Bitcoin Mining with Trojan.Badminer

Bitcoins have been in the news in recent months and have been the subject of much public discussion. In terms of how bitcoins are being targeted by malware, we’ve seen past attempts by Trojan.Coinbitminer to “mine” bitcoins on compromised computers, using up precious CPU cycles in the process. We’ve even seen other malware groups take a more direct and perhaps easier route by stealing bitcoins instead.

Now we are seeing another new Trojan on the bitcoin mining trail, which we are calling Trojan.Badminer. Instead of packing a pick axe and shovel like previous bitcoin mining Trojans, this makes use of heavy machinery to do its job. That way the flow of bitcoins can be mined much faster than before.

When it comes to mining, Badminer contains functionality to deal with all eventualities. It detects the type of computer that it is running on and then activates the appropriate “machinery” to dig through the hashes to reach the hidden treasures. If it determines the computer has a high-spec graphics card with a fast enough graphics processing unit (GPU), it uses the appropriate packages to leverage the immense processing power of the GPU to literally move through the mountains of hashes to reach the valuable bitcoins. Conversely if a low-spec computer is found, then it will wheel out the basic bitcoin mining tools, which will result in much slower throughput. To perform the mining functions, the Trojan contains both the RPC miner and Phoenix miner programs. The latter can take advantage of the extra power of the GPU for bitcoin mining.

The difference in throughput can be compared with traditional tunnel-based mining, versus blowing a hole in the side of a mountain and picking up the minerals after.

What are GPGPUs?
GPGPU stands for General Purpose computing on Graphics Processing Units. The capabilities of modern GPUs are highly optimized for certain types of mathematical calculations (floating point math) and are designed for parallel processing. Their performance on specialized tasks can hugely outperform conventional, general-purpose CPUs. This makes the idea of GPGPU extremely attractive for the purpose of bitcoin mining, brute force hash attacks against password databases, and folding (the process of simulating protein folding, a project initiated by Stanford University known as Folding@home).

Mining performance: GPGPU vs CPU
Just how much faster is GPGPU bitcoin mining versus bitcoin mining with a general CPU? A measure of bitcoin mining throughput is known as Mhashes per second: the number of millions of cryptographic hashes that can be processed in a second. For example, it has been reported that an Intel i7 990-equipped rig is capable of a throughput of 33.3 Mhash/s, while a lower-end system based on the Atom N270 (found in many netbooks) is capable of a measly 1.19 Mhash/s. The following diagram compares the Mhash/s throughput of some popular graphics cards and single CPU rigs.

As you can see, there is a huge contrast between the CPU mining figures and the performance of GPGPU mining. Low-end CPUs can process around 1 Mhash/s whereas high-end graphics cards are measured in several hundreds of Mhash/s.

Show me the money
Since bitcoins are a virtual currency, they are only accepted by a limited number of outlets. To realize their true purchasing power you need to sell them in exchange for a hard currency. The exchange rate fluctuates but the current US dollar-to-bitcoin rate at the time of writing is $11.44 per bitcoin. Previously, bitcoins were changing hands at a rate of around $20 each, but have nearly halved to their current level.

To work out a possible return on investment for the mining effort, you also need to consider the difficulty factor. This value gives an idea of how difficult it currently is to solve the hashing problem and find the bitcoins. At the time of writing the difficulty factor is 1690906.20472.

Based on these numbers we can arrive at an earnings potential for some of the graphics cards that we have previously detailed. An AMD Radeon 6750 card is reportedly capable of 167.5 Mhash/s whereas a higher-end card like the AMD Radeon 6990 is capable of 758.82 Mhash/s.

In an ideal situation, we could expect to uncover 13.71 bitcoins with the high-end graphics card example, which in turn would be worth $156.84 per month. Not a huge amount of money in isolation, but when combined with hundreds or thousands of other compromised computers, all generating a few bitcoins each, the numbers begin to add up.
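
The arithmetic behind these estimates, as an added example that is not part of the original post: it applies the standard expectation that a block takes on average difficulty × 2^32 hashes to the hash rates, difficulty and exchange rate quoted above. The 50 BTC block reward and the 30-day month are assumptions the article does not state, so the result lands within a few percent of the article's 13.71 bitcoins rather than exactly on it; the fleet mix at the end is constructed.

```python
# Added worked example: expected mining yield from hash rate and difficulty.
# Hash rates, difficulty and USD price are the article's figures.
# ASSUMPTIONS (not stated in the article): 50 BTC block reward, 30-day month.

DIFFICULTY = 1690906.20472
USD_PER_BTC = 11.44
BLOCK_REWARD_BTC = 50.0        # assumption
MONTH_SECONDS = 30 * 86400     # assumption

HASH_RATES_MHS = {
    "Atom N270 (CPU)": 1.19,
    "Intel i7 990 (CPU)": 33.3,
    "AMD Radeon 6750 (GPU)": 167.5,
    "AMD Radeon 6990 (GPU)": 758.82,
}


def expected_btc(mhash_per_s, difficulty=DIFFICULTY,
                 seconds=MONTH_SECONDS, reward=BLOCK_REWARD_BTC):
    """Expected bitcoins found in `seconds` at the given hash rate."""
    hashes_done = mhash_per_s * 1e6 * seconds
    hashes_per_block = difficulty * 2 ** 32   # average work per block
    return hashes_done / hashes_per_block * reward


def days_per_block(mhash_per_s, difficulty=DIFFICULTY):
    """Average number of days one device needs to find one block."""
    return difficulty * 2 ** 32 / (mhash_per_s * 1e6) / 86400


def fleet_monthly_usd(host_counts):
    """host_counts maps a device name to a host count; returns USD/month."""
    btc = sum(expected_btc(HASH_RATES_MHS[d]) * n
              for d, n in host_counts.items())
    return btc * USD_PER_BTC


if __name__ == "__main__":
    for name, rate in HASH_RATES_MHS.items():
        btc = expected_btc(rate)
        print(f"{name:24s} {rate:7.2f} Mhash/s {btc:8.4f} BTC/month "
              f"${btc * USD_PER_BTC:7.2f} {days_per_block(rate):9.1f} days/block")
    # Constructed fleet: mostly netbook-class hosts plus a few GPU machines.
    fleet = {"Atom N270 (CPU)": 900, "AMD Radeon 6990 (GPU)": 100}
    print(f"constructed fleet: ${fleet_monthly_usd(fleet):,.2f}/month")
```

In the constructed fleet the 100 GPU-equipped hosts account for nearly all of the expected value, which is why machines with high-end graphics cards are the ones worth watching for unexplained sustained GPU load.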

In a previous blog by Peter Coogan, it was surmised that renting a botnet to perform bitcoin mining was not an economically viable idea. The price of renting the botnet versus the CPU-based throughput of the bitcoin mining software did not justify this. With the advent of Trojan.Badminer and common usage of fast graphics cards, it may well begin to make economic sense to rent botnets in order to carry out distributed bitcoin mining and run the process on an industrial scale.