- Jan 24, 2011
- 9,378
PhotoMiner is a worm that propagates with the help of vulnerable FTP servers, infects public Web pages, spreads to Windows computers and sets up a mining process for the Monero crypto-currency.
Security firm GuardiCore discovered the worm this past January when it also published a quick summary of its abilities. In the meantime, the company found that the worm was created in early December 2015, and received several updates after its January write-up.
There are currently two different versions of PhotoMiner spreading over the Internet, but the company says that both function in the same way, with tiny differences.
PhotoMiner features a multi-stage infection mechanism
The infection mechanism is a bit complex. The first stage requires the malware coder to find an infected FTP server to unleash his worm. This is easy since there are over 20.3 million servers with open FTP ports connected to the Internet, and GhostShell has shown Softpedia how easy is to hack them.
After PhotoWorm reaches an FTP server, it will scan for public HTML folders, usually used for hosting Web pages. The worm alters the source code of these pages in order to deliver another copy of itself.
PhotoMiner achieves this by embedding an iframe tag inside each page, with the source attribute set to "Photo.scr", hence the malware's name of Photo-Miner.
At this point, the iframe prompts the user with a popup, asking if he wants to run the file. Running the file infects him with the PhotoMiner worm.
Read more: PhotoMiner Worm Spreads via Vulnerable FTP Servers, Mines for Crypto-Currency
Security firm GuardiCore discovered the worm this past January when it also published a quick summary of its abilities. In the meantime, the company found that the worm was created in early December 2015, and received several updates after its January write-up.
There are currently two different versions of PhotoMiner spreading over the Internet, but the company says that both function in the same way, with tiny differences.
PhotoMiner features a multi-stage infection mechanism
The infection mechanism is a bit complex. The first stage requires the malware coder to find an infected FTP server to unleash his worm. This is easy since there are over 20.3 million servers with open FTP ports connected to the Internet, and GhostShell has shown Softpedia how easy is to hack them.
After PhotoWorm reaches an FTP server, it will scan for public HTML folders, usually used for hosting Web pages. The worm alters the source code of these pages in order to deliver another copy of itself.
PhotoMiner achieves this by embedding an iframe tag inside each page, with the source attribute set to "Photo.scr", hence the malware's name of Photo-Miner.
At this point, the iframe prompts the user with a popup, asking if he wants to run the file. Running the file infects him with the PhotoMiner worm.
Read more: PhotoMiner Worm Spreads via Vulnerable FTP Servers, Mines for Crypto-Currency
