Monero Mining Malware: Here Is What You Need To Know

Monero (XMR) is ‘coin’ in Esperanto. It is one of the many cryptocurrencies currently on the market. It is unique among cryptocurrencies in that it is not founded on the blockchain. Instead, transacting on the Monero network means you enjoy 100% untraceability of sending, receiving, and the amount transacted.

The coin is a result of the mistrust that arose on the blockchain network, where miners would mine only to discover that the coins (at that time, bitcoins) had already been pre-mined. This had been made possible by the transparency feature of the blockchain, which allows all transactions to be viewed by the public.

If you are new to cryptocurrency, visit for more on how Monero works.

How did Monero undertake to correct the transparency problem?

To counter the publicity issue that was already causing a stir in the industry, Monero came up with carefully thought-out strategies meant to be foolproof with respect to the identity of the transacting parties and the details of the transactions conducted.

  • Monero introduced ring signatures and private addresses in place of actual identification on the system.
  • A user’s private key is mixed with other public keys on the system by the ring signature, making a transaction unlinkable to any particular user.
  • Addresses are likewise randomly generated for every transaction, so no fixed address can be tied to a user or their activity.

By so doing, Monero addressed the security issue. However, with every technology the downside eventually rears its ugly face, and so it has been with Monero.

Monero mining malware

Malware is short for ‘malicious software’, a general term for intrusive software deliberately injected into an existing computer program with malicious intent, without the knowledge or consent of the program’s user.

Monero has fallen prey to malware. It became susceptible because it can be mined using the CPU. The Read/Write web server was accessed and enabled, and the criminals infected unpatched servers with malware that in turn infects the computer and borrows its CPU power to mine Monero. The operation began as early as May 2017, and in only three months the attackers had made $63,000 in Monero coins.

The very feature that makes Monero attractive for untraceability, the CryptoNight algorithm, is also what makes it well suited to mining on CPU and GPU servers. These servers are no longer used for bitcoin mining because of the large amounts of power required to run them vis-à-vis the growing number of miners and transactors. More advanced hardware was adopted for mining bitcoin to cope with that growth, leaving CPUs and GPUs for mining the smaller coins.

Accordingly, the clever attackers did not tamper with the original code base but rather added a hardcoded command line to the existing one. The additional command line:

  • included the hackers’ wallet address, and
  • the hackers’ mining pool URL.
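Because the miner is launched with its wallet address and pool URL hardcoded on the command line, those two values are a practical thing for a defender to look for in process telemetry. The following is an added example (not code from the article or from any miner) that scans constructed sample command lines for a Monero address, a stratum pool URL and miner-style switches; the flag list and sample lines are assumptions.

```python
import re

# Monero standard addresses are 95 base58 characters starting with '4'; subaddresses
# start with '8'. Base58 omits 0, O, I and l. The look-arounds stop a longer
# base58 run from matching.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDRESS = re.compile(rf"(?<!{_B58})[48]{_B58}{{94}}(?!{_B58})")
# Mining pools speak stratum; the URL normally carries host and port.
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-\[\]:]+", re.IGNORECASE)
# Switches typical of CPU miners (xmrig/cpuminer style). Assumed, not exhaustive.
MINER_FLAGS = ("--donate-level", "--algo", "--threads", "--url=", "--user=", "-o ", "-u ")

# Constructed sample command lines: two miner-like, two benign.
SAMPLE_CMDLINES = [
    "xmrig.exe -o stratum+tcp://pool.example.invalid:3333 -u 4" + "A" * 94 + " -p x --donate-level=1",
    "/tmp/.x/minerd --url=stratum+tcp://203.0.113.10:14444 --user=8" + "B" * 94 + " --pass=x",
    "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "python3 app.py --port 8080",
]


def inspect_cmdline(cmdline: str) -> dict:
    """Return the miner indicators found in one process command line."""
    wallet = MONERO_ADDRESS.search(cmdline)
    pool = POOL_URL.search(cmdline)
    flags = [f for f in MINER_FLAGS if f in cmdline]
    return {
        "cmdline": cmdline,
        "wallet": wallet.group(0) if wallet else None,
        "pool": pool.group(0) if pool else None,
        "flags": flags,
        # A wallet address or pool URL alone is a strong signal; switches alone
        # are only a hint, so require at least two of them.
        "suspicious": bool(wallet or pool) or len(flags) >= 2,
    }


def scan(cmdlines) -> list:
    """Return the findings for every suspicious command line, in input order."""
    return [r for r in (inspect_cmdline(c) for c in cmdlines) if r["suspicious"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(f"suspicious: pool={finding['pool']} wallet={finding['wallet']} flags={finding['flags']}")
```

In practice the input would come from process creation events (for example Sysmon event ID 1 or an EDR feed) rather than the embedded list, and a match should be treated as a lead to triage, not proof on its own.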

Once this addition has run to the end, instead of finishing and moving on to the next transaction, it receives an extra “else” command, meaning that execution is not over until the new commands have been included. Because the code base never provided for this, the result was a buffer overflow stemming from the double re-allocation.

This overflow allows the execution of arbitrary code beginning with an ‘IF’ request. The transformation moves bytes between source and target without the former limits: the target buffer is now effectively large enough, because it is no longer bounded by bytes but by characters.

The attackers then exploit the overflow to get past the security check by running logic that flows several times over the vulnerable code, abusing it. By abusing it, two goals are achieved:

  1. the payload is moved to the heap without corrupting the input, so no integrity issue is raised, and
  2. variables that had been allocated by the code base are overwritten, and arbitrary code can now be run.

On completion of the run, the shellcode decodes itself to recover its original form and continues to the next transaction.

Exploitation of this vulnerability is still ongoing, though now more sporadic than before. It is detected as scanning from a single IP address hosted on an Amazon cloud server, which the attackers continue to use to carry out their attacks.

Action Taken

In July 2015, Microsoft ended regular update support for Windows Server 2003. With this came a host of exposures to other vulnerabilities that could no longer be ignored. In June 2017, Microsoft took up the challenge and released a patch for these vulnerabilities to avert mass damage from attacks. This has gone a long way towards providing some form of protection.

However, updating Windows Server 2003 is not always easy. You will encounter error number 0x80072EFF as you try to do so. This can be corrected by upgrading Internet Explorer to version 8, the highest version supported on Windows Server 2003. Because the download site cannot be browsed with Internet Explorer 6, use another computer to download the upgrade file and copy it onto the Windows Server 2003 machine. This applies to all x86-based and x64-based versions of Windows Server 2003.

Final word

Monero mining malware is just one of the ways attackers have manipulated the system to siphon hundreds of thousands in cash from unsuspecting users. Virtually every coin has been under some form of attack. Users need to keep abreast of any vulnerability news highlighted from time to time through the various media, equip themselves with the latest and improved security features, and keep adding protective measures every now and again. Attackers thrive on ignorance, and on the fact that an attack costs them very little: all they need is some technical know-how to gain so much. It is also a very low-risk venture for the attacker, which makes it very lucrative. Malware is a delicate issue and will be around as long as the original software is, so we had all better brace ourselves to counter it with knowledge.

  1. The article is very easy to understand. I have also read many other articles, and I found that your article has given me a lot of helpful information; thank you for sharing.