GMA News Online
SciTech

Bitcoin virtual money malware spreading via Twitter

September 6, 2011 2:31pm
Now, even virtual currency is no longer safe from malware.

A computer security firm warned malicious links are now spreading over micro-blogging site Twitter, leading to malware that can mine for Bitcoins, a virtual currency used in peer-to-peer sharing.

In a blog post, Trend Micro said the spammed malicious shortened URLs on Twitter appear to contain a JPG image file from a Facebook domain.

“Clicking the links redirects to a shortened Twitter URL (http://t.co). Most of these Twitter users are from Indonesia. To lure users to click on the URL, cybercriminals incorporated Facebook.com into the link where the malicious file is hosted. Upon clicking the said link, the unwitting user is led to (a link on facebook.com) ... Since September 2, 2011, approximately 600 tweets of the same link have been posted,” Trend Micro fraud analyst Paul Pajares said.

Pajares pointed out the JPG image file is not a picture file but an executable file that Trend Micro detects as WORM_KOLAB.SMQX.

He noted that searching for the picture file using Twitter’s search function reveals a continually updated list of users who tweeted the same malicious link.

Trend Micro said that when users post a tweet, it is followed by the malicious link and the text “hahaha!!!” The same link is also inserted through Twitter’s retweet and reply features.

Investigation showed the malicious file creates a directory “aaa” with the following files:

  • 3kal.cmd: a batch file that contains the command for executing mamatije2.exe
  • hsbca.exe: a normal file (Hidden Start v3.2)
  • mamatije2.exe: detected as HKTL_BITCOINMINE that connects to a malicious link with the username mrdd_ludacha and password mama1.
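As an added illustration (not Trend Micro's or GMA's code), the following Python script shows how a defender can triage a directory for the behaviour described above: it classifies files by their leading magic bytes rather than by their extension, so a ".jpeg" that actually begins with a Windows PE header is flagged, and it reports any of the three file names above found inside a directory named aaa. The sample files, their contents and the helper names are constructed for this example.

```python
import os
import tempfile

# Leading magic bytes used for classification (constructed subset for this example).
JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG start-of-image marker
PE_MAGIC = b"MZ"               # DOS/PE executable header

# File names reported in the article for the dropped "aaa" directory.
KNOWN_DROPPED = {"3kal.cmd", "hsbca.exe", "mamatije2.exe"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def classify(data: bytes) -> str:
    """Return a coarse file type from the leading bytes, ignoring the file extension."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def is_masquerading(name: str, data: bytes) -> bool:
    """True when the extension claims an image but the content is a PE executable."""
    ext = os.path.splitext(name)[1].lower()
    return ext in IMAGE_EXTS and classify(data) == "pe"


def scan_directory(path: str) -> dict:
    """Walk a directory tree; report masquerading images and known dropped-file names."""
    findings = {"masquerading": [], "known_names": []}
    for root, _dirs, files in os.walk(path):
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as fh:
                head = fh.read(16)           # magic bytes are in the first few bytes
            if is_masquerading(fn, head):
                findings["masquerading"].append(full)
            if fn.lower() in KNOWN_DROPPED and os.path.basename(root) == "aaa":
                findings["known_names"].append(full)
    return findings


# Constructed sample contents: a "picture" that is really a PE stub, and a real JPEG header.
FAKE_JPEG = b"MZ\x90\x00" + b"\x00" * 60
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12


def demo() -> dict:
    """Build a throwaway tree mirroring the article's layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        aaa = os.path.join(tmp, "aaa")
        os.makedirs(aaa)
        with open(os.path.join(tmp, "Calc-3-9-2011.jpeg"), "wb") as fh:
            fh.write(FAKE_JPEG)                      # executable with an image extension
        with open(os.path.join(tmp, "holiday.jpg"), "wb") as fh:
            fh.write(REAL_JPEG)                      # benign image, should not be flagged
        with open(os.path.join(aaa, "3kal.cmd"), "wb") as fh:
            fh.write(b"start mamatije2.exe\r\n")     # constructed stand-in for the batch file
        result = scan_directory(tmp)
        return {
            "masquerading": sorted(os.path.basename(p) for p in result["masquerading"]),
            "known_names": sorted(os.path.basename(p) for p in result["known_names"]),
        }


if __name__ == "__main__":
    print(demo())
```

The extension check alone would have passed the disguised file; reading the first bytes is what catches it, which is the same distinction Trend Micro draws between the "JPG" name and the executable content.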

Pajares noted that the login credentials do not work; the server returns a bad request (HTTP 400) error.

He said the malware will also connect to other malicious sites, which host the following malicious files named after famous personalities:

  • http://robertpattinson.{BLOCKED}ion.org/pictures/Calc-3-9-2011.jpeg (HKTL_BITCOINMINE)
  • http://{BLOCKED}alokab.go.id/images/news/JohnLennon-Imagine.exe (WORM_KOLAB.SMQX)

Bitcoin miner botnet with DDoS capabilities found

Meanwhile, Trend Micro also noted a new Bitcoin miner botnet that can turn infected computers into a giant network that can launch distributed denial-of-service (DDoS) attacks against at least 2,000 targets.

It said the malware, identified as BKDR_BTMINE.DDOS, is a component of BKDR_BTMINE.MNR and can update its list of targets remotely.

“The DDoS component may be used to attack competing Bitcoin miners and limit their processing power. The malware also tries to communicate with a long list of IP addresses. A list of more than 2,000 IP addresses is hardcoded in the malware and is constantly updated upon execution," threat response engineer Karl Dominguez said in a blog post.
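To show what a hardcoded list of IP addresses looks like from a triage standpoint, here is an added Python example (not Trend Micro's code) that pulls ASCII dotted-quad strings out of a binary blob, drops syntactically invalid and non-routable entries, and flags the sample when the count reaches a threshold. The byte blob is constructed for this example and uses documentation-range addresses; the default threshold of 2,000 mirrors the figure quoted above.

```python
import ipaddress
import re

# ASCII dotted-quad candidates; syntactic validity is checked with ipaddress below.
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")

# Ranges that are noise in a target list (RFC 1918); loopback etc. handled separately.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_noise(ip: ipaddress.IPv4Address) -> bool:
    """True for addresses that cannot be a remote target."""
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or any(ip in net for net in PRIVATE_NETS))


def extract_ipv4(blob: bytes) -> list:
    """Unique, routable IPv4 strings embedded as ASCII in blob, in order of first appearance."""
    found = []
    for match in IPV4_RE.finditer(blob):
        text = match.group().decode("ascii")
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:          # e.g. an octet above 255
            continue
        if is_noise(ip) or text in found:
            continue
        found.append(text)
    return found


def triage(blob: bytes, threshold: int = 2000) -> dict:
    """Summarise the embedded address list and flag an unusually large one."""
    ips = extract_ipv4(blob)
    return {"count": len(ips), "suspicious": len(ips) >= threshold, "sample": ips[:5]}


# Constructed stand-in for a dumped data section of a sample (documentation-range IPs).
SAMPLE_BLOB = (
    b"\x00\x10MZ...\x00"
    b"203.0.113.7\x00"        # routable, kept
    b"198.51.100.250\x00"     # routable, kept
    b"999.1.1.1\x00"          # invalid octet, dropped
    b"10.0.0.5\x00"           # RFC 1918, dropped
    b"203.0.113.7\x00"        # duplicate, dropped
    b"192.0.2.44\x00"         # routable, kept
)


if __name__ == "__main__":
    print(extract_ipv4(SAMPLE_BLOB))
    print(triage(SAMPLE_BLOB, threshold=3))
```

A real sample would also need the addresses that the malware fetches at runtime, which this static pass cannot see; the article notes the list is updated on execution, so network capture complements the string extraction.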

Dominguez said Bitcoins are currently worth more than $8 each, and their value is constantly rising.

He said that because Bitcoin runs over a peer-to-peer network, transaction charges are much lower than those for transferring money through banks or clearing houses.

Bitcoin transactions are anonymous and they can be used anywhere, without limits, he added.

“Bitcoin usage is gaining popularity in web transactions because of these advantages, but it also raises some security issues. To stay safe, encrypt all wallets as soon as they leave your system. Use a strong, unique password for wallet encryption,” Dominguez said. — TJD, GMA News