Operation and Maintenance Bible: A Guide to Emergency Response to Mining Trojans

Table of contents

Introduction to Mining Trojans

Mining process

Mining Trojan Emergency Response

1. Quarantine the infected host

2. Determine the mining process

3. Mining Trojan removal

1. Block the connection of the mining pool address

2. Clear mining timing tasks, startup items, etc.

3. Disable suspicious users

4. Locate the location of the mining Trojan file and delete it

5. Full-scale antivirus and reinforcement


Introduction to Mining Trojans

Mining:

At fixed intervals, the Bitcoin system generates a random code on a system node. Every computer on the Internet can search for this code, and whoever finds it generates a block. Bitcoin is issued as a reward: each time a block is generated, the node receives a corresponding reward, which gives everyone an incentive to invest resources in keeping the whole transaction network running. This process of finding codes to earn rewards is mining. Finding a qualifying value, however, takes trillions of hash operations and therefore a great deal of computing power, which is why some attackers break into servers and take control of other people's computers to mine for them.

Mining Trojan:

The attacker implants a mining program into the victim's computer by various means and uses the computer's computing power to mine without the victim's knowledge, in order to profit. A mining program that is illegally implanted into a user's computer in this way is a mining Trojan. Mining Trojans are generally scripts that automatically scan, attack and deploy mining processes. The attacker first places the mining script on a remote host, gains control of target hosts through common or newly released automated exploit scripts that allow commands to be executed, then logs in to the host, downloads the remote mining deployment script directly with wget or curl, and executes it to deploy, hide and persist the mining process and clear traces. To remain on the server for a long time, mining Trojans adopt a variety of countermeasures against security controls, such as modifying scheduled tasks, firewall configuration and system dynamic link libraries. In severe cases these techniques can interrupt the server's business services.

Computing power (hash rate):

A measure of the processing power of the Bitcoin network, that is, the speed at which a computer (CPU) computes hash function outputs. The Bitcoin network must perform intensive mathematical and cryptographic operations for security purposes. For example, when the network reaches a hash rate of 10Th/s, it can perform 10 trillion calculations per second.
To obtain Bitcoin through mining, the corresponding solution m must be found, and for any 64-bit hash value there is no fixed algorithm for finding m; it can only be found by random hash collisions on a computer. The number of hash collisions a mining machine can perform per second represents its "computing power", written in units of hash/s. This is the so-called proof-of-work mechanism, POW (Proof Of Work).

Mining process

  1. Gain control of the host through known vulnerabilities;
  2. Download the remote mining script;
  3. Terminate any other mining processes that may already exist on the machine;
  4. Generate signature files to avoid repeated infection;
  5. Determine the host system's type and bit width, then hide and run the mining process;
  6. Mine on the GPU if one is present;
  7. Make the mining process resident and persistent;
  8. Scripts with worm functionality also use the current host as a springboard to scan the LAN, exploiting known vulnerabilities and weak passwords to control more hosts;
  9. Clear traces.

Mining Trojan Emergency Response

How to tell that you are facing a mining Trojan attack:

  1. A computer implanted with a mining Trojan shows soaring CPU usage and system freezes, and some services stop operating normally.
  2. Check server performance through the performance monitoring system to identify the anomaly.
  3. The mining Trojan establishes a connection to the mining pool address, which can be identified from the alerts of the security monitoring device.

1. Quarantine the infected host

Make a preliminary assessment of the mining Trojan incident: understand the current situation, the system architecture, the time of infection and so on, and determine the scope of the infection. Provide temporary handling recommendations promptly, and take the mined server/host offline and isolate it. The mined server/host should be well protected. Because the mining Trojan establishes a connection to the mining pool address, security monitoring equipment can be used to check the scope of the mining.

2. Determine the mining process

Once basic isolation of the infected server/host is complete, confirm which processes the mining Trojan is running in, so that subsequent removal work can be carried out.

The process name of a mining program generally takes one of two forms:

  1. Programs named with irregular strings of numbers or letters;
  2. Programs masquerading as a common process name, which are hard to tell apart by name alone. Therefore, when viewing processes, every process with high CPU usage must be checked one by one, whether its name looks normal or irregular.

3. Mining Trojan removal

1. Block the connection of the mining pool address

The mining program makes outbound connections. Use the security device to block the mining pool address, so that communication between the mining Trojan and the mining pool is cut off at the network layer.

2. Clear mining timing tasks, startup items, etc.

Remove the mining Trojan, and clear suspicious scheduled tasks, suspicious startup items and the like.

3. Disable suspicious users

Users created by the mining Trojan may be used as a springboard for further attacks or other attack operations. Once confirmed as abnormal, such users must be disabled or deleted promptly.

4. Locate the location of the mining Trojan file and delete it

Windows system:
Use the netstat -ano command to locate the PID of the mining Trojan's connection, then use the tasklist command to find the process name behind that PID, and finally inspect the process in Task Manager to find the location of the mining Trojan file and remove it.
Linux system:
Use the netstat -anpt command to view the mining Trojan's process, port and corresponding PID, use the ls -alh /proc/PID command to view the executable behind the mining Trojan, then use the kill -9 PID command to end the process, and use the rm -rf filename command to delete the file.

5. Full-scale antivirus and reinforcement

After carrying out the operations above, keep observing whether there are signs of recurrence and whether any processes or scheduled tasks remain uncleaned.
Use anti-virus software to perform a full scan and removal, and apply security hardening to the system and applications.
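The CPU check from the detection section and the Linux commands in step 4 (netstat -anpt, ls -alh /proc/PID), wrapped into reusable helpers. This is an added example, not code from the original post; the ps and netstat lines it is fed are constructed sample output, and the PIDs, process names and 203.0.113.7 addresses are made up.

```shell
#!/bin/sh
# Added triage helpers for the Linux steps above (not from the original post).
# Each function reads command output on stdin, so on a live host you would run e.g.
#   ps -eo pid,pcpu,comm --sort=-pcpu | high_cpu 80
#   netstat -anpt | established_peers
# Below they are fed constructed sample output instead.

# Constructed sample of `ps -eo pid,pcpu,comm --sort=-pcpu`: one irregularly named
# process and one masquerading as a system daemon, both burning CPU.
PS_SAMPLE='  PID %CPU COMMAND
 4242 98.7 x7f3a
 1337 91.2 systemd-helper
  812  1.3 sshd
    1  0.0 systemd'

# Constructed sample of `netstat -anpt`; 203.0.113.7 is a documentation-range address.
NETSTAT_SAMPLE='tcp  0  0 10.0.0.5:51234  203.0.113.7:3333   ESTABLISHED 4242/x7f3a
tcp  0  0 10.0.0.5:51240  203.0.113.7:14444  ESTABLISHED 1337/systemd-helper
tcp  0  0 0.0.0.0:22      0.0.0.0:*          LISTEN      812/sshd'

# high_cpu THRESHOLD: print "PID COMMAND" for every process at or above THRESHOLD %CPU.
# Every name is reported, since a masquerading miner looks normal by name alone.
high_cpu() {
    awk -v t="$1" 'NR > 1 && $2 + 0 >= t + 0 { print $1, $3 }'
}

# established_peers: print "PID REMOTE" for each ESTABLISHED connection; the REMOTE
# column is what gets compared against the pool addresses the security device flags.
established_peers() {
    awk '$6 == "ESTABLISHED" { split($7, p, "/"); print p[1], $5 }'
}

# exe_of PID: resolve the binary behind a PID through /proc (the link that
# `ls -alh /proc/PID` shows). Do this before `kill -9`: once the process is gone,
# the link is gone too. A " (deleted)" suffix means the file was already removed from disk.
exe_of() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "unknown (no /proc entry for PID $1)"
}

# Demo on the constructed samples.
echo "== high-CPU processes =="
printf '%s\n' "$PS_SAMPLE" | high_cpu 80
echo "== established connections =="
printf '%s\n' "$NETSTAT_SAMPLE" | established_peers
echo "== binary behind this shell (PID $$) =="
exe_of "$$"
```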

Reprinted from: blog.csdn.net/qq_61553520/article/details/131209322