This thread is an overview on how to detect, identify and remove a botnet infection. This is merely one example of such an infection. Honestly the main reason I was able to detect it (before it was added to malware definition databases), is because of it's aggressive processor use. Bitcoin miners are extremely intense processes, to 98% CPU usage stood out like a sore thumb.
This will be a 5-step & thread process on how I went about checking around and figuring out how this bitcoin miner was operating. There are various ways to go about the same methods, but I am sharing mine, in hopes it helps someone remove similar trash in the future. I will make a post in this thread for each process, to help describe the methods used, and hopefully do so in a clear manner.
- Suspect and Detect
- Network Traffic
- PID to Process Explorer mapping
- Service, Payload and Command and Control targeting
- Potential Removal
The attached picture should make more sense as you read each progressive step.