Cryptomining malware now targeting older Windows servers

Fresh from reports that nearly 1,000 websites were found using JavaScript injections to hijack the computers of visitors as a means to mine for cryptocurrency, new research has uncovered malware targeting older Windows servers for exactly the same purpose.

The Monero-mining malware is believed to have been in the wild since May and is targeting servers running Windows Server 2003 via CVE-2017-7269, a known buffer overflow vulnerability in Microsoft Internet Information Services 6.0. A report in March noted that, remarkably, some 8 million web servers were vulnerable to being attacked.

IIS 6.0 is no longer supported as it last shipped with Windows Server 2003. But in an unprecedented move, Microsoft did actually issue a patch for the platform, addressing the vulnerability in May.

ESET spol. s r.o., which first discovered the malware, said in a blog post that over the course of three months, the hackers behind the campaign have created a botnet of several hundred infected servers and made over $63,000 worth of Monero.

The malware used to mine for Monero is described as a fork of a legitimate open-source Monero central processing unit miner. The people behind it made minor changes, including adding their wallet address, mining pool URL and a “few arguments to kill all previously running instances of itself.”

Addressing why hackers have started to focus on mining Monero, the researchers explained that the cryptocurrency has several features that make it more attractive than mining bitcoin, including “untraceable transactions and a proof of work algorithm called CryptoNight, which favors computer or server CPUs and GPUs [graphics processing units], in contrast to specialized mining hardware needed for bitcoin mining.”

Those who are running Windows Server 2003 with IIS 6.0 are urged to immediately update their servers with the available patch to avoid having their processing power hijacked for Monero mining.

“We see that minimal know-how together with very low operating costs and a low risk of getting caught – in this case, misusing legitimate open-source cryptocurrency mining software and targeting old systems likely to be left unpatched – can be sufficient for securing a relatively high outcome,” they concluded. “Sometimes it takes very little to gain a lot, and this is especially true in today’s world of cybersecurity, where even well-documented, long-known and warned about vulnerabilities are still very effective due to the lack of awareness of many users.”

Photo: Pixabay
