back to article Miner vs miner: Attack script seeks out and destroys competing currency crafters

Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers. The miner in question was first noticed by SANS Internet Storm Center handler Xavier Mertens. Mertens spotted the PowerShell script on March 4, and noting that it kills any other CPU-greedy processes it spots on target …

  1. bombastic bob Silver badge
    Joke

    In the movie 'Hackers'

    there was this one scene where 'Zero Cool' was having a turf war on a TV network control computer against "some other hacker". It turned out to be his future girlfriend. How cute, they met while duking it out on someone else's "puter". Heh.

    The future realm of online dating - two potential lovers, trying to take over some innocent victim's computer for bitcoin mining. Awwww... [and they were all filled with 'awe'],

  2. Neil Barnes Silver badge

    damn...

    both those links were 'go to and never come back' pages. Not very friendly to hijack the back button...

    1. andyp-random-number

      Re: damn...

      ...isn't that annoying. If there is a case for changing a browser, making the back button work every time would be my number 1 target.

      ...just like the back button on Android. ie, close the app and go back to where you were. When a browser opens a new tab, close it and return to previous tab

  3. Anonymous South African Coward Silver badge

    It seems as if it is the taste of things to come.

    Especially with crypto-malware - you get infected with one variant that encrypts your stuff, then demand payment. Then another cryptolocker comes along, kicks the original crypto off, and encrypts everything again, and demand payment...

    Backups will be key.

    That, and eternal vigilance, a tenpack of Rennies and a fridge/cupboard full of [insert your fave energy drink/stay-awake drink here].

    1. Doctor Syntax Silver badge

      "It seems as if it is the taste of things to come."

      OTOH it seems like the sort of script for the user to run periodically. It would just need to be kept up to date.

    2. Voidstorm
      FAIL

      Meanwhile...

      ... the real hack has been to the fridge, which is now DDosing Google (or whatever) while being totally unfixable (by you the owner) into the bargain.

      Fun times, eh? /s

  4. edge_e

    This is all getting a bit manic if you ask me. Where's Eugene fit into this?

    1. Prst. V.Jeltz Silver badge

      Well , this blogger seems to have kept track of what Eugene is doing these days

      https://gregashman.wordpress.com/2016/06/21/eugenes-lair/

  5. israel_hands

    Thanks for clearing that up

    Pre-infection, the attack script checks whether a target machine is 32-bit or 64-bit and downloads files known to VirusTotal as hpdriver.exe or hpw64 (they're pretending to be HP drivers of some kind).

    It's this kind of insightful analysis that keeps me coming back to this place.

    1. Anonymous Coward
      Anonymous Coward

      Re: Thanks for clearing that up

      On the other hand, sometimes I forward el-reg articles to my boss - and he may well need that sort of "insight" as not a techie and certainly does not look at file systems.

  6. FozzyBear Silver badge

    downloads files known to VirusTotal as hpdriver.exe or hpw64 (they're pretending to be HP drivers of some kind)

    HP print drivers attempt that too.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019