Hello,
As far as I know, coin miners are an ad alternative, making money like ads. So can those miners really be dangerous, something like installing the miner on my PC and running forever? It should stop mining after I close the web page. Today Avast detected “hXXps://coinhive.com/lib/coinhive.min.js [L] JS:Miner-C [Trj] (0”, but when I go to the coinhive webpage and run the mining test, it starts eating my CPU to 100% and this is not detected. So it is not malware?
If you mean does avast protect against all iterations of bitcoin miners the answer would be no.
Layered protection (defenses from more than one point) works best: uBlock Origin blocks this threat.
See attached below:
I’d consider any program that captures 100% of CPU to be problematic, as above, especially if not personally installed and vetted by me on my system(s).
Yes, my adblock blocks this too, but in fact it only eats PC resources and is not doing something malicious, right? Or does just running this script infect my PC? Thank you
Hi TheOwner,
You could check here whether your browser is vulnerable: https://mineblock.org/
I get:
If the miner doesn't start, your browser is safe! Can't start miner. Your browser is safe!
The baddies are listed here: http://www.badbitcoin.org/thebadlist/
Bad Bitcoin i.m.o. is a big ponzi-like blockchain scam scheme, like the Black Tulip hype in the days of our Dutch painter Rembrandt, moreover the bitcoin value now halves every three years and over a few decades all present bitcoins will be mined.
When you wanna block mal-ads, you certainly wanna block bad-bitcoin-mining as well,
a good adblocker and scriptblocker combination will keep you safe from bitcoin mining scripts:
uBlockOrigin together with uMatrix.
polonus (volunteer website security analyst and website error-hunter)
Some side-remarks
Good Crypto-money is feared as unregulated.
Russia and China will soon regulate their crypto money systems,
others may fear to travel where they have no longer full control of the money chain.
But there are always good spin-offs, coming from a new technology - crypto and blockchain,
also as it can give back private decentralised Internet to the people.
Good the rulers cannot abolish MATH else they certainly would have done so.
Read about innovation decentralised Internet apps-> https://blockstack.org/
polonus
Thanks for the answer. I use Adblock for Chrome with the “Cryptocurrency (Bitcoin) Mining Protection List”, which blocks coinhive and also other miners. But even if I don't block it, is it dangerous? Or does it just eat PC resources and not harm anything? This is still not clear to me. Thank you
Read the links provided by Pondus.
→ https://forum.avast.com/index.php?msg=1426696
Coinhive miners can pop-up anywhere. Example: https://urlquery.net/report/a06087ca-9dc5-43a7-b85c-642c01f52fbd
And a site that is redirecting: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.bioitalia.com&ref_sel=GSP2&ua_sel=ff&fs=1
Nothing on that here: https://www.virustotal.com/nl/url/0084bf4836980375292030f28c7747898102e4a716a33e872c775fd316480f3a/analysis/1511651274/ given a clean bill :o
Cannot understand as it is blacklisted here: https://sitecheck.sucuri.net/results/www.searchstarters.com
A high risk site.
Websites with hidden bitcoin mining scripts, that do not ask your permission are also often involved in launching various other malcode. So it is best to block them. Example random: https://urlquery.net/report/1fb3ed59-b960-43b8-8680-db3adc57864c → abuse at AS: https://www.peeringdb.com/net/1280
polonus
Go to the Dashboard of your adblocker of choice, open Options, Third-party Filters, and add: https://github.com/fvandillen/blocklists/blob/master/adblockplus.txt
(info credits go to fvandillen)
polonus
Another one probably into coinmining: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.mercuryserver.com&ref_sel=GSP2&ua_sel=ff&fs=1
See related through DOM-XSS → -Results from scanning URL: -http://flashbaek.com/home/rowlin-insurance-jobs//
Number of sources found: 5
Number of sinks found: 464
-Results from scanning URL: -http://www.mercuryserver.com/forums/djdb/ajax.js
Number of sources found: 4
Number of sinks found: 1
Results from scanning URL: -https://cgleague.org/index.php?topic=110822.0/
Number of sources found: 3
Number of sinks found: 53
Re: → Results from scanning URL: -https://rawgit.com/Yobamine/new/master/mercuryserver.js
Number of sources found: 2
Number of sinks found: 0
Retirable High Risk: http://retire.insecurity.today/#!/scan/9cc3465d10fbfdaf1a201f16a32d88f62e04b6c708c31ee9141488d04f4c4616
No to low risk gives: https://sitecheck.sucuri.net/results/www.mercuryserver.com
And finally Quttera has it - malicious -https://quttera.com/detailed_report/www.mercuryserver.com
-/forums/external.php?type=RSS2
Severity: Malicious
Reason: Detected reference to blacklisted domain
Details: Detected reference to malicious blacklisted domain -balance.hr
-rawgit.com/Yobamine/new/master/mercuryserver.js max. runtime exceeded -
navigator.systemLanguage=String(“en”); navigator.browserLanguage=String(“en”); document.lastModified=String(“”); var location = new my_location(“-rawgit.com/Yobamine/new/master/mercuryserver.js”,“-rawgit.com/Yobamine/new/master/mercuryserver.js”); var _0xad16=
See code: -https://www.exploit-db.com/raw/8135/ (remove - to go there, only for security researchers)
polonus (volunteer website security analyst and website error-hunter)
This crypto coin mining is going to be the big expanding threat for 2018.
Now Google Tag Manager is also being abused by crypto-jackers to smuggle in coin miners' scripts,
and Google not purging their tags.
Read: https://www.theregister.co.uk/2017/11/22/cryptojackers_google_tag_manager_coin_hive/
No Script add-on does a good job to keep these out of your browser.
We will probably not find out who started this and added the code,
as it certainly will be blamed on some poor hacker.
pol
Update on scam block mining IPs:
https://www.globalinvestoralerts.org/ethereum_scam_database_ip_addresses.shtml
Another resource: https://map.httpcs.com/alert/516275 and https://app.cymon.io/search/domain/http-blorckcrhain.info
Block unauthorized mining on websites and company networks.
polonus
P.S. An example from that database of IP addresses: https://mxtoolbox.com/domain/sec-key.ru/
and http://urlquery.net/report/37362183-1db5-493d-ac7b-4dc9a861a1ea and also: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fwww.sec-key.ru%2F netcraft risk rating 9 red out of 10.
443/tcp open ssl/http nginx 1.12.1
| http-robots.txt: 37 disallowed entries (15 shown)
| */index.php /bitrix/ /*show_include_exec_time=
| /*show_page_exec_time= /*show_sql_stat= /*bitrix_include_areas=
| /*clear_cache= /*clear_cache_session= /*ADD_TO_COMPARE_LIST
|_/*ORDER_BY /*PAGEN /*?print= /*&print= /*print_course= /*?action=
|_http-server-header: nginx/1.12.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Bitrix vulnerable? -http://downloads.securityfocus.com/vulnerabilities/exploits/13965.pl (dangerous exploit PoC link, do not open unless you know what you are doing - you are not advised to (pol)).
pol
A coinminer site to be avoided or blocked: -tschernobyl-info.de/
alert: ET POLICY Request for Coinhive Browser Monero Miner M2
Re: http://urlquery.net/report/17a1da10-c7e6-42e2-b8d3-956d4d470d56
polonus
Poper Blocker (chrome/firefox) blocks popups, that includes hidden iframes, thus bitcoin miners as well.
https://s2.postimg.org/ag3kmldxx/capture_11292017_224741.jpg
https://s2.postimg.org/42ehjcgrp/capture_11292017_230506.jpg
@TairikuOkami,
Thanks for the heads-up on this. (Nihon iti )
Right you are, that is why Google Chrome will get a better pop-up blocker,
will function better against scamsites and this, what we discussed here in this thread,
read at their blog:
https://blog.chromium.org/2017/12/chrome-64-beta-stronger-pop-up-blocker_14.html
polonus aka Damian
Another domain with an IDS alert for "coin-hive dot com/lib/coinhive.min.js?ver=4.9.1" malware:
https://urlquery.net/report/633f2968-9980-470d-9637-271b504562e3
Not detected here: https://www.virustotal.com/nl/url/0f9cb105056583040e3c321ebfb235bdff0c332b9539843d262048541a655bd4/analysis/1513889836/
Although they give this as present: /wp-content/plugins/simple-monero-miner-coin-hive/js/smmch-mine.js?v=1.3&
htxps://coinhive.com/lib/coinhive.min.js Sucuri still does not flag this.
polonus
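
Added example, not part of the original thread or any poster's code: a check a site owner could run over their own page HTML to find script or iframe references matching the miner indicators quoted in the thread (the coinhive.com and coin-hive.com hosts, the coinhive.min.js file name, and the simple-monero-miner-coin-hive plugin path). The sample HTML and the function names are constructed for illustration, and the indicator list is an assumption limited to those strings.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from strings quoted in the thread (not a complete blocklist).
MINER_HOSTS = ("coinhive.com", "coin-hive.com")
MINER_PATH_PARTS = ("coinhive.min.js", "simple-monero-miner-coin-hive")

# Constructed sample page, for illustration only.
SAMPLE_HTML = """
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="//coin-hive.com/lib/coinhive.min.js?ver=4.9.1"></script>
<script src="/wp-content/plugins/simple-monero-miner-coin-hive/js/smmch-mine.js?v=1.3"></script>
<script src="https://example.org/js/jquery.min.js"></script>
<script src="https://example.org/blog/about-coinhive.com.js"></script>
"""


class SrcCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def classify(src):
    """Return why a src looks like a miner reference, or None if it does not."""
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    for bad in MINER_HOSTS:  # exact host or subdomain, not a substring match
        if host == bad or host.endswith("." + bad):
            return "host:" + bad
    for frag in MINER_PATH_PARTS:  # self-hosted or plugin-served copies
        if frag in parts.path.lower():
            return "path:" + frag
    return None


def find_miner_refs(html):
    """Return (src, reason) for each script/iframe src that matches an indicator."""
    collector = SrcCollector()
    collector.feed(html)
    return [(s, r) for s in collector.sources if (r := classify(s))]
```

Calling `find_miner_refs(SAMPLE_HTML)` reports the first three script tags and ignores the last two, including the one that merely has "coinhive.com" in its file name.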