A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a batch of new exploits and capabilities, a researcher said.
Juniper Threat Labs, the research arm of Juniper Networks, started monitoring what it's calling the Sysrv botnet in December. One of the botnet's malware components was a worm that spread from one vulnerable device to another without requiring any user action. It did this by scanning the Internet for vulnerable devices and, when found, infecting them using a list of exploits that has grown over time.
The malware also included a cryptominer that uses infected devices to mine the Monero digital currency. Each component shipped as a separate binary.
[...]
"Based on the binaries we have seen and the time when we have seen them, we found that the threat actor is constantly updating its exploit arsenal," Juniper researcher Paul Kimayong said in a Thursday blog post.
Straight from the above blog post, the malware's exploits include:
Exploit - Software
CVE-2021-3129 - Laravel
CVE-2020-14882 - Oracle Weblogic
CVE-2019-3396 - Widget Connector macro in Atlassian Confluence Server
CVE-2019-10758 - Mongo Express
CVE-2019-0193 - Apache Solr
CVE-2017-9841 - PHPUnit
CVE-2017-12149 - Jboss Application Server
CVE-2017-11610 - Supervisor (XML-RPC)
Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE) - Apache Hadoop
Brute force Jenkins - Jenkins
Jupyter Notebook Command Execution (No CVE) - Jupyter Notebook Server
CVE-2019-7238 - Sonatype Nexus Repository Manager
Tomcat Manager Unauth Upload Command Execution (No CVE) - Tomcat Manager
WordPress Bruteforce - WordPress
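A defender-side triage check built from that list, added here as an example and not code from Juniper, Ars or the Sysrv report: it parses `ss -ltn` output and flags listeners on the default ports of the targeted software, separating loopback-only binds (which a scanning worm cannot reach) from ones bound to all interfaces. The port-to-software mapping is an assumption based on vendor defaults, and the `ss` output is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASSUMPTION: vendor default ports for software on Juniper's Sysrv target list.
# Not taken from the page; adjust to how these services are actually deployed.
DEFAULT_PORTS = {
    7001: "Oracle WebLogic",
    8080: "Tomcat Manager / Jenkins / JBoss Application Server",
    8081: "Mongo Express / Sonatype Nexus Repository Manager",
    8088: "Apache Hadoop YARN ResourceManager",
    8090: "Atlassian Confluence Server",
    8888: "Jupyter Notebook Server",
    8983: "Apache Solr",
    9001: "Supervisor (XML-RPC)",
}

LOOPBACK = {"127.0.0.1", "::1"}

# "Local Address:Port" as printed by ss: "0.0.0.0:8088", "[::]:8888", "*:8080", "127.0.0.1:9001"
ADDR_RE = re.compile(r"^(?P<host>\*|\[[^\]]*\]|[^:\s]+):(?P<port>\d+)$")


@dataclass
class Finding:
    port: int
    software: str
    bind_address: str
    reachable_off_host: bool


def parse_ss_line(line: str) -> Optional[Tuple[str, int]]:
    """Return (bind_address, port) for one LISTEN row of `ss -ltn`, else None.
    Columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port [Process]."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    m = ADDR_RE.match(fields[3])
    if not m:
        return None
    return m.group("host"), int(m.group("port"))


def triage(ss_output: str) -> List[Finding]:
    """Flag listeners whose port matches a targeted service.
    A bind to 127.0.0.1 or ::1 is not reachable by an Internet-scanning worm;
    0.0.0.0, [::], * and any specific non-loopback address are."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        host, port = parsed
        software = DEFAULT_PORTS.get(port)
        if software is None:
            continue
        reachable = host.strip("[]") not in LOOPBACK
        findings.append(Finding(port, software, host, reachable))
    return findings


# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   0.0.0.0:8088        0.0.0.0:*
LISTEN 0      128    127.0.0.1:9001      0.0.0.0:*
LISTEN 0      511    [::]:8888           [::]:*
LISTEN 0      100    *:8080              *:*
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_SS_OUTPUT):
        status = "EXPOSED" if f.reachable_off_host else "loopback only"
        print(f"{f.port:>5}  {f.bind_address:<12} {status:<14} {f.software}")
```

A port match only says the service is worth looking at; the follow-up is to confirm whether the listener actually is that software, whether it is patched for the CVE on the list, and whether authentication is enabled for the entries marked "No CVE" (YARN, Jupyter, Tomcat Manager), since those are misconfigurations rather than bugs.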
(Score: 2) by Rosco P. Coltrane on Sunday April 11 2021, @06:03AM (4 children)
The problem is, while your shitty hardware sticks it to the rogue miners, it also kind of freezes on you while the crypto-mining software attempts to max out your CPU.
Or are you banking on the malware having a nice benchmarking test before running that goes "Oh, this machine is kinda lame. Better not attempt any mining here to avoid detection!"?
(Score: 2) by Unixnut on Sunday April 11 2021, @11:43AM (2 children)
> Or are you banking on the malware having a nice benchmarking test before running that goes "Oh, this machine is kinda lame. Better not attempt any mining here to avoid detection!"?
I don't know, I'm not a malware developer, but it sounds like a decent idea. Each machine you infect increases the chances of being noticed and shut down, so if your goal is to make money, you want to keep your profile low.
This means not impacting the machines you infect. Even in nature, a parasite that kills its host is outcompeted by those that don't. So logically a malware dev wants their malware to infect and run on machines that can provide decent compute power without impacting the machine enough that the admins/owners notice.
They also would want to concentrate on fewer, more powerful machines, as it reduces the chance of people noticing machines becoming crippled and investigating.
So yes, doing a quick benchmark and deciding that a machine which would take 6 months to generate 0.00001 of some crypto coin, all while crippling it to the point it gets rebuilt or someone notices and busts your botnet, is a risk not worth the effort seems like not a bad idea.
(Score: 0) by Anonymous Coward on Tuesday April 13 2021, @02:31AM
(Score: 2) by TheRaven on Tuesday April 13 2021, @11:57AM
That's not really how it works. The 'mining' is probabilistic. If you're trying a lot fewer hashes per second than another machine, you may still find the right one early, you're just a lot less likely to. If you're not paying for power, it's always worth adding more compute, even if it's only a small amount.
It's also not clear to me that you'd be more likely to be noticed on slower machines. People with slow machines already expect things to be slow, people who buy fast machines are likely to notice if they're not getting what they paid for.
All of that said, normally this kind of malware cloaks itself so that it doesn't show up in process monitors and runs at the equivalent of idle priority, so it shouldn't actually slow things down except by maybe making thermal throttling kick in earlier.
sudo mod me up
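A small model of the probabilistic argument above, added here as an illustration and not code from the page or from Juniper: each hash is an independent trial that wins with a tiny probability, so a slow machine still finds solutions, just rarely, and expected reward over a window is linear in hash rate with no threshold below which it is "not worth it" when someone else pays for the power. The per-hash probability, window and reward are assumed round numbers, not Monero's actual parameters.

```python
import math

# ASSUMED parameters for illustration only; not Monero's real difficulty or reward.
P_HASH = 1e-12           # probability a single hash satisfies the target
WINDOW = 30 * 24 * 3600  # seconds in the observation window (30 days)
REWARD = 1.0             # payout per solution, arbitrary units


def expected_seconds_to_solution(hashrate: float, p_hash: float = P_HASH) -> float:
    """Mean waiting time when every hash is an independent Bernoulli trial."""
    return 1.0 / (hashrate * p_hash)


def p_solution_within(hashrate: float, seconds: float, p_hash: float = P_HASH) -> float:
    """P(at least one winning hash in `seconds`) = 1 - (1 - p)^n with n = hashrate * seconds.
    Computed in log space so n ~ 1e10 and p ~ 1e-12 neither underflow nor cancel."""
    n = hashrate * seconds
    return -math.expm1(n * math.log1p(-p_hash))


def expected_reward(hashrate: float, seconds: float,
                    p_hash: float = P_HASH, reward: float = REWARD) -> float:
    """Expected payout over the window: proportional to hashrate, no minimum."""
    return hashrate * seconds * p_hash * reward


def compare(slow_hashrate: float, fast_hashrate: float, seconds: float = WINDOW) -> dict:
    """Side-by-side numbers for two infected machines over one window."""
    return {
        "slow_p": p_solution_within(slow_hashrate, seconds),
        "fast_p": p_solution_within(fast_hashrate, seconds),
        "reward_ratio": expected_reward(fast_hashrate, seconds)
        / expected_reward(slow_hashrate, seconds),
    }


if __name__ == "__main__":
    # 100 H/s "shitty hardware" versus a 10 kH/s box
    r = compare(100.0, 10_000.0)
    print(f"slow box: P(solution in 30 days) = {r['slow_p']:.2e}")
    print(f"fast box: P(solution in 30 days) = {r['fast_p']:.2e}")
    print(f"expected reward ratio fast/slow  = {r['reward_ratio']:.1f}")
```

The ratio of expected rewards is exactly the ratio of hash rates, which is why a benchmark-and-bail check only makes sense if the operator is weighing detection risk, not payout.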
(Score: 2) by istartedi on Sunday April 11 2021, @05:59PM
I was going for +Funny mods. I think it ought to be obvious that I don't want *any* malware on my machine, because if the malware decides that mining isn't worthwhile, it might have additional code that keylogs or something.