Posted: February 27, 2018 by Pieter Arntz
Last updated: February 26, 2018
Noticing that your computer is running slow? A sluggish machine has always been a possible sign of infection, but these days that is doubly true, and the reason is malicious cryptomining. So what, exactly, is it? We’ll tell you how bad this latest malware phenomenon is for you and your computer, plus what you can do about it.
Malicious cryptomining, also sometimes called drive-by mining, is when someone else uses your computer to mine cryptocurrency like Bitcoin or Monero. Your computer does the work and pays for the electricity, but the mined coins go into the other person’s account, not yours. Essentially, they are stealing your resources to make money.
Cryptomining can sometimes happen with consent, but unfortunately these occasions are rare.
Salon.com gave its site visitors a choice: view ads, or let the site mine on their computer
How bad is it?
If the duration of the cryptomining is not too prolonged and you are aware of what is going on, then it’s not that big a deal for regular computer users. When you are not aware of the mining activity—which is the majority of the time—it is a theft of resources. This is because cryptomining takes advantage of your computer’s Central Processing Unit (CPU) and Graphics Processing Unit (GPU), running it at higher capacities. Imagine revving your car engine or running your air conditioning while driving up a steep hill.
If the mining is prolonged and runs at, or near, the maximum of what your hardware can handle, it slows down every other process, keeps the CPU and GPU at their thermal limits (which shortens their lifespan), and in the worst case can damage the machine beyond repair. And obviously, a threat actor wants to use as much of your resources for as long as possible.
Finding the origin of the high CPU usage can be difficult. The mining process may hide itself or masquerade as something legitimate to keep the user from stopping the abuse. As a bonus for the miners, a computer running at full capacity is painfully slow, and therefore harder to troubleshoot. Besides the theft of resources and the slow, possibly damaged computer, a miner can also expose you to other malware, because the miner software itself may carry vulnerabilities of its own, as was the case with the Claymore Miner.
Local or website?
When you notice high CPU usage and suspect malicious cryptomining, it is important to know whether the mining is being done in your browser or whether your computer itself is infected, because the two are cleaned up differently. So the first thing to do is identify the process that is gobbling up your resources. Often the Windows Task Manager or macOS’s Activity Monitor is enough to find the culprit. But, as in the example below, the process may carry the same name as a legitimate Windows file.
If there is any doubt about the legitimacy of the process, it is better to use Process Explorer (part of Microsoft’s Sysinternals suite), which shows the parent process (what started the suspicious process) and the location of the file on disk. In the same example, Process Explorer shows that the path differs from that of the legitimate Windows file and that the parent process is not one that would normally launch it.
And if you have the VirusTotal check enabled (Options > VirusTotal.com > Check VirusTotal.com), you will see that the file itself and its parent are widely detected. (The Chrome detection of 1/66 is a false positive by Cylance.) Knowing this, you can stop the process to speed up your system and then start working on removing it; killing the process alone does not remove whatever started it.
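The checks described in the last three paragraphs (which process is hot, who its parent is, where its file lives, and whether a same-named Windows binary exists elsewhere) can be scripted. The following PowerShell is an added example, not code from the original post or from Malwarebytes; it samples CPU use for a few seconds and then reports, for every hot process, its parent, its image path, whether that path is one of the genuine system directories when a System32 binary of the same name exists, and the Authenticode signature status. It also flags browser processes, since for those the next step is the tab or extension hunt rather than a file on disk. The 5-second window, the 20 % threshold and the browser-name list are my illustrative values, not figures from the article.

```powershell
# Added example: not code from the original post or from Malwarebytes. Automates the
# Process Explorer triage described above: sample CPU use, then for every hot process show
# its parent, its image path, whether that path is where a genuine Windows binary of the
# same name lives, and whether the file carries a valid Authenticode signature.
# Assumptions (mine, not the article's): Windows PowerShell 5.1 or PowerShell 7 on Windows;
# the 5-second window, the 20 % threshold and the browser-name list are illustrative.
# Run from an elevated prompt, otherwise the paths of other users' processes are unreadable.

$SampleSeconds       = 5
$CpuPercentThreshold = 20
$BrowserNames        = @('chrome', 'firefox', 'opera', 'msedge', 'iexplore', 'brave')
$LegitSystemDirs     = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-CpuSnapshot {
    # CPU seconds consumed so far, keyed by process ID. Protected processes (PID 0 and 4,
    # some AV services) refuse the query, so they are recorded as 0 instead of aborting.
    $snap = @{}
    foreach ($p in Get-Process) {
        try { $snap[$p.Id] = $p.TotalProcessorTime.TotalSeconds } catch { $snap[$p.Id] = 0 }
    }
    return $snap
}

$before = Get-CpuSnapshot
Start-Sleep -Seconds $SampleSeconds
$after  = Get-CpuSnapshot
$cores  = [Environment]::ProcessorCount

# Percentage of the whole machine: one core pegged at 100 % on a 4-core box shows as 25 %.
$hot = foreach ($procId in $after.Keys) {
    if (-not $before.ContainsKey($procId)) { continue }        # started during the window
    $pct = ($after[$procId] - $before[$procId]) / ($SampleSeconds * $cores) * 100
    if ($pct -ge $CpuPercentThreshold) {
        [pscustomobject]@{ Id = $procId; CpuPercent = [math]::Round($pct, 1) }
    }
}

foreach ($h in ($hot | Sort-Object CpuPercent -Descending)) {
    $info = Get-CimInstance Win32_Process -Filter "ProcessId = $($h.Id)"
    if (-not $info) { continue }                                # exited since the snapshot
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($info.ParentProcessId)"
    # Caveat: PIDs are recycled, so a live "parent" with an odd name can also mean the real
    # parent is gone and its number was reused by an unrelated process.
    $parentName = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId))" } else { '<parent exited>' }

    $name = $info.Name
    $path = $info.ExecutablePath
    $dir  = if ($path) { Split-Path -Path $path -Parent } else { $null }

    # "Same name as a legitimate Windows file": a binary of this name exists in System32,
    # but the running copy is loaded from somewhere that is not a genuine system directory.
    $systemCopyExists = Test-Path (Join-Path $LegitSystemDirs[0] $name)
    $pathVerdict = if (-not $path) {
        'path not readable (run elevated)'
    } elseif ($systemCopyExists -and ($LegitSystemDirs -notcontains $dir)) {
        "SUSPECT: $name is a Windows binary name but this copy runs from $dir"
    } else {
        'ok'
    }

    $sigStatus = if ($path -and (Test-Path $path)) {
        (Get-AuthenticodeSignature -FilePath $path).Status       # Valid, NotSigned, HashMismatch, ...
    } else { 'n/a' }

    $hint = if ($BrowserNames -contains [IO.Path]::GetFileNameWithoutExtension($name)) {
        'browser process: find the tab or extension (Chrome: Shift+Esc opens its task manager)'
    } else {
        'local process: check parent, path and signature, then look for how it persists'
    }

    [pscustomobject]@{
        Process    = "$name (PID $($h.Id))"
        CpuPercent = $h.CpuPercent
        Parent     = $parentName
        Path       = $path
        PathCheck  = $pathVerdict
        Signature  = $sigStatus
        NextStep   = $hint
    }
}
```

A row whose PathCheck says SUSPECT and whose Signature is NotSigned is exactly the pattern the screenshots above show: a Windows file name running from the wrong folder under an unlikely parent. Stopping it with Stop-Process only buys back the CPU; the dropper, service or scheduled task that launched it still has to be found and removed.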
Finding the offender, however, is harder when the process is a browser like in the example below.
Of course, you can simply kill the browser process and hope the miner stays away, but knowing which tab or site was responsible gives you information that helps you prevent it from happening again. Chrome has a nifty built-in tool for that: the Chrome Task Manager. You can open it by clicking “More Tools” in the main menu and choosing “Task manager” there, or with the keyboard shortcut Shift+Esc.
This Task Manager shows the CPU usage of each individual browser tab and of each extension, so if one of your extensions includes a miner, it will show up in the list as well.
Note that the Chrome Task Manager sometimes shows CPU usage over 100, so I’m not sure whether it’s a percentage.
An alternative method that also works in other browsers is to disable extensions one at a time and close tabs in reverse historical order (most recently opened first). If disabling an extension does not help, it’s easy to re-enable it. And if closing a tab does not help, you can use the “Reopen last closed tab” option in browsers that have it, such as Opera, Chrome, and Firefox.
Firefox’s reopen last closed tab is called “Undo Close Tab”
How to protect against cryptomining
Malwarebytes stops the installation of many bundlers and Trojans that drop cryptominers on your system. We also block the domains of the most abused scripts and mining pools.
If you want more specialized blocking capabilities there are programs like “No Coin” and “MinerBlock” that block mining activities in popular browsers. Both have extensions for Chrome, Firefox, and Opera. Opera’s latest versions even have NoCoin built in.
Cryptomining can be done locally on the system or in the browser. Knowing the difference helps you remediate the problem, as the two require different forms of protection. Anti-mining tools are almost as popular as the problem itself, so choose wisely: some “solutions” are frauds trying to grab a share of the market.
ABOUT THE AUTHOR
Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.