Don’t Be a Coinmining Zombie

Cryptojacking – The Latest Threat

When your computer or mobile device (and now, even your IoT device) is hijacked to secretly mine cryptocurrencies, it’s been cryptojacked and becomes a coinmining zombie. Its CPU, memory, disk, and power are enlisted in varying degrees in the service of the mining botnet, which labours on behalf of those who use it, with other zombies, to make money in the currency. Cryptojacking not only increases the wear and tear on your PC or Mac; if it’s a mobile device it can overheat and swell the battery, even destroy the device itself. Not a good payment for all that service!

So how do you get cryptojacked? And what can you do to prevent it?

What is cryptocurrency, anyway?

First, a refresher, to clarify the security issues.

cryptocurrency is a digital currency “designed to work as a medium of exchange, that uses strong cryptography to secure financial transactions, control the creation of additional units, and verify the transfer of assets.” (See Cryptocurrency, Wikipedia) Unlike electronic or printed currencies produced by central banking systems, cryptocurrencies use peer-to-peer networked decentralized computers—distributed ledgers, typically blockchains (explained below)—to serve as the public databases that process and verify the transactions conducted in the currency.

First released in 2009, Bitcoin is generally considered to be the first cryptocurrency. Since then, over 4,000 alternative currencies have been created—and some of them, like EthereumRippleLitecoin, and Monero, are very active among a list of over 1500 cryptocurrencies in circulation today. Companies like Microsoft, Dell, Virgin Galactic, Shopify, and Tesla, as well as others (the list is growing) are now among the companies accepting Bitcoin and other cryptocurrencies. Countries like the US, South Korea, Hong Kong, and Japan, as well as  Australia, are now among the countries accepting and regulating cryptocurrencies. This list too is growing, though some countries have refused to recognize cryptocurrencies or have banned them altogether (see Cryptocurrencies by Country, Dividends Magazine, 25 Oct 2017).

Next, what is cryptocurrency mining?

Cryptocurrency mining (aka coinmining for short) is the way transactions are processed and verified over the peer-to-peer network by the cryptocurrency’s coinminers installed on innumerable users’ computers. Each set of transactions are processed as a “block” then added to the “blockchain—the public ledger—when they’re confirmed by a cryptographic hash (a fixed-sized alphanumeric string) generated by the miners. The blockchain is then ready for the next block. The coin-owner’s private key or seed in their cryptocurrency wallet is what identifies the ownership of the coins, seals the transaction for the specified amount, and prevents the transaction from being altered—as verified by the hash. The miners that first calculate the hash, before any others, are rewarded with free currency units—hence the high processing power required to do this quickly (usually, in about ten minutes). To that end, mining can be done by one or more big computers with lots of processing power and high-end graphic cards (GPUs); or it can be done in a pool by many smaller mining computers working simultaneously across the network. Legitimate mining pools may be set up by partners who share any profits by calculating the precise contribution of each of the participating miners in creating the cryptographic hash.

How do you become a coinmining zombie?

That said, it’s not just legitimate entrepreneurs who use pools of computers to mine cryptocurrencies. Transgressive or criminal coinmining can occur whenever your computer and others are “hijacked” (i.e., cryptojacked) to mine without your permission.

Three types of cryptojacking in use today, (apart from the outright theft of cryptocurrency from the wallet that contains it, which can also occur):

Web coinminers. 

Some websites now incorporate known transgressive web coinminers, as in the now infamous example of the publicly-advertised CoinHive miner installed on PirateBay. Sold by the CoinHive creators as a clever alternative to using website ads, when users clicked anywhere on PirateBay, a popup would initiate a coinmining process, significantly increasing the CPU usage of the visitor’s machine via the Javascript coinminer. Hidden web coinminers take this process a step further, allowing aggressive or criminal attackers to compromise a site for coinmining in a clandestine way, even after you close your browser. They do this by minimizing the browser behind the Windows Taskbar, to persist in the mining at a reduced processing rate, so you may not even notice it—though your CPU usage remains higher than normal.

Local coinminers. 

In this case, a fake app masquerading as an update installs a coinminer on your computer, as with the Fake Flash Player Updater you might install because a malicious popup tells you that you need it to make the website work properly. Another example is HiddenMiner, which poses as a legitimate Google Play update app that continuously mines the Monero cryptocurrency on Android, which can cause the device to overheat and potentially fail. It’s similar to the Loapi Monero-mining Android malware, which security researchers report can cause a device’s battery to bloat.

Fileless coinminers. 

Finally, fileless coinminers may be initially executed as a PowerShell script, which then propagates on the target machine using Mimikatz or EternalBlue for Lateral Movement, then Windows Management Instrumentation (WMI) for the exploit in the scanned network connection. This opens a persistent, asynchronous, fileless backdoor on your computer for the purposes of clandestine coinmining. The result, again, is increased CPU usage on your machine.

The Petty Cyber Crime Hiding a Deadly Threat

One of the fastest-growing malware threats of the past 18 months affects half of the businesses in the world, and most of them don’t know it. It’s called cryptojacking, an unintended consequence of the booming popularity of cryptocurrencies like Bitcoin. Most victims don’t notice that they’ve been hit by cryptojacking because its adverse effects are relatively inconsequential: it just steals CPU cycles from your computer, as well as the electricity required to power it.

Getting hit by ransomware — a similarly-pervasive and fast-growing but much more destructive malware threat — is like a roundhouse punch to the face: your files get locked up with encryption until you pay some distant criminal hundreds or thousands of dollars for the key. Compared to ransomware, cryptojacking seems more like a mosquito bite: an annoyance, not a grave threat.

But the harsh reality is that like disease-carrying insects, some cryptojackers bring lethal friends along with them.

Cryptomining Basics

Without delving into the technical intricacies of any cryptocurrency, what you need to understand on a basic level is an essential component process called cryptomining. Cryptomining provides the means to verify digital transactions without the intervention of a centralized authority like a bank, one of the most valuable benefits of blockchain technology.

Cryptomining involves many volunteers on the Internet who have agreed to try to solve a mathematical puzzle in return for a reward. Each participant works from the same collection of transactions, taking a cryptographic hash of them and then making as many as 100 million guesses in an attempt to discover a related hash value that meets certain mathematical criteria. The first person to unwind this abstruse problem has executed a critical piece of the blockchain process, providing incontrovertible validation of the block of transactions, which are then immutably added to the distributed ledger.

In financial applications of blockchain, this solves the so-called double-payment issue, preventing a unit of the cryptocurrency from being copied and fraudulently used in another transaction. The solver gets paid a bounty in cryptocurrency, and everybody races to find a solution for the next transaction block.

Intensive Resource Use

The challenge is that solving these puzzles demands a staggering amount of computing horsepower and electricity: your typical consumer-grade PC might take a century to produce the verification hash for just one block. Nowadays, the profitable business of block-solving for cryptocurrencies is mostly conducted by specialized businesses using large pools of computers equipped with costly custom ASIC microprocessors and cooling systems that are highly optimized for this particular task. It’s not a game for amateurs.

But certain less-popular cryptocurrencies, notably Monero, use mining algorithms that aren’t well-suited to the ASIC-based approach that dominates Bitcoin mining. Some crafty developers figured out a way to mine Monero by creating an application called Coinhive that divides the block-solution problem into many pieces and distributes it to thousands of ordinary consumer-grade PCs. These either run as an application on Windows or Linux, or as a piece of JavaScript code running in users’ browsers. Instead of solving the puzzle with expensive, highly specialized hardware that generates a lot of heat, you borrow a few CPU cycles here and a few there from a legion of cheap PCs.

Some of the usage of Coinhive and its ilk to mine Monero is legitimate, above-board. For example, the online magazine Salon.com makes most of its money displaying ads in its readers’ browsers. But when it detects that a reader is using an ad blocker, it offers an alternative price for access to its content: instead of viewing ads, readers must agree to install Coinhive in their browsers to help mine a little Monero, letting Salon keep any earnings produced.

Turning Good Technology Bad

Meanwhile, bad guys don’t want to ask your permission. Instead they simply find ways to get Coinhive or similar mining programs to run on your computer surreptitiously, either as an app or a browser script. They use your CPU cycles and electricity, without sharing their profits with you.

They gain access to your system by using proven infiltration techniques like duping you into opening an infected link or attachment in a phishing email, or infecting web servers you visit to download that mining JavaScript to run in your browser.

If you haven’t given your consent to this, the cryptominer qualifies as malware: you are the victim of cryptojacking. You’ve been deviously dragged into donating valuable resources to faceless high-tech gangsters.

Staying Hidden

There’s a good chance that you too have been cryptojacked and don’t know it. The latest cryptojacking models only steal about 20 percent of your PC’s processing power at any given time, or they wait till you’re not busy on the PC to execute the most labor-intensive calculations. They strive to be unobtrusive: if you don’t notice the slowdown, you’ll never call tech support or take your own steps to diagnose a sudden plunge in performance.

The infection persists as a minor aggravation that you will mistakenly attribute to your latest OS update, browser bloat, or aging hardware.