Browser Coinminer threats

Discussion in 'malware problems & news' started by david banner, Nov 11, 2017.

  1. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    614
    Yesterday Norton AV found
    ce94bf5164c04ae312403c4ca6a85f4f3b1133a2
    [Contained in] c:\users\USERNAME\appdata\local\mozilla\firefox\profiles\j0aauzsv.default\cache2\entries\ce94bf5164c04ae312403c4ca6a85f4f3b1133a2 Deleted

    There is no cache2 in my profile. I am not sure if it is because NAV deleted it, or rather gave me the choice of deleting it.

    I understand the threat is https://us.norton.com/online-threats/pua.jscoinminer-2017-091515-5134-99-writeup.html

    Full NAV scan and MBAM scans both clear. What is the best way to deal with this type of threat?
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,849
    Location:
    Slovakia
    Adguard Family DNS is very effective in blocking bitcoin miner domains.

    capture_11112017_162139.jpg

    By the way, I love POP Peeper too, the best/safest email client ever. :thumb:
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,204
    Location:
    DC Metro Area
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,204
    Location:
    DC Metro Area
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,085
    Is there anything they can't do in our web browsers?
     
  6. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    614
    Would a sandboxed browser protect against this? Thanks for the replies, guys.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,481
    Location:
    U.S.A.
    Most AVs now are blocking/alerting on attempts by Coin Miners to be locally installed. They do so by classifying them as a PUA/PUP. As long as you enable that detection option in your security solution, the install attempt will be detected.

    However, most coin mining occurs when you land on a web site that has a coin miner installed on their web server. The way to prevent this type of coin mining is to use a browser extension such as AdBlock/uBlock and then add the filter from here: https://github.com/hoshsadiq/adblock-nocoin-list . Alternatively, you can use the Hosts file and periodically manually update it with entries from a like-named filter from the same GitHub web site. Another possibility, if your security solution has web filtering capability, is to add the URLs from the GitHub hosts file to a block list using the following notation:

    *.xxxxxx.xxx/* where xxxxxx.xxx is the URL associated with coin mining activity.
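As an added example (not code from this thread or from the NoCoin project), the helper below reads blocklist entries in the two formats the post refers to, a hosts file in the standard `0.0.0.0 host` form and an Adblock-style `||domain^` filter list, renders them in the `*.domain/*` web-filter notation described above, and checks whether a URL's host (or any subdomain of it) is on the list. The list excerpts and domains are constructed placeholders, not real list content.

```python
"""Convert miner blocklist entries to '*.domain/*' web-filter rules and match URLs."""
from urllib.parse import urlparse

# Constructed excerpts mimicking the two list formats; not real list content.
SAMPLE_HOSTS = """
# constructed hosts-file excerpt
0.0.0.0 miner-pool.example
127.0.0.1 cdn.miner-scripts.example  # inline comment
0.0.0.0 localhost
"""
SAMPLE_ADBLOCK = """
! constructed Adblock-style excerpt
||stat-tracker.example^
||miner-pool.example^$script
"""

def domains_from_hosts(text):
    """Extract hostnames from hosts-file lines, skipping comments and localhost."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            out.update(h.lower() for h in parts[1:] if h.lower() != "localhost")
    return out

def domains_from_adblock(text):
    """Extract hostnames from '||domain^' rules; other rule kinds are ignored."""
    out = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("||") and "^" in line:
            out.add(line[2:].split("^", 1)[0].lower())
    return out

def to_web_filter(domains):
    """Render the '*.domain/*' block-list notation from the post."""
    return sorted(f"*.{d}/*" for d in domains)

def url_is_blocked(url, domains):
    """True if the URL's host is a listed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

if __name__ == "__main__":
    blocked = domains_from_hosts(SAMPLE_HOSTS) | domains_from_adblock(SAMPLE_ADBLOCK)
    print("\n".join(to_web_filter(blocked)))
```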
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,071
    No.
    After visiting a coin mining URL, your system begins to mine cryptocoins.
    How? "Coin mining scripts" are executed after visiting these URLs.
    Running a browser sandboxed/unsandboxed doesn't make a difference. In both cases these scripts will be executed.

    To mitigate it, users of an ad blocker only have to add a filter list, for example the NoCoin adblock list. They also provide a hosts file.
    After adding the list, these coin mining scripts cannot run anymore.
     
  9. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    614
    Ok. Does the fact Norton AV found
    ce94bf5164c04ae312403c4ca6a85f4f3b1133a2 in my default profile mean I had started to mine? When I looked for cache2 there was no cache2, so it could have been stopped? NAV then gave me the choice of keeping or deleting and I deleted. As far as I remember I was away from the PC and came back to the NAV giving me the choice screen.

    Is the adblock technique just adding this link https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt to adblock?
     
  10. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    614
    Thanks ;)
     
  11. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    614
    I tried adguard but I think it blocked needed scripts too. This page https://www.photographycourses.biz/videos/tips-and-features/features/black-and-white-photo-challenge would not play the video. I got the message "A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete." I tried stop and continue but it kept coming back.

    Glad you like PopPeeper. I am only a user, not involved with the PP people, but I know from the site that Jeff has worked hard on it. I have had it since 2003.

    Is that windows 10 in your screenshot?
     
    Last edited: Nov 12, 2017
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,481
    Location:
    U.S.A.
    Browser cache is just temporary storage and can be cleared w/o issue: https://support.mozilla.org/en-US/questions/1126189 . Never heard of a coin miner being stored there since, again, it's temporary storage. Appears you landed on a web site using a coin miner and it just stored some junk in FF's cache folder. Norton detected it and deleted it. I would say you have nothing to worry about.

    Per instructions from the GitHub web page:
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,849
    Location:
    Slovakia
    You also need an adblocker for YouTube, since Adguard DNS cannot handle that: it blocks the video ad, but also the video, which is supposed to start after the video ad.

    Well, it is the best email client out there and I have tried all. Not to mention secure, opening emails in txt and switching to HTML with a double-click.

    Yes, I use 7+ Taskbar Tweaker to increase the size of the icons, otherwise there would be no point in customizing them, since I could not see them by default.
     
  14. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,446
    Location:
    Hollow Earth - Telos
    I just added this filter list .... Cryptocurrency (Bitcoin) Mining Protection List ... in my adblock Chrome ext. .... There's also a Chrome extension called No Coin, created by developer Rafael Keramidas, that blocks Coinhive mining and is adding protection against other miners, too.
     
    Last edited: Nov 13, 2017
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,530
    Location:
    Slovenia
    https://www.theregister.co.uk/2017/11/30/crypto_mining_persistent/
     