Coin-Hive flag as malicious

Hello,

I'm sending this post to ask why the Coin-Hive API is being flagged by ESET NOD32 as HTML/ScrInject.B.

This API library is clean and all it does is mine Monero coins. My user interface is now being detected as a common virus. Please fix this issue as soon as possible.

Virus Analysis
https://www.virustotal.com/#/file/5b19d1b743dfc2528e8c9ddaed385445b90427640a096e7f91df8379efe19019/detection

I recommend that you reconsider the malicious intent or I will force the visitors to flood your customer support blaming your company for this mistake, which is clearly your problem.

1 hour ago, posdz said:

Hello,

Thanks apparently it's fixed.

The alert came from TF
https://torrentfreak.com/cryptocurrency-miner-targeted-by-anti-virus-and-adblock-tools-170926/

(Your response was seconds away for me to take action and send an email to all my users to start a thread here)

I'm sure your users will be more annoyed with a script running that eats up 30% of their CPU and makes their browser performance terrible.

Seems half the internet is using this API nowadays, even CBS Showtime.

Plus it also seems kinda ironic that sites that are offering stolen intellectual property are not so happy when someone is stealing their revenue :lol: You agree with one form of theft but not another?? Or is one form of theft more ethical than another??

2 hours ago, Marcos said:

Actually, Eset should throw an alert and let the user decide if he wants his CPU maxed out. Personally, I want nothing to do with any web site doing coin mining.


I completely agree. Coin miners are bad if they are run on a user's computer without his or her knowledge.


Sadly none of these sites ask for consent, nor do they advertise that they use it either. Not a good thing when you are testing new software (browser, OS, A/V) and you have performance problems and then have to sit and work out what is causing the issue.


Unless I am missing something, all you have to do is land on a web page to have this coin miner run. Therefore, I want it blocked/alerted to outright. To hell with Code Hive:

Quote

The websites of US telly giant CBS's Showtime contained JavaScript that secretly commandeered viewers' web browsers over the weekend to mine cryptocurrency.

The flagship Showtime.com and its instant-access ShowtimeAnytime.com sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.

The scripts were written by Code Hive, a legit outfit that provides JavaScript to website owners: webmasters add the code to their pages so that they can earn slivers of cash from each visitor as an alternative to serving adverts to generate revenue. Over time, money mined by the Code-Hive-hosted scripts adds up and is transferred from Coin Hive to the site's administrators. One Monero coin, 1 XMR, is worth about $92 right now.

However, it's extremely unlikely that a large corporation like CBS would smuggle such a piece of mining code onto its dot-coms – especially since it charges subscribers to watch the hit TV shows online – suggesting someone hacked the websites' source code to insert the mining JavaScript and make a quick buck.

The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers' pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime's systems.

https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/


I submitted this to ESET a few weeks ago and it never got added to any of the detection methods. Probably quite hard to categorise this as it could also be used for "Legitimate" reasons.

Just block the script yourself and you are protected from it on any site ;)


Appears Eset detects the script as a PUA ......... clever. Good enough for me.

2 minutes ago, itman said:

Appears Eset detects the script as a PUA ......... clever. Good enough for me.

Yes, that's the JavaScript I submitted, but when it's used (coded) in other websites it does not point back to the actual website of coin-hive. Plus its use and quick adoption also seems to have attracted more versions of the same thing; some mine bitcoins and some mine Monero coins, and others will obviously follow, like Ethereum. Since the code is open source, it's freely editable for any type of mining.

Manually blocking the script on sites is the only way to go.


Yeah, I just found that out. But ........... Fanboy to the rescue! Appears their tracking/privacy lists already include the script. Here is a test web site to check if your blocking solution is working correctly: https://cnhv.co/6bk


This coin mining crap is especially bad for anyone using IE:

Quote

There is one exception here, in that in some cases, loading the JavaScript mining code once is enough, no matter whether the user decides to change site afterward, the mining will continue. This particular abuse technique affects Internet Explorer (i.e. the zombie script) and was identified and reported (but not fixed yet) by Manuel Caballero.

Ref.: https://blog.malwarebytes.com/threat-analysis/2017/09/drive-by-mining-and-ads-the-wild-wild-west/

Appears disabling ActiveX is the only solution to the "zombie script" issue. I always have had it disabled as a rule.


Not safe at all, and especially attractive as coin-based currency is anonymous. Just a matter of time before someone reworks the code and it can be run on web servers (if it's not already done), not just in the browser of unsuspecting users visiting websites.

22 hours ago, cyberhash said:

Just a matter of time before someone reworks the code and it can be run on web servers (if it's not already done), not just in the browser of unsuspecting users visiting websites.

Already been done. Interesting read on this here: https://blog.sucuri.net/2017/09/hacked-websites-mine-crypocurrencies.html

Quote

It appears as if this is not a new infection, but since the attackers already control the “security.fblaster[.]com” server, they can easily modify the malicious script without having to change anything on sites that they had infected previously.

Once the hackers learned about CoinHive, they registered for the service (it only asks for a valid email address) and ported their JavaScript Miner to work off of their own domain – effectively re-using the scripts they already injected to compromised sites.

Since the cryptocurrency miner only produces meaningful results on sites with lots of visitors (or on a large number of less popular sites), they began to inject the miner to new sites just a few days ago. At this point the security.fblaster[.]com infection is not massive (although there are other similar attacks as you’ll read below) as we don’t see it on many other sites so probably the attackers are still testing this approach.

Conclusion

One thing is clear – the release of JavaScript coin miners for websites did not go unnoticed by the bad guys. They immediately began looking for ways to abuse it, and we expect to see mass infections switching their attention to crypto-miners instead of traditional types of malicious payloads, and not just on WordPress and Magento.

On 9/26/2017 at 11:23 AM, posdz said:

Previous post...


I recommend that you reconsider the malicious intent or I will force the visitors to flood your customer support blaming your company for this mistake, which is clearly your problem.

2nd post....

Hello,

Thanks apparently it's fixed.

The alert came from TF
https://torrentfreak.com/cryptocurrency-miner-targeted-by-anti-virus-and-adblock-tools-170926/

(Your response was seconds away for me to take action and send an email to all my users to start a thread here)

Nothing like a good malicious threat/tantrum to try and get your way, child. :angry:

The sign of an upright and forthcoming person.... NOT. :ph34r:

By the way, false positives need to be reported here: https://support.eset.com/kb141/

***********************************************************

Just saw this....

https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+eset%2Fblog+(ESET+Blog%3A+We+Live+Security)


FYI - Coin Hive also added a new domain, coinhive.com, in addition to coin-hive.com. So those who block via URL list will want to add that one.

Also, you might want to refer to this periodically for miner domain updates: https://github.com/hoshsadiq/adblock-nocoin-list . Also on that web page are instructions on how to add their miner list to Adblock Plus if you are using that solution. This way you won't have to keep manually updating domains.
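The URL-list blocking described in this post, as an added defender-side example that is not part of the thread or of any project mentioned in it: a small check that extracts every external script reference from a page and reports the ones whose host (or parent domain) is on a miner blocklist. The blocklist and the sample HTML are constructed here from the domains quoted in this thread; a real deployment would load a maintained list such as adblock-nocoin-list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist built from hosts named in this thread. A maintained
# list (e.g. adblock-nocoin-list) would replace it in practice.
MINER_HOSTS = {"coin-hive.com", "coinhive.com", "security.fblaster.com"}


def host_is_blocked(host, blocklist=MINER_HOSTS):
    """True if host itself or any parent domain is on the blocklist,
    so cdn.coinhive.com is caught by the coinhive.com entry."""
    parts = host.lower().rstrip(".").split(".")
    # Stop before the bare TLD so "com" alone can never match.
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts) - 1))


class ScriptSrcExtractor(HTMLParser):
    """Collects the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def find_miner_scripts(html, blocklist=MINER_HOSTS):
    """Return the script src values in html whose host is on the blocklist.
    Protocol-relative URLs (//host/path) are resolved as https so they are
    not silently skipped by urlparse."""
    parser = ScriptSrcExtractor()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        url = "https:" + src if src.startswith("//") else src
        host = urlparse(url).hostname
        if host and host_is_blocked(host, blocklist):
            hits.append(src)
    return hits


# Constructed sample page: one benign script, one miner script loaded
# protocol-relative, one loaded from a subdomain of a listed host.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.org/analytics.js"></script>
<script src="//coinhive.com/lib/miner.js"></script>
<script src="https://cdn.coin-hive.com/lib/miner.js"></script>
<script>var x = 1;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in find_miner_scripts(SAMPLE_HTML):
        print("blocked miner script:", hit)
```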


Without consent, a coin miner is malware.
I hope that security software detects such adware and JavaScript in a more aggressive way.

1 hour ago, sky7 said:

Without consent, a coin miner is malware.

Appears Coin Hive is preparing a "preemptive strike" against getting banned outright in the adblockers by doing just that:

Quote

While Coinhive is taking steps to prevent the abuse of its technology on unsuspecting users, some researchers aren't confident it will prevent cybercriminals from exploiting the newfound revenue stream.

“Coinhive has already received lots of feedback and their blog reports that they're working on a way to implement a user required "opt-in" before being allowed to mine,” Moffitt said. “This would ideally prevent abuse, but who's to say hackers can't spoof that down the road. “

Ref.: https://www.scmagazine.com/legit-cryptocurrency-miners-increasingly-used-to-steal-user-cpu-cycles/article/696510/

To that I say, "nice try."


Sadly there will be loads of people sitting with the older version that does not require any user consent. The cat is already out of the bag -_-


Eset won't flag any web server coin miners unless the scripts on the pages they host are known to be malicious. This is because they are in the same classification as adware. Eset in their blog posting on coin miners did recommend you use a good adblocker. As previously noted, you can add for example the coin miner list at GitHub to Adblock Plus's TP lists. Ditto if you're using Adguard, etc.


I feel that without a doubt this is not adware, and at the very best is a PUA and should be detected as such. If ESET can't detect it, I guess that's an issue.. but if it WON'T, that's another story.

I get the impression from:
https://www.welivesecurity.com/2017/09/14/cryptocurrency-web-mining-union-profit/

Quote

Even if it can be considered as an alternative to traditional ads, this behavior is unwanted when there is no user consent. The New Jersey Division of Consumer Affairs considered that mining bitcoins on a user’s machine without consent is equivalent to gaining access to the computer. 

that the web mining is considered malicious.

22 hours ago, itman said:

Eset won't flag any web server coin miners unless the scripts on the pages they host are known to be malicious. This is because they are in the same classification as adware. Eset in their blog posting on coin miners did recommend you use a good adblocker. As previously noted, you can add for example the coin miner list at GitHub to Adblock Plus's TP lists. Ditto if you're using Adguard, etc.

If the above linked post is the blog posting you're referring to, they mention using an adblocker, but only, it seems, if you do not have Eset installed?

Quote

Finally, users can protect themselves against this kind of threat by having a well-configured ad blocker or script blocker add-on installed in their browser(s). ESET users may protect themselves from these malicious scripts, detected as JS/CoinMiner.A potentially unsafe application, by enabling detection of Potentially UnSafe Apps. See https://support.eset.com/kb3204.

Another interesting, but potentially useless point, when staff at my office contacted ESET regarding the software's ability to block adware and browser hijacks the reply was:

Quote

Yes we do. With our Exploit blocker as well as other features.

But that's a sales team, always answering affirmative without speaking with anyone else. 

So, all this leaves me wondering if ESET is protecting me against websites that use my computer (potentially overheating it, using my electricity, etc.) without my permission.
