This week Symantec disrupted a majority of the “ZeroAccess” botnet, which has affected about 1.9 million machines, more hosts than some legitimate Bitcoin mining pools.
This particular Bitcoin mining operation was only profitable through the use of stolen electricity. According to Symantec, ZeroAccess was using $561,000 worth of electricity each day on infected computers, to generate about $2,000 worth of Bitcoin.
Of course, as Symantec states, that doesn’t matter if you’re a criminal stealing others’ resources. The company’s figures rest on a few assumptions: the value of Bitcoin, the average processing power of a bot, and how much extra electricity the mining process consumes.
The fact is, mining with a botnet works and is becoming more prevalent in Bitcoin mining, so prevention is key. Because of botnets, mining difficulty will keep increasing! This won’t affect Bitcoin as a currency, but mining won’t be as profitable for regular miners, which gives miners a strong incentive to support the fight against botnets.
Botnets thrive on communication between your computer and their command-and-control (CnC) servers. That flow of traffic into and out of your PC is what lets security applications detect a known bot. Unfortunately, applications that can reliably detect known bots are scarce, to say the least, and antivirus software simply can’t keep up with the number of threats.
Even if your PC’s antivirus check comes out clean, stay observant. Microsoft provides a Malicious Software Removal Tool for free. Several versions of the tool are available from both Microsoft Update and Windows Update and are updated monthly; it runs in the background of your PC and sends a report to Microsoft whenever it detects and removes an infection. Run the utility yourself if you notice a sudden change in your PC’s performance.
Start testing for signs of a potential bot
First, monitor network activity. Run netstat and review all your inbound and outbound connections: does each one more or less make sense? Also run Wireshark from another, known-clean computer on the local network and check for any unusual traffic to or from unfamiliar non-local IP addresses.
If you find evidence of a bot, back up your vital data. Move all Bitcoin applications and wallet files to a secure, encrypted USB drive and uninstall the program. Refrain from opening documents from the compromised computer that could carry traces of the bot (Word documents, PDFs). Wipe the hard disk clean, re-install the operating system from a trusted source, and use different passwords afterwards.