[Alert] Mining Worm WatchDogsMiner Infects Linux Servers

23/02/2019 16:05:49

The Sangfor Technologies security team has recently detected and identified a new mining worm, WatchDogsMiner, which has become widespread on many Linux servers both in and outside the public cloud. This mining worm causes crontab task errors, network connection errors, deletion of system files and CPU slowdown among other issues and has greatly impacted certain customers' business systems. Sangfor security experts were invited by several customers to perform remote troubleshooting and analysis, confirming that the Linux servers were vulnerable to infection from WatchDogsMiner and verifying that it is quite difficult to remove.

Sangfor reminds customers in Asia to be alert to potential infection from WatchDogsMiner and to safeguard their Linux systems from this mining worm.

Virus Name: WatchDogsMiner

Virus Type: Mining Worm

Impacted Scope: Public cloud users in Asia

Threat Level: High

Spread Method: Unauthorized Redis access and an SSH brute-force attack is launched across internal and external networks

Checking for Virus Infection

Checks of infected servers discovered that several common commands were deleted after infection.

The authorized key file was deleted and open login is no longer supported.

The built-in email application received related notifications, including notifications and commands about scheduled tasks.
A root scheduled task was found in the crontab task directory.
Some Sangfor Security Intelligence customers were alerted to security events like cryptocurrency mining, database scanning and SSH brute-force attacks, etc.
[1] WatchDogsMiner is a complicated virus with an SH script virus vector from pastebin.com/raw/sByq0rym.
[2] The SH script is mainly responsible for preparing the host environment and downloading and executing mining virus.
[3] The virus is an .elf file downloaded from thyrsi.com/t6/672/1550667479x1822611209.jpg.
[4] The virus is written in Go language and spreads by exploiting SSH and Redis vulnerabilities. The virus runs in the background and mines for Monero.
Mining Module Analysis
The virus is an .elf file written in Go language. It has a network communication module and encryption algorithm and also conducts Redis attacks, SSH brute-force attacks and mining.
The details are as follows:
It starts and executes vector script saved in pastebin.
It writes a mining module into /tmp/ksoftirqds and executes it.
Redis Attack Module

SSH Brute-Force Attack Module

Vector Function Analysis
It accesses certain links at defined interval, executes vector scripts and terminates other mining processes:
It modifies directory attributes for required operations, deletes crontab tasks and services and clears files related to the BillGates virus as well as killing its related processes:
It updates mining a Trojan:
It clears logs and other information:


WatchDogsMiner Removal:

1. Delete malicious dynamic link library /usr/local/lib/libioset.so.

2. Clear crontab errors and delete malicious tasks (if this step cannot be performed, please try step 4-a first.)

3. Terminate mining progress by executing kill command.

4. Check for and clear up virus files:

a. chattr -i /usr/sbin/watchdogs /etc/init.d/watchdogs /var/spool/cron/root /etc/cron.d/root

b. chkconfig watchdogs off

c. rm -f /usr/sbin/watchdogs /etc/init.d/watchdogs

5. Reinstall netstat and other system commands if deleted by the worm.

6. Install busybox and delete the read-only file by executing busybox rm commands, as the related commands are linked.

7. Reboot the device to put changes into effect.


WatchDogsMiner Prevention:

1. Set password authentication for Redis access, block Redis access from external network and run Redis server with low privileges (restart Redis to apply the changes).

2. Strengthen computer passwords and avoid using the same passwords for multiple computers.

3. Sangfor NGAF and EDR can prevent brute-force attacks. Turn on brute-force attack prevention on NGAF and enable Rule 11080051, 11080027 and 11080016. Turn on brute-force attack prevention on Sangfor EDR.

4. For Sangfor NGAF customers, update NGAF to version 8.0.5 and enable Sangfor Engine Zero.

Perform a security scan and virus removal on the whole network. We recommend Sangfor NGAF and EDR to detect, remove and protect your internal network.


Consultancy and Services

Contact us by any of the following means to gain consultancy and support services for free.


Consultancy and Support for victims of WatchDogsMiner:

1) Call us at +60 12711 7129 (7511)

2) Visit Sangfor Community (http://community.sangfor.com) and ask for a Virtual Agent.

Our Social Networks

Global Service Center: