On cryptomining Trojans

Posted by lipsius at 2020-03-05

Shandong New Trend Information


Statement: this is an original article by the Tide security team; please credit the source when reprinting. The techniques, ideas and tools discussed in this article are for learning and exchange on security topics only. Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences themselves.

I. Overview

Mining Trojans are by now a familiar threat: when servers are compromised, most of them end up with a mining Trojan implanted. A report on mining Trojans covering the first half of 2019 counted about 60,000 new samples per day, and mining Trojans have become the mainstay of the criminal virus and Trojan economy. So why are mining Trojans so popular? What return is driving so many attackers to break the law and take the risk of breaking into other people's servers to plant them?

II. Proceeds from mining

At present almost all trade on the Internet relies on financial institutions as a trusted third party to process electronic payments. That model is limited by its dependence on trust, and completely non-reversible transactions are not really possible under it. Bitcoin's creator, Satoshi Nakamoto, proposed an electronic payment system based on cryptographic proof instead of trust, in which any two willing parties can pay each other directly without a third-party intermediary. A bitcoin is, in effect, a chain of digital signatures: each owner transfers the coin to the next by signing a hash of the previous transaction together with the public key of the next owner, and appending that signature to the coin.

A bitcoin address is just a string, and a bitcoin transaction is a transfer from one address to another. The transaction record is public: how many bitcoins each address holds can be looked up by anyone, and the address alone is enough to query the balance and transaction history of the account behind it.

When two accounts transact, the payer references the hash of the previous transaction that gave them the coins, specifies the addresses of both parties, supplies their own public key, and signs the transaction with their private key. The private key itself is never transmitted; the public key lets everyone else verify the signature. (The original post illustrates the flow with a figure that is not reproduced here.)

Once the transaction has been verified as genuine, its data must be written into a block; only then is the transaction settled. Writing blocks is the miners' job. Under the Bitcoin protocol a block is about 1 MB and a typical transaction about 500 bytes, so a block holds on the order of 2,000 transactions. Miners pack these transactions into a block and compute the block's hash; this is the "accounting". Nakamoto designed the system so that a block is produced roughly every 10 minutes. To make the computation hard, proof of work was introduced: a random number (nonce) is added to the block so that the block's hash begins with a required number of zero bits. Miners try one nonce after another until they find one that works, and this search is the proof-of-work mechanism.

In practice mining means solving one computational puzzle: compute sha256(sha256(previous block hash, transaction set, nonce)), changing the nonce over and over until, after a huge number of attempts, a hash that meets the target is found. A SHA-256 hash is 256 bits, normally displayed as 64 hexadecimal digits, and each hex digit has 16 possible values. The probability that the first hex digit is 0 is therefore 1 in 16; two leading zeros need about 16^2 = 256 attempts; and a block whose hash starts with 19 zero hex digits (76 zero bits) needs about 16^19, roughly 7.5 x 10^22, attempts on average.
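The search described above, as an added example that is not code from the original post: double SHA-256 over (previous block hash, transaction set, nonce), trying nonces until the hash starts with the required number of zero hex digits, plus the one-hash verification that makes the work a usable proof. The block layout is a simplification (a joined string instead of Bitcoin's 80-byte header, a plain hash of the transaction list instead of a Merkle root), and the previous hash and transactions are constructed sample data.

```python
"""Toy proof of work: double SHA-256 over (prev hash, tx set, nonce).

Added illustration, not code from the original post. Simplifications:
the "header" is a '|'-joined string rather than Bitcoin's 80-byte header,
and tx_set_hash() is a plain hash of the transaction list, not a Merkle root.
"""
import hashlib
import time


def double_sha256(data):
    """Bitcoin's hash: SHA-256 applied twice, returned as 64 hex digits."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def tx_set_hash(txs):
    """Stand-in for the Merkle root: one hash over the whole transaction set."""
    return double_sha256("\n".join(txs).encode())


def block_hash(prev_hash, txs_hash, nonce):
    """Hash of the simplified block header for a given nonce."""
    return double_sha256("{}|{}|{}".format(prev_hash, txs_hash, nonce).encode())


def expected_tries(leading_zero_hex_digits):
    """Each required leading zero hex digit multiplies the expected work by 16;
    19 leading zeros is 16**19, about 7.5e22 attempts."""
    return 16 ** leading_zero_hex_digits


def mine(prev_hash, txs, difficulty, max_tries=10_000_000):
    """Try nonces 0, 1, 2, ... until the block hash has `difficulty` leading
    zero hex digits. Returns (nonce, hash, tries), or None if max_tries runs
    out (a real miner would then alter the block contents and continue)."""
    target = "0" * difficulty
    txs_hash = tx_set_hash(txs)          # fixed for this block: hash it once
    for nonce in range(max_tries):
        h = block_hash(prev_hash, txs_hash, nonce)
        if h.startswith(target):
            return nonce, h, nonce + 1
    return None


def verify(prev_hash, txs, nonce, difficulty):
    """Checking a solution costs one hash; finding it costs ~16**difficulty.
    That asymmetry is what makes the work a usable proof."""
    return block_hash(prev_hash, tx_set_hash(txs), nonce).startswith("0" * difficulty)


# Constructed sample data: there is no real previous block and no real payments.
GENESIS_PREV = "0" * 64
SAMPLE_TXS = ["alice->bob:0.50000000", "carol->dave:1.25000000", "erin->frank:0.00010000"]


if __name__ == "__main__":
    for difficulty in (2, 3, 4):
        t0 = time.perf_counter()
        nonce, h, tries = mine(GENESIS_PREV, SAMPLE_TXS, difficulty)
        secs = time.perf_counter() - t0
        print("difficulty {}: nonce={} tries={} (expected ~{}) {:.3f}s {}".format(
            difficulty, nonce, tries, expected_tries(difficulty), secs, h))
        assert verify(GENESIS_PREV, SAMPLE_TXS, nonce, difficulty)
    print("19 leading zero hex digits: ~{:.2e} tries".format(expected_tries(19)))
```

Run it and the number of tries grows about sixteen-fold per extra zero digit, while verify() always costs a single hash; at real Bitcoin difficulty the same loop would take a single CPU far longer than the age of the universe, which is why the attacker wants thousands of other people's CPUs.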

Once a satisfying hash is found and the block is appended to the chain, the mining has succeeded and the reward for the whole block goes to the finder. Because the required computing power is so large, most miners now join a mining pool: they contribute hash rate to the pool and share the proceeds in proportion to their contribution. This also explains what is seen on machines implanted with a mining Trojan: CPU usage and power consumption jump suddenly, and when the Trojan is analysed, details of the pool it reports to turn up in the sample.

The Bitcoin protocol rewards the miner who finds a new block with a subsidy that started at 50 bitcoins (when the network launched in 2009) and halves every 210,000 blocks, roughly every four years; at the time of writing (2019) it is 12.5 bitcoins. Because a bitcoin is divisible only to eight decimal places, the subsidy rounds down to zero after about 33 halvings, around the year 2140. From then on no new bitcoins are created, the total supply stops at about 21 million, and miners' income comes entirely from transaction fees.

The current bitcoin price is around 8,000 US dollars, more than 50,000 yuan per coin. That is a considerable sum, which is why mining remains so attractive.

III. How mining Trojans spread

Many mining Trojans are no longer as crude as they once were, when the malicious process could be spotted directly with top, netstat and similar commands. Current samples use various hiding techniques to conceal the mining process and survive longer on the host, and the infection vectors are just as varied.

1. Vulnerability exploitation

Windows system vulnerabilities; vulnerabilities in server components and plug-ins, middleware and web applications; and weak passwords on Redis, SSH, RDP (3389), MSSQL, IPC$ and similar services. The attacker uses a system vulnerability or a weak password to take control of the server quickly and then implants the mining Trojan.

2. Use of the leaked NSA tools

Part of the Equation Group's arsenal of cyber-weapons has been made public, including tools able to exploit remotely an estimated 70% of the world's Windows systems: EternalBlue, EternalChampion, EternalRomance, EternalSynergy, EmeraldThread, ErraticGopher, EskimoRoll, EducatedScholar, EclipsedWing and EsteemAudit. Attackers use these tools to scan for and exploit vulnerable hosts in bulk, turning them into bots and planting mining Trojans on them so that they contribute hash rate.

3. Fileless mining

By embedding a PE loader in PowerShell, a mining attack can be carried out "filelessly": the Trojan never lands on disk and runs directly inside the powershell.exe process. Because the malicious code executes inside a trusted, signed process, it is harder to detect and to clean up.

4. Drive-by mining from web pages

A website embeds mining JavaScript in its pages. As soon as a visitor opens such a site the script runs automatically and, in some variants, downloads further malware. Some systems also carry high-risk Flash vulnerabilities, which attackers exploit to make the computer run mining code without any user action.

5. Aggressive mining viruses

360 discovered a fast-spreading mining hijacker, WinstarNssmMiner. What makes it unusual is that removing it crashes the victim's computer. WinstarNssmMiner first starts an svchost.exe process and injects its code into it, then marks that process as a critical process. Because Windows treats a critical process as essential, forcibly ending it triggers a blue screen. In practice this means the process should not simply be killed from Task Manager: remove its persistence first and then reboot, rather than terminating the injected process on a running system.

6. Clipboard hijacking

Because a bitcoin address is long, many people save it locally for convenience, and many mining Trojans also include a clipboard-hijacking function: they watch the victim host's clipboard for a bitcoin transaction and swap the receiving wallet address for the attacker's own, stealing the victim's funds. The substitute address is itself a valid address, so nothing looks wrong unless the user compares what was pasted with what was copied.
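The substitution and the check that catches it, as an added example that is not code from the original post. The two addresses are constructed here by base58check-encoding made-up 20-byte hashes, so they are valid in form but belong to nobody; the "clipboard" is an ordinary string standing in for the operating-system clipboard. Only legacy base58 addresses (prefix 1 or 3) are handled; bech32 (bc1...) addresses are outside this example.

```python
"""Clipboard hijacking of bitcoin addresses, and the check that catches it.

Added illustration, not code from the original post. Addresses are
constructed (made-up hash160 values); the clipboard is a plain string.
"""
import hashlib
import re

# Bitcoin's base58 alphabet: no 0, O, I or l, to avoid visual confusion.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version, payload):
    """version byte + payload + 4-byte double-SHA-256 checksum, in base58."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # each leading zero byte becomes a leading '1' (why P2PKH addresses start with 1)
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def base58check_decode(addr):
    """Return (version, payload), or None if a character is invalid or the
    checksum does not match (a typo or a corrupted address)."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_ones + body
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[0], raw[1:-4]


def is_valid_legacy_address(addr):
    """Checksum-valid P2PKH (version 0x00, prefix '1') or P2SH (0x05, prefix '3')."""
    decoded = base58check_decode(addr)
    return decoded is not None and decoded[0] in (0x00, 0x05) and len(decoded[1]) == 20


# Shape of a legacy address anywhere in free text.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def hijack(clipboard_text, attacker_addr):
    """What the Trojan does whenever the clipboard changes: rewrite any
    legacy bitcoin address it finds to the attacker's address."""
    return ADDRESS_RE.sub(attacker_addr, clipboard_text)


def clipboard_was_tampered(intended_addr, pasted_text):
    """The check that catches it: compare the pasted address with the one you
    meant to pay. A checksum alone does not help, because the attacker's
    address is a perfectly valid address too."""
    return ADDRESS_RE.findall(pasted_text) != [intended_addr]


# Constructed demo addresses (made-up hash160 values, not real wallets).
PAYEE_HASH160 = hashlib.sha256(b"payee public key, constructed").digest()[:20]
ATTACKER_HASH160 = hashlib.sha256(b"attacker public key, constructed").digest()[:20]
VICTIM_PAYEE = base58check_encode(0x00, PAYEE_HASH160)
ATTACKER = base58check_encode(0x00, ATTACKER_HASH160)


def demo():
    """Victim copies the payee's address; the Trojan rewrites the clipboard;
    the pasted address passes every format check yet is not the payee's."""
    clipboard = "Send to " + VICTIM_PAYEE + " by Friday"
    clipboard = hijack(clipboard, ATTACKER)
    pasted = ADDRESS_RE.findall(clipboard)[0]
    return {
        "pasted": pasted,
        "looks_valid": is_valid_legacy_address(pasted),
        "tampered": clipboard_was_tampered(VICTIM_PAYEE, clipboard),
    }


if __name__ == "__main__":
    print("intended :", VICTIM_PAYEE)
    print("attacker :", ATTACKER)
    print(demo())
```

The point of the demo is the "looks_valid" result: wallet software that only validates the checksum accepts the swapped address, so the only reliable defence on the user's side is to compare the pasted address against the intended one (at least the first and last few characters) before confirming the payment.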

7. Public Wi-Fi

Earlier it came to light that the public Wi-Fi at a Starbucks was being used for mining. The attackers had compromised the Wi-Fi provider and embedded mining code in the Wi-Fi login page, so that users ran the mining code as soon as they connected.

IV. Prevention suggestions

1. Be disciplined online: do not download software or tools from unknown sources.
2. Install system patches promptly and fix vulnerabilities in system applications, middleware, components, plug-ins and the like.
3. Strengthen the password policy: increase password complexity, change passwords regularly, and enable login-failure handling (lockout) on the relevant services.

The Tide security team was formally established in January 2019. It is a security team under New Trend Information, dedicated to research on Internet attack and defence techniques. It currently brings together more than ten professional attack-and-defence researchers, focusing on network attack and defence, web security, mobile, secure development, IoT and industrial control security, and related areas.

For more from the Tide security team, visit the team's official website or scan the QR code to follow the official account.