SCF Advanced Search



  • Total Posts: 39447
  • Total Topics: 13710
  • Online Today: 596
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)


Author Topic: Bitcoin Miners Use AutoIt-Complied Programs With Antianalysis Code  (Read 5114 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Bitcoin Miners Use AutoIt-Complied Programs With Antianalysis Code

Last year, my colleague Itai Liba blogged about the association between malware and AutoIt, a very convenient environment for malware and tools development. AutoIt allows both easy interface creation for rapid development and full Windows API access for whatever is not directly supported. We have seen an increase in the use of AutoIt scripts by malware authors and other bad guys to achieve their malicious ends.

Recently, we have seen AutoIt-compiled programs that drop malicious Bitcoin mining programs. The malware authors are using not only encrypted code but are also focusing on antianalysis code to bypass common analysis tools/systems used by security researchers. We have come across such multiple malicious tools on public forums that offer free premium accounts to online hosting services. Interestingly, if you run one of these malicious programs under VMware, the malware won’t run and throws up an error message that looks genuine.

Looking at the preceding message, most of us will think that the program has problem with its Internet connection or firewall and few may think to examine this further. But this malicious program can detect VMware, Sandboxie, and other spy programs, and deliberately displays this error to avoid analysis by researchers. Let’s find the cause of this error. Searching strings in the main program tells us that the program has been compiled using AutoIt.

Decompiling the program using Exe2Aut gives us the full original script code along with the embedded encrypted file 1.crypt. The decompiled code has about 2,000 lines; most of the code is from the AutoIt wrapper for WinHTTP functions called WinHTTP.au3. Here is snippet of exact code:

This code is not used at all. It’s here just to divert the attentions of researchers from looking into the main code. Here is the start-up code of this script:

The preceding code displays splash screen and finds required paths by detecting the operating system. The code then checks for the Sandboxie process SbieCtrl.exe and if that process is detected exits by displaying a similar error message as seen earlier. The script then calls the function _checkforspy(). The program doesn’t run any GUI offering free premium accounts and throws up a similar error message even if it runs on a clean system. Here is how the _checkforspy() code looks:

This function calls two more functions: one to check if the system is a virtual PC and the second to find analysis programs such as SysTracer, oSPY, API Monitor, etc. by looking at open program windows. Here is the itsvirtualpc() function:

The script checks for the presence of driver files VboxMouse.sys and vmmouse.sys to detect a virtual operating system and exits immediately by showing the “Connection failed” error. That’s the reason this program will not run under VMware. We can’t further analyze the malicious code. We could recompile the script by commenting out the antianalysis code with the help of AutoIt. Let’s now look at the _install() function of the same code:

The script drops GoogleSetup.exe in the Windows directory and installs the encrypted file 1.crypt by calling the _crypt_decryptfile function. The file 1.crypt is encrypted using the $CALG_AES_128 algorithm with the key fuck123. The script writes a registry key and runs GoogleSetup.exe. The dropped executable is again an AutoIt-compiled program that drops a CPU-miner program similar to this CPUminer. Here is the code that drops and runs the Bitcoin-mining code:

The dropped miner program keeps on sending POST requests to the mining service shown below:

Attackers have used AutoIt scripts for a long time, and it is gaining popularity due to its flexible and powerful nature. The output of the AutoIt script is a single executable, with no dependencies, that contains a script and attached binaries. Although AutoIt-compiled programs are easy to decompile with the help of antianalysis code and encrypted malicious code, they can evade manual as well as automated analysis.

Original article: Friday, August 2, 2013 at 1:37am by Umesh Wanve
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -


  • SCF Authority Member
  • ****
  • Posts: 842
  • KARMA: 20
  • Gender: Female
The process by which new Bitcoin is entered into circulation is called mining. It using sophisticated computers that solve extremely complex computational math problems. Therefore traders should have a vast knowledge of cryptocurrency and forex. FreshForex broker provides the best guidelines for the investors and it provides various offers for investing or exchanging digital currency.

Samker's Computer Forum -


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising