One of them is Primecoin (symbol: Ψ; code: XPM), a peer-to-peer open source cryptocurrency whose proof of work is a scientific computation. Unlike the SHA-256 hashing that secures Bitcoin and most other virtual currencies, whose output has no use beyond the block chain itself, Primecoin's proof of work searches for special chains of prime numbers, known as Cunningham chains and bi-twin chains, so the computation has some value to mathematical research.
RSA key pairs are generated from two large prime numbers. Anyone who can factor the public modulus back into those primes can compute the private key, so the security of RSA rests on the difficulty of factoring, which grows with the size of the primes. That is why large primes and prime chains interest researchers, with one caveat a practitioner should keep in mind: the chains Primecoin publishes in its block chain are records for number theory, and knowing many primes does not help factor any particular RSA modulus.
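To make the proof of work concrete, here is an added example (not Primecoin's own code) that searches for the chain types named above in pure Python. It uses a deterministic Miller-Rabin primality test and a plain scan over small even origins so the chain structure is easy to see; the function names and the scan are mine, and real mining sieves over numbers of hundreds of bits, but the chain definitions are the same:

```python
"""Search for the prime chains that Primecoin's proof of work rewards.

Added example, not Primecoin's own code: small numbers, no sieve, so the
structure of each chain type is visible.
"""
from typing import List, Tuple

# First twelve primes as Miller-Rabin witnesses: deterministic for n < 3.18e23.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the integer sizes used here."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def cunningham_chain(p: int, kind: int) -> List[int]:
    """Cunningham chain starting at p.

    First kind: each term is 2*previous + 1; second kind: 2*previous - 1.
    Terms are appended while prime, so the result is empty if p is composite.
    """
    step = 1 if kind == 1 else -1
    chain: List[int] = []
    while is_prime(p):
        chain.append(p)
        p = 2 * p + step
    return chain


def bitwin_chain(origin: int) -> List[int]:
    """Bi-twin chain around an even origin n.

    The chain is n-1, n+1, 2n-1, 2n+1, 4n-1, 4n+1, ... taken in that order
    and cut at the first composite. The lower terms form a Cunningham chain
    of the first kind and the upper terms one of the second kind, which is
    why Primecoin groups the three chain types together.
    """
    chain: List[int] = []
    n = origin
    while True:
        if not is_prime(n - 1):
            return chain
        chain.append(n - 1)
        if not is_prime(n + 1):
            return chain
        chain.append(n + 1)
        n *= 2


def best_bitwin_origin(limit: int) -> Tuple[int, List[int]]:
    """Scan even origins 2..limit and return the first origin whose bi-twin
    chain is longest (chain length is what the proof of work is scored on)."""
    best_origin, best_chain = 0, []  # type: Tuple[int, List[int]]
    for n in range(2, limit + 1, 2):
        chain = bitwin_chain(n)
        if len(chain) > len(best_chain):
            best_origin, best_chain = n, chain
    return best_origin, best_chain


if __name__ == "__main__":
    print("Cunningham chain (1st kind) from 89:", cunningham_chain(89, 1))
    print("Cunningham chain (2nd kind) from 2:", cunningham_chain(2, 2))
    print("Best bi-twin origin below 1000:", best_bitwin_origin(1000))
```

The scan stops at the first composite, so a chain's length is exactly the quantity a miner competes on; the real protocol adds a fractional part from how far the first failing term is from being prime, which this example omits.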
Like other cryptocurrencies, Primecoin has mining software available: in simple terms, you put your computer to work searching for prime chains and earn coins.
After Bitcoin, the growing public attention to other cryptocurrencies did not go unnoticed by cybercriminals, who have begun unleashing Primecoin mining malware.
Mehrdad Yazdizadeh, a security researcher from antivirus firm Panda Security, told The Hacker News that he has found a few malicious Primecoin miners available for download from some Chinese websites and torrents.
"Primecoin miners are written in Python and other scripting languages and use a variety of methods to infect users' systems, i.e. brute-forcing, privilege escalation, modifying SQL tables," he said.
Infected systems can be used as a botnet to launch further attacks. Another notable feature of this malware is its abuse of MSSQL's xp_cmdshell extended stored procedure, which lets a database session run operating-system commands on the SQL Server host.
"On execution, the malware will inject the SQL server into cmd.exe, svchost.exe, explorer.exe and similar processes to hide itself like a rootkit," he added.
Further analysis showed that the malware creates a process named "sqlservr.exe" (the same file name as the legitimate SQL Server service binary, so the image path rather than the name is what to check) that reads another file, "primecoin.conf", containing the credentials and IP address of the master server the malware communicates with.
"Even if a user deletes sqlservr.exe or the conf folder, it will recover itself again and again. Also, the malware is capable of enabling the Windows Guest account automatically," he said.
He found thousands of logon events (mostly failed logons, Windows Security event ID 4625) in the event log of an infected machine, which suggests the malware is brute-forcing the system's user accounts on the attacker's behalf for privilege escalation.
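The indicators in the paragraphs above (a storm of failed logons, the Guest account being enabled, a sqlservr.exe impostor paired with primecoin.conf) can be checked mechanically. The following is an added example, not taken from the researcher's analysis or any vendor tool: it runs simple detection logic over constructed Windows Security events and a constructed process listing. The record field names (`id`, `time`, `account`, `src`, `target`, `image`, `cmdline`), the sample values and the thresholds are my assumptions, to be mapped from a real event export and tuned for the environment:

```python
"""Triage checks for the infection behaviour described above.

Added example, not from the original report. Events and processes below
are constructed to resemble a Security log export and a process listing.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Windows Security log event IDs (Vista/2008 and later).
FAILED_LOGON = 4625      # An account failed to log on
LOGON = 4624             # An account was successfully logged on
ACCOUNT_ENABLED = 4722   # A user account was enabled

# Constructed sample: 40 failures against Administrator from one source in
# under a minute, then a success from that source, then Guest enabled.
SAMPLE_EVENTS: List[Dict] = [
    {"id": FAILED_LOGON, "time": f"2013-11-05T03:00:{i:02d}",
     "account": "Administrator", "src": "10.0.0.5"}
    for i in range(40)
] + [
    {"id": LOGON, "time": "2013-11-05T03:01:10",
     "account": "Administrator", "src": "10.0.0.5"},
    {"id": ACCOUNT_ENABLED, "time": "2013-11-05T03:02:00",
     "target": "Guest", "subject": "Administrator"},
    # one stray failure from an unrelated host: must not be flagged
    {"id": FAILED_LOGON, "time": "2013-11-05T03:05:00",
     "account": "alice", "src": "10.0.0.9"},
]

# Constructed process listing: a real SQL Server and the impostor.
SAMPLE_PROCESSES: List[Dict] = [
    {"pid": 1200,
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "cmdline": r'"C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER'},
    {"pid": 3344,
     "image": r"C:\Users\Public\sqlservr.exe",
     "cmdline": r"C:\Users\Public\sqlservr.exe -conf=C:\Users\Public\primecoin.conf"},
]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def failed_logon_bursts(events: List[Dict], threshold: int = 20,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, Tuple[int, datetime]]:
    """Sources with >= threshold failed logons inside any window-long span.

    Sliding window per source, so a slow spray over a day is not counted
    but a burst inside it is. Returns {src: (peak count, first failure)}.
    """
    stamps: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON:
            stamps[e["src"]].append(_t(e["time"]))
    bursts: Dict[str, Tuple[int, datetime]] = {}
    for src, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[src] = (peak, times[0])
    return bursts


def logons_after_bursts(events: List[Dict], bursts: Dict[str, Tuple[int, datetime]]) -> List[Tuple[str, str]]:
    """Successful logons from a bursting source after its failures began:
    the strongest sign that the brute force worked."""
    return [(e["src"], e["account"]) for e in events
            if e["id"] == LOGON and e["src"] in bursts
            and _t(e["time"]) >= bursts[e["src"]][1]]


def guest_enabled(events: List[Dict]) -> List[Dict]:
    return [e for e in events
            if e["id"] == ACCOUNT_ENABLED and e.get("target", "").lower() == "guest"]


def rogue_sqlservr(processes: List[Dict]) -> List[Dict]:
    """sqlservr.exe outside the SQL Server install tree, or started with a
    Primecoin config: the name is borrowed, the path and arguments are not."""
    hits = []
    for p in processes:
        image = p["image"].lower()
        if not image.endswith("\\sqlservr.exe"):
            continue
        if "\\microsoft sql server\\" not in image or "primecoin.conf" in p["cmdline"].lower():
            hits.append(p)
    return hits


def triage(events: List[Dict], processes: List[Dict]) -> Dict:
    bursts = failed_logon_bursts(events)
    return {
        "bruteforce_sources": sorted(bursts),
        "likely_compromised": logons_after_bursts(events, bursts),
        "guest_enabled": len(guest_enabled(events)) > 0,
        "rogue_sqlservr_pids": [p["pid"] for p in rogue_sqlservr(processes)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, SAMPLE_PROCESSES).items():
        print(f"{key}: {value}")
```

Run the Security log through `failed_logon_bursts` first; a source that fails dozens of times and then succeeds is the case to act on immediately, and a rogue sqlservr.exe is identified by its image path and arguments, never by its name.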
More features he noticed are:
- Replicating itself through file systems
- Killing the antivirus and security programs