RubyMiner Attacks Web Servers Worldwide

Do you know what RubyMiner is?

RubyMiner started its vicious attacks on January 9th, 2018. This malware was built to target Linux and Windows web servers, probing for several known vulnerabilities that can then be used for cryptocurrency mining on computers connecting to the compromised web server. Our researchers have found that this malware has attacked around 30% of the web servers globally. Because of its basic flaw of relying only on 6- and 7-year-old vulnerabilities, though, its authors may not have made a fortune out of covert mining. Still, visiting a compromised website can seriously slow your computer, because such a miner uses your CPU, or sometimes even your GPU, for the computation it needs. This can be rather annoying and disruptive, since you cannot use your computer the way you are used to. In certain cases such a miner can even cause hardware damage by running the CPU or GPU at 100% for a long period of time. Unfortunately, you cannot do anything to remove RubyMiner from your computer, since it is located on remote servers and operates remotely. What you can do, though, is defend your PC by installing a powerful, up-to-date anti-malware program.

In this case, there are no distribution methods to speak of, since it is not you who downloads this threat to your machine. In fact, there is no malware on your computer at all that is related to this questionable mining effort. This is also why it is not possible for you to delete RubyMiner. In other cases, you could infect your computer with such a miner by clicking on unsafe third-party advertisements on suspicious websites like torrent, freeware, gaming, and betting pages, or by downloading free software from the wrong file-sharing website. These are the most common ways to infect your machine with malware such as adware programs, browser hijackers, fake-alert Trojans, and miners. However, these criminals decided to target web servers instead of individual computers. Therefore, in such a case you can only safeguard your PC with a professional security program that can automatically block malicious activity such as illegal mining.

As we have explained, this malware infection can attack any Linux or Windows web server and look for the following vulnerabilities:

  • CVE-2013-015
  • CVE-2013-4878
  • CVE-2012-1823
  • CVE-2012-2335
  • CVE-2012-2311
  • CVE-2012-2336
  • CVE-2005-267

These are indeed vulnerabilities that were disclosed and also patched around 2012. Is it wise to use these to attack web servers in 2018? That is certainly a logical question, and the answer may lie in the fact that these attackers only managed to make $540 on the first day of the attack, according to their associated wallet address.

Once this malware finds one or more of these security holes on a web server, it installs XMRig, an open-source Monero miner. The websites hosted on the compromised server can then be used to mine cryptocurrency without the knowledge of their visitors. Of course, you may notice that something is off because of the heavy CPU usage such a miner requires.
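For server administrators, the practical question is how to spot an XMRig process that the article says this campaign drops on a compromised host. The script below is an added example written for this page, not code from the original article or from any vendor; it assumes a process listing in the column order of `ps -eo pid,pcpu,comm,args`, a short list of well-known miner binary names, the `stratum+tcp://` pool URL scheme that XMRig-style miners pass on their command line, and a constructed sample listing with a placeholder pool host and wallet. It also covers the case the article hints at but does not spell out: a miner renamed to look like a legitimate service process, which a name check alone would miss.

```python
"""Flag processes that look like an unexpected XMRig/Monero miner.

Added example for this article (not the article's or any vendor's code).
Indicators used, from a defender's point of view:
  1. a known miner binary name (e.g. xmrig),
  2. a stratum mining-pool URL on the command line,
  3. very high CPU use, counted only as corroboration of 1 or 2.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `ps -eo pid,pcpu,comm,args` output; the pool host
# (pool.example.invalid) and wallet (WALLET_PLACEHOLDER) are placeholders.
SAMPLE_PS_OUTPUT = """\
  PID %CPU COMMAND  COMMAND
    1  0.0 systemd  /sbin/init
  812  1.2 nginx    nginx: worker process
 1337 98.7 xmrig    ./xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level=1
 1402 94.3 kworker  [kworker/u8:2]
 2210 97.9 php-fpm  ./.tmp/php-fpm -o stratum+tcp://pool.example.invalid:443 -u WALLET_PLACEHOLDER
"""

# Binary names commonly used by open-source Monero miners (assumed list).
MINER_NAMES = {"xmrig", "xmr-stak", "minerd"}
# Pool URL scheme used by stratum-based miners such as XMRig.
POOL_PATTERN = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
CPU_THRESHOLD = 90.0  # percent; assumed cut-off for "heavy" use


@dataclass(frozen=True)
class Finding:
    pid: int
    cpu: float
    command: str
    reasons: Tuple[str, ...]


def parse_ps(output: str) -> List[Tuple[int, float, str, str]]:
    """Parse pid, %CPU, short command name and full args from ps output."""
    rows = []
    for line in output.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        pid, cpu, comm = int(parts[0]), float(parts[1]), parts[2]
        args = parts[3] if len(parts) == 4 else ""
        rows.append((pid, cpu, comm, args))
    return rows


def assess(output: str, cpu_threshold: float = CPU_THRESHOLD) -> List[Finding]:
    """Return one Finding per process that matches a miner indicator.

    High CPU on its own is not reported: kernel threads, builds and backups
    legitimately peg a core, so it only strengthens a name or pool-URL hit.
    """
    findings = []
    for pid, cpu, comm, args in parse_ps(output):
        reasons = []
        if comm.lower() in MINER_NAMES:
            reasons.append("known miner binary name")
        if POOL_PATTERN.search(args):
            reasons.append("mining pool (stratum) URL in command line")
        if reasons and cpu >= cpu_threshold:
            reasons.append(f"CPU at {cpu:.1f}%")
        if reasons:
            findings.append(Finding(pid, cpu, comm, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_PS_OUTPUT):
        print(f"pid {f.pid} ({f.command}): " + "; ".join(f.reasons))
```

On a live host you would feed it the real output of `ps -eo pid,pcpu,comm,args` instead of the sample. Note that the renamed binary (pid 2210, posing as `php-fpm`) is caught only by its pool URL, which is why the command line, not just the process name, is checked; the busy `kworker` thread is deliberately left alone.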

Since there is no way for you to remove RubyMiner or XMRig either, you can only do one thing right now: download and install a reliable malware removal program, such as SpyHunter, to automatically defend your PC against any potential threat. Our researchers also advise you to stay away from suspicious websites and refrain from clicking on unreliable third-party advertisements, since these are the main reasons why unsuspecting users infect their systems in the first place. Cryptocurrency mining is booming since these virtual currencies are on the rise more than ever before. Therefore, it is only logical that cyber crooks will do everything in their power to ride this wave. Protect your PC so that you do not lose CPU power to illegal mining.

In non-techie terms:

RubyMiner is a dangerous threat that has been used since the beginning of January this year to attack Linux and Windows web servers, looking for certain old vulnerabilities to exploit. This malware installs an open-source Monero miner, XMRig, which can then use the computers of visitors to compromised websites for its mining. In this attack there is no malware on your PC; the infection is on the web server you happen to visit when viewing a website. Therefore, you cannot actually do anything to remove RubyMiner or XMRig locally. What you can do to defend your computer against similar attacks is to install a reputable anti-malware program as soon as possible.