A couple of weeks ago I had to deal with a piece of malware that had infected some workstations. The malware itself was pretty lame: it was spreading via USB flash drives by hiding the contents of the drive, creating a bunch of malicious executables camouflaged with folder icons and naming them after legitimate folders already existing on the drive. A common trick, and one of the reasons you should always have the “Show extensions” option activated on Windows systems.
Upon execution the malware replicates itself to the C:\Users\*Username*\AppData\Roaming folder as sys32.exe along with a copy of abab32.exe, while it adds a registry entry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to make sure it is executed every time the user logs on. According to VirusTotal both files are suspicious: a 28/47 detection rate for sys32.exe and 10/46 for abab32.exe. Sys32.exe definitely qualifies as malware (it sneaks two executables into the system, adds entries to the registry, camouflages itself as a folder and so on) and the fact that major antivirus and antimalware software like ESET-NOD32, Microsoft Essentials and MalwareBytes failed to detect it is quite disappointing. On the other hand, abab32.exe is not malware, despite being detected as such by 10 AV products. This particular executable is actually jgarzik’s CPU miner (minerd.exe), a legitimate Bitcoin miner that, in this case, was used for malicious purposes.
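The two behaviours above (folder-icon lookalikes on the drive and the per-user Run key entry pointing into AppData\Roaming) are easy to check for. Below is an added Python triage script, written for this edit and not code from the original post or from the malware itself. The set of executable extensions, the sample directory listing and the sample Run key values are assumptions constructed for illustration; the script reads the real HKCU Run key only when run on Windows and takes a drive path as its argument for a live scan.

```python
import os
import stat
import sys

# Extensions a folder-icon lookalike would realistically carry (assumption,
# not taken from the sample described in the post).
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def lookalikes_in_listing(dirnames, filenames):
    """Pure check on one directory listing: return (file, folder) pairs where an
    executable's stem equals a sibling folder name. Matching is case-insensitive
    because the trick targets Windows file systems."""
    folders = {d.lower(): d for d in dirnames}
    pairs = []
    for f in filenames:
        stem, suffix = os.path.splitext(f)
        if suffix.lower() in EXEC_SUFFIXES and stem.lower() in folders:
            pairs.append((f, folders[stem.lower()]))
    return pairs


def is_hidden(path):
    """Hidden attribute on Windows; dotfile convention on other platforms."""
    st = os.stat(path)
    if hasattr(st, "st_file_attributes"):
        return bool(st.st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def scan_drive(root):
    """Walk a mounted drive; return (exe_path, folder_path, folder_is_hidden)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for exe, folder in lookalikes_in_listing(dirnames, filenames):
            folder_path = os.path.join(dirpath, folder)
            hits.append((os.path.join(dirpath, exe), folder_path, is_hidden(folder_path)))
    return hits


def _norm(p):
    """Strip quotes, unify slashes and case so paths compare like Windows does."""
    return p.strip().strip('"').replace("/", "\\").lower()


def suspicious_run_entries(entries, roaming_dir):
    """entries: (value_name, command) pairs from a Run key. Flags commands whose
    target lives under the user's AppData\\Roaming, where sys32.exe was dropped.
    roaming_dir is passed in so the check also works off-line on saved data."""
    roaming = _norm(roaming_dir).rstrip("\\") + "\\"
    return [(name, cmd) for name, cmd in entries if _norm(cmd).startswith(roaming)]


def read_hkcu_run():
    """Enumerate HKCU\\...\\Run on Windows; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# Constructed sample data (not captured from the infected machines) so the
# checks can be exercised without a USB drive or a Windows registry at hand.
SAMPLE_DIRNAMES = ["Photos", "Thesis", "System Volume Information"]
SAMPLE_FILENAMES = ["Photos.exe", "Thesis.exe", "readme.txt", "setup.exe"]
SAMPLE_ROAMING = r"C:\Users\alice\AppData\Roaming"
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("sys32", r'"C:\Users\alice\AppData\Roaming\sys32.exe"'),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live scan, e.g.: python triage.py E:\
        for exe, folder, hidden in scan_drive(sys.argv[1]):
            print(f"LOOKALIKE {exe} -> folder {folder} (hidden={hidden})")
        for name, cmd in suspicious_run_entries(read_hkcu_run(), os.path.expandvars("%APPDATA%")):
            print(f"RUN-KEY {name}: {cmd}")
    else:  # dry run on the constructed sample
        print(lookalikes_in_listing(SAMPLE_DIRNAMES, SAMPLE_FILENAMES))
        print(suspicious_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_ROAMING))
```

The listing check is kept separate from the file-system walk so it can be run against a saved `dir` listing from a drive that is no longer at hand; on a live drive, a lookalike whose matching folder is also hidden is the pattern described above and worth pulling for analysis.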
Long story short, I got rid of the malicious software by simply deleting the aforementioned executables, but out of curiosity I kept a couple of samples for further investigation. When I started digging, I wasn’t expecting to find that much.
While scrolling through the disassembled code and checking for anything interesting, the first thought that came to mind was “Great, you’re mining bitcoins. Shouldn’t you report back to someone about all this mining? How do you do that?” And I came across this function: a no-ip.org domain called imsos0rry.no-ip.org listening on port 8332 (the default bitcoind JSON-RPC port) and a miner under the username “aprovos”, accompanied by a strangely familiar password: “yparxw22”. The password seems to be Greeklish for “I exist 22”. So I guess a fellow Greek was (is?) trying to take his share of the pie in the ever-growing market of botnets. In a pretty pathetic way, may I add.
Google’s index is always a good way to start a mini investigation. A simple query for the username of the miner leads to a couple of interesting results (photo on the left): two forum profiles related to Bitcoin, one on Bitcointalk with zero posts and another on Litecoin, this time with a single post under its belt. You have to be a registered member to view his profile. This post, as you can see, was made in the “Projects Development” subforum on 30/04/13 and was edited in a pretty suspicious way three days later. So, someone was developing something...
Checking on Bitcointalk led nowhere, as the user had zero posts there. But I came across the moderator of the Greek section of the forum, Andreas (@aantonop), who is also co-host of the Let’s Talk Bitcoin! podcast, and he was willing to help however he could. I was hoping to add some extra clues regarding aprovos’ account, but unfortunately Andreas doesn’t have full access to that kind of information, and the administrator of the site declined to cooperate since the malware didn’t spread via the BitcoinTalk forums. Nonetheless, hats off to Andreas.
Let’s get back to the Greeklish password of the miner. Since it’s pretty decent proof that the guy is actually Greek, which is also mentioned on his Litecoin profile page, I tweaked the Google query a bit: “site:gr aprovos”. This way Google will only return results originating from Greek domains.
And I got pretty much everything about the guy, in plain sight for everyone to see. Give it a shot. Real name, cell phone number, an estimated address, email, Skype, occupation, a couple of ads he put on a Greek forum selling -amongst other things- a …USB drive:)
And since some of these Google results may conveniently disappear, no worries, I have everything backed up.
Keep in mind also that imsos0rry.no-ip.org was no longer valid by the time I got my hands on this piece of malware. As a precaution I registered the domain, just in case there are bots mining bitcoins under this particular username and the guy decides to get back into the stealing business. To paraphrase your choice of domain name: I’m so not sorry, you need to update your malware.
You may have noticed that at the beginning of this post the adjective I used when referring to it was “lame”. Here’s why:
- In an era where the holy grail of the internet underground economy is stealthy malware (Zeus, Citadel, SpyEye, Carberp, etc.) that can be advanced enough to bypass two-factor authentication and still gets caught by AV vendors, you should never be that greedy. Occupying 50% of CPU cycles at all times (the halfCPU function) is going to get some attention, even from people who use their computers just to log in to their Facebook account. Your trick of putting the miner on hold when Task Manager is running (the findTaskMgr function) might buy you some time, but still, greed remains a sin, even for “l33t hack3rs”.
- Trying to trick the AVG and Avast! antivirus products (the runProc function) by playing around with Windows Forms was probably one of the things that drew their attention and got you blacklisted. Again, when malware sophisticated enough to remove other malware already residing on the system, for its own benefit, still gets caught, do window and taskbar tricks sound like a good way to go for evasion?
- Using 0.0.0.0 as the version of sys32.exe is probably not a sign of legitimate software.
- Do I need to mention that you should never, ever embed incriminating evidence that can lead back to you in a piece of software you plan to use for malicious purposes?
Before this was posted, I exchanged lots of emails with Andreas, discussing, amongst other things, ways to discourage this kind of behaviour. As he mentioned -and I agree- this is definitely not acceptable and it’s in violation of US law, at least. I have no idea if this is punishable under Greek law and, if so, I will be pessimistic and bet that it’s pretty low on their priority list. I’m open to suggestions though. By the way, Andreas thought that this is a newsworthy post and interviewed me yesterday for Let’s Talk Bitcoin!. So this post will be edited to include the link to the podcast when it’s up, in a few weeks’ time. Edit 28/7: It’s up on Soundcloud and iTunes.
Edit #2 28/7: Since you have started editing your profiles, hoping that no one is going to notice, I am going to enrich this post. I stated above that I have already backed up everything. A small proof can be seen on the right. You do realize that by doing this, you are providing more clues to verify your identity, right? /Edit #2 over
To the l33t hack3r: You are the equivalent of a common, low-level thief. If you are willing to profit from Bitcoin, do it the right way. Build yourself a mining farm or, if you are that good, try hacking Bitcoin itself. More than 1 billion US dollars will be yours.
Edit #3 30/7: I was contacted via phone by the creator of the malware. He was apologetic and he said that he now realises the trouble he has caused. He stated that all this was just fooling around with friends and writing code for practice. He didn’t realise that this could get out of control as it did, and that after two weeks he tried to control the spread of the malware by seizing the domain and uploading samples to Virustotal.com.
As is obvious from my blog post, any such effort was in vain. There is no straightforward way of stopping the malware (like a safety function or something similar). The only way it will stop is when all its instances are deleted. And no one can know how many of them exist, not even its creator.
He was pretty clear regarding how sorry he was, and he is now trying to figure out a way to control the damage his actions have brought to himself and his reputation. I suggested to him that a good way to start is a talk/interview with Andreas, a public apology of some sort.
I hope that all this will be a wake up call to him and not a reason to try improving his malware writing skills. Everyone deserves a second chance.