January 13, 2014

Russian anti-virus company Doctor Web is informing users about the malignant program Trojan.BtcMine.221 which is designed to mine litecoins. The Trojan spreads in the guise of various applications and browser extensions—for example, one of them supposedly helps users find lower priced goods online.

This malware is distributed from several sites belonging to criminals. The program's developers claim that the extension, whose title is Shopping Suggestion, automatically acquires information about the goods users are viewing in their browsers and searches the Internet for the same goods at lower prices. Also, this Trojan is often disguised as other applications, such as the VLC-player or software for anonymous surfing on the Internet. It bears mentioning that the malware has been spreading over the Internet for at least a year. In fact Trojan.BtcMine.221 mines litecoins (an alternative to bitcoins), for which it utilizes hardware resources of the computer without the user's knowledge. It should be noted that the digital signatures were obtained by the developers for legitimate applications with similar names, but the signatures are utilised for the Trojan too.

According to statistics compiled by Doctor Web's analysts, in December the botnet created using Trojan.BtcMine.221 included 311,477 bots. The largest number of hosts infected by Trojan.BtcMine.221 (56,576) are located in the United States. Brazil ranks second with 31,567 bots, and Turkey ranks third with 25,077 compromised machines. Russia, with 22,374 registered installations, is in fourth place. The distribution of infected computers by country is shown on the illustration below.

An average of 203,406 bots go online every day. As many as 49,149 newly infected machines connected to the network in just three days in December 2013, while the number of Trojans removed during the same period reached only 6,028.

The Trojan.BtcMine.221 botnet consists of several subnets, which differ according to the Trojan miner version operating on the compromised computers. Some of them use CPU resources for mining, while others utilise GPUs. One of the subnets includes about 65,000 active bots. The average daily income for the criminals involved is 1,454.53 U.S. dollars. The Average processing power of that subnet (hash rate) is 167,647 KH/s; the daily fluctuations of this indicator can be traced on the graph presented below:

If you suspect that such a Trojan has penetrated your system, it is recommended that you perform a full scan of your computer with Dr.Web scanner or the free curing utility Dr.Web CureIt!.