their future profits. But money doesn’t just like to be counted; it also likes to be protected. We’ve often mentioned that accountants' computers require additional protection. And as far as mining is concerned, system security must be just as tough! Criminals can take advantage of outdated software, deploy their code, and misappropriate funds.
Also note that rTorrent's developer doesn't recommend establishing RPC communication over TCP ports. It appears that XML-RPC is disabled by default, so users enable it to control the application via a more user-friendly front end.
Thus users themselves open the door to threat actors.
The most interesting thing to note:
The malware deployed by exploiting rTorrent vulnerabilities doesn’t just download a miner application (this software only consumes system resources). It also looks for "competitors" in the system. If any are detected, the malware attempts to delete them to make sure that all the system capacity is utilised by the miner it has deployed.
Who are these competitors, you’re wondering? Miners? Brace yourself:
As of now, the malware program is detected by only three anti-viruses out of 59 more or less common ones. Chances are that number will increase shortly.
The Anti-virus Times recommends
Update your software! If you use your computer to access certain funds or any other valuable assets, apply updates constantly. Set strong passwords. Disable all the services you don’t use. And if your router is listed as a supported device, check it with the Dr.Web scanner.
Tell us what you think
To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.
Comments
Неуёмный Обыватель
01:14:31 2018-07-29
vasvet
14:01:36 2018-06-25