Cryptojacking is not a new phenomenon. Mining is expensive and the equipment costs a lot of money, so criminals keep looking for ways to mine cryptocurrency with the combined capacity of millions of other people's devices: computers, laptops and even smartphones. Such schemes are run not only by people whose sole aim is to enrich themselves through mining, but also by large projects such as torrent trackers, popular torrent websites, adult video websites and online film streaming websites. You can be infected with such a miner in several ways.
At the same time, there is very little good information on how to detect a cryptojacker, remove it for good and avoid being infected with a new one, because cryptocurrency mining is profitable for everyone involved except the victim: the hackers take the real profit, while users pay with worn-out equipment and the frustration of slow software and slow page loads.
We carried out our own investigation into the following questions: what is cryptojacking? How can you become infected with hackers' software? How do you neutralize a cryptojacker? How do you protect yourself from such hackers?
Mining with ASICs began in 2013. It quickly became so popular that individual users' earnings fell exponentially, while the hardware capacity required kept growing. In the same year the Tidbit service was launched, which offered website owners a way to earn by mining in their visitors' browsers. The service soon collapsed, and browser cryptojacking all but died with it.
Coinhive promoted the idea of letting users lend the capacity of their devices for cryptocurrency mining instead of watching advertisements. The website owner receives money; the user gets a safe website with high-quality content and no advertising. A win-win situation. But enterprising website owners quickly realized that high traffic could bring a good profit and that there was no need to tell users about the mining, despite Coinhive's recommendations.
The first widely publicized case involved the torrent tracker The Pirate Bay, with more than 290 million visitors over six months. The administration managed to earn $47,000 per month! Users of the site quickly discovered the Coinhive script and forced the tracker to abandon the scheme. After that the scripts were found on the paid Showtime service and in the LiveHelpNow widget, and later on other resources and in browser extensions.
Since Monero transactions are anonymous and the parties to a transaction cannot be traced, mining this currency in browsers has gained unprecedented popularity. To make visitors' browsers start mining Monero, the website owner only needs to embed a few lines of script into the website's code.
The user simply opens any page of the website that contains the code, and his or her browser starts mining cryptocurrency for the benefit of that site. No files need to be downloaded or installed; the mining starts without any fuss. The only thing that gives it away is the extra load on the processor, which is how it can be detected.
Coinhive is the most famous project, but not the only one. Projects such as Crypto Loot and JSEcoin launched in beta. And let's not forget the craftsmen who can knock together a similar script themselves; it will mine just the same.
Although many large resources have already been caught red-handed and have removed the script lines from their code, many projects carry on browser-based cryptojacking to this day.
You can pick up a cryptojacker on websites offering free streaming of films and series, on adult video websites, on typosquatted domains (addresses that differ from a well-known site by a misspelling), on torrent trackers and on websites with browser-based games. These are most likely projects with huge traffic, because huge traffic brings the resource owners a good profit.
Unscrupulous website developers can also plant miner code into a website they build.
First of all, use trusted resources for browsing. This gives no absolute guarantee against cryptojacking, but it is an effective preventive measure.
If closing suspicious tabs does not change the situation, try closing the browser and watching how the software on your PC behaves: if it speeds up, a miner has been doing its work on your PC.
You can use one or two blocking extensions.
We recommend using only trusted extensions, since the script can be built into an unreliable extension.
We also recommend installing the Anti-WebMiner utility on your PC. It adds entries to the hosts file that block the domains from which miner scripts are loaded.
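As an added example (not code from the original article or from any of the tools it names), the following Python script shows both sides of what this section describes: how a miner embedded in a page's HTML can be spotted from the script it loads, and how a hosts-file block list of the Anti-WebMiner kind cuts such scripts off. The block list, the inline markers other than the documented CoinHive.Anonymous call, and the sample page are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Block list of mining-script hosts, assembled for this example from the services the
# article names (an assumption, not Anti-WebMiner's real list).
MINER_HOSTS = {"coinhive.com", "crypto-loot.com", "load.jsecoin.com"}
# CoinHive.Anonymous is the documented Coinhive loader call; the other two are assumed.
INLINE_MARKERS = re.compile(r"CoinHive\.Anonymous|CRLT\.Anonymous|JSEcoin", re.I)

class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies from a page."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def find_miner_scripts(html):
    """Return (kind, evidence) pairs: listed external hosts and inline markers found."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        # Absolute and protocol-relative URLs parse to a host; relative paths yield none.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(("external", host))
    for body in parser.inline:
        match = INLINE_MARKERS.search(body)
        if match:
            findings.append(("inline", match.group(0)))
    return findings

def hosts_block_entries(hosts=MINER_HOSTS):
    """Hosts-file lines that sink the miner domains to 0.0.0.0, as Anti-WebMiner does."""
    return [f"0.0.0.0 {h}" for h in sorted(hosts)]

# Constructed sample page carrying a Coinhive-style loader and start call.
SAMPLE_PAGE = ("<html><head><script src='https://coinhive.com/lib/coinhive.min.js'></script>"
               "<script>var miner = new CoinHive.Anonymous('SITE_KEY'); miner.start();</script>"
               "</head><body>Watch films online for free</body></html>")
```

Running `find_miner_scripts(SAMPLE_PAGE)` reports both the external loader host and the inline start call, while `hosts_block_entries()` yields the lines that would make those hosts unreachable.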
This type of cryptojacking is the most dangerous. It is easy to get infected with such a miner, hard to detect it, and almost impossible to remove it without reinstalling the system. The program quickly wears out your devices and significantly shortens their working life. But if you follow the precautions and take advantage of all our recommendations, you have a good chance of success.
The most famous case of this kind was detected in the popular torrent tracker μTorrent, whose developers installed the hidden EpicScale miner on their users' PCs.
A PC is infected via botnets: networks of computers running autonomous bot software that installs a mining program without the user's knowledge or consent.
Botnets are not viruses in themselves, but they can be made up of viruses (trojans, worms), firewalls and remote-control programs. An implanted bot independently chooses the cryptocurrency to mine based on the characteristics of your hardware, so that the process goes unnoticed by the user as far as possible. Mining networks (botnets) are built both by professionals and by schoolchildren, who sell their creations for a few cents on dark forums while keeping a share of the currency mined by the network.
You will not notice such a bot, because it comes bundled with pictures, text documents, cracks, patches, videos and torrents. It installs itself quietly, disguises itself as Windows or other system processes and does not show up anywhere. If the PC is under heavy load, the miner switches itself off so as not to raise a red flag.
We understand this is a very general description; in reality botnets are much more complex, because cryptojackers are constantly updated to stay as inconspicuous and as hard to remove as possible.
Most often the victims of such criminals are avid gamers, because they own powerful hardware. Many of them install cracked games and get such "gifts" with them. But this is not the only way to catch a cryptojacker.
You can get infected through any executable you run (downloaded from a website or received by email), through unauthorized remote access, through a video file embedded in a Word document from an untrusted source (a vulnerability in the program), through spam email and through any cracked program you install.
How can you find a cryptojacker on your PC? There is a whole procedure for this. We give no guarantee that it will solve the problem, but it can help.
Simply deleting the suspicious files manually or with an antivirus is not enough. That is only a surface measure and will give no result at all: the cryptojacker is programmed to restore every deleted file and carry on working.
The first step is to download the monitoring program AIDA64. It shows the load on the processor, the video card and RAM. Turn off absolutely everything that can be turned off; if the load remains, you need to look for its cause.
Next, download AnVir Task Manager. It highlights all unidentified processes in red, helps you see hidden processes and gives full information about them, with the option to look them up online and check them on the VirusTotal website.
Further, Process Explorer will help you see exactly what is loading your video card. Even if you find something, do not stop the process, or the virus will restore everything. More serious measures are required here. If you find a suspicious process, check it on VirusTotal. Once the threat is identified, we begin to remove it.
Incidentally, the FolderSizes utility will help you find folders holding a large amount of data. These folders are worth checking when hunting for a cryptojacker on the computer.
After that, download the following utilities and scan the PC in safe mode:
- Dr.Web CureIt! (only from the official website!)
- COMODO Cleaning Essentials
- Junkware Removal Tool
- AdwCleaner
If this entire set of tools has not dealt with the virus, download AVZ (you can find out how to use it on the professional forums).
If some of the utilities cannot run in safe mode, it is better to stop all the processes with RKill in normal mode first, to remove the obstacles facing the antiviruses.
Success? Now clean the registry of traces of the cryptojacker. For this, use CCleaner and Auslogics BoostSpeed.
If none of the measures taken have helped, the only way to get rid of the virus is to reinstall the system.
Programs that are installed and then deleted leave a lot of junk files behind in the form of leftover modules and records, so the virus has to make no effort to hide and disguise itself. And registry cleaners do not always manage to remove all of the junk completely.
As a preventive measure against cryptojackers, you can use only portable programs, keeping a minimal set of programs and drivers on your PC. You can also install 360 Total Security, which constantly behaves like a "paranoiac" and trusts nothing. You can turn it off at any time if you want.
The growing performance of mobile phones also lets hackers mine on your devices. And you can catch a cryptojacker both in the browser and as an installed program.
A smartphone can be infected through adult websites, hacked applications, spam in SMS and by email.
We recommend installing a cryptojacker-blocking extension in your browser, for example uBlock, and installing an antivirus on your smartphone.
However, mobile mining is easy to detect because of the heavy drain on the battery. Unfortunately, or fortunately, smartphone performance has come a long way, which cannot be said of battery life.
Cryptojacking through Wi-Fi
The morning of December 2 turned out to be revealing for a Starbucks in Buenos Aires. One visitor noticed that his laptop began to overheat unusually while he was drinking coffee in the cafe. He looked at the source of one of the HTML pages and found a suspicious script. It turned out that the cafe's management had decided to make extra money from guests connecting to its free Wi-Fi by using a cryptojacker. The news spread quickly through the world's media, and the owners of Starbucks had to admit it and fix the problem. At the same time, the technique with the symbolic name CoffeeMiner became dramatically popular.
How does it work?
There is nothing complicated in carrying out such a hack. The network is full of detailed working schemes, links to programs, virtual machines and scripts, and video instructions on how to intercept traffic and mine on visitors' devices.
How can you be infected?
In fact, a victim of a cryptojacker can be absolutely any user who connects to free Wi-Fi in a cafe, restaurant, shopping center, airport, public transport, shop, library and so on. You should not even trust password-protected networks in some public places, because a hacker can obtain the password in the same way, simply by ordering something.
Wi-Fi cryptojacking prevention
Measures to prevent and protect against such criminals are similar to those against browser cryptojacking. The difference is that the code can be injected even into the pages of trusted resources. First of all, it is not recommended to connect to public networks at all. If you do need to connect to a public network, install extensions that block the script in your browser: Anti-WebMiner, NoScript (Firefox), ScriptBlock, ScriptSafe (Chrome), uBlock (Chrome), NoCoin, MinerBlock. Use uBlock for the browser and an antivirus on your smartphone.