Miners and Antivirus

    I personally came across the topic of miners after a statement by German Klimenko that a huge number of Moscow servers are infected with miners. Before that, miners were, for me personally, just one more type of malware. Not much time has passed since then, but the number of people who want to make money on other people's computers keeps growing, and I think it is time to talk about this phenomenon.

    Whoever is interested in how many miners are created per day, how they are distributed and (most importantly) how antiviruses treat them: read on.

    Let's start with the last topic announced: the relationship between antiviruses and miners. To answer this question, you need to understand what a malicious program is from an antivirus's point of view.

    A malicious program is a program that is installed on a computer without the user's knowledge or performs unauthorized actions on the user's computer. The definition is not ideal, but very close to the truth.

    Two quotes from the article :

    The problem for the victim is that their computer, infected with the crypto miner, works much slower than usual ...

    ... advanced malware stops working when “heavy” applications like games are launched on the PC ...

    This is definitely malicious behavior, which makes miners legitimate prey for antiviruses (and for other protection systems; antivirus is not the only one).

    But can an antivirus catch a miner?

    There are a lot of miners, and the difficulty of detecting them is that mining itself is a standard process. These are not attempts to erase or modify files, change the contents of the boot sector of a hard disk, etc. No, in the usual case mining will not be detected by the antivirus. Therefore, antivirus developers have to look for new ways to determine the presence of such programs on victims' computers.

    Not quite. The above quote refers to a behavioral analyzer (or a variation of it, a cloud antivirus). These antivirus components really do track behavior. And if the malware did nothing but mine, it would indeed be impossible to decide whether it was malware or not. So let's look at what miners actually are.

    Roughly speaking, there are two varieties. The first implements mining with a self-written component. Here everything is clear: the signatures in the anti-virus databases will not even let the miner start, no matter how it gets onto the machine. The article says that "cybercriminals infect servers on the network by exploiting a vulnerability like EternalBlue". WannaCry spread the same way, but it could not always start either: one antivirus caught it with a heuristic, another, when the cloud was enabled, with its cloud components.

    An example of a similar miner:
    The miner Trojan.BtcMine.1259 is downloaded to the computer by the Trojan.DownLoader24.64313 downloader, which, in turn, is distributed using the DoublePulsar backdoor. Immediately after the start, Trojan.BtcMine.1259 checks to see if a copy of it is running on the infected computer. Then it determines the number of processor cores, and if it is greater than or equal to the number of threads specified in the Trojan’s configuration, it decrypts and loads into the memory the library stored in its body. This library is a modified version of the open source remote administration system known as Gh0st RAT (detected by Dr.Web Anti-virus under the name BackDoor.Farfli.96). Then Trojan.BtcMine.1259 saves its copy to disk and launches it as a system service.

    The second option is to use a regular, legitimate mining program.

    Example
    Trojan.BtcMine.1 uses two legitimate mining programs, with the help of which it uses the computing resources of the victim's computer to "mine" virtual coins. Once launched on the system by an unsuspecting user, Trojan.BtcMine.1 saves itself in a temporary folder under the name udpconmain.exe. Then it registers the path to the executable file in the registry key responsible for application startup. Then the malware downloads from the Internet and places in the temporary folder, under the name miner.exe, a second "miner" in order to load the computer with calculations as much as possible. After that, the Trojan programs connect to one of the payment system pools and begin calculating, earning a corresponding reward for the attackers. In the illustration, you can see the processor load created by the miner program.

    In this case, to launch a legitimate miner, it must first be delivered to the machine, started, and preferably the presence of its process in the system (and its tray icon) must be hidden. So there are malicious components that can again be detected either by signatures or by behavior.

    In general: if there is a signature, the miner will not run. If there is no signature, the miner will be noticed by the increased load on the machines, and a signature will appear.
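The two behaviors the post relies on, sustained CPU load and the "polite" miner that backs off when a heavy application is running, can both be turned into simple detection rules. The following is an added example, not code from the original post: the process samples are constructed inline (names such as udpconmain.exe and miner.exe are taken from the post, game.exe stands in for a "heavy" application), and in practice the rows would come from psutil or the Windows performance counters.

```python
# Added example (not from the original post): flag miner-like processes from
# CPU samples. Input is constructed inline; live data would come from psutil
# or the Windows performance counters.
from collections import defaultdict

HEAVY_APPS = {"game.exe"}        # stands in for the post's "heavy" applications

def build_samples():
    """Constructed sample: (tick, process, cpu%). Ticks 4-7 have a game open."""
    rows = []
    for t in range(12):
        game_open = 4 <= t <= 7
        rows.append((t, "explorer.exe", 3.0))
        rows.append((t, "chrome.exe", 25.0 if t % 2 else 12.0))
        rows.append((t, "udpconmain.exe", 95.0))                   # greedy miner
        rows.append((t, "miner.exe", 6.0 if game_open else 88.0))  # backs off
        if game_open:
            rows.append((t, "game.exe", 90.0))
    return rows

def flag_miners(samples, high=70.0, min_share=0.8, throttle=0.3):
    """Return {process: [reasons]} for processes that behave like miners."""
    ticks = {t for t, _, _ in samples}
    heavy_ticks = {t for t, p, _ in samples if p in HEAVY_APPS}
    by_proc = defaultdict(lambda: {"idle": [], "heavy": []})
    for t, p, cpu in samples:
        by_proc[p]["heavy" if t in heavy_ticks else "idle"].append(cpu)
    findings = {}
    for proc, s in by_proc.items():
        if proc in HEAVY_APPS:
            continue
        reasons = []
        # Rule 1: high CPU in most of the observation window (absent == 0%).
        n_high = sum(c >= high for c in s["idle"] + s["heavy"])
        if n_high / len(ticks) >= min_share:
            reasons.append("sustained high CPU")
        # Rule 2: busy while the machine is quiet, but drops sharply as soon
        # as a heavy app appears: the evasion the quoted article describes.
        idle_avg = sum(s["idle"]) / len(s["idle"]) if s["idle"] else 0.0
        heavy_avg = sum(s["heavy"]) / len(s["heavy"]) if s["heavy"] else None
        if heavy_avg is not None and idle_avg >= high and heavy_avg <= throttle * idle_avg:
            reasons.append("throttles when a heavy app runs")
        if reasons:
            findings[proc] = reasons
    return findings

if __name__ == "__main__":
    for proc, why in flag_miners(build_samples()).items():
        print(f"{proc}: {', '.join(why)}")
```

Rule 1 alone misses the miner that backs off (it is busy in only 8 of 12 ticks), which is why the second rule compares load with and without a heavy application present.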

    How many miners are being created? Let's take a random date on updates.drweb.com.

    On the chosen date Android did not get the virus writers' attention, so let's take an example from the news:
    The Android miners Android.CoinMine.1.origin and Android.CoinMine.2.origin, designed for mining the virtual currencies Litecoin, Dogecoin and Casinocoin, were distributed by cybercriminals in popular applications modified by them and activated at times when the mobile device was not being used by its owner. Since these malicious programs actively used the hardware resources of infected smartphones and tablets, this could cause them to overheat, accelerate battery drain and even result in financial losses for users due to the Trojans' excessive consumption of Internet traffic. And in April 2014, new versions of these Trojans appeared, which were discovered in the Google Play catalog and were intended for mining the Bitcoin cryptocurrency. These malicious applications lurked in harmless "live wallpapers" and also began their illegal activities if the infected mobile device was not used for a certain time.


    An example of a miner for Linux can be found here.

    How are miners distributed?

    By all the means used to spread malware. A couple of examples:

    Through a hacked site
    Attackers placed web pages on the VTsIOM server from which visitors were offered to download a malicious program disguised as various "useful" files.
    Both the Russian-language (wciom.ru) and the English-language (wciom.com) versions of the VTsIOM official website were hacked. Cybercriminals created a special section on the compromised server, which hosted web pages with headlines that are very popular according to search engine statistics: for example, "new-teams-khl-2015-2016", "download-book-metro-2035-in-format-fb2", "catalogs-avon-12-2015-view-online-free-russia-flipping", "traffic-jams-on-the-track-m4-don-today-online", "download-adblock", etc. When trying to open such a link in a browser window, the user was shown a fake web page of the popular file storage service "Yandex.Disk" or a web page with the title WCIOM.RU, on which a potential victim was offered to download an archive allegedly with some "useful" content, for example,

    Network scan:

    Trojan.BtcMine.737 lists the computers available in the network environment and tries to connect to them, trying usernames and passwords from a special list at its disposal. In addition, the malware tries to find the password for the local Windows user account. If this succeeds, Trojan.BtcMine.737, given the necessary hardware, launches an open WiFi access point on the infected computer. If the malware manages to access one of the computers on the local network, an attempt is made to save and run a copy of the Trojan on it, either using Windows Management Instrumentation (WMI) or using the task scheduler.

    How common are miners?

    In total, miners account for about 0.3 of everything caught in a month. Not every month, but periodically, miners make it into the top of the most common malware.

    In summary:

    1. Miners are a legitimate target for antiviruses, and if there are signatures and rules, they are detected and removed.
    2. Any malware is detected and removed by the antivirus only if there are rules / signatures. Since miners like to build botnets, they are guaranteed to end up in the hands of analysts.
    3. Antivirus is not a panacea or a silver bullet. Therefore, do not neglect other protection methods, such as restricting user privileges.

    I hope this was interesting; if there are questions, I will try to answer them.

    Update. Are there miners that are not greedy and do not take all the resources for themselves? And if so, can they be detected? Yes, there are such miners; however, their presence still shows up as slowdowns, small ones, but slowdowns: lag when starting programs, at unexpected moments. So if the computer has started to lag more than usual:
    1. Update your antivirus and check your system. It seems ridiculous, but a huge number of people have outdated databases.
    2. If the databases are fresh, download another antivirus and check with it.
    3. Check for unknown processes and system services. As a rule, the miner does not bother to disguise itself, and its services / processes are visible. Example

    And I recommend that you keep track of what is trying to get online.

    Update2. Are there miners whose processes are not visible? A few, but yes ... The miner selects an existing system service in netsvcs, replaces the service file, restores the time attributes and starts the service ... But there is no perfection in the world: it was detected by the processor load.

    Apart from a behavioral analyzer that tracks changes to protection measures, there is hardly any other way. Plus, of course, control over everything that is newly launched.
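Because the miner in Update2 puts the file's time attributes back, a check that only compares timestamps against a baseline will see nothing; a baseline of content hashes still catches the swap. The following is an added example, not code from the original post: it simulates the replacement on a throwaway file in a temporary directory (the service name svc_a and the file contents are constructed) and reports what each kind of check notices.

```python
# Added example (not from the original post): why a baseline of file hashes
# catches a replaced service binary when a timestamp check does not. Uses
# a throwaway file in a temp dir instead of real netsvcs service binaries.
import hashlib
import os
import tempfile

def fingerprint(path):
    """(mtime, sha256) of a file: the two things a baseline might record."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return os.stat(path).st_mtime, digest

def check_baseline(baseline, current):
    """Compare per-service fingerprints; report what each method notices."""
    report = {}
    for svc, (old_mtime, old_hash) in baseline.items():
        new_mtime, new_hash = current[svc]
        report[svc] = {
            "mtime_check": new_mtime != old_mtime,   # fooled by restored times
            "hash_check": new_hash != old_hash,      # content cannot be faked
        }
    return report

def demo():
    """Simulate the swap from Update2 with the time attributes put back."""
    with tempfile.TemporaryDirectory() as d:
        svc_path = os.path.join(d, "svc_a.dll")          # constructed name
        with open(svc_path, "wb") as f:
            f.write(b"original service code (constructed)")
        baseline = {"svc_a": fingerprint(svc_path)}      # taken on a clean host
        st = os.stat(svc_path)
        with open(svc_path, "wb") as f:
            f.write(b"replacement with miner payload (constructed)")
        os.utime(svc_path, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore times
        current = {"svc_a": fingerprint(svc_path)}       # taken during the check
    return check_baseline(baseline, current)

if __name__ == "__main__":
    print(demo())
```

The same comparison works for any list of service binaries as long as the baseline was taken while the host was known to be clean.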
