News

Bitcoin and Trojan Analysis Report

2013-09-09


1.           Introduction of Bitcoin


    1.1 Overview

   Bitcoin is a type of electronic money generated by open-source P2P software, which is also a type of network virtual money. Bitcoin is not issued by anyspecific monetary institution but is generated through large amount of calculations with a specific algorithm. Usage of bitcoins is confirmed through a distributed database composed of numerous nodes within the entire P2P network, and all transactions are also recorded at the same time. P2P featuring decentration together with algorithms can ensure that the currency values of bitcoins cannot be manipulated artificially by producing large lotsof bitcoins.


1.2 Obtaining Bitcoins

   Bitcoins can be obtained through mining or transactions. To obtain bitcoins, the latest version of bitcoin client must be installed on a computer. And then bitcoinscan be obtained through gifting from friends, mining as miners or purchase as businessmen. The relatively feasible and low-cost way is mining as miners.

   Being a miner is just using your own computer to generate bitcoins. The difficulty of mining bitcoinsis indirect proportion to the amount of bitcoins mined, and the difficulty grows astimegoes. Currently the coefficient of difficulty for mining has reached upto 21335329.114, that is, only 0.02 bitcoins can be mined by using a common computer with an i5 CPU. However, most people are now using GPU for mining.


1.3 Transactions and Values of Bitcoins

   Transactions of bitcoins are generally realized in bitcoin trading platforms. The two biggest platforms are mtgox and GBL, and there are still tens of trading platforms with different scales.

   The following figure displays the turnover of bitcoins for nearly a month and its current value(from mtgox): 

‍ 

Figure1: Turnover of Bitcoins for Nearly a Month and Current Value of Bitcoin

   We can see that the exchange rate is 76.94899 USD dollars to 1 bitcoin, that is to say, one bitcoinis worth 76.94899 USD dollars; however the price of goldis 39.9709 USD dollars/g. Thus, the value of bitcoins is greater than that of gold.

 

2. Illegal Approaches to Obtaining Bitcoins

   With continuous popularity in bitcoins whose price can even be greater than gold, hackers are starting to show interest in this big "cake". It is said that bitcoins have high anonymity, and if some bitcoins are stolen, it is quite difficult to find the reasons. So bitcoins have been main targets of hackers. The bit coin agency Bit instant was reportedly attacked in March2013 by hackers who hijacked this company's DNS service and logged in the bitcoin trading company Virwox. In the end, bitcoins worth 12480 USD dollars were stolen.

   According to the cloud security center data from Baidu internationalization team 984 bitcoin related virus files were captured in June and 10364 computer were infected. Once attacked, the bitcoins of users will be stolen by hackers or the users' own computers will mine for hackers, thus earning money for others and decreasing the speed of their computers.

   Viruses related to bitcoins can currently be divided into the following two groups: The first group of viruses can steal bitcoins directly from the users' computers. The other group of viruses can create bot nets to use zombies for mining orinitiate APT attacks on big bitcoin trading websites. The following figure displays the distribution of the two groups of viruses monitored by the Baidu internationalization team:

 

Figure2: Schematic Diagram of Distribution of Bitcoin Viruses

Figure 3:General Locationof Bitcoin Wallet


   The main targets of these trojans are bitcoin wallets (wallet.dat) of individuals. Once computers are attacked, the trojans will search the wallet.dat file on the computers automatically and send it to the attackers, and then use FTP to upload it toservers. The bitcoins of attacked users will be transferred to the places specified by attackers. Baidu internationalization team reminds everybody who loves bitcoins to keep your bitcoin wallets properly, backup wallet.datregularly and scan your computers regularly using Baidu Antivirus.

   The flow chart of stealing bitcoins by trojans is as follows:

Figure4: Schematic Diagram of Stealing Bitcoins by Trojans


2.1.2 Theft by Phishing

   The virus family Trojan.Win32.Proxy Change can modify PAC (Proxy Auto-Config). As a result, a user will be redirected to a phishing website when visiting a bitcoin transaction website (such as mtgox.com) and the bitcoins of users will then be stolen. This type of trojans has high concealment and phishing websites are so real that users can hardly distinguish.

style="font-size: 9pt;">

   PAC is auto-proxy configuration file. It is a JavaScript file in essence and can be configured for automatic proxy. This configuration file is set in AutoConfigURL under the keyHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings. The key value is the location of scripts, as shown in the following figure:

Figure 5: Setting Key of Automatic Proxy

 

   The following is the contents of PAC files set by a virus:

Figure 6:Contents of PACFiles Set by a Virus


   Viruses use connectors to avoid name detection. After organization, the contents of configuration files become very clear:

Figure 7:Contents ofDecrypted PAC Script Files

 

   From the scripts, we can see that the trojan attacks not only the bitcoin transaction market but also other transaction platforms such as Brazilian online banks. After being attacked by this trojan, a user will be redirected to a phishing website when visiting mtgox.com ormtgox.com.br (the most widely used bitcoin foreign exchange transaction website). Infact, mtgox.com.br does not exist.

Figure8: Attacked Computers Redirected to a Phishing Website When Visiting mtgox

Figure 9:Unattacked ComputersVisiting mtgox

 

   So if you are attacked, you will visit a phishing website when trying to visit mtgox which is very real. When you enter your account and password, they will be captured by the author of the website and used to steal the bitcoins in your account.


 2.2 Bitcoin Mining Trojan

   Using other persons' computers to mine to generate bitcoins is also most commonly used by hackers to obtain bitcoins. This kind of  viruses accounts for 76.92% of all bitcoin trojans. These trojans usually use different kinds of 0day, such as pdf and java vulner abilities, or pretend as tempting names to seduce users for downloading. As the downloaded file is a bitcoin mining program with no harm,but the mining account within it is set by hackers. Therefore, it can hardly be hijacked by general antivirus software.

   The following is aprocess where a bitcoin mining trojan runs:

   1) First release Winlogons.exe and Csrss.exe under the %APPDATA%\Roamingdirectory (XPis%APPDATA%)

Figure 10:ReleasedFiles after Running Samples


   2) Run Winlogons.exewhich callsCsrss.exe to run. Csrss.exe is the bitcoin mining software inreality.

Figure11:Winlogons.exe CallsCsrss.exe to Run


   3)Mining begins after running.

Figure12: Screenshot of RunningCsrss.exe Mining Program


   After running the mining program, many CPU resources will be occupied, causing the CPU utilization torise perpendicularly.

Figure 13: CPUUtilization after Running Mining Program

 

   According to Bitcoin Mining Calculator, the current mining difficulty coefficient is 21335329.114.If we assume the Hash Rate of the computer of the current common useris 30Mhash/s, then the income is as follows:

Figure14: Income Calculation Chart Using CPU for Mining

 

   However the Hash Rate of high-end GPU reaches up to 1200Mhash/s, the corresponding mining income is much higher.

Figure15: Income Calculation Chart of Using GPU for Mining


   Currently, hackers even bind bitcoin mining programs to bot such as ZBot to form botnets formining.

Figure16: Botnet Mining Schematic Diagram

 

Number of Infected  Computers

 
 

Bitcoin

 
 

USD  Dollar

 
 

1,000

 
 

20

 
 

1,680

 
 

10,000

 
 

200

 
 

16,800

 
 

100,000

 
 

2,000

 
 

168,000

 

Table1: Relationship between Bitcoins and Infected Computers (per Month)

 

2.3 Attacks on Transaction Websites

   Hacker attacks are initiated on big bitcoin transaction websites. Hackers usually invade the websites of bitcoin agencies or transaction markets to steal bitcoins. Another means used by hackers is to attack bitcoin transaction websites (generallyusing DDos attacks)to make websites crash or slow the access speed of websites.Then a panic is caused among netizens who will undersell bitcoins, thus lowering the value of bitcoins. Hackers will buy these bitcoins at acertain low point and stop attacking. Bitcoins will be sold by hackers when the price of bitcoins returns to a normal level to obtain huge profits from the price gap.


3. Security Recommendations

   We recommend you to install Baidu Antivirus Professional(http://antivirus.baidu.com), update the virus gene pool timely, and enable such functions as active defense, browser protection and self-protection.

   We recommend you to use timely PC Faster (http://www.pcfaster.com)to update system patches to prevent the transmission of bitcoin trojans through 0 day.

   We recommend you to use Baidu BrowerSpark (http://en.browser.baidu.com/) to effectively distinguish phishing websites.

 

4. References

[1]http://bitcoin.org/en/

[2]https://en.bitcoin.it/wiki/MoneyPak

[3]https://en.bitcoin.it/wiki/Difficulty

[4]http://www.alloscomp.com/bitcoin/calculator

[5]https://mtgox.com/