Today we are going to talk to those of you who use Bitcoin digital currency to pay for a variety of goods and services - along with a warning about yet another source of Bitcoin miners - the sharing services. You may think that if you avoid cracks and keygens while browsing the web you will be safe. Well, we would recommend that you reconsider that position. Recently we found that on the uloz.to file sharing service someone uploaded a lot of fake files containing Bitcoin miners!
Bitcoin Mining service
First a little background for the uninitiated: Bitcoins can be obtained by trading real currency, goods, or services with people who have them or alternatively, through mining. The mining process involves running software that performs complex math problems for which you're rewarded a share of the income. There are a finite amount of Bitcoins to be had, and mining for them can be compared to extracting gold or diamonds from the earth. The more you get, the fewer there are to be had, so it becomes increasingly harder and more expensive. Here's a descriptive article about mining.
Bitcoin mining services such as bitminter.com use shared computer resources of their users to mine new Bitcoins. In order to participate, the mining users have to create an account and then register their computers (workers) with the service. Then they simply run the Bitcoin miner program provided with their credentials on as many computers as they have. In the end, if they had enough computation power and time they might end up with a few Bitcoins.
It can be expected that some people will not be satisfied just using their own machines so they will try to use the computing power of unsuspecting victims. And that's exactly what the authors of this malware are doing: They use hardware that does not belong them to generate more money.
It's not a Bitcoin problem; it's a people problem
We must stress that there's nothing wrong with Bitcoin or its mining services. The problem is that some greedy people are misusing them.
Some of them can be seen on the following image. The word "cestina" means that the file should contain Czech localization of the referenced program. All of them contain a hidden feature, and sometimes the name is a complete fabrication. For example, The-Night-of-the-Rabbit-cestina.exe contains a crack for Call of Duty 4. Notice too, that all these files have an elevated popularity; no doubt a result of tampering. Some downloaders already suspect something fishy about these files.
If you run the downloaded installer, new files will be created in "c:\windows\inf\" directory. The first dropped file is ntvdm.inf which contains configuration information for the Bitcoin miner. The second file is named ntvdm.vbe and contains the miner's start-up script encoded with Microsoft Script Encoder. Furthermore, there is a randomly-named directory created with miners binaries. Attackers use opensource cgminer which is available on GitHub.
Fortunately it was quite easy to decode the start-up script. With a little modification for better readability we got this result:
If objFSO.FIleexists(windowsdIr&"\system32\OpenCL.dll") Then
if Not oBjFSO.FilEExIsts(hOmedir&"\regbcm")THEn sEt objXmLhTTP=CreateObject("MSXML2.XMLHTTP"):
path=winDowsdir&"\inf\"&execNAmE&"\"&exeCName&".exe -o "&url&" -u "&login&" -p "&passworD:
Notice the first condition which checks whether the OpenCLlibrary is present on the system. This library is used for massively parallel computing by the miner (remember that mining Bitcoins is a very difficult computational problem and therefore requires parallelism). If the library is not found the miner will not start.
The following condition tests if the directory "%USERPROFILE%\regbcm" exists. If not the script contacts h**p://msdrv64.com/register_slave.php creates the conditional file which is probably working as a global mutex. This process seems to function as the infection counter since there is no downloaded data.
As the last step, the configuration information is read from "c:\windows\inf\ntvdm.inf" and miner is started. An interesting feature of this script is that it finally flashes a message box with path to "%USERPROFILE%".
Removing the malware
If you have AVAST installed on your computer, it will automatically detect the malicious miner as VBS:FlufferMiner-A and delete it.
To manually remove all residues of this application just terminate "C:\Windows\System32\WScript.exe" andany executable running from "C:\Windows\Inf\" or a program having its parent "C:\Windows\Inf\ntvdm.vbe". Then delete the entire directory mentioned in the first line of configuration file ntvdm.inf. Files "C:\Windows\Inf\ntvdm.vbe" and "C:\Windows\Inf\ntvdm.inf" delete as well.