Your browser is obsolete!

The page may not load correctly.

Unexpected guests

Незваные гости

Other issues in this category (52)
  • add to favourites
    Add to Bookmarks

How to hide in plain sight

Read: 477 Comments: 3 Rating: 7

So here I am sitting at my computer…
Suddenly a spider crawls out of the plastic speaker box,
takes a good look around and goes back in…
And my first thought is: That's Dr.Web…
Checking for updates…))

An old joke

We repeat the phrase “criminals keep inventing new malware concealment methods” so often, it’s high time we found a way to abbreviate it. But sometimes the techniques we discuss are not just new, but extremely novel!

Security researchers discovered how unscrupulous site owners force user CPUs to mine cryptocurrencies even after the webpages involved have been closed.

A malicious script opens an invisible pop-under located underneath the clock on the Windows taskbar.

The window remains open indefinitely unless a user takes special steps to close it.


The window's placement coordinates may vary depending on the screen resolution, but it hides behind the clock. However, this trick is not failure-proof either. If a semi-transparent theme is used in the system, the pop-under can be discovered behind the taskbar (see the screenshot at the beginning of this issue).


"This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them", wrote Malwarebytes lead analyst Jérôme Segura in that company’s blog.

The malicious procedure is performed as follows: a pop-under from elthamely[.]com is opened; then resources from Amazon (cloudfront[.]net) are loaded. After that, the payload is extracted from hatevery[.]info.

Sweep dust into the corner where no one will notice it, and voilà!

Also note that the new miner is cautious enough not to harness 100% of a system’s resources. Users may never notice that their computer is working a little bit slower than usual.

And here’s the kicker:

The security researchers accidentally discovered this technique while visiting a pornographic site.

The purpose of their visit remains unknown.

Dr.Web recommends

In this case Dr.Web's Parental Control acts as the anti-virus: it will block access to all the nodes the mining code attempts to contact. Of course, you can blacklist the domains communicating with the miner manually, but that won't be particularly efficient because new iterations of the malicious code will use different addresses. It’s much easier to install Dr.Web Security Space.

PS. And one more kicker: it turned out that no one knew about the Trojan!

The Anti-virus Times proposes that someone made a mistake with the infection indicator


Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.


Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.