10/10/2013
08:35

After ZeroAccess and the Bitcoin mining here comes the Trojan.Win32.Agent.EDM with Litecoin mining


By analyzing the flow of infections currently circulating, the CRAM (Anti-Malware Research Centre) has identified a new miner dedicated to Litecoin mining.
At SMAU in Padua, held in April 2013, C.R.A.M. (Anti-Malware Research Center) presented a detailed report [available only in Italian] on two new infections that were hitting Italian users (and not only), named FakeGDF and ZeroAccess.
Now a new infection, taking advantage of mining techniques similar to those used by ZeroAccess, is spreading in Italy.

In addition to click-fraud and the download of additional infections such as fraud tools, Trojan clickers and ransomware (FakeGDF), ZeroAccess shows a special peculiarity: relying on an army of compromised computers, it uses their computing power for an activity known as Bitcoin mining.

Bitcoin is an electronic currency created back in 2009 by an anonymous figure known only by the name Satoshi Nakamoto. This currency cannot be monopolized by any bank; instead, it is uniformly distributed through the network. Leveraging the computing power of all the infected computers, ZeroAccess makes them perform complex computational tasks; for each calculation performed successfully it receives a reward in Bitcoin that can later be converted into a different currency (USD, Euro, etc.).

Trojan.Win32.Agent.EDM shares with ZeroAccess the same scheme for exploiting compromised computers, but instead of Bitcoin, Trojan.Win32.Agent.EDM ensures itself a constant earning through Litecoin mining.

From a technical point of view, the Litecoin currency is identical to Bitcoin: the creation and the transfer of this electronic money is based on an open source cryptographic protocol known as scrypt.
Trojan.Win32.Agent.EDM gets the most out of the Litecoin currency because its mining can be executed efficiently on common end-user computers. The algorithm used by Litecoin, as stated before, is based on scrypt; this approach favours the use of miners on normal computers and on the most common GPUs present on the market today, all without slowing down the computer's performance.

The activity performed by Trojan.Win32.Agent.EDM can be split into different phases:

Phase #1
On the victim's computer, the file initsrv.exe is set to run automatically by placing the executable in the following path:
C:\Documents and settings\Users\Start Menu\Programs\Startup\initsrv.exe

In this way, the malicious file can be run each time the computer is started.

Phase #2
initsrv.exe is started by the dropper that placed it on the computer.

Phase 2.1:

Immediately after execution, initsrv.exe verifies the presence of three different files in the following path: %SystemRoot%/system32/
  • libcurl-4.dll
  • pthreadGC2.dll
  • minerd.exe
If they are not detected, initsrv.exe downloads the page
http://pastebin.com/raw.php?i=sw[XXXXXXXX]

from which it extracts the URLs needed to download each of the files searched for at the beginning of the infection process.

Pastebin, a well-known web application for sharing fragments of text, is used by Trojan.Win32.Agent.EDM, which reads all the strings inside the downloaded page into an array.
As shown in the image above, each line is made up of [file name]:: URL
If [file name].exe / .dll is not found inside the path %SystemRoot%/system32/, Trojan.Win32.Agent.EDM starts the download of the required file from the associated URL.
If all three files searched for are found, the variable check_passed, used to track the status of the search, is set to True; this allows the program to move on to the next part of the malicious code. Below is the flowchart of the first part of the malicious code:
infection flow

Phase 2.2:

If phase 2.1 is completed successfully, the malware enters phase 2.2.
initsrv.exe starts a sequence of checks in order to verify the presence of the file / process winvnc86.exe:
  • It checks for the presence in memory of the process winvnc86.exe; if found, it is killed;
  • It checks for the presence of the file winvnc86.exe in %SystemRoot%/system32/; if found, it is erased.
After these two checks, initsrv.exe downloads the page http://pastebin.com/raw.php?i=sw[XXXXXXXX] (a different link from the one shown before), from which it extracts a string of instructions, storing them in the sdata_ variable.

String value of the commands downloaded by initsrv.exe
Legend of the downloaded commands:

Relying on a FileCopy function, initsrv.exe takes the minerd.exe file from %SystemRoot%/system32/ and creates a copy of it in the same directory, naming it winvnc86.exe.
The last set of instructions executes winvnc86.exe, passing as a parameter the variable sdata_ that stores the instructions for the miner.
Below is the flowchart describing the execution of the second part of the infection:

infection flow

When Trojan.Win32.Agent.EDM (initsrv.exe) terminates its execution correctly, it has already managed to start the miner, deceiving the user into believing that the process is a trusted application: winvnc86.exe.

Although the minerd.exe file downloaded during the infection is a legitimate one, and its source code can be downloaded from sourceforge.net, this application is detected by Vir.IT eXplorer as Trojan.Win32.Agent.BHTO. This is because, in every situation analysed where winvnc86.exe (aka minerd.exe) was involved, the presence of Trojan.Win32.Agent.EDM was confirmed.

At every PC restart, Trojan.Win32.Agent2.BHTO is executed and the infection cycle takes place again:
  • initsrv.exe checks for the presence of the files required to start Litecoin mining;
    • if the files do not exist, it downloads them;
  • it kills the process winvnc86.exe / erases the file winvnc86.exe;
  • it downloads the parameters for the miner;
  • it copies and renames the file minerd.exe to winvnc86.exe;
  • it starts winvnc86.exe with the parameters stored in the variable sdata_ in order to contact the mining pool server.
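As an added example, not part of the original write-up and not the malware's own code, the following Python triage script implements the defender's side of the cycle just described: it parses the [file name]:: URL paste format from phase 2.1 into a map of file names to URLs (useful for blocking), and checks a host snapshot for the indicators the cycle leaves behind (initsrv.exe in the Startup folder, the three miner dependencies in system32, and winvnc86.exe as a byte-identical copy of minerd.exe). The directory layout, the sample paste text and the example.invalid URLs are constructed for the demonstration.

```python
import filecmp, os, re, shutil, tempfile

# Indicators from the write-up: dropper dependencies in system32, renamed miner, Startup entry.
REQUIRED_FILES = ("libcurl-4.dll", "pthreadGC2.dll", "minerd.exe")
MINER_COPY = "winvnc86.exe"
STARTUP_FILE = "initsrv.exe"
# Each line of the downloaded paste has the form "[file name]:: URL".
PASTE_LINE = re.compile(r"^\s*(?P<name>[^:\s]+)\s*::\s*(?P<url>\S+)\s*$")

def parse_paste(text):
    """Map file name -> download URL; lines that do not fit the format are skipped."""
    entries = {}
    for line in text.splitlines():
        m = PASTE_LINE.match(line)
        if m:
            entries[m.group("name")] = m.group("url")
    return entries

def triage(system32, startup):
    """Return the indicators present in a host snapshot (two directories)."""
    findings = []
    if os.path.isfile(os.path.join(startup, STARTUP_FILE)):
        findings.append("startup:" + STARTUP_FILE)
    if all(os.path.isfile(os.path.join(system32, f)) for f in REQUIRED_FILES):
        findings.append("miner-dependencies:complete")
    miner, copy = (os.path.join(system32, f) for f in ("minerd.exe", MINER_COPY))
    # winvnc86.exe is produced by FileCopy, so it is byte-identical to minerd.exe.
    if os.path.isfile(miner) and os.path.isfile(copy) and filecmp.cmp(miner, copy, shallow=False):
        findings.append("renamed-miner:" + MINER_COPY)
    return findings

# Constructed sample paste; the URLs are placeholders, not the real ones.
SAMPLE_PASTE = """libcurl-4.dll:: http://example.invalid/libcurl-4.dll
pthreadGC2.dll:: http://example.invalid/pthreadGC2.dll
minerd.exe:: http://example.invalid/minerd.exe
this line does not follow the format and is ignored
"""

def demo():
    """Build a constructed infected snapshot in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        system32, startup = os.path.join(root, "system32"), os.path.join(root, "Startup")
        for folder, names in ((system32, REQUIRED_FILES), (startup, (STARTUP_FILE,))):
            os.makedirs(folder)
            for name in names:
                with open(os.path.join(folder, name), "wb") as fh:
                    fh.write(b"placeholder bytes for " + name.encode())
        # The dropper's FileCopy step: winvnc86.exe is a byte copy of minerd.exe.
        shutil.copyfile(os.path.join(system32, "minerd.exe"), os.path.join(system32, MINER_COPY))
        return triage(system32, startup)
```

On a real host the two directories would be %SystemRoot%\system32 and the user's Startup folder; file names alone are weak indicators, so the byte-identical copy check is the one that ties winvnc86.exe to the miner.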
Mining pool servers are accessible to anyone, and creating a new user is easy and straightforward; in the first stage, the criminal creates two pairs of user name and password.
The first pair of user name and password is used to access the mining pool server and view the status of earnings; the second pair is instead given as a parameter to all the miners distributed during the infection.
The system of double credentials was introduced for safety reasons, as each running miner sends its user name and password in clear text and can obviously be intercepted easily.
Below is the complete infection flow when a user comes in contact with initsrv.exe:
---------------------------------
CRAM (Centro Ricerche Anti-Malware) by TG Soft
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
