Monday, December 25, 2017

Security: Crypto-Mining How to Block


One of the latest internet threats is that some sites (legitimate and illegitimate) are crypto-mining Bitcoin (and possibly other crypto-currencies) in people's browsers.

A group of bad actors developed the ability to distribute and mine Bitcoin using JavaScript that runs in a browser.  All of this happens just by visiting a web site in your browser.  The JavaScript code downloads and executes, bypassing all the security protections you may have in place (i.e. firewall, anti-malware, etc.).

Technically, this is not malware in the classical sense, meaning it does not infect a computer or spread itself.  What it does do is steal CPU cycles from your computer to mine Bitcoin.  It works by executing JavaScript code, a technology that was designed to make web pages more intelligent by supporting a programming language.  Crypto-miners are not the first to exploit this technology for other purposes; advertisers exploit it all the time to try to get you to click on more ads by shoving more of them in front of you.

Update:
Crypto-miners have made their crypto-currency mining stealthier, so even when you close your browser windows the mining will still run.  They updated their code to create a pop-under window, sized to fit inside the taskbar and behind the clock, after you visit a web site.  If the taskbar is set to be transparent, you might be able to see a tiny window.  If not, resizing the taskbar can pop it into view.  The code also tries to evade detection by limiting itself to just 50 percent of the CPU.

Fighting Back
There are a few ways of fighting back against this threat and preventing these sites from stealing your CPU cycles.

Method 1. Install a browser extension.  There are several of these out there for the different browsers.  There are too many choices for me to make a recommendation.  I would advise doing your own research and seeing what others recommend.

Method 2. This method is more advanced.  It requires more manual intervention and updating.  It also requires knowledge of how to update your computer's hosts file (C:\Windows\System32\Drivers\ETC\Hosts).  You add the crypto-mining domains to the hosts file and point them to a bad IP address (i.e. 0.0.0.0).  The hosts file prevents the code from running because when the browser tries to resolve the domain, it cannot.  The hosts file also works at the system level, meaning it protects all the browsers installed on your system.

Note: The problem with this method is knowing which domains to block, and having to manually update the list on a regular basis.

Method 3. This method is even more advanced.  It requires more manual intervention and updating of the DNS.  If you are a small, medium or large organization with your own DNS servers, it would be possible to put these domains in your DNS and point them to a bogus address.  This would help protect the clients in your organization from these types of attacks.

Note: As with Method 2, the problem with this method is knowing which domains to block, and having to manually update the list on a regular basis.
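As an added example (not code from the original post), the following script generates the blocking entries for Method 2 and Method 3 from a domain list: it validates and de-duplicates the domains, merges sinkhole entries into existing hosts file text without adding duplicates, and emits the same list as BIND Response Policy Zone (RPZ) records for a DNS server.  The domain names and the hosts file content are constructed placeholders; the RPZ output assumes a BIND-style RPZ zone, which the post does not name.

```python
import re

# Constructed sample block list; placeholder names, not real mining hosts.
MINING_DOMAINS = ["miner.example", "cdn.miner.example",
                  "MINER.example", "bad domain", "js.pool.example"]

SINKHOLE_IP = "0.0.0.0"  # the "bad IP address" the post suggests
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name):
    """Accept only syntactically valid lowercase hostnames with 2+ labels."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(lab) for lab in labels)


def normalize(domains):
    """Lowercase, strip, drop invalid entries and duplicates; return sorted."""
    seen = set()
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if valid_domain(d) and d not in seen:
            seen.add(d)
    return sorted(seen)


def blocked_in_hosts(hosts_text):
    """Return the hostnames already mapped in existing hosts file text."""
    names = set()
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()   # ignore comments
        if len(parts) >= 2:
            names.update(p.lower() for p in parts[1:])
    return names


def merge_hosts(hosts_text, domains):
    """Method 2: append sinkhole lines only for domains not yet present."""
    present = blocked_in_hosts(hosts_text)
    new = [d for d in normalize(domains) if d not in present]
    lines = [hosts_text.rstrip("\n")] if hosts_text.strip() else []
    if new:
        lines.append("# crypto-mining block list")
        lines.extend(f"{SINKHOLE_IP} {d}" for d in new)
    return "\n".join(lines) + "\n", new


def rpz_zone(domains):
    """Method 3: RPZ records pointing each domain (and subdomains) at the sinkhole."""
    recs = [f"{d} A {SINKHOLE_IP}\n*.{d} A {SINKHOLE_IP}" for d in normalize(domains)]
    return "\n".join(recs) + "\n"
```

Run `merge_hosts` on the real hosts file text from the path given above and write the result back with administrator rights; rerunning it on the updated text adds nothing, so the list can be refreshed on a schedule.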
