Dot the i's and cross the t's on miners


I don’t think you’ve sufficiently covered the topic of miners. For example, how can I configure the anti-virus so that it detects rogue miners? Does this happen automatically? Someone on the Dr.Web forum recommended that the anti-virus be configured to move malware to the quarantine; otherwise mining applications won't be blocked or deleted. Supposedly that’s how Dr.Web modules work. Is that true?

A comment left on the issue Mining clashes

Let's deal with the problem step by step.

What is a rogue miner?

Rogue miners mine cryptocurrencies on infected devices.

Many people point out that mining is not that lucrative.

Running 10-20 mining scripts on a site can generate 0.3 XMR or 97 USD per month (as of February 22, 2018).

https://www.anti-malware.ru/analytics/Threats_Analysis/cryptojacking-new-threat

Frankly, that’s not much. However, advertising is doing its job, and mining remains quite popular among criminals.

Can miners be regarded as malware?

Definitely. What else can you say about programs that use your system without your consent and interfere with your user experience (and sometimes even make it impossible for you to use your computer)?

Those who believe that rogue miners aren't malicious often argue that the programs cause no damage. Well, that's a matter of opinion!

Synopsys revealed the cause behind the interruption in availability of the Coverity Scan service, which remained inaccessible to users for four weeks.

Perpetrators managed to gain unauthorised access to the Coverity Scan servers and set them up to execute mining code.

http://www.opennet.ru/opennews/art.shtml?num=48297

If a miner of this kind interferes with the operation of a server in a manufacturing facility, the consequences can be dire!

Ironically, the Coverity project was founded by DHS (Department of Homeland Security) in 2006 to enhance the security of the United States’ IT infrastructure. Indeed, a shoemaker's son always goes barefoot!

Can anti-viruses protect computers from rogue miners?

Of course, they can. After all, an anti-virus is designed to protect systems from all sorts of malicious programs.

A brief digression:

  • Recently, a colleague of mine asked me to check a file in our Cisco Threat Grid sandbox. He had suspicions about the file, but his anti-virus didn't detect anything. A few minutes after the analysis started, Cisco Threat Grid came up with a verdict: ZBot malware. But this is a well-known Trojan that was discovered a while ago. Why doesn't the anti-virus catch it? The problem is in the "a while ago". It turns out that to make its virus database smaller, the anti-virus developer decided to discard old virus definitions. And this is understandable. The number of signatures is growing and is already measured in the hundreds of millions and even billions—no hard drive has enough storage capacity for a volume of data like this. We have to make a choice, and it can lead to disastrous consequences.
  • What anti-virus are we talking about?
  • I won't reveal the actual title, but it is one of the market leaders.

https://habrahabr.ru/company/cisco/blog/351562

"And this is understandable". Well, not to us. An anti-virus should be able to detect all threats and that's what we try to accomplish. We also do our best to learn about all the possible malicious programs in existence.

Is it necessary to adjust an anti-virus’s settings to protect a system from rogue miners?

From an anti-virus’s point of view, rogue miners are no different than other malicious files.

Common user mistakes:

  • They refuse to install certain anti-virus modules, primarily the traffic scanning component.
  • They put too many applications, folders, and disks on the exceptions list.
  • They apply the “Ignore” action to potentially dangerous programs (rogue miners aren't always detected as Trojans). Opting to ignore riskware is a bad idea.

Which actions should I choose to keep my system protected from miners: cure or move to the quarantine?

It doesn't matter much which one you choose (a sample of a Trojan may be necessary to analyse incidents involving encryption ransomware, but this does not apply to rogue miners). However, the option “Move to quarantine” is preferable. A Trojan sample may come in handy in an in-depth incident investigation or if it proves to be a new unknown rogue miner.


Dr.Web recommends

As of now, most rogue mining applications are easily neutralised by anti-viruses. But you need to remember that rogue miners' speedy evolution has just started. Today they can hide, use detection evasion techniques, and exploit vulnerabilities. It is safe to say that it won't take long for more advanced mining Trojans to appear. And you won't be able to delete those manually!
