Delving Deeply Into a Bitcoin Botnet

Bitcoin is a virtual, decentralized currency created in 2009 by developer Satoshi Nakamoto, who described it in a paper. Bitcoin has recently received a lot of attention: in early 2013 its price reached a high of US$265 per Bitcoin. The following chart shows the currency’s historical price:

[Image: Bitcoin historical price chart]

Because Bitcoin is a virtual currency and independent of any financial institution, many vendors accept Bitcoins as payments.

Bitcoins are generated through a process called mining. Transactions are grouped into blocks that are broadcast to all nodes on the network. Each node tries to find a difficult proof of work: a value that, when hashed with an algorithm such as SHA-256, produces an output beginning with a required number of zero bits. Once a node finds such a hash, its user is rewarded with new Bitcoins.

Because mining requires enormous processing power, “pooled” mining lets many people combine their resources and search for a valid hash together. Once any member of the pool finds one, the newly created Bitcoins are split among all of them.

The recent jump in Bitcoin’s price suggests that cybercriminals are paying attention. With pooled mining, it is easy for botnet owners to install Bitcoin mining clients on many compromised systems that work together to generate Bitcoins for the botnet masters.

In our recent analysis of botnets, we found a couple of samples communicating with various online Bitcoin mining services over the Stratum protocol:

[Screenshot: Stratum protocol traffic to a mining pool]

We also saw a couple of samples using JSON/RPC calls:

[Screenshot: JSON-RPC mining calls]

And communication with a control server:

[Screenshot: communication with the control server]

This bot clearly sends various information back to the control server and receives commands from it in return.
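Stratum is newline-delimited JSON-RPC, so pool traffic like the captures above can be flagged by parsing each line of a reassembled stream and matching the mining method names. The following Python detector is an added example, not code from this post or from the bot; the sample stream, the worker name and the job and hex values in it are constructed.

```python
import json
from typing import Iterable, Optional

# Methods a mining client sends to a pool (Stratum, plus the older JSON-RPC "getwork" call).
CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "getwork"}
# Notifications a Stratum pool pushes to the client once it has subscribed.
SERVER_METHODS = {"mining.notify", "mining.set_difficulty"}

def parse_mining_message(line: str) -> Optional[dict]:
    """Return a finding for one line of traffic, or None if it is not a mining message."""
    # Stratum is newline-delimited JSON-RPC over raw TCP, so each line is one message;
    # non-JSON lines (HTTP headers, binary) and responses without "method" are ignored.
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in CLIENT_METHODS:
        direction = "client->pool"
    elif method in SERVER_METHODS:
        direction = "pool->client"
    else:
        return None
    params = msg.get("params")
    params = params if isinstance(params, list) else []
    finding = {"method": method, "direction": direction}
    # authorize/submit carry the pool account the attacker is paid to; subscribe carries the user agent.
    if method in ("mining.authorize", "mining.submit") and params:
        finding["worker"] = params[0]
    elif method == "mining.subscribe" and params:
        finding["client"] = params[0]
    return finding

def scan_stream(lines: Iterable[str]) -> list:
    """Run the parser over a reassembled stream and keep only mining-related messages."""
    return [f for f in (parse_mining_message(ln.strip()) for ln in lines) if f]

# Constructed sample of a reassembled TCP stream; worker name, job id and hex values are made up.
SAMPLE_LINES = [
    '{"id": 1, "method": "mining.subscribe", "params": ["ufasoft-miner"]}',
    '{"id": 1, "result": [[["mining.notify", "ae6812eb"]], "08000002", 4], "error": null}',
    '{"id": 2, "method": "mining.authorize", "params": ["botmaster.worker1", "x"]}',
    '{"id": null, "method": "mining.set_difficulty", "params": [2]}',
    '{"id": null, "method": "mining.notify", "params": ["bf", "4d16b6f8", "01000000", "072c", [], "00000002", "1c2ac4af", "504e86b9", false]}',
    '{"id": 3, "method": "mining.submit", "params": ["botmaster.worker1", "bf", "00000001", "504e86ed", "b2957c02"]}',
    'GET / HTTP/1.1',
    '{"method": "getwork", "params": [], "id": 0}',
]
```

A `mining.authorize` to a public pool from a host that has no business mining, with a worker name nobody in the organisation owns, is the signal worth alerting on.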

Our analysis found that this botnet uses the ufasoft Bitcoin mining software. All the required files are embedded in the resource section of the .exe, so unlike other botnets, no extra download is required.

[Screenshot: mining files embedded in the executable’s resource section]

The following screenshot shows the malicious files being unpacked into memory and run from there.

[Screenshot: VirtualAlloc call used to unpack the files in memory]

The botnet also drops a couple of files required for Bitcoin mining under a temp/{random name} folder:

[Screenshot: dropped files]

After that, the bot launches the file responsible for Bitcoin mining:

[Screenshot: the mining process being spawned]

Note that the file has a fake description: “Malwarebytes Anti-malware.”

This bot can be installed on a victim’s system through various methods: drive-by downloads, download via botnet, etc. Once run, the bot registers with various online pooled mining services using the attacker-supplied user name and password, so the mined Bitcoins are credited to the attacker’s own account:

[Screenshot: mining.authorize request carrying the attacker-supplied credentials]

We found one person selling an entire botnet kit on one of the underground forums for just a few dollars:

[Screenshot: underground forum post offering the botnet kit for sale]

We also found that the sample we obtained is the same one shown in the preceding forum post.

Here are a couple of screenshots showing the bot’s control panel.

Commands:

[Screenshot: control panel, Commands page]

Bitcoin settings:

[Screenshot: control panel, Bitcoin settings page]

Botnet summary:

[Screenshot: control panel, Botnet summary page]

Statistics:

[Screenshot: control panel, Statistics page]

Bitcoin has recently received a lot of media coverage because of the price it has reached during the last few months, and we believe this upward price trend will continue. With this bot, attackers are seeking new sources of income; they are quick to adopt the latest code as soon as it’s available.

McAfee customers are protected against this threat by IPS signature ID:0x4880b300_BOT_Bitbot_Activity_Detected.

I would like to thank my colleague Vikas Taneja for his help with this analysis.