Bitcoin Mining Malware Encountered Across Several SingleHop Servers

Journalist:
Gordon Hall
April 26, 2014
Bitcoin Malware

Bitcoin Mining Malware

Computer security is becoming a staple of headlines around the world. Snowden’s disclosures have dramatically increased the public’s awareness of such issues. The damage from such sprawling breaches as Heartbleed will likely take years to repair. The subject is naturally of particular interest to Bitcoiners, whose fortunes are only as secure as their devices.


Chicago-based hosting company SingleHop provides dedicated and cloud servers and managed hosting services. In 2011, it was named America’s 25th fastest-growing company.

SingleHop today reached out to several clients with notification that Bitcoin mining malware had been discovered across a number of servers. The function of the malicious software was to redirect server cycles into Bitcoin mining. This would have led to degraded performance, which likely alerted clients to the possibility of compromise. A report by Malwarebytes indicates that such mining can slow a CPU by up to 50%. According to a prior conversation with Venzen, many hosting companies disallow the installation of even legitimate Bitcoin mining software for this reason. The increased resource utilization would surely have been noticed by SingleHop system administrators sooner rather than later.
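The detection signal described above (a long-lived process holding an outsized CPU share on a host whose normal workload is known) can be checked from ordinary `ps` output. The following is an added example written for this article, not SingleHop's own tooling; the process list, the baseline daemon names and the thresholds are all constructed assumptions.

```python
"""Flag long-running processes with an unexplained CPU share.

Input is the text of `ps -eo pid,pcpu,etime,user,comm --no-headers`.
The sample below is constructed for this example, not real server data.
"""
from dataclasses import dataclass

SAMPLE_PS = """\
    1  0.0 12-03:14:22 root     systemd
  812  1.2 12-03:14:01 mysql    mysqld
  903  3.4 12-03:13:58 www-data apache2
  904  2.9 12-03:13:58 www-data apache2
 4471 48.7  2-07:10:05 root     svc_helper
 4488  0.3    01:02:33 gordon   sshd
"""

# Daemons that legitimately use CPU on this (assumed) web host.
BASELINE = {"systemd", "mysqld", "apache2", "sshd"}

@dataclass
class Proc:
    pid: int
    pcpu: float
    etime_s: int
    user: str
    comm: str

def parse_etime(s):
    """Convert ps elapsed time ([[dd-]hh:]mm:ss) to whole seconds."""
    days, _, clock = s.rpartition("-")
    secs = 0
    for part in clock.split(":"):
        secs = secs * 60 + int(part)
    return secs + int(days or 0) * 86400

def parse_ps(text):
    """Parse one Proc per non-empty line of ps output."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5:
            pid, pcpu, etime, user, comm = fields
            procs.append(Proc(int(pid), float(pcpu), parse_etime(etime), user, comm))
    return procs

def suspicious(procs, min_cpu=20.0, min_age_s=3600):
    """Long-lived, CPU-heavy processes outside the baseline, root-owned first.

    A miner shows up as sustained load rather than a burst, so both the CPU
    share and the age are required. Root-owned hits matter most, which is
    consistent with a root/admin password reset being the first remediation.
    """
    hits = [p for p in procs
            if p.pcpu >= min_cpu and p.etime_s >= min_age_s and p.comm not in BASELINE]
    return sorted(hits, key=lambda p: (p.user != "root", -p.pcpu))
```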

Once detected, SingleHop took prompt action to scan all their servers and clean those found to be infected.

A Rising Trend

In their advisory email, SingleHop describe this as a growing problem around the web, referencing similar attacks experienced by Iowa State University and Amazon Web Services.

Infosec experts at professional services firm Ernst & Young are of the opinion that Bitcoin’s dramatic price appreciation is spurring further such attacks. Speaking in late 2013, EY’s assistant director of fraud investigation and dispute services, Matthew Rees, was quoted as saying:

“I would strongly expect there to be more of this kind of thing happening in the future simply because Bitcoin is so much in the news now.

Bitcoin is a very interesting technology that may well open up whole new avenues of trading, of people being able to use micro-payments. But that’s not what’s in the press at the moment, it’s that these things have rocketed in value from virtually nothing a year ago to US $1,000 a piece now. So there’s advantage being taken of that noise.”

How Servers Were Compromised

SingleHop describe immunization actions taken after affected services were cleaned as follows:

“SingleHop engineers have implemented basic security measures to prevent re-infection by the malware on your server, including resetting the server(s) root and/or administrator password. In the coming days, your account manager will reach out to you with additional information that becomes available during our investigation, and to discuss additional steps that you can take to secure your servers and data.”

Speculation on my part: the above is suggestive of a Heartbleed attack in which the login details of administrators were captured and used to access servers to covertly install the malware. In other words, it’s hard to blame SingleHop for falling to an exploit which the NSA were more interested in exploiting than reporting or fixing.

Extent of the Compromise

My source for this story remarks that all SingleHop users seemed to be affected, but this has not yet been confirmed. CCN is currently awaiting further comment from SingleHop.

In a less consequential version of this Bitcoin mining malware story, it was reported nearly three weeks ago by The Register that “Dimwit hackers use security camera DVRs as SUPER-SLOW Bitcoin-mining rig[s].” This is another instance of incredibly slow hackers, or incomplete information from SingleHop. CPU cycles spent on Bitcoin mining are all but wasted given a CPU’s low hashrate when compared with an ASIC, which the majority of the network is composed of.

These stories of CPU cycles on computers and mobile phones being used for Bitcoin mining only serve to distract the general media from actual events in the Bitcoin world. Please comment below if your SingleHop server has been reset due to this malware.

Last modified (UTC): April 26, 2014 08:16

Tags: heartbleed
Gordon Hall

Former swing trader of equities and daytrader of futures, out to make it in this crazy crypto world. I'll be doing some chart-reading aka fortune-telling, plus some interviews with crypto developers and miners. And maybe even some cartoons. If you like the cut of my jib, visit my website (goldrhino.tk) and pick up a Ⓑ keychain or Ⓑ leather mousepad.