Tuesday, November 1, 2011

Analyzing OS X Bitcoin Miner Trojan - OSX/Miner-D

Miner-D is being bundled with the legitimate GraphicConverter app on torrent sites. A script is used to unzip an archive that contains the programs used by the trojan, and also to run the binary that receives and sends data. This trojan uses the Java program Diablo Miner (developed by Patrick McFarland), which mines for bitcoins on Solaris, Linux, and Windows. I was not sure at first what the program was, so I checked out the code and googled to verify :).
(Screenshot: scripts from Diablo Miner)
(Screenshot: example of the OS X script)
The miner.sh script contains a loop that runs the OS X script and the minerd (cpuminer) binary.
There is a second script, unrelated to mining, that dumps the Safari history, takes screen captures, and collects mdfind search results for truecrypt, pthc and Vidalia.
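The collection script described above is a useful thing to hunt for on a suspect machine. The following is an added example, not code from the post or the trojan: a small heuristic scanner that flags shell scripts showing the behaviours listed here (a miner launched in a loop, Safari history copied, screencapture, mdfind for truecrypt/pthc/Vidalia). The rule weights and the sample script are constructed for illustration.

```python
"""Heuristic scanner for the script behaviours described for OSX/Miner-D.
Added example: the rules, weights and SAMPLE below are constructed, not
taken from the real miner.sh or the trojan's collection script."""
import re

# Each rule: (name, compiled regex, weight). Weights are an assumption.
RULES = [
    ("miner_binary",    re.compile(r"\b(minerd|DiabloMiner)\b"), 3),
    ("safari_history",  re.compile(r"Library/Safari/History\.plist"), 2),
    ("screencapture",   re.compile(r"\bscreencapture\b"), 2),
    ("mdfind_keywords", re.compile(r"\bmdfind\b[^\n]*\b(truecrypt|pthc|Vidalia)\b", re.I), 3),
    ("infinite_loop",   re.compile(r"\bwhile\s+(true|:)(\s|;|$)"), 1),
]

def scan_script(text):
    """Return {rule name: [(line number, stripped line), ...]} for every rule that fires."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, _ in RULES:
            if pattern.search(line):
                hits.setdefault(name, []).append((lineno, line.strip()))
    return hits

def risk_score(hits):
    """Sum the weight of each distinct rule that fired (not per line)."""
    weights = {name: w for name, _, w in RULES}
    return sum(weights[name] for name in hits)

# Constructed sample resembling the described behaviour; not the real script.
SAMPLE = """#!/bin/sh
while true; do
  ./minerd -o http://pool.example:8332 -u user -p pass
  sleep 60
done
cp ~/Library/Safari/History.plist /tmp/h.plist
screencapture -x /tmp/s.png
mdfind truecrypt > /tmp/m.txt
mdfind pthc >> /tmp/m.txt
mdfind Vidalia >> /tmp/m.txt
"""

if __name__ == "__main__":
    found = scan_script(SAMPLE)
    for name, lines in found.items():
        print(name, lines)
    print("risk score:", risk_score(found))  # 11 for SAMPLE
```

Point scan_script at any shell script pulled from a suspect machine; a non-zero score is a prompt to read the script, not a verdict on its own.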
Funny string sent from the binary :)
00002c7a    movl    $0x00000000,0x0c(%esp)
00002c82    movl    $0x00000009,0x08(%esp)
00002c8a    movl    $0x000074eb,0x04(%esp)
00002c92    movl    %edi,(%esp)
00002c95    calll    0x00009193    ; symbol stub for: _send$UNIX2003
(gdb) x/s 0x000074eb
0x74eb:     "FUCK OFF\n"

I also noticed that the trojan binds to a port, sending SSDP packets to discover devices on the network. Tim Strazzere on Twitter had confirmed it was using UPnP to open up a backdoor port on routers.

Why does the trojan search for pthc files?
Definition of pthc from Urban Dictionary:
Short for "preteen hardcore" or child porn. Used mostly on p2p programs such as Kazaa. 


Thanks to lebek for the sample ;).
