Originally published in 2017.
Recently while I was reviewing AV logs in a large organization one of the things that caught my attention was a large number of hits categorized as JavaScript with the word ‘Miner’ in the threat’s signature name. I looked up some of the files’ hashes in VirusTotal and downloaded some samples. As I expected the AV signature was targeting at java script code used to mine cryptocurrency. What was curious is that the detections were reported for many different websites and it was just for couple of days of logs.
I was already aware of an old project called JSMiner published some years ago on GitHub but it seems that there were some developments done in this area. Worth mentioning is the project called CoinHive that seems to have a good share in this market. So basically what they do is:
Coinhive offers a JavaScript miner for the Monero Blockchain that you can embed in your website. Your users run the miner directly in their Browser and mine XMR for you in turn for an ad-free experience, in-game currency or whatever incentives you can come up with.
On a side note I have to say that personally I wouldn’t mind if this way of making money by the web portals’ owners replaced the ads. Yes, I guess there will be arguments like what about the battery life on mobile devices and that that’s basically running unwanted code on your machine without a consent. But the most invasive ads are not that much different are they? Usually you don’t have any option to opt out and when it comes to the battery life try running a large news/fashion/commerce you name it portal without any ad/script blockers and check your CPU usage then… Besides that the CoinHive “offering” looks pretty neat and convincing with options to let visitors choose whether to enable mining or not.
Anyways getting back to the subject it would seem that the AV vendors decided to make this decision for us. First thing I did is I checked the newest version of script maintained by the CoinHive project against engines participating in the VirusTotal. The results were:
So 18 AV vendors classified it as malware or as potentially unwanted application. I followed with looking up the original filename of this script and it returned many more results where the highest detection ratio reached 30/59 with all major vendors reporting it as malicious or unwanted.
So at this point I wondered why didn’t I see those detections earlier? I checked the first file uploaded to the VT that I could find and it turned out that it was not classified as malware at the time of upload right until the next analysis triggered by someone on 10 of October where there were already 17 engines detecting this particular version of the script.
So why the decision by AV vendors to classify CoinHive as malicious? My guess is it’s because of some indicators that it is hosted by crooks on compromised websites. Yes, I’d like to think that because the alternative conspiracy theory would be the VirusTotal being a Google company working with participating AV vendors to kill potential AdWords competition in it’s early days (I’m thinking here about the Pirate Bay PoC of using JS mining to potentially replace ads) π Jokes aside when I ran a simple google search to find the default html code including the CoinHive java script the query returned 21 thousands results. I know not all of these are for actual webpages hosting the included script but at least it was a good way to narrow down the search. Deep diving in the results I started finding things like:
This gave me an idea for the following search in VT (what better place to hide…):
filename:jquery p:5+ miner tag:text
The results confirmed my suspicions. The are evidences that the miner’s code is both being hidden under names of well known java script imports as well as is being hosted from malicious domains. When we add the fact that large number of sites that I identified using google search seemed unlikely to be modified by their owners who would add the mining by themselves (low page ranks, pages not updated for a long time, very niche audience) it becomes clear that miners are installed by crooks. I expected to find some examples were ads would be involved in spreading the miner code but I was not able to find any (though I did not try too hard).
I expect this fact to be the reason behind the AV vendors classification. This feeling gets confirmed by the recent blog post on CoinHive site:
Shortly after we launched some adblockers and even antiviruses began blocking Coinhive. We have outlined our ideas about this issue in our previous blog post and we’re happy to report that we have a solution: AuthedMine.
Our goal was to offer a viable alternative to intrusive and annoying ads that litter so many websites today. These ads are not only a distraction to end users, but also provide notoriously unpredictable and non-transparent revenue numbers. We set out to change that.
It seems then that illegitimate use of their code became a significant concern so they moved into a good direction of alway asking the visitors for consent preventing an automatic run. So all in all there still might be a hope for an ad free Internet π Let’s hope so and meanwhile check your page code for any unexpected scripts. Especially this one seems as a solid indicator of compromise π
With #infosec at ππ 