[clamav-users] crypto currency miner

Matthew Molyett mmolyett at sourcefire.com
Tue Jan 2 21:45:58 UTC 2018


L,

minerd is being detected as a tool which has been encountered with malicious
usage. This specific tool has been observed being dropped and set up within
honey pots. As with other tools, it has legitimate usage, but it makes sense
to flag because it is a valid indicator of compromise when located
unexpectedly.



On Tue, Jan 2, 2018 at 3:26 PM, Al Varnell <alvarnell at mac.com> wrote:

> On Tue, Jan 02, 2018 at 09:40 AM, lejeczek wrote:
> > I'd like to ask if your miner, if you mine crypto coins that is, often
> > pops up in clamav?
> >
> > I have this one: https://github.com/sammy007/cpuminer-multi
> >
> > and it gets flagged as:
> >
> > ./cpuminer-multi/minerd: Unix.Tool.Minerd-6404314-0 FOUND
> >
> > Would someone know something more about that code and why clamav sees it
> > as .. right, as what exactly?
> >
> > many thanks, L.
>
> As others have said, ClamAV correctly identifies it as a miner tool used
> on a unix system and you will need to either ignore it or add it to your
> local whitelist.
>
> FYI, the logical signature is:
> VIRUS NAME: Unix.Tool.Minerd-6404314-0
> TDB: Target:6
> LOGICAL EXPRESSION: (0&1&2&3&4)
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> SUBSIGNATURE:
> 55736167653a206d696e657264205b4f5054494f4e535d
> Usage: minerd [OPTIONS]
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> stratum+tcp://
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> User-Agent: cpuminer
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> booooo
>  * SUBSIG ID 4
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> blake
>
>
> -Al-
> --
> Al Varnell
> ClamXAV user
>
>
>
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>



-- 

Matthew Molyett
Malware Researcher

mmolyett at cisco.com

Cisco.com - http://www.cisco.com
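The signature Al dumped above is a logical signature: five substring subsignatures joined by the expression (0&1&2&3&4), so a file is only flagged when all five strings are present. The following Python script is an added example, not ClamAV code and not part of the thread; it decodes the hex subsignature 0, reproduces the other four as the plain strings shown, and evaluates the logical expression with a small hand-written evaluator that only understands `&`, `|` and parentheses (ClamAV's real engine supports more operators and match counts). The two sample buffers are constructed here to show why a binary containing just a pool URL and a User-Agent string does not trip this signature.

```python
"""Re-implement the Unix.Tool.Minerd-6404314-0 logical signature as a check.

Added example: the subsignature strings and the logical expression are taken
from the signature dump in the thread; the evaluator, the helper names and the
sample buffers are assumptions made for this illustration, not ClamAV's own.
"""
import binascii
import re

SIGNATURE_NAME = "Unix.Tool.Minerd-6404314-0"

# SUBSIG ID 0 is printed as hex in the dump; the others are shown already decoded.
SUBSIG0_HEX = "55736167653a206d696e657264205b4f5054494f4e535d"

SUBSIGS = [
    binascii.unhexlify(SUBSIG0_HEX),  # decodes to b"Usage: minerd [OPTIONS]"
    b"stratum+tcp://",                # SUBSIG ID 1
    b"User-Agent: cpuminer",          # SUBSIG ID 2
    b"booooo",                        # SUBSIG ID 3
    b"blake",                         # SUBSIG ID 4
]

LOGICAL_EXPRESSION = "(0&1&2&3&4)"


def matched_subsigs(data):
    """Return the set of subsignature ids whose string occurs anywhere in data (OFFSET: ANY)."""
    return {i for i, pattern in enumerate(SUBSIGS) if pattern in data}


def evaluate(expr, hits):
    """Evaluate a logical expression over subsig ids against the set of matched ids.

    Simplified evaluator (assumption): supports integer ids, '&', '|' and
    parentheses with '&' binding tighter than '|'.  It does not implement the
    count operators ClamAV allows, which this signature does not use.
    """
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = parse_and()          # always parse, so pos advances
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        nonlocal pos
        token = tokens[pos]
        pos += 1
        if token == "(":
            value = parse_or()
            if tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in logical expression")
            pos += 1
            return value
        return int(token) in hits

    return parse_or()


def scan(data):
    """Return the signature name if the buffer satisfies the logical expression, else None."""
    return SIGNATURE_NAME if evaluate(LOGICAL_EXPRESSION, matched_subsigs(data)) else None


# Constructed sample buffers (not real binaries): the first carries every subsignature
# string, the second only the two network-related ones.
MINER_LIKE_SAMPLE = (
    b"\x7fELF...Usage: minerd [OPTIONS]\n"
    b"-o stratum+tcp://pool.example:3333\n"
    b"User-Agent: cpuminer/2.x\n"
    b"booooo\nblake\n"
)
PARTIAL_SAMPLE = b"stratum+tcp://pool.example:3333\nUser-Agent: cpuminer\n"


if __name__ == "__main__":
    for label, sample in (("full", MINER_LIKE_SAMPLE), ("partial", PARTIAL_SAMPLE)):
        print(label, sorted(matched_subsigs(sample)), scan(sample))
```

Running the script prints the ids matched by each buffer and the verdict: the first buffer hits ids 0 through 4 and is reported as Unix.Tool.Minerd-6404314-0, the second hits only 1 and 2 and is not. For the whitelisting Al mentions, ClamAV reads signature names to skip from a `.ign2` file in its database directory, one name per line, so a line reading `Unix.Tool.Minerd-6404314-0` in a local `.ign2` file suppresses this detection without disabling the rest of the database.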


