Analysis by: RonJay Kristoffer Caragay
 Modified by: Anthony Joe Melgarejo

ALIASES:

Trojan.Badminer (Symantec); not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.a (Kaspersky); Linux/BitCoinMiner.D (ESET-NOD32); Application.Linux.BitCoinMiner.A (BitDefender); ELF:BitCoinMiner-G [Tool] (Avast)

 PLATFORM:

Linux/UNIX

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 379,680 bytes
File Type: ELF
Initial Samples Received Date: 20 Jan 2014
Payload: Generates cryptocurrencies

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

NOTES:

This malware is a CPU miner used to generate cryptocurrencies such as bitcoin, Litecoin, etc.

It accepts the following parameters/options:

-a, --algo=ALGO    specify the algorithm to use
            scrypt scrypt(1024, 1, 1) (default)
            sha256d SHA-256d
-o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)
-O, --userpass=U:P    username:password pair for mining server
-u, --user=USERNAME   username for mining server
-p, --pass=PASSWORD   password for mining server
--cert=FILE       certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
-t, --threads=N       number of miner threads (default: number of processors)
-r, --retries=N       number of times to retry if a network call fails (default: retry indefinitely)
-R, --retry-pause=N   time to pause between retries, in seconds (default: 30)
-T, --timeout=N       network timeout, in seconds (default: 270)
-s, --scantime=N      upper bound on time spent scanning current work when long polling is unavailable, in seconds (default: 5)
--no-longpoll     disable X-Long-Polling support
--no-stratum      disable X-Stratum support
-q, --quiet          disable per-thread hashmeter output
-D, --debug          enable debug output
-P, --protocol-dump   verbose dump of protocol-level activities
-S, --syslog          use system log for output messages
-B, --background      run the miner in the background
--benchmark       run in offline benchmark mode
-c, --config=FILE     load a JSON-format configuration file
-V, --version         display version information and exit

  SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 10.552.03
FIRST VSAPI PATTERN DATE: 20 Jan 2014
VSAPI OPR PATTERN File: 10.553.00
VSAPI OPR PATTERN Date: 20 Jan 2014

Scan your computer with your Trend Micro product to delete files detected as ELF_BITMINE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.