
Krebs fan creates new Trojan

August 21, 2017

Miner Trojans, which use computer resources to mine cryptocurrencies, have been around since 2011. In recent years, interest in such malicious programs has not waned among criminals, as is evidenced by the emergence of new programs of this type.

Miner Trojans appear regularly, and Doctor Web’s virus analysts have noted a curious trend: the creators of these programs are now targeting the Linux platform. Smart devices running Linux have recently become very popular, and their owners do not change the default settings, most notably the administrator login and password. This is why breaking into such devices is not a major problem for cybercriminals.

Linux.BtcMine.26 is yet another miner Trojan for Linux devices. Its distribution scheme resembles the infection mechanism of Linux.Mirai: cybercriminals connect to the targeted device over the Telnet protocol, having picked out a login and password that work, and save the loader program on the device. They then launch the loader from the terminal with a console command, and Linux.BtcMine.26 is downloaded to the device.
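The infection path above starts with repeated Telnet login attempts against default credentials, which leaves a recognisable trace: a burst of failed logins from one source followed by a success. The script below is an added example, not code from Doctor Web or from the article; it runs detection logic over constructed, syslog-style login lines whose exact format is an assumption, so the two regular expressions would need adjusting to the real logging of a given device.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed syslog-like format for a
# Linux device's Telnet login service (not taken from the article).
# Addresses are from documentation ranges.
SAMPLE_LOG = """\
Aug 21 03:14:01 iotcam login[812]: FAILED LOGIN 1 from 198.51.100.7 for root
Aug 21 03:14:03 iotcam login[812]: FAILED LOGIN 2 from 198.51.100.7 for root
Aug 21 03:14:05 iotcam login[812]: FAILED LOGIN 3 from 198.51.100.7 for admin
Aug 21 03:14:07 iotcam login[812]: FAILED LOGIN 4 from 198.51.100.7 for admin
Aug 21 03:14:09 iotcam login[812]: FAILED LOGIN 5 from 198.51.100.7 for admin
Aug 21 03:14:11 iotcam login[812]: LOGIN on pts/0 from 198.51.100.7 by admin
Aug 21 03:20:00 iotcam login[901]: LOGIN on pts/1 from 192.0.2.10 by admin
"""

# Assumed message shapes; adapt these to the device's actual log format.
FAILED_RE = re.compile(r"FAILED LOGIN \d+ from (?P<src>\S+) for (?P<user>\S+)")
SUCCESS_RE = re.compile(r"LOGIN on \S+ from (?P<src>\S+) by (?P<user>\S+)")


def find_guess_then_login(log_text, threshold=3):
    """Return (source, user, failures_before_success) for every source that
    logged in successfully after at least `threshold` consecutive failures.

    Failure counts are kept per source address and reset on each success,
    so an ordinary login with no preceding failures is never reported.
    """
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("src")] += 1
            continue
        m = SUCCESS_RE.search(line)
        if m:
            src = m.group("src")
            if failures[src] >= threshold:
                hits.append((src, m.group("user"), failures[src]))
            failures[src] = 0
    return hits


if __name__ == "__main__":
    for src, user, count in find_guess_then_login(SAMPLE_LOG):
        print(f"ALERT: {src} logged in as '{user}' after {count} failed attempts")
```

On the constructed input the only alert is for 198.51.100.7, which succeeded as `admin` after five failures; the later login from 192.0.2.10 had no failures before it and is ignored. The threshold is deliberately low because a device with a default password typically falls within a handful of guesses.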

An analysis of the miner loader has revealed a peculiar feature of this app: in its source code, is mentioned several times. This website is owned by the well-known cybersecurity expert Brian Krebs. Apparently, the author of the Trojan is a secret admirer of his.

[Screenshot: Linux.BtcMine.26]

The Trojan is designed to mine Monero (XMR), a cryptocurrency created in 2014. Currently, Linux.BtcMine.26 builds are known to exist for the x86-64 and ARM hardware architectures. The following characteristic signs can reveal that a miner is present: a decrease in device speed and an increase in heat emission during operation. The most reliable way to prevent devices from becoming infected by such Trojans is to change the default login and password promptly. Complex passwords that cannot be compromised by a dictionary search are recommended. It is also advisable to restrict remote changes to a device’s settings when external connections are made to it.
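The recommendation above, a password that a dictionary search cannot recover, is easiest to enforce at the moment the password is set. The following is an added example, not code from Doctor Web or the article: a small policy check that folds case, undoes common letter-for-digit substitutions and strips trailing digits or punctuation before comparing against a word list, so variants such as `Admin2017!` are still caught. The word list is a constructed stand-in for a real dictionary of common and default credentials.

```python
import re

# Constructed mini word list standing in for a real dictionary of common
# passwords and factory-default credentials (not from the article).
WORDLIST = {"admin", "root", "password", "123456", "default", "support", "user"}

# Undo the usual substitutions: 0->o, 1->i, 3->e, 4->a, $->s, @->a
LEET_MAP = str.maketrans("0134$@", "oieasa")


def _normalize(candidate):
    """Lower-case, drop a trailing run of digits/punctuation, then reverse
    common substitutions, so 'P@ssw0rd123!' compares as 'password'."""
    c = candidate.lower()
    c = re.sub(r"[\d\W_]+$", "", c)
    return c.translate(LEET_MAP)


def is_dictionary_guessable(password, wordlist=WORDLIST):
    """True if the password, or its normalized stem, is a word-list entry."""
    return password.lower() in wordlist or _normalize(password) in wordlist


def check_password(password, min_len=12, wordlist=WORDLIST):
    """Return the list of reasons the password is rejected; empty means acceptable."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if is_dictionary_guessable(password, wordlist):
        reasons.append("derived from a dictionary word or default credential")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for pw in ("admin", "P@ssw0rd123!", "Xq7!vLm2#rTz9"):
        verdict = check_password(pw) or ["ok"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

`P@ssw0rd123!` passes the length and character-class rules but is still rejected, which is the point of normalizing before the dictionary lookup: a device password built from a default credential plus a year or symbol is exactly what a dictionary-with-mutations search recovers first.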

The Linux.BtcMine.26 signature has been added to the Dr.Web for Linux anti-virus database so this Trojan does not pose a threat to our users.
