Coin miners, are they dangerous?

Hello,
As far as I know, coin miners are an ad alternative, making money like ads. So can those miners really be dangerous, something like installing the miner on my PC and running forever? It should stop mining after I close the web page. Today Avast detected “hXXps://coinhive.com/lib/coinhive.min.js [L] JS:Miner-C [Trj] (0”, but when I go to the Coinhive webpage and run the mining test, it starts eating my CPU up to 100% and this is not detected. So is it not malware?

https://www.virustotal.com/#/file/c626720ce7b4db02952f2a8a88a23b60750278bbb36f043221eedf55471866a8/detection

If you mean does Avast protect against all iterations of bitcoin miners, the answer would be no.

Layered protection (defenses from more than one point) works best: uBlock Origin blocks this threat.

See attached below:

I’d consider any program that captures 100% of CPU to be problematic, as above, especially if not personally installed and vetted by me on my system(s).

Yes, my adblocker blocks this too, but in fact it only eats PC resources and does not do anything malicious, right? Or does just running this script infect my PC? Thank you

Read here: https://forum.avast.com/index.php?topic=209628.0

Hi TheOwner,

You could check here whether your browser is vulnerable: https://mineblock.org/
I get:

If the miner doesn't start, your browser is safe! Can't start miner. Your browser is safe!

The baddies are listed here: http://www.badbitcoin.org/thebadlist/

Bad Bitcoin i.m.o. is a big ponzi-like blockchain scam scheme, like the Black Tulip hype in the days of our Dutch painter Rembrandt, moreover the bitcoin value now halves every three years and over a few decades all present bitcoins will be mined.

When you wanna block mal-ads, you certainly wanna block bad-bitcoin-mining as well.
A good adblocker and scriptblocker combination will keep you safe from bitcoin mining scripts:
uBlockOrigin together with uMatrix.

polonus (volunteer website security analyst and website error-hunter)

Some side-remarks

Good Crypto-money is feared as unregulated.
Russia and China will soon regulate their crypto money systems,
others may fear to travel where they have no longer full control of the money chain.

But there are always good spin-offs, coming from a new technology - crypto and blockchain,
also as it can give back private decentralised Internet to the people.

Good the rulers cannot abolish MATH else they certainly would have done so.

Read about innovation decentralised Internet apps-> https://blockstack.org/

polonus

Thanks for the answer. I use Adblock for Chrome with the “Cryptocurrency (Bitcoin) Mining Protection List”, which blocks Coinhive and also other miners. But even if I don't block it, is it dangerous? Or does it just eat PC resources and not harm anything? This is still not clear to me. Thank you

Read the links provided by Pondus.
https://forum.avast.com/index.php?msg=1426696

Coinhive miners can pop-up anywhere. Example: https://urlquery.net/report/a06087ca-9dc5-43a7-b85c-642c01f52fbd
And a site that is redirecting: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.bioitalia.com&ref_sel=GSP2&ua_sel=ff&fs=1
Nothing on that here: https://www.virustotal.com/nl/url/0084bf4836980375292030f28c7747898102e4a716a33e872c775fd316480f3a/analysis/1511651274/ given a clean bill :o
Cannot understand as it is blacklisted here: https://sitecheck.sucuri.net/results/www.searchstarters.com
A high risk site.

Websites with hidden bitcoin mining scripts that do not ask your permission are also often involved in launching various other malcode. So it is best to block them. Random example: https://urlquery.net/report/1fb3ed59-b960-43b8-8680-db3adc57864c → abuse at AS: https://www.peeringdb.com/net/1280

polonus

Go to the Dashboard of your adblocker of choice, open Options > Third-party Filters, and add: https://github.com/fvandillen/blocklists/blob/master/adblockplus.txt
(info credits go to fvandillen)

polonus

Another one probably into coinmining: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.mercuryserver.com&ref_sel=GSP2&ua_sel=ff&fs=1
See related through DOM-XSS → -Results from scanning URL: -http://flashbaek.com/home/rowlin-insurance-jobs//
Number of sources found: 5
Number of sinks found: 464

-Results from scanning URL: -http://www.mercuryserver.com/forums/djdb/ajax.js
Number of sources found: 4
Number of sinks found: 1

Results from scanning URL: -https://cgleague.org/index.php?topic=110822.0/
Number of sources found: 3
Number of sinks found: 53

Re: → Results from scanning URL: -https://rawgit.com/Yobamine/new/master/mercuryserver.js
Number of sources found: 2
Number of sinks found: 0

Retirable High Risk: http://retire.insecurity.today/#!/scan/9cc3465d10fbfdaf1a201f16a32d88f62e04b6c708c31ee9141488d04f4c4616

No to low risk gives: https://sitecheck.sucuri.net/results/www.mercuryserver.com

And finally Quttera has it - malicious -https://quttera.com/detailed_report/www.mercuryserver.com

-/forums/external.php?type=RSS2
Severity: Malicious
Reason: Detected reference to blacklisted domain
Details: Detected reference to malicious blacklisted domain -balance.hr

-rawgit.com/Yobamine/new/master/mercuryserver.js max. runtime exceeded -

navigator.systemLanguage=String(“en”); navigator.browserLanguage=String(“en”); document.lastModified=String(“”); var location = new my_location(“-rawgit.com/Yobamine/new/master/mercuryserver.js”,“-rawgit.com/Yobamine/new/master/mercuryserver.js”); var _0xad16=
See code: -https://www.exploit-db.com/raw/8135/ (remove - to go there, only for security researchers)

polonus (volunteer website security analyst and website error-hunter)

This crypto coin mining is going to be the big expanding threat for 2018.

Google Tag Manager is now also being abused by crypto-jackers to smuggle in coin miners' scripts,
and Google is not purging their tags.
Read: https://www.theregister.co.uk/2017/11/22/cryptojackers_google_tag_manager_coin_hive/
The NoScript add-on does a good job of keeping these out of your browser.

We will probably not find out who started this and added the code,
as it certainly will be blamed on some poor hacker.

pol

Update on scam block mining IPs:
https://www.globalinvestoralerts.org/ethereum_scam_database_ip_addresses.shtml

Another resource: https://map.httpcs.com/alert/516275 and https://app.cymon.io/search/domain/http-blorckcrhain.info

Block unauthorized mining on websites and company networks.

polonus

P.S. An example from that database of IP addresses: https://mxtoolbox.com/domain/sec-key.ru/
and http://urlquery.net/report/37362183-1db5-493d-ac7b-4dc9a861a1ea and also: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fwww.sec-key.ru%2F netcraft risk rating 9 red out of 10.

443/tcp open ssl/http nginx 1.12.1
| http-robots.txt: 37 disallowed entries (15 shown)
| */index.php /bitrix/ /*show_include_exec_time=
| /*show_page_exec_time= /*show_sql_stat= /*bitrix_include_areas=
| /*clear_cache= /*clear_cache_session= /*ADD_TO_COMPARE_LIST
|_/*ORDER_BY /*PAGEN /*?print= /*&print= /*print_course= /*?action=
|_http-server-header: nginx/1.12.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Bitrix vulnerable? -http://downloads.securityfocus.com/vulnerabilities/exploits/13965.pl (dangerous exploit PoC link, do not open unless you know what you are doing - you are not advised to (pol)).

pol

A coinminer site to be avoided or blocked: -tschernobyl-info.de/
alert: ET POLICY Request for Coinhive Browser Monero Miner M2
Re: http://urlquery.net/report/17a1da10-c7e6-42e2-b8d3-956d4d470d56

polonus

Poper Blocker (chrome/firefox) blocks popups, that includes hidden iframes, thus bitcoin miners as well.

https://www.bleepingcomputer.com/news/security/cryptojacking-script-continues-to-operate-after-users-close-their-browser/


https://s2.postimg.org/ag3kmldxx/capture_11292017_224741.jpg

https://s2.postimg.org/42ehjcgrp/capture_11292017_230506.jpg

@TairikuOkami,

Thanks for the heads-up on this. (Nihon iti :wink: )

Right you are, that is why Google Chrome will get a better pop-up blocker,
will function better against scamsites and this, what we discussed here in this thread,
read at their blog:
https://blog.chromium.org/2017/12/chrome-64-beta-stronger-pop-up-blocker_14.html

polonus aka Damian

Another domain with an IDS alert for "coin-hive dot com/lib/coinhive.min.js?ver=4.9.1" malware:
https://urlquery.net/report/633f2968-9980-470d-9637-271b504562e3

Not detected here: https://www.virustotal.com/nl/url/0f9cb105056583040e3c321ebfb235bdff0c332b9539843d262048541a655bd4/analysis/1513889836/
Although they give this as present: /wp-content/plugins/simple-monero-miner-coin-hive/js/smmch-mine.js?v=1.3&
htxps://coinhive.com/lib/coinhive.min.js Sucuri still does not flag this.

polonus
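
Added example, not part of the original thread or any poster's code: a static check a site owner can run over served HTML to flag the miner references named above (the `coinhive.com` / `coin-hive.com` hosts, `/lib/coinhive.min.js`, and the `simple-monero-miner-coin-hive` plugin path). The sample page, `example.org` URLs and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from this thread; extend them from a maintained blocklist.
MINER_HOSTS = ("coinhive.com", "coin-hive.com")
MINER_PATH_PARTS = ("/lib/coinhive.min.js",
                    "/plugins/simple-monero-miner-coin-hive/")

def classify(src):
    """Return a reason string if src looks like a miner script, else None."""
    parts = urlsplit(src.strip())
    host = (parts.hostname or "").lower()   # empty for relative URLs
    path = parts.path.lower()               # query string (?ver=...) excluded
    # Match the exact host or a subdomain, not an arbitrary substring.
    if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
        return "host:" + host
    # Catches self-hosted or proxied copies served from another domain.
    for part in MINER_PATH_PARTS:
        if part in path:
            return "path:" + part
    return None

class ScriptCollector(HTMLParser):
    """Collects src attributes of <script> and <iframe> tags that match."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src and classify(src):
                self.hits.append((tag, src, classify(src)))

def find_miner_scripts(html):
    collector = ScriptCollector()
    collector.feed(html)
    return collector.hits

# Constructed sample page, not captured from any real site.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="//Coin-Hive.com/lib/coinhive.min.js?ver=4.9.1"></script>
<script src="/wp-content/plugins/simple-monero-miner-coin-hive/js/smmch-mine.js?v=1.3"></script>
<script src="https://example.org/notcoinhive.com.js"></script>
</head></html>"""

if __name__ == "__main__":
    for tag, src, reason in find_miner_scripts(SAMPLE_HTML):
        print(f"{tag}: {src} ({reason})")
```

This only sees tags present in the served HTML; a script injected at runtime, such as through the tag manager abuse mentioned in the thread, needs a browser-side blocker or network-level filtering.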