Cryptomining Botnet Alters CPU Settings To Boost Mining Performance (tomshardware.com)

Uptycs Threat Research Team has discovered malware that not only hijacks vulnerable *nix-based servers and uses them to mine cryptocurrency but actually modifies their CPU configurations in a bid to increase mining performance at the cost of performance in other applications. Tom's Hardware reports: Perpetrators use a Golang-based worm to exploit known vulnerabilities like CVE-2020-14882 (Oracle WebLogic) and CVE-2017-11610 (Supervisord) to gain access to Linux systems, reports The Record. Once they hijack a machine, they use model-specific registers (MSR) to disable the hardware prefetcher, a unit that fetches data and instructions from the memory into the L2 cache before they are needed.

Prefetching has been used for years and can boost performance in various tasks. However, disabling it can increase mining performance in XMRig, the mining software the perpetrators use, by 15%. But disabling the hardware prefetcher lowers performance in legitimate applications. In turn, server operators either have to buy additional machines to meet their performance requirements or increase power limits for existing hardware. In either case, they increase power consumption and spend additional money. The botnet has been reportedly used since at least December 2020 and targeted vulnerabilities in MySQL, Tomcat, Oracle WebLogic, and Jenkins.
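
A defender-side check for the MSR change described above, as an added example that is not part of the original story and not code from Uptycs or Tom's Hardware: it reads each core's prefetcher-control register through the Linux msr driver and reports which prefetchers are switched off. It assumes Intel cores where that register is MSR 0x1A4 (the story does not name the register); all function names are illustrative.

```python
import glob
import os
import struct

# Assumption: Intel cores exposing prefetcher control at MSR 0x1A4 (not named
# on the page). In this register a SET bit DISABLES the matching prefetcher.
MSR_PREFETCH_CONTROL = 0x1A4
PREFETCHER_BITS = {
    0: "L2 hardware prefetcher",
    1: "L2 adjacent cache line prefetcher",
    2: "DCU (L1 data) prefetcher",
    3: "DCU IP prefetcher",
}

def disabled_prefetchers(msr_value):
    """Return the names of prefetchers whose disable bit is set."""
    return [name for bit, name in PREFETCHER_BITS.items() if (msr_value >> bit) & 1]

def read_msr(cpu, register=MSR_PREFETCH_CONTROL, dev_root="/dev/cpu"):
    """Read one 64-bit MSR via /dev/cpu/N/msr (needs root and the msr module)."""
    fd = os.open(os.path.join(dev_root, str(cpu), "msr"), os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, register))[0]
    finally:
        os.close(fd)

def collect(dev_root="/dev/cpu"):
    """Read the register on every CPU the msr driver exposes."""
    values = {}
    for path in glob.glob(os.path.join(dev_root, "[0-9]*", "msr")):
        cpu = int(os.path.basename(os.path.dirname(path)))
        try:
            values[cpu] = read_msr(cpu, dev_root=dev_root)
        except OSError:  # register unsupported or device not readable
            continue
    return values

def audit(values_by_cpu):
    """Map cpu -> disabled prefetchers, keeping only CPUs with a finding."""
    findings = {}
    for cpu, value in sorted(values_by_cpu.items()):
        off = disabled_prefetchers(value)
        if off:
            findings[cpu] = off
    return findings

if __name__ == "__main__":
    for cpu, off in audit(collect()).items():
        print(f"cpu{cpu}: disabled -> {', '.join(off)}")
```

Treat a hit as a lead to compare against the host's known firmware settings, since prefetchers can also be turned off deliberately in the BIOS.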

This discussion has been archived. No new comments can be posted.

  • CrimeCoin (Score:2, Insightful)

    by Anonymous Coward

    Crypto's primary purpose is crime.

    • by Anonymous Coward
      The first function of the USD is racketeering: https://wtfhappenedin1971.com/ [wtfhappenedin1971.com]
      • by Anonymous Coward

        On Monday April 26, 2021 @02:16AM UTC, Pyrite Pete [urbandictionary.com] had said:

        That was back when bitcoin had already fallen, and down to about $47K at the time. It should've been back up to "twice its value" no later than June 26 2021 - nearly two months ago. It is now sitting at only about $47K.

        Now that's what I call a prediction #FAIL!

    • by Anonymous Coward

      You could say the same about precious metal, gemstones and fiat money. And it has been that way for thousands of years.

  • So, surreptitious crypto-miner software writers have enough incentive to perform some fairly sophisticated software performance analysis.

    Or, have they ripped off some code from an OS miner which does this with the permission and instruction of the system's administrator? Without, of course, citing their sources or giving credit where credit is due.

    I don't have a problem with explicit mining software - if someone figures they can make a profit off it, that's a big fat SHRUG from me. Mining malware, on the

  • by AATheorist ( 8044698 ) on Friday August 13, 2021 @05:45PM (#61689789)
    Why anyone would wish their money to be easier to steal is beyond me. The cult of crypto will blather on with their debate about.... nothing at all really.
    • by Z80a ( 971949 )

      Getting money with crypto is "automatic".
      Run program, get money.
      You don't depend on having a healthy market to get a job or having to actually work or..

  • by Anonymous Coward

    But disabling the hardware prefetcher lowers performance in legitimate applications.

    So your server's been pwned, and your main concern is "potentially reduced performance"... ooookay.

    In turn, server operators either have to buy additional machines to meet their performance requirements or increase power limits for existing hardware.

    ... or... you know... NUKE THE COMPROMISED BOX. YOU GODDAMN FUCKING MORONS.

    • In turn, server operators either have to buy additional machines to meet their performance requirements or increase power limits for existing hardware.

      ... or... you know... NUKE THE COMPROMISED BOX. YOU GODDAMN FUCKING MORONS.

      Hey now, that's commie talk! In America, the custom is not to fix a problem, but to paper over it with $100 bills until no one can see it anymore.

    • Exactly, came here to say this
  • by thegarbz ( 1787294 ) on Friday August 13, 2021 @06:59PM (#61690041)

    I suspect server operators would need to buy additional machines because their CPU cores are pegged at 100% mining crypto, not because the hardware prefetcher is disabled and causing applications to have a minor performance drop.
