منذ اطلاقها الشهر الماضي، توجهت انظار المحتالين والقراصنة الى العملة الرقمية zcash، لجني الارباح عن طريق اصابة حواسيب الضحايا ببرامج خبيثة لتحويل امكانيات هذه الحواسيب المصابة الى اجهزة تعدين لصالحهم.
وللتذكير فقد جذبت عملة zcash العديد من المعدنيين والمستثمرين بالاضافة الى القراصنة حيث وصل سعر العملة في الساعات الاولى لحوالي 30 الف دولار وهو سعر لم يسبق لعملة رقمية ان وصلت اليه.
On 28 October, the cryptocurrency world saw the emergence of a new player, the Zcash (ZEC) cryptocurrency. Its developers have described it rather figuratively: “If Bitcoin is like HTTP for money, Zcash is HTTPS.” They continue by noting that “unlike Bitcoin, Zcash transactions can be shielded to hide the sender, the recipient and value of all transactions.”
The cryptocurrency market has been looking for this level of anonymity for a while now, so ZEC has attracted considerable interest from investors, miners and cybercriminals alike. Several major cryptocurrency exchanges were quick to offer support for the new currency.
Zcash got off to a flying start; within the first few hours, 1 ZEC reached $30,000. It should be pointed out, however, that there were only a few dozen coins in existence at that time, so the actual turnover was very low.
In the following days, ZEC’s value steadily declined against Bitcoin. At the time of writing, it had leveled out temporarily at 0.07 – 0.01 ZEC/BTC (around $70). Despite this dramatic drop from the initial values (which was anticipated), Zcash mining remains among the most profitable compared to other cryptocurrencies.
ووفقا لمصادر امنية خاصة، فقد تم الكشف عن العديد من البرمجيات الخبيثة في عدد هائل من حواسيب المستخدمين، هذه البرامج كانت مثبتة بدون علم المستخدمين ولم تستطع برامج مكافحة الفيروسات ان تتعرف عليها لانها ببساطة لمن تكن برامج خبيثة في حد ذاتها . حيث ان هاته البرمجيات تكون مدمجة كاضافات مع برامج اخرى وبمجرد التثبيت يتم استعمال امكانيات عتاد الحاسوب المصاب.
Ranking of cryptocurrency mining profitability, as reported by the CoinWarz website
This has led to the revival of a particular type of cybercriminal activity – the creation of botnets for mining. A few years ago, botnets were created for bitcoin mining, but the business all but died out after it became only marginally profitable.
In November, we recorded several incidents where Zcash mining software was installed on users’ computers without permission. Because these software programs are not malicious in themselves, most anti-malware programs do not react to them, or detect them as potentially unwanted programs (PUP). Kaspersky Lab products detect them as not-a-virus:RiskTool.Win64.BitCoinMiner.
Cybercriminals use rather conventional ways to distribute mining software – they are installed under the guise of other legitimate programs, such as pirated software distributed via torrents. So far, we have not seen any cases of mass-mailings or vulnerabilities in websites being exploited to distribute mining software; however, provided mining remains as profitable as it is now, this is only a matter of time. The software can also be installed on computers that were infected earlier and became part of a for-rent botnet.
The most popular mining software to date is nheqminer from the mining pool Micemash. It has two known variations: one earns payments in bitcoins, the other in Zcash. Both are detected by Kaspersky Lab products, with the respective verdicts not-a-virus:RiskTool.Win64.BitCoinMiner.bez and not-a-virus:RiskTool.Win64.BitCoinMiner.bfa.
Ranking of cryptocurrency mining profitability, as reported by the CoinWarz website
This has led to the revival of a particular type of cybercriminal activity – the creation of botnets for mining. A few years ago, botnets were created for bitcoin mining, but the business all but died out after it became only marginally profitable.
In November, we recorded several incidents where Zcash mining software was installed on users’ computers without permission. Because these software programs are not malicious in themselves, most anti-malware programs do not react to them, or detect them as potentially unwanted programs (PUP). Kaspersky Lab products detect them as not-a-virus:RiskTool.Win64.BitCoinMiner.
Cybercriminals use rather conventional ways to distribute mining software – they are installed under the guise of other legitimate programs, such as pirated software distributed via torrents. So far, we have not seen any cases of mass-mailings or vulnerabilities in websites being exploited to distribute mining software; however, provided mining remains as profitable as it is now, this is only a matter of time. The software can also be installed on computers that were infected earlier and became part of a for-rent botnet.
The most popular mining software to date is nheqminer from the mining pool Micemash. It has two known variations: one earns payments in bitcoins, the other in Zcash. Both are detected by Kaspersky Lab products, with the respective verdicts not-a-virus:RiskTool.Win64.BitCoinMiner.bez and not-a-virus:RiskTool.Win64.BitCoinMiner.bfa.
الحواسيب المصابة تشكل شبكة تعدين لصالح مبرمجي هاته الاداة ترسل لهم الارباح اليومية الى محفظتهم الخاصة، ولكي لايتم اثارة الانتباه تمت برمجة الاداة لكي تستعمل جزء من امكانيات CPU و GPU للحاوسيب المصابة وبالتالي لاتتشنج الاجهزة.
All that cybercriminals need to do to start profiting from a mining program on infected computers is to launch it and provide details of their own bitcoin or Zcash wallets. After that, the “coin mining” profit created by the pool will be credited to the cybercriminals’ addresses, from where it can be withdrawn and exchanged for US dollars or other cryptocurrencies. This is what allows us to ‘snoop’ on some of the wallets used by cybercriminals. Here’s just one example:
All that cybercriminals need to do to start profiting from a mining program on infected computers is to launch it and provide details of their own bitcoin or Zcash wallets. After that, the “coin mining” profit created by the pool will be credited to the cybercriminals’ addresses, from where it can be withdrawn and exchanged for US dollars or other cryptocurrencies. This is what allows us to ‘snoop’ on some of the wallets used by cybercriminals. Here’s just one example:
Using a wallet’s address, we can find out how much money arrived and from which source (i.e. the mining pool) (https://explorer.zcha.in/accounts/t1eVeeBYfPPLgonvi1zk8e9SnrhZdoCBAeM)
وتجدر الاشارة انها ليست المرة الاولى التي يتم فيها استغلال حواسيب الغير في تعدين العملات الرقمية حيث سبق ان قامت شركة utorrent الغنية عن التعريف السنة الماضية بدمج اداة خاصة بتعدين البيتكوين ولكن لكي تجعل الامر اكثر قانونية قامت بوضع رسالة تنبيهية تطلب من المستخدمين بالموافقة على تثبيت برمجية خفيفة الحجم EpicScale تسمح باستغلال امكانيات الحاسوب لتعدين العملة الرقمية بيتكوين لصالح منظمة اجتماعية تدعمها utorrent، بالنسبة لمن لايعرف العملة الرقمية وهم كثر قاموا بالموافقة على ذلك، لكن بعد ان قامت العديد من المدونات بالتطرق لهذا الامر قامت utorrent بعمل تحديث وقامت بالغاء تلك الخاصية.
We see that the address was created on 31 October, just a couple of days after Zcash launched, and payments are still being made to it at the current time. You may be wondering what happened to the promised anonymity. Actually, there are two types of wallets in Zcash: completely private purses (z-address) and public wallets like that shown above (t-address). At the current time, the completely private wallets are not very popular (they are not supported by exchanges), and are only used to store around 1% of all existing Zcash coins.
We found approximately 1,000 unique users who have some version of the Zcash miner installed on their computers under a different name, which suggests these computers were infected without their owners’ knowledge. An average computer can mine about 20 hashes per second; a thousand infected computers can mine about 20,000 hashes a second. At current prices, that equals about $6,200 a month, or $75,000 a year in net profits.
Here are just a few real-life examples of the names used by these program and where they are installed on infected computers:
diskmngr.exe
mssys.exe
C:\system\taskmngr.exe
system.exe
nsdiag.exe
taskmngr.exe
svchost.exe
C:\Users\[username]\AppData\Roaming\MetaData\mdls\windlw\mDir_r\rhost.exe
qzwzfx.exe
C:\Users\[username]\AppData\Local\Temp\afolder\mscor.exe
C:\Program Files\Common Files\nheqminer64.exe
C:\Windows\Logs\Logsfiles64\conhost.exe
apupd.exe
As you can see, the names of many mining programs coincide with those of legitimate applications, but the installation location is different. For instance, the legitimate Windows Task Manager app (taskmgr.exe) should be located in the system folder C:\Windows\System32 and not in C:\system.
To ensure that the mining program is launched each time the operating system starts, the necessary records are added either to Task Scheduler or to the registry auto-run keys. Here are some examples of these records:
Task Scheduler\Microsoft\Windows Defender\Mine
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Miner
A couple of detected websites distributing mining programs:
http://execsuccessnow[.]com/wp-includes/m/nheqminer.exe
https://a.pomf[.]cat/qzwzfx.exe
Additional DLLs are required for the mining program to work. These DLLs, shown below, are installed along with the mining program.
cpu_tromp_AVX.dll
cpu_tromp_SSE2.dll
cudart64_80.dll
cuda_tromp.dll
logsetuplib.dll
msvcp120.dll
msvcr120.dll
So, what are the threats facing a user who is unaware that their computer is being used for cryptocurrency mining?
Firstly, these operations are power hungry: the computer uses up a lot more electricity, which, in some countries, could mean the user ends up with a hefty electricity bill.
Secondly, a mining program typically devours up to 90% of the system’s RAM, which dramatically slows down both the operating system and other applications running on the computer. Not exactly what you want from your computer.
To prevent the installation of mining programs, Kaspersky Lab users should check their security
products and make sure detection of unwanted software is enabled.