
Two local IT experts stop a potentially dangerous Bitcoin-mining virus in its tracks.
William Vermaak and Morne Wilken detected suspicious activity on a customer's server last week. They immediately analysed the source of the virus and disinfected the server. The only trace the originator left in the code was the Bitcoin wallet address that the mined Bitcoins were to be deposited into. It is very difficult to trace a Bitcoin wallet (as we all know), and a police warrant is needed to get any information from the Bitcoin companies hosting the wallet.
The virus had gone undetected by all available antivirus packages, so the white hats submitted samples to ESET the next day and got a response. The virus lab in Denmark confirmed that the virus was in the wild and that detection for the threat had been added to the latest ESET updates.
The virus had actually infected 0.04 % of Windows computers in SA and 0.5 % in Russia.
This Bitcoin-mining virus downloaded a Bitcoin CPU miner onto the victim's computer and then mined Bitcoins for the virus originator. These types of viruses are very difficult to remove, since the virus makes itself resilient and configures various scheduled tasks to start itself again if it is stopped. The virus installs itself as a system service and modifies keys in the Windows Registry so that it runs again after it is shut down. Shortcuts on the infected machine's desktop are modified to run the virus first and only then the original program, masking its presence. To ensure resilience the virus then copies itself into other files on the system, including microsoft.exe. With the growing Bitcoin price, we can be sure such attacks will become more common.
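The four persistence points described above (service, Registry Run keys, scheduled tasks, modified desktop shortcuts) can be audited with a read-only PowerShell script such as the one below. It is an added example, not code from the article, the two analysts or ESET; it assumes anything launched from outside Program Files or the Windows directory, or a shortcut whose arguments name a second program, deserves a look.

```powershell
# Added example: read-only audit of the persistence points named in the article.
# Trusted install roots are an assumption; anything launched from elsewhere is reported for review.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }

function Get-ExecutableFromCommandLine([string]$cmd) {
    # '"C:\dir with spaces\x.exe" /a' -> 'C:\dir with spaces\x.exe'; 'C:\x.exe /a' -> 'C:\x.exe'
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Test-OutsideTrustedRoots([string]$exe) {
    # Bare names without a directory (e.g. 'cmd.exe') are also reported, since they are worth a look.
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

$findings = @()
# 1. Services whose binary lives outside the trusted roots
foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ExecutableFromCommandLine $svc.PathName
    if (Test-OutsideTrustedRoots $exe) { $findings += "service $($svc.Name): $exe" }
}
# 2. Registry Run keys (machine-wide and current user)
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $item = Get-Item $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $exe = Get-ExecutableFromCommandLine ([string]$item.GetValue($name))
        if (Test-OutsideTrustedRoots $exe) { $findings += "Run value '$name' in $key : $exe" }
    }
}
# 3. Scheduled task actions
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -and (Test-OutsideTrustedRoots $action.Execute)) {
            $findings += "task $($task.TaskPath)$($task.TaskName): $($action.Execute)"
        }
    }
}
# 4. Desktop shortcuts: untrusted target, or arguments that launch a second program
$shell = New-Object -ComObject WScript.Shell
$desktops = [Environment]::GetFolderPath('Desktop'), [Environment]::GetFolderPath('CommonDesktopDirectory')
foreach ($file in Get-ChildItem -Path $desktops -Filter *.lnk -ErrorAction SilentlyContinue) {
    $lnk = $shell.CreateShortcut($file.FullName)   # opens the existing .lnk; nothing is saved
    if (($lnk.TargetPath -and (Test-OutsideTrustedRoots $lnk.TargetPath)) -or
        ($lnk.Arguments -match '(?i)\.(exe|bat|cmd|vbs|ps1)\b')) {
        $findings += "shortcut $($file.Name): target=$($lnk.TargetPath) args=$($lnk.Arguments)"
    }
}
$findings
```

Run it in an elevated PowerShell session so that all services and tasks are visible; expect some legitimate entries in ProgramData or user profiles to be listed, which is why the output is a review list rather than a verdict.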