Cryptominers are making money with your resources: how to fight them?
Cyberattacks never stop evolving, and malware authors have moved from destroying systems to finding new ways of earning money, as is the case with ransomware (which encrypts your sensitive files and demands a ransom to get them back). With the emergence of cryptocurrencies like Bitcoin and Ethereum, a new type of attack was born: crypto miner malware.
What is cryptocurrency mining?
Before we answer this question, we need to understand briefly how a blockchain works. In short, a blockchain is a concept originally developed for digital currencies (cryptocurrencies) in order to record transactions. The strength of this technology lies in its decentralized model, which lets anyone trace every transaction that has ever been made. The transaction book (the ledger) is accessible to anyone at any time, and anyone can contribute to adding transactions to it. Today there are more than 1500 cryptocurrencies; the best known are Bitcoin and Ethereum. Transactions are grouped into blocks, and each block carries the hash of the previous one, which is what links the blocks into a chain. The security of the ledger rests on hash computations (proof of work) performed by all the miners of the cryptocurrency community: a miner repeatedly hashes the candidate block with a changing nonce until the result falls below a target, and the first one to find such a hash gets to append the block to the ledger and receives a reward paid in the cryptocurrency. Finding the hash is expensive; checking it takes a single hash computation, which is why anyone can verify the ledger cheaply.
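To make the hash computation concrete, here is an added example (it is not part of the original article) in Python: a toy proof-of-work chain in which a block is mined by searching for a nonce whose SHA-256 hash starts with a given number of zero hex digits, and in which any block is verified with a single hash. The block layout, the transactions and the difficulty are constructed for the illustration; real currencies hash a binary header against a numeric target, but the asymmetry between mining and verifying is the same.

```python
import hashlib


def block_hash(prev_hash: str, transactions: list, nonce: int) -> str:
    """SHA-256 over the block contents. Constructed layout: a real chain hashes a
    binary header, but the ingredients (previous hash, transactions, nonce) are the same."""
    payload = f"{prev_hash}|{','.join(transactions)}|{nonce}"
    return hashlib.sha256(payload.encode()).hexdigest()


def mine(prev_hash: str, transactions: list, difficulty: int):
    """Brute-force the nonce until the hash starts with `difficulty` zero hex digits.
    Returns (nonce, hash, attempts); the expected attempts grow 16x per extra digit."""
    target = "0" * difficulty
    nonce = 0
    while True:
        h = block_hash(prev_hash, transactions, nonce)
        if h.startswith(target):
            return nonce, h, nonce + 1
        nonce += 1


def verify(prev_hash: str, transactions: list, nonce: int, claimed_hash: str, difficulty: int) -> bool:
    """One hash computation checks both the link to the previous block and the work done."""
    h = block_hash(prev_hash, transactions, nonce)
    return h == claimed_hash and h.startswith("0" * difficulty)


def build_chain(difficulty: int = 3):
    """Mine two blocks of constructed transactions, each linked to the previous block's hash."""
    chain = []
    prev = "0" * 64  # genesis: there is no previous block
    for txs in (["alice->bob:5"], ["bob->carol:2", "carol->dave:1"]):
        nonce, h, attempts = mine(prev, txs, difficulty)
        chain.append({"prev": prev, "tx": txs, "nonce": nonce, "hash": h, "attempts": attempts})
        prev = h
    return chain


def chain_is_valid(chain, difficulty: int = 3) -> bool:
    """Re-check every block; altering a transaction, a nonce or a link breaks the chain."""
    prev = "0" * 64
    for block in chain:
        if block["prev"] != prev or not verify(block["prev"], block["tx"], block["nonce"],
                                               block["hash"], difficulty):
            return False
        prev = block["hash"]
    return True


if __name__ == "__main__":
    chain = build_chain()
    for i, b in enumerate(chain):
        print(f"block {i}: nonce={b['nonce']} attempts={b['attempts']} hash={b['hash'][:16]}...")
    print("chain valid:", chain_is_valid(chain))
```

Raising the difficulty by one digit multiplies the expected number of attempts by 16 while verification stays at one hash, which is exactly why a miner wants other people's CPUs.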
Malicious crypto miners
Because crypto mining requires a lot of resources to compute these hashes, malware authors developed crypto miner malware that infects machines in order to use their computing power. The army of infected computers helps the malware authors mine and collect the rewards, at the expense of innocent people's computers and even companies' infrastructure.
The goal of a crypto miner malware is essentially to use the infected machine's resources to contribute to mining a cryptocurrency. Crypto miner malware falls into two categories:
- Program based: a malicious program that infects the machine and uses its resources to mine cryptocurrencies. It can also take the form of a benign program (a legitimate miner or an exploited application) that is abused to do the dirty work.
- Browser based: the most common one, because there is no need to infect the machine. The malicious code is injected into a web page, and each time a user visits the page the script uses the visitor's resources to do the computations. It can also be delivered as a malicious browser extension or inside ads.
How does SAFE Endpoint Security fight crypto miners?
SAFE Endpoint Security fights crypto miners in several ways. First, malicious network access is simple to block with the policy system: SAFE Endpoint Security has a security module responsible for network monitoring, which acts as a firewall and filters network packets according to security policies. Filtering can be done on IP addresses, domain names, ports or protocols. Second, another security module monitors metrics and detects whether a process is using the machine's resources abnormally, compared with global statistics.
To detect and block crypto miner malware at the network level, we need to know the domain or the IP address of the crypto mining service that supplies the hashing work to the client. One of the best-known crypto mining services is Coinhive. The only thing to do is to block access to the domain coinhive.com and all its subdomains. Any program trying to reach an IP address resolved from a matching domain or subdomain will be blocked, whether it is a browser, an extension or a piece of malware, and even when the traffic goes through a VPN or a tunneling tool such as TOR. Here is an example of a configuration that blocks Coinhive. We create an object with coinhive in the domain filter:
Now we create an app "Block coinhive" containing the rule needed to block any access to coinhive domains:
If the browser tries to reach the website, the following page is displayed and the user is notified that access has been denied:
To make things easier for administrators, an application that blocks the most common crypto mining websites is already included in the default policies. SAFE-Cyberdefense's team improves this application constantly to add newly discovered websites.
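As an added example, not taken from the SAFE Endpoint Security product, the following Python shows the semantics the rule above needs: a host name is blocked when it is the filtered domain itself or any subdomain of it, matched label by label, and a connection to an IP address is blocked when that address was resolved from a matching name. The DNS cache, the IP addresses (RFC 5737 documentation ranges) and the extra host names are constructed for the illustration; the only real rule is the one from the article, coinhive.com.

```python
# Rules as configured in the article: filtered domain -> name of the policy app.
BLOCK_RULES = {"coinhive.com": "Block coinhive"}

# Constructed: what an endpoint agent would have observed in DNS answers,
# mapping IP address -> set of names that resolved to it.
DNS_CACHE = {
    "203.0.113.10": {"ws001.coinhive.com"},
    "198.51.100.7": {"cdn.example.net"},
}


def normalize(host: str) -> str:
    """Case-insensitive; ignore surrounding whitespace and a trailing dot (FQDN form)."""
    return host.strip().rstrip(".").lower()


def matches_domain_rule(host: str, rule_domain: str) -> bool:
    """True when host is rule_domain or a subdomain of it (label-wise suffix match)."""
    h, r = normalize(host), normalize(rule_domain)
    return h == r or h.endswith("." + r)


def substring_match(host: str, needle: str) -> bool:
    """The naive 'contains' filter, kept here only to show how it over-matches."""
    return needle.lower() in normalize(host)


def evaluate_host(host: str, rules=BLOCK_RULES):
    """Return ("BLOCK", app_name) for the first matching rule, else ("ALLOW", None)."""
    for domain, app in rules.items():
        if matches_domain_rule(host, domain):
            return "BLOCK", app
    return "ALLOW", None


def evaluate_connection(ip: str, rules=BLOCK_RULES, dns_cache=DNS_CACHE):
    """Block a connection when any name that resolved to this IP matches a rule.
    An IP never seen in a DNS answer is allowed by domain rules; it would need an IP rule."""
    for name in sorted(dns_cache.get(ip, ())):
        verdict, app = evaluate_host(name, rules)
        if verdict == "BLOCK":
            return "BLOCK", app, name
    return "ALLOW", None, None


if __name__ == "__main__":
    for host in ("coinhive.com", "ws001.coinhive.com", "COINHIVE.COM.",
                 "notcoinhive.com", "coinhive.com.evil.example"):
        naive = "BLOCK" if substring_match(host, "coinhive") else "ALLOW"
        print(f"{host:28} label match: {evaluate_host(host)[0]:5}  substring: {naive}")
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(ip, evaluate_connection(ip))
```

coinhive.com.evil.example is allowed by the label match because it is a different registrable domain; if such a lookalike needs blocking, give it its own rule rather than falling back to a substring filter, which would also block notcoinhive.com and any unrelated name that happens to contain the word.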
In addition to the network controller, and to ensure defense in depth, the agent constantly monitors process metrics and records their activity in real time. The collected data are centralized in the management console and can be queried at any time:
The collected data are also checked continuously to detect suspicious behavior. If a process's CPU usage exceeds a configured threshold, a metric notification can be sent to the administrator. A miner that throttles itself can stay under a naive threshold, so sustained usage over a period, rather than a single peak, is the more robust signal, and the threshold should be set against the host's normal baseline. Like all the features we provide, this monitoring is fully customizable to fit your needs and your production context.
Once a notification is received and the suspicious activity confirmed, you can easily find the malicious website in the event data and add it to the list of blocked websites:
Malicious behaviors take different shapes. As we saw here, an attacker does not need to damage your system or touch your sensitive data to earn money. Traditional solutions keep looking for malware files instead of malicious behaviors, which is why they fail to detect crypto miners, which are not necessarily file-based. Running in the browser does not make a miner harmless: crypto miner attacks show once again that an attack can be stealthy, abuse your hardware and slow down your computer. That is why it is important to provide a multi-layered security solution that fights every type of attack, even those that are not visible on the surface.
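The detection and triage loop described in the last three paragraphs, as an added Python example that is not the product's code: a process is flagged when its CPU stays at or above a threshold for several consecutive samples (a single peak is ignored), and the flagged process's network events inside the alert window are then ranked so the administrator can pick the domain to add to the block list. The host name, processes, timings, the CPU threshold of 80 percent, the run length of 3 samples and the destination domains are all constructed for the illustration.

```python
from collections import Counter, defaultdict

CPU_THRESHOLD = 80.0   # percent of one core; assumed value, tune to the host's baseline
MIN_CONSECUTIVE = 3    # samples in a row at/above threshold before alerting (drops short bursts)

# Constructed metric samples: (timestamp, host, pid, process, cpu_percent), 10 s apart.
SAMPLES = [
    (1000, "ws-01", 4242, "firefox", 12.0),
    (1010, "ws-01", 4242, "firefox", 88.0),
    (1020, "ws-01", 4242, "firefox", 93.5),
    (1030, "ws-01", 4242, "firefox", 95.0),
    (1040, "ws-01", 4242, "firefox", 94.2),
    (1050, "ws-01", 4242, "firefox", 91.0),
    (1000, "ws-01", 777, "backup", 5.0),
    (1010, "ws-01", 777, "backup", 90.0),   # isolated spike: a legitimate burst
    (1020, "ws-01", 777, "backup", 7.0),
    (1030, "ws-01", 777, "backup", 85.0),
    (1040, "ws-01", 777, "backup", 6.0),
]

# Constructed network events from the same agent: (timestamp, host, pid, destination domain).
NET_EVENTS = [
    (1005, "ws-01", 4242, "news.example.org"),
    (1012, "ws-01", 4242, "ws012.miner.example"),
    (1025, "ws-01", 4242, "ws012.miner.example"),
    (1500, "ws-01", 4242, "mail.example.org"),   # outside the alert window
    (1015, "ws-01", 777, "backup.corp.example"),  # other process
]


def detect_sustained_cpu(samples, threshold=CPU_THRESHOLD, min_consecutive=MIN_CONSECUTIVE):
    """Alert on each process whose CPU stays at/above threshold for min_consecutive
    consecutive samples. Returns {(host, pid, process): {"start", "end", "peak"}};
    the alert's end keeps extending while the streak continues, a dip resets it."""
    streaks = defaultdict(list)
    alerts = {}
    for ts, host, pid, proc, cpu in sorted(samples):
        key = (host, pid, proc)
        if cpu >= threshold:
            streaks[key].append((ts, cpu))
            run = streaks[key]
            if len(run) >= min_consecutive:
                alerts[key] = {"start": run[0][0], "end": run[-1][0],
                               "peak": max(c for _, c in run)}
        else:
            streaks[key] = []
    return alerts


def contacted_domains(alert_key, alert, net_events, slack=30):
    """Domains the flagged process reached within the alert window (plus slack seconds
    on each side), most frequently contacted first. Returns [(domain, count), ...]."""
    host, pid, _ = alert_key
    lo, hi = alert["start"] - slack, alert["end"] + slack
    counts = Counter(d for ts, h, p, d in net_events
                     if h == host and p == pid and lo <= ts <= hi)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def triage(samples=SAMPLES, net_events=NET_EVENTS):
    """Each alert together with the candidate domains for the administrator to review."""
    return {key: {**alert, "domains": contacted_domains(key, alert, net_events)}
            for key, alert in detect_sustained_cpu(samples).items()}


if __name__ == "__main__":
    for (host, pid, proc), info in triage().items():
        print(f"{host} pid={pid} {proc}: cpu>={CPU_THRESHOLD}% from t={info['start']} "
              f"to t={info['end']} (peak {info['peak']}%)")
        for domain, n in info["domains"]:
            print(f"  contacted {domain} x{n}")
```

The backup process never alerts with the default run length even though two of its samples are above the threshold, while the browser's steady 88 to 95 percent does; the most frequently contacted domain in the window is the one to confirm and add to the block list.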