Delving Deeply Into a Bitcoin Botnet

Bitcoin is a virtual decentralized currency that was created in 2009 by developer Satoshi Nakamoto, who described the currency in a paper. Recently Bitcoin has gotten lots of attention. In early 2013, the prices reached a high of US$265 per Bitcoin. The following chart shows the currency’s historical price:

[Figure: Bitcoin price chart]


Because Bitcoin is a virtual currency that is independent of any financial institution, many vendors accept Bitcoins as payment.

Bitcoins are generated through a process called mining. Transactions are grouped into blocks that are broadcast to all the nodes on the network. Nodes compete to solve a difficult proof of work: finding a value (the nonce) which, when hashed together with the block using an algorithm such as SHA-256, produces a hash with a required number of leading zero bits. Once a node finds such a hash, its user is rewarded with new Bitcoins.

Because mining requires enormous processing power, "pooled" mining lets many people combine their resources to search for a qualifying hash together. Once any member of the pool finds one, the newly created Bitcoins are split among all the participants.
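The proof-of-work search described above, as an added illustration (this is not code from the botnet or from the ufasoft miner): a simplified miner that looks for a nonce whose double-SHA-256 hash has the required number of leading zero bits, and a one-hash verifier. Real Bitcoin hashes an 80-byte block header against a 256-bit target, but the search and the check/verify asymmetry are the same; the header bytes here are constructed.

```python
import hashlib
import struct
from typing import Optional, Tuple


def double_sha256(data: bytes) -> bytes:
    """Bitcoin hashes with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest read as a big-endian number."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()  # zeros inside the first non-zero byte
        break
    return count


def mine(header: bytes, difficulty_bits: int,
         max_nonce: int = 1 << 32) -> Optional[Tuple[int, bytes]]:
    """Brute-force nonces until the hash meets the difficulty.

    Returns (nonce, digest), or None if no nonce in range qualifies.
    This loop is the expensive part that the bot steals CPU time for.
    """
    for nonce in range(max_nonce):
        digest = double_sha256(header + struct.pack("<I", nonce))
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a solution costs one hash; this asymmetry is what lets a
    mining pool cheaply validate work submitted by every participant."""
    digest = double_sha256(header + struct.pack("<I", nonce))
    return leading_zero_bits(digest) >= difficulty_bits


if __name__ == "__main__":
    # Constructed header; 16 bits takes about 65k hashes on average.
    found = mine(b"constructed-block-header", 16)
    if found is not None:
        nonce, digest = found
        print("nonce", nonce, "hash", digest.hex(), verify(b"constructed-block-header", nonce, 16))
```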

The recent jump in the Bitcoin price suggests that cybercriminals are paying attention. With pooled mining, it is easy for botnet owners to install Bitcoin mining clients on many compromised systems and have them work together to generate Bitcoins for the botnet masters.

In our recent analysis of botnets, we found a couple of samples that were communicating with various online Bitcoin mining services over the Stratum protocol:



We also saw a couple of samples using JSON/RPC calls:



And communication with a control server:

[Figure: Control server communication]


It is clear that this bot sends various information back to the control server and receives commands from it.

Our analysis found that this botnet uses the ufasoft Bitcoin mining software. All the required files are embedded inside the resource section of the .exe, so unlike other botnets no extra download is required.

[Figure: Mining files embedded in the resource section]


The following screenshot shows the malicious files being unpacked into memory and run from there.

[Figure: Unpacking in memory via VirtualAlloc]


The bot also drops a couple of files required for Bitcoin mining under a temp/{random name} folder:

[Figure: Dropped files]


After that, the bot launches the file responsible for Bitcoin mining:

[Figure: Mining process being spawned]


Note that the file has a fake description: “Malwarebytes Anti-malware.”

This bot can be installed on a victim’s system through various methods: drive-by downloads, download via an existing botnet, and so on. Once run, the bot registers with various online pooled mining services using the attacker-supplied user name and password, so the attacker gets the Bitcoins credited to his or her own account:

[Figure: Mining authorize request]
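A defender-side illustration of the Stratum and JSON-RPC traffic described above, added here and not part of the original analysis: a small scanner that walks newline-delimited JSON from a captured stream and flags the mining-protocol requests (Stratum's mining.subscribe/mining.authorize/mining.submit and the older getwork call), pulling out the pool worker name from mining.authorize, which is the account the attacker gets paid into. The sample stream is constructed, not a real capture.

```python
import json
from typing import Dict, List

# Constructed sample of what a miner's TCP stream looks like: Stratum requests,
# one pool reply, a legacy getwork JSON-RPC call, and a line of junk.
SAMPLE_STREAM = "\n".join([
    '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3"]}',
    '{"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}',
    '{"id": 1, "result": [[["mining.notify", "ae6812eb"]], "08000002", 4], "error": null}',
    '{"method": "getwork", "params": [], "id": 0}',
    "not json at all",
    '{"id": 3, "method": "mining.submit", "params": ["worker1", "job1", "00000000", "504e86ed", "b2957c02"]}',
])

# Methods that only appear when a host is talking to a mining pool.
MINING_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "getwork"}


def find_mining_requests(stream: str) -> List[Dict[str, str]]:
    """Return one record per mining-protocol request found in the stream.

    Replies (which carry "result" rather than "method") and non-JSON lines
    are skipped rather than treated as errors, since a real capture is noisy.
    """
    hits: List[Dict[str, str]] = []
    for line in stream.splitlines():
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        if method not in MINING_METHODS:
            continue
        hit = {"method": method}
        params = msg.get("params") or []
        if method == "mining.authorize" and params:
            hit["worker"] = str(params[0])  # pool account credited for the work
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_mining_requests(SAMPLE_STREAM):
        print(hit)
```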


We found one person selling an entire botnet kit on one of the underground forums for just a few dollars:

[Figure: Underground forum sale post]


The sample we obtained is the same one advertised in the forum post above.

Here are a couple of screenshots showing the bot’s control panel.


[Figure: Bot control panel]


Bitcoin settings:

[Figure: Bot panel, Bitcoin settings]


Botnet summary:

[Figure: Bot panel, botnet summary]



[Figure: Bot panel, botnet summary (continued)]


Bitcoin has recently received a lot of media coverage because of the price it has reached during the last few months, and we believe that this upward trend will continue. With this bot, attackers are seeking new sources of income, and they are quick to adopt the latest code as soon as it becomes available.

McAfee customers are protected against this threat by IPS signature ID:0x4880b300_BOT_Bitbot_Activity_Detected.

I would like to thank my colleague Vikas Taneja for his help with this analysis.


Reporters use Google, find breach, get branded as “hackers”

TerraCom's website offers free cell phones to low income customers; its call center company gave customers' personal data away.

Call it security through absurdity: a pair of telecom firms have branded reporters for Scripps News as "hackers" after they discovered the personal data of over 170,000 customers—including social security numbers and other identifying data that could be used for identity theft—sitting on a publicly accessible server. While the reporters claim to have discovered the data with a simple Google search, the firms' lawyer claims they used "automated" means to gain access to the company's confidential data and that in doing so the reporters violated the Computer Fraud and Abuse Act with their leet hacker skills.

The files were records of applicants for the Federal Communications Commission's (FCC) Lifeline subsidized cell phone program for low-income consumers. The applicants' information was collected for the telecom providers YourTel and TerraCom by Vcare, an India-based call center service contracted to verify applicants' eligibility. To qualify for the program, customers need to submit proof that they are enrolled in a federal or state assistance program such as Supplemental Security Income, food stamp programs, and the federally funded free school lunch program.

Vcare and the telecom providers are explicitly required to not retain this data under the regulations of the FCC program. However, the data was retained on Vcare's servers and posted to an open file-sharing area—and apparently indexed by Google's search engine in the process.


Why Email is a Key to Your Castle

Having control over an email account confers a lot of power, even though most people would probably say they do not care if someone else reads their private emails. But it’s not always about reading those private emails. Of course, there have been quite a few attacks where secrets were revealed by snooping through the emails of hacked accounts, for reasons ranging from a jealous spouse looking for proof of a suspected affair to corporate espionage in which certain parties seek essential information about a critical deal. Other attackers use the compromised account to send social engineering messages to every contact stored in it, posing as the person whose account was hacked.

Nowadays an email account is much more than a way to send and receive emails. Many free providers such as Microsoft and Google attach various additional services to the account, so access to the account means access to things like private photos uploaded to it. There have been cases where attackers broke into email accounts, found sensitive pictures, such as nude photos, and then blackmailed the account owner. While most people are smart enough not to upload such pictures, the cloud storage now integrated into many services may hold all kinds of files: password files, license files, tax records, passport scans, company documents, and more.

The reach of an email account is even greater than this. Many online services use the email address as the user name, so knowing the address and the email password can give an attacker access to many other accounts, because most services offer to reset a forgotten password through email, even when the user does not reuse the password across services. Controlling the email account means controlling the password reset emails of those other services, and therefore gaining access to them regardless of the passwords they use.

Every time there is a data breach in which email addresses and passwords are publicly posted, other attackers take this information and start new attacks with it. The first thing they usually try is whether the same password also opens the email account.

Of course, not all services are of interest to attackers. Losing control of your social media account may not be enjoyable—especially if you are a news agency—but it will not really hurt most people. For companies this might be a different story, as it could lead to brand damage if something happens to their accounts. Last year there was the widely publicized situation of Mat Honan, a Wired reporter whose Apple devices were wiped when hackers gained access to his iCloud account. This can be troublesome, but as a user you can help to avoid it by registering for the additional security measures provided.

Other services are of real interest to attackers. Some companies, for instance, allow goods and services to be ordered by charging the credit card on file or sending an invoice to the account owner. Financial services, auctions, and payment services are definitely high on the list of services that hackers will check. There are many services you probably do not want to lose control of, and as companies add more and more features it becomes even more important to protect your email account. For example, Google recently announced the integration of Google Wallet into Gmail, which lets you send money from your email account the same way you attach a picture to an email. You can attach money to an email as well. Or an attacker might do it for you.

To help prevent such attacks, Google was one of the first service providers to introduce two-factor authentication to the masses. Other services, including Apple, have followed and started to integrate two-factor or out-of-band authentication, in the form of a code sent to a previously registered mobile phone or a one-time password (OTP) generator application. This is a good way to secure an account beyond passwords, and it is definitely better than merely forcing the user to fill out security questions that can easily be guessed from public information.

Not proactively enrolling in additional authentication measures, where they are available, might also leave you vulnerable to rare attacks for which a password is not even required, since there is always a chance of a glitch, like the one in Apple’s password reset function in 2013. While Apple acted quickly and fixed the issue, users who had enrolled in two-step verification were protected the entire time. There have also been cases where an attacker could use a cross-site request forgery (CSRF) attack to hijack an active session and reconfigure your email account. For example, a long time ago there was a simple attack in which a website could add a forwarding filter to your Gmail account, resulting in all emails being forwarded to an additional address. Of course, Google fixed this issue quickly and increased account security even further; for example, the user is now warned with a UI message whenever a new filter has been added. Such attacks are harder for the user to prevent, as logging out of the account whenever it is not in use is not really practical advice.

You should use a strong password for your main email account that is unique and different from the passwords you use for other services. Also keep yourself aware of new security features introduced by your email provider.

House Keys Under the Doormat? Nope, in Your Phone

One of my friends recently locked himself out of his apartment. I found this out when I called him because although he didn’t have his keys, he did have his smartphone. This was one of those times he wished he lived in one of those hotels with the Assa Abloy NFC-enabled locks.

It turns out he doesn’t need to go to a hotel to open his door with a phone. Kwikset will soon be selling Kevo, a new deadbolt that can be unlocked with a Bluetooth-enabled phone. You can replace your old door locks with one of these new models.


The Kwikset/Unikey Kevo deadbolt is controlled via a Bluetooth-enabled smartphone app.

The Kevo lock [see demo video] is based on technology from Unikey, a winning company on the ABC TV show Shark Tank. Unikey’s background is in developing biometrics-access controls. Those controls are the ones you see on TV or in movies when a character places a palm or finger on a pad to open a door. With these locks we can all have similar technology guarding our homes.

Security Concerns
Another thing you would notice from those same shows and movies is that the bad guys are always trying to break these high-security locks and access controls. The difficulty facing the average computer crook confronting a government high-tech lock is that there are so few of these locks to test against. Contrast that with the millions of Bluetooth locks that anyone can buy off the shelf. The bar is much lower with Bluetooth, because if criminals damage one lock during testing they can easily buy another and try again.

The biggest payoff for technical attackers against a lock like this is to duplicate your keys or introduce a new one of their own. With physical keys they would need to get possession of them to make copies; with digital keys they need to break encryption and/or bypass security on the device that holds the keys (smartphone or key fob).

The deadbolts come with a single key fob, similar to car keys with transponders in them, and more can be purchased. It’s not clear yet whether, as with transponder keys, one needs to go through a complex process to activate additional fobs. The security of the fobs makes the smartphone the easier target to go after.

There is an iPhone app that lets you manage both your own door key and those of other residents (friends, house sitters, etc.), as well as temporary keys. Android phones also support Bluetooth, so the choice to produce the iPhone app first may have to do with the relative ease of decompiling Android apps.

iPhones are not necessarily more secure, as a knowledgeable attacker can jailbreak a phone and gain access to a decrypted version of the Kevo key app. Using tools like disassemblers, they can then seek out the methods used to secure the keys within the app and potentially reverse-engineer the protection or discover a way of creating new keys. They may also be able to force the app to accept new keys, essentially adding a master key to every one of these Bluetooth-enabled locks. That is actually less likely than a criminal finding a way to attack a single target’s locks.

Future of Physical Security?
Locks are not invincible, not even high-tech locks. The more such locks are installed, the greater the incentive for robbers to break in through technical means. Why steal one set of keys if they can attack a smartphone app and steal all the keys? Fortunately, as the crooks start to take notice of such devices, so will security researchers. Unlike the bad guys, security folks will test these locks and help them improve. I’m sure my smartphone-toting, key-forgetting friend will appreciate that.