The rise in Bitcoin values seems to have caused an equal increase in Bitcoin spam as malware authors attempt to make money off the many new market participants. One site that was spammed to me three times in one day is bitcoin-alarm.net. I ignored it the first two times, but they must have really wanted me to look at it, so who am I not to oblige.
The site promises a tool to notify you of market changes by SMS, without ever mentioning any nefarious behaviour. YouTube videos teach you what Bitcoin is, and how to install this free tool. They even provide a link so you can donate to the author, although it appears no one has chosen to do so. This I have to download.
The download BitcoinAlarm.exe (MD5: edfa12d4a454b0eb786bbe92050ab88a) had just 1 hit on VirusTotal when I first scanned it (from Kaspersky). Is it a false positive on a nice free tool? Let's dig deeper.
The download is an installer. A quick strings didn't turn up anything interesting, so let's try binwalk:
I carved out this RAR archive to see what it contains:
dd if=BitcoinAlarm.exe.virus of=out.rar bs=1 skip=756224
mkdir ext
unrar x out.rar ext/
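The binwalk-then-dd step above generalises to a small carver: scan the suspect file for archive signatures and write out everything from the first hit, recording the hash of what was carved. This is an added example, not the original post's code; the sample bytes it scans are constructed (a fake DOS stub followed by a bare RAR 4 header) and the recognised signatures extend the page's RAR case to ZIP, 7z and RAR 5.

```python
"""Find and carve an archive embedded in an executable, the step done above with binwalk and dd.
Added example; not the original post's code. The sample bytes below are constructed."""
import hashlib
import sys

# Magic bytes a quick scan should recognise (RAR 4.x and 5.x, ZIP, 7z).
SIGNATURES = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def find_archive_offsets(data: bytes) -> list:
    """Return (offset, kind) for every archive signature in data, lowest offset first.
    This is the part of binwalk's output the analysis above relied on."""
    hits = []
    for sig, kind in SIGNATURES.items():
        pos = data.find(sig)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def carve(data: bytes, offset: int) -> bytes:
    """Same as 'dd bs=1 skip=<offset>': everything from offset to end of file."""
    return data[offset:]


def md5_hex(data: bytes) -> str:
    """MD5 of a blob, for recording the hash of what was carved."""
    return hashlib.md5(data).hexdigest()


# Constructed sample: a fake DOS stub followed by a RAR 4 header; no real malware involved.
SAMPLE_STUB = b"MZ" + b"\x00" * 100 + b"This program cannot be run in DOS mode" + b"\x00" * 200
SAMPLE_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 32
SAMPLE = SAMPLE_STUB + SAMPLE_RAR

if __name__ == "__main__":
    # Usage: python carve.py <suspect.exe>   (defaults to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, kind in find_archive_offsets(blob):
        out = carve(blob, offset)
        name = f"carved_{offset}.{kind}"
        with open(name, "wb") as fh:
            fh.write(out)
        print(f"{kind} at offset {offset}: wrote {len(out)} bytes to {name} (md5 {md5_hex(out)})")
```

Carving to end-of-file is what the dd command does too; unrar ignores trailing bytes, so the exact archive length is not needed for extraction.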
There's an SFX script run; let's see what it does:
A quick check of winupdate.exe with VirusTotal shows that it's the valid (and non-malicious) AutoIt executable. AutoIt is a great little scripting language for Windows; it's especially useful for automating GUI-related tasks. So if winupdate.exe is AutoIt, that would make 5943564.IFW an AutoIt script. It looks like it was obfuscated somewhat, though:
Run it through
sed -e '/^;[0-9]/d'
to clean up the garbage and we end up with this script. It starts by checking if Avast is running and if so it sleeps for 20 seconds. I guess this is long enough for Avast to get bored and go look at something else:
Well, that's certainly not a good sign. There's a pretty solid chance that if software is checking for an antivirus engine, it's up to no good. A scan of the rest of the file turns up other interesting methods like "disable_uac", "anti_hook", "persistence", "botkiller", "downloader", "disable_syste_restore". It's starting to look like Kaspersky was right; congrats on being the 1/49 to detect this.
I see a lot of calls to IniRead(), and they're all reading 65901.PPZ. It looks like this is the configuration file. It contains:
6662859=9455413
6224525=3244993
5598349=4588436
6296134=4064234
1109091=asvep
Matching these to the script, we find the sections are:
# 6404000 == disable_uac()
# 2244034 == AdlibRegister("anti_hook", 500)
# 3206254 == AdlibRegister("persistence", 500)
# 5378250 == startup()
# 1109021 == $sKey
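The two manual steps above, stripping the obfuscator's numbered comment lines with sed and then matching each IniRead() call to a key in 65901.PPZ, can be done in one pass so the config values line up with the code that reads them. This is an added example, not the post's own code or the malware's script: the AutoIt snippet it cleans is constructed to mimic the structure described (junk ";<digits>" lines between real IniRead calls, a section name of "main" that is assumed), while the key=value pairs are the ones dumped from the configuration file above.

```python
"""Strip the obfuscator's junk comment lines (what the sed one-liner above does) and resolve
each IniRead() call against the dumped configuration file. Added example, not the post's own
code; the script text below is constructed to mimic the structure described, and the "main"
section name is an assumption. The config values are the ones dumped from 65901.PPZ."""
import re

# Same filter as: sed -e '/^;[0-9]/d'  (a comment line that begins with a digit is junk).
JUNK_LINE = re.compile(r"^;[0-9]")

# IniRead(filename, section, key, default): capture the section and key string literals.
INIREAD_CALL = re.compile(r'IniRead\(\s*[^,]+,\s*"([^"]*)"\s*,\s*"([^"]*)"')


def strip_junk(script: str) -> str:
    """Drop every line the obfuscator inserted; real comments ("; ...") survive."""
    return "\n".join(l for l in script.splitlines() if not JUNK_LINE.match(l))


def parse_ini(text: str) -> dict:
    """Parse key=value lines into a dict, ignoring blank lines and [section] headers."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip()
    return config


def resolve_inireads(script: str, config: dict) -> list:
    """Return (line_no, section, key, value) for each IniRead call in the cleaned script;
    value is None when the key is absent from the config, which is worth noticing too."""
    found = []
    for line_no, line in enumerate(script.splitlines(), start=1):
        for section, key in INIREAD_CALL.findall(line):
            found.append((line_no, section, key, config.get(key)))
    return found


# Constructed AutoIt fragment: junk comment lines interleaved with two IniRead calls.
SAMPLE_SCRIPT = r'''
;3341 xqz wvp junk inserted by the obfuscator
Global $sKey = IniRead(@ScriptDir & "\65901.PPZ", "main", "1109091", "")
;9921 pqr more junk
If IniRead(@ScriptDir & "\65901.PPZ", "main", "6662859", "") = "9455413" Then disable_uac()
; analyst note: a real comment, kept because it does not start with a digit
'''.strip("\n")

# Contents of 65901.PPZ as dumped above.
SAMPLE_CONFIG = """\
6662859=9455413
6224525=3244993
5598349=4588436
6296134=4064234
1109091=asvep
"""

if __name__ == "__main__":
    cleaned = strip_junk(SAMPLE_SCRIPT)
    for line_no, section, key, value in resolve_inireads(cleaned, parse_ini(SAMPLE_CONFIG)):
        print(f"line {line_no}: [{section}] {key} -> {value!r}")
```

Keys that resolve to nothing are reported as None rather than skipped: a key the script reads but the config never sets usually means a second configuration source, or a sample that was dumped incompletely.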
This crypto key is used in Main to decrypt and run the file 20070.RQT:
The easiest way to decrypt this file was to simply let the script do the work. There's a lot of code outside of functions, though, so care has to be taken to remove everything non-crypto related. Remove the _RunPE() call and replace it with
FileWrite($uniscriptdir & "DECRYPTED", $sArquive)
The decrypted file had 30/48 hits on VirusTotal when I scanned it (MD5: 224c73f8172123e5ddca2302425664a6). It's called NetWiredRC and is a remote access trojan made for stealing login information, likely in this case being used to steal Bitcoins. It connects to bitcoins.dd-dns.de on port 3360.
Some choice credential related strings from the decrypted malware:
%s\Thunderbird\profiles.ini
select * from moz_logins
%s\.purple\accounts.xml
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
This free utility is nothing more than malware with a very low detection rate being spammed to anyone that might have a Bitcoin sitting around. When I checked the domain with urlvoid it had zero 'bad' reports and was not blacklisted. I've since submitted the domain to multiple scanners and it's now detected by Scumware.
On a recheck BitcoinAlarm.exe’s detection is up to 14 of 49 scanners, and the download link appears to return 404. bitcoins.dd-dns.de is no longer answering on port 3360.
Never before has it been so easy to leave cash accessible from the Internet, so expect more malware to make off with your Bitcoin wallet. Bitcoins that are not in use should be moved off into cold storage, or donated to the human fund at 136K8a5Mb8uDguFb7RnoXz7gzBSe2xaEED (ahem, worth a shot right?).