The research team made the discovery when they were tracking a malicious program called Mal/Miner-C, which infects machines and hijacks systems to generate Monero, which is a cryptocurrency similar to Bitcoin, but whose units are more easily mined.
Bitcoin used to be the target of choice for hackers who would infect computers around the world and use their processing power to solve the complex mathematical equations used to generate additional units of the currency.
Unfortunately, as Bitcoin’s network grew and became increasingly complex, mining became correspondingly more difficult, which made utilizing personal computers for currency generation unprofitable. In response, the hackers began casting about for an alternative currency that was easier to mine. Their new top choice is Monero.
The attack begins when hackers scan for FTP servers that are internet accessible. Armed with a list, they try to log in using default or weak credentials, or perhaps with anonymous accounts. Once they gain access, they verify that they’ve got write access, and if so, make a copy of the software on every directory on the machine.
The one thing the current version of Mal/Miner-C doesn’t have is a means to automatically run. In order to run, it has to disguise itself as a mundane program in the hopes of fooling a user to manually run it.
So, how big is the problem?
Sophos counted more than 1.7 million Mal/Miner-C detections over the last six months, coming from more than three thousand different systems. Most of the impacted systems had multiple running instances of the software, residing in different directories.
Using an internet scanning engine called Censys, they found more than seven thousand public FTP servers on the net and were able to determine that 5,137 of them had been infected with Mal/Miner-C. While not a common problem, if you have a public FTP server that has seemed sluggish or slow, this could be the reason.