Thursday, November 30th 2017

Web Cryptocurrency Mining Evolves: Now Keeps Running After Closing Browser

Well, after users think they've closed their browsers, more specifically. Researchers from anti-malware provider Malwarebytes have discovered a new form of web-based cryptocurrency mining that takes a stealthy approach to running mining code, which might cause less attentive users' machines to keep mining even after their web browsers have been closed. This is done via an utterly simple method, really: upon opening a malicious web page that has been coded to make users' machines mine cryptocurrency, the web page opens a pop-up window that is minimized behind the Windows Taskbar's clock. It's ingeniously simple, but it could be surprisingly hard to detect, and could mean that the mining process will keep on using CPU cycles and mining crypto indefinitely until the next system reboot.

In a blog post published Wednesday morning, Malwarebytes Lead Malware Intelligence Analyst Jérôme Segura wrote that "This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the "X" is no longer sufficient." He then added a possible solution for the problem, writing that "The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser's icon with slight highlighting, indicating that it is still running." Segura said the technique worked on the latest version of Chrome running on the latest versions of Windows 7 and Windows 10.

At the moment, there are no indications the hidden window trick is being deployed on other browsers or operating systems, but that's just the logical next step in this saga. Until then, maybe just keep your task manager at hand, and inform your less tech-savvy acquaintances of this issue. You can also take some additional steps to keep these new kinds of web-based miners from blindsiding you: a good option would be to have a resource monitor app open on the desktop (Rainmeter has many of these, but there are other more tech-oriented, motherboard and CPU-vendor specific solutions), and also to disable the "Combine Taskbar Buttons" option on your OS. On Windows 10, right click the taskbar, open "Taskbar Settings", choose "Combine Taskbar Buttons" and change that from the default "Always, hide labels" to "Never".
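The Task Manager check described above can also be done from PowerShell. The script below is an added example, not code from Malwarebytes or from this article: it samples CPU time for browser processes twice and lists those that are still busy after you believe the browser is closed. The process name list, the 5-second sample window and the 20% threshold are assumptions to adjust for your own machine.

```powershell
# Added example: list browser processes that are still consuming CPU.
# Assumptions (not from the article): process names, sample window, threshold.
param(
    [string[]]$BrowserNames = @('chrome'),
    [int]$SampleSeconds = 5,
    [double]$CpuThresholdPercent = 20
)

function Get-CpuSnapshot {
    # Returns a hashtable of process Id -> total CPU seconds used so far.
    param([string[]]$Names)
    $snapshot = @{}
    Get-Process -Name $Names -ErrorAction SilentlyContinue | ForEach-Object {
        # CPU time is not readable for every process; skip those that hide it.
        if ($null -ne $_.TotalProcessorTime) {
            $snapshot[$_.Id] = $_.TotalProcessorTime.TotalSeconds
        }
    }
    return $snapshot
}

$cores  = [Environment]::ProcessorCount
$before = Get-CpuSnapshot -Names $BrowserNames
Start-Sleep -Seconds $SampleSeconds
$after  = Get-CpuSnapshot -Names $BrowserNames

$busy = foreach ($id in $after.Keys) {
    # Only compare processes that existed at both sample points.
    if (-not $before.ContainsKey($id)) { continue }

    # CPU seconds used during the window, as a share of all logical cores.
    $used = $after[$id] - $before[$id]
    $pct  = ($used / ($SampleSeconds * $cores)) * 100
    if ($pct -lt $CpuThresholdPercent) { continue }

    $p = Get-Process -Id $id -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }   # process exited after the second sample

    [pscustomobject]@{
        Id          = $id
        Name        = $p.ProcessName
        CpuPercent  = [math]::Round($pct, 1)
        # True when the process owns a top-level window (visible or not).
        HasWindow   = ($p.MainWindowHandle -ne [IntPtr]::Zero)
        WindowTitle = $p.MainWindowTitle
    }
}

if ($busy) {
    $busy | Sort-Object CpuPercent -Descending | Format-Table -AutoSize
    # After reviewing the list, a leftover process can be ended with:
    #   Stop-Process -Id <Id>
} else {
    Write-Output "No browser process above $CpuThresholdPercent% CPU."
}
```

Run it after closing every browser window you can see; any row it prints is a browser process that is still running and still working.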

Sources: Malwarebytes Blog, via Ars Technica

74 Comments on Web Cryptocurrency Mining Evolves: Now Keeps Running After Closing Browser

#1
notb
TheinsanegamerN said:
And yet another reason to use ublock.
What law is it breaking?
It's using your resources against your will. It's like joyriding.

cdawall said:
Why? When you get a 3D ad open it pulls more power. They do the same thing for minimizing and what not yet that has been ok for decades.
The sole purpose of pop-ups / ads is for you to see them. And by using a website you're agreeing on viewing advertisements.
Yes, they use some of your PC resources, but you can consciously close them (ending your use of the website or part of it).

This is vastly different, because the script hides the browser window. So you're not using the website anymore, but it still runs a script.

BTW: mining WHILE you're using the page is also illegal.
Posted on Reply
#3
newtekie1
Semi-Retired Folder
notb said:
The sole purpose of pop-ups / ads is for you to see them.
No, the sole purpose of pop-ups/ads is to generate money for the website you are using.

notb said:
BTW: mining WHILE you're using the page is also illegal.
No, it's not.
Posted on Reply
#4
notb
newtekie1 said:
No, the sole purpose of pop-ups/ads is to generate money for the website you are using.
That's an interesting point of view. So what's the purpose of a hamburger?
No, it's not.
It is. :-)
This is why no mainstream page (apart from porn, torrent etc) uses this "method of payment".
Posted on Reply
#5
cdawall
where the hell are my stars
9700 Pro said:
Yea I know, and my GTX 980 is OV'd and OC'd. But still I consider that as stealing.
It isn't any more of a theft than an animated avatar is theft or a webpage with heavy amounts of 3D rendering. I would say it is immoral at best, but so is TweakTown's ad bs.

notb said:
The sole purpose of pop-ups / ads is for you to see them. And by using a website you're agreeing on viewing advertisements.
Yes, they use some of your PC resources, but you can consciously close them (ending your use of the website or part of it).

This is vastly different, because the script hides the browser window. So you're not using the website anymore, but it still runs a script.

BTW: mining WHILE you're using the page is also illegal.
Mind showing the law it is breaking, make sure to break down the countries as well.

notb said:
It is. :)
This is why no mainstream page (apart from porn, torrent etc) uses this "method of payment".
You mean google doesn't data mine from you? What about target? It is not any bit different than capturing all of your searches and selling it or targeting ads towards you. The goal is revenue. Also I don't quite know why you think the pron industry isn't mainstream, on a yearly basis it generates more money than the collective membership of TPU.
Posted on Reply
#6
notb
cdawall said:

Mind showing the law it is breaking, make sure to break down the countries as well.
Tax law in general.
I guess this should be true for all countries with mature tax systems.
Posted on Reply
#7
dorsetknob
"YOUR RMA REQUEST IS CON-REFUSED"
mab1376 said:
You can use a plugin to block the scripts that execute the miner: https://addons.mozilla.org/en-US/firefox/addon/nominer-block-coin-miners/
Latest version of firefox (ver 57) breaks and blocks All plugins apparently

Firefox 57: Good news? It's nippy. Bad news? It'll also trash your add-ons
Unless you're lucky and there's already a WebExtensions equivalent

More info from here
https://www.theregister.co.uk/2017/11/10/open_source_insider_firefox_57/
Posted on Reply
#8
cdawall
where the hell are my stars
notb said:
Tax law in general.
I guess this should be true for all countries with mature tax systems.
What tax law is being violated? If the company releases and pays taxes on the income it is just income, no different than ad generated income or booby generated income.

Stop trying to pull shit out of your ass and post an actual law it violates.
Posted on Reply
#9
newtekie1
Semi-Retired Folder
notb said:
That's an interesting point of view. So what's the purpose of a hamburger?
It ain't to get me to look at the hamburger, and it isn't for me to give my mouth something to do, it is to fill my stomach and provide my body with nutrients. If they blended it up, and fed it to me through a tube inserted directly into my stomach instead of me eating it, it would still serve its purpose. Different delivery method, same purpose fulfilled.

notb said:
It is. :)
This is why no mainstream page (apart from porn, torrent etc) uses this "method of payment".
No it isn't. When you visit a website that has a terms of services, you agree to accept those terms of service agreements just by visiting the website. In fact, usually the first term of service is the Acceptance of the Terms of Service that state something along the lines of if you access or use the website, you are agreeing to the terms of service. The websites that use these miners all have terms and services, and buried in those terms of service is you giving them permission to do this either directly or indirectly.

Remember folks, this isn't stealing, because you give them permission to do it just by visiting the website. This isn't illegal, again, because you give them permission to do it just by visiting the website.

notb said:
Tax law in general.
I guess this should be true for all countries with mature tax systems.
It is revenue. As long as they pay taxes on that revenue, there is no legal issue there. Try again.
Posted on Reply
#10
dorsetknob
"YOUR RMA REQUEST IS CON-REFUSED"
cdawall said:
Stop trying to pull shit out of your ass and post an actual law it violates.
How about :)
Computer Misuse Act 1990 - Legislation.gov.uk
https://www.legislation.gov.uk/id/ukpga/1990/18
An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.
Computer misuse offences · Section 3 · 1.

sure there is also similar EU and Even USA legislation

Of Course you would have to find an Authority to take Action
Posted on Reply
#11
notb
cdawall said:
What tax law is being violated? If the company releases and pays taxes on the income it is just income, no different than ad generated income or booby generated income.
If you're lending your PC to a company, which makes money by calculating something, you'd have to sign some sort of an agreement. And you'd have to be paid for your involvement. You can be paid 0, obviously, but it is still a formal operation (i.e. "being paid 0" <> "not being paid").
Keep in mind that the company that uses your PC has to fill their balance sheet properly and it has to report where their revenue came from.
And if you're neither an employee nor a subcontractor (another company), this instantly becomes a grey market activity. You can't enroll an unrelated, natural person to work for you or lend you anything - with or without payment.

World is pretty complicated on its own and adding corporate legal issues doesn't help. Don't blame me.

There are other concerns as well. E.g.: if such website mining wrecks your PC, are you eligible for compensation? You haven't agreed for this. You don't even know it's running.

Are you into volunteer computing?
http://boinc.berkeley.edu/wiki/Usage_rules
"The BOINC project and the University of California assume no liability for damage to your computer, loss of data, or any other event or condition that may occur as a result of participating in BOINC-based projects."


newtekie1 said:
It ain't to get me to look at the hamburger, and it isn't for me to give my mouth something to do, it is to fill my stomach and provide my body with nutrients. If they blended it up, and fed it to me through a tube inserted directly into my stomach instead of me eating it, it would still serve its purpose. Different delivery method, same purpose fulfilled.
That's not what you said about ads. You said their only purpose is making money for the company. So this would have to be true for products in general, including burgers.

Whether you like it or not, the purpose of an advertisement is to inform you about a product. And if it was hidden from view (like the mining window is), it wouldn't serve this purpose.
I.e. a TV commercial becomes an advertisement when it's aired for the first time. Before that it's just a corporate video.
The good thing about it is that you can actually sue a company for false advertising.


newtekie1 said:

In fact, usually the first term of service is the Acceptance of the Terms of Service that state something along the lines of if you access or use the website, you are agreeing to the terms of service. The websites that use these miners all have terms and services, and buried in those terms of service is you giving them permission to do this either directly or indirectly.
You're right about the terms of service in general, but again: what's the purpose of this website? If I'm opening a porn site, am I agreeing to anything? Can they come to my house and kidnap my children? Because, based on how porn business is often connected to criminal organisations, it's clearly not out of their scope. :-)

newtekie1 said:

It is revenue. As long as they pay taxes on that revenue, there is no legal issue there. Try again.
Wrong side of the problem. There is a legal issue, because they haven't sold you anything. They bought something! (borrowed your PC)
So for them it's not about a product. It's about means of production.
They should pay you and you should pay the income tax.
Posted on Reply
#12
newtekie1
Semi-Retired Folder
notb said:
If you're lending your PC to a company, which makes money by calculating something, you'd have to sign some sort of an agreement. And you'd have to be paid for your involvement. You can be paid 0, obviously, but it is still a formal operation (i.e. "being paid 0" <> "not being paid").
Keep in mind that the company that uses your PC has to fill their balance sheet properly and it has to report where their revenue came from.
And if you're neither an employee nor a subcontractor (another company), this instantly becomes a grey market activity. You can't enroll an unrelated, natural person to work for you or lend you anything - with or without payment.

World is pretty complicated on its own and adding corporate legal issues doesn't help. Don't blame me.

There are other concerns as well. E.g.: if such website mining wrecks your PC, are you eligible for compensation? You haven't agreed for this. You don't even know it's running.

Are you into volunteer computing?
http://boinc.berkeley.edu/wiki/Usage_rules
"The BOINC project and the University of California assume no liability for damage to your computer, loss of data, or any other event or condition that may occur as a result of participating in BOINC-based projects."
Again, you are ignoring the fact that there is a terms of service. Limit of Liability is a standard in every terms of service I've ever seen.

The revenue source is listed as ad revenue. That is enough to fill the legal requirement for a source.

Can we agree that you had no clue what you were talking about when you claimed this was illegal, and just move on now?
Posted on Reply
#13
cdawall
where the hell are my stars
notb said:
If you're lending your PC to a company, which makes money by calculating something, you'd have to sign some sort of an agreement. And you'd have to be paid for your involvement. You can be paid 0, obviously, but it is still a formal operation (i.e. "being paid 0" <> "not being paid").
Keep in mind that the company that uses your PC has to fill their balance sheet properly and it has to report where their revenue came from.
And if you're neither an employee nor a subcontractor (another company), this instantly becomes a grey market activity. You can't enroll an unrelated, natural person to work for you or lend you anything - with or without payment.

World is pretty complicated on its own and adding corporate legal issues doesn't help. Don't blame me.

There are other concerns as well. E.g.: if such website mining wrecks your PC, are you eligible for compensation? You haven't agreed for this. You don't even know it's running.

Are you into volunteer computing?
http://boinc.berkeley.edu/wiki/Usage_rules
"The BOINC project and the University of California assume no liability for damage to your computer, loss of data, or any other event or condition that may occur as a result of participating in BOINC-based projects."
You did agree when you hit the "agree" button on your browser's Terms of Service.

Here is an excerpt from chrome's to help with your misunderstandings of life. Remember you aren't running a webpage, you are running a browser which merely visits a webpage. ToS is all handled by the browser. Hence why what you are complaining about is merely immoral instead of illegal. So again, please quote an actual law being violated.

Google ToS

14. LIMITATION OF LIABILITY

14.1 SUBJECT TO OVERALL PROVISION IN PARAGRAPH 13.1 ABOVE said:

16. Advertisements

16.1 Some of the Services are supported by advertising revenue and may display advertisements and promotions. These advertisements may be targeted to the content of information stored on the Services, queries made through the Services or other information.

16.2 The manner, mode and extent of advertising by Google on the Services are subject to change without specific notice to you.

16.3 In consideration for Google granting you access to and use of the Services, you agree that Google may place such advertising on the Services.

17. Other content

17.1 The Services may include hyperlinks to other web sites or content or resources. Google may have no control over any web sites or resources which are provided by companies or persons other than Google.

17.2 You acknowledge and agree that Google is not responsible for the availability of any such external sites or resources, and does not endorse any advertising, products or other materials on or available from such web sites or resources.

17.3 You acknowledge and agree that Google is not liable for any loss or damage which may be incurred by you as a result of the availability of those external sites or resources, or as a result of any reliance placed by you on the completeness, accuracy or existence of any advertising, products or other materials on, or available from, such web sites or resources.
dorsetknob said:
How about :)
Computer Misuse Act 1990 - Legislation.gov.uk
https://www.legislation.gov.uk/id/ukpga/1990/18
An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.
Computer misuse offences · Section 3 · 1.

sure there is also similar EU and Even USA legislation

Of Course you would have to find an Authority to take Action
That act implies the usage of a 3rd party application to do the action such as a virus. This is not a virus.
Posted on Reply
#14
mab1376
dorsetknob said:
Latest version of firefox (ver 57) breaks and blocks All plugins apparently

Firefox 57: Good news? It's nippy. Bad news? It'll also trash your add-ons
Unless you're lucky and there's already a WebExtensions equivalent

More info from here
https://www.theregister.co.uk/2017/11/10/open_source_insider_firefox_57/
Most of the plugins I use are already updated to support v57.

NoScript already released their new version.
Posted on Reply
#15
lexluthermiester
Flat out, this crap is blatantly illegal. Government wants to kill net neutrality, but allows this crap. Yeah...
Posted on Reply
#16
dorsetknob
"YOUR RMA REQUEST IS CON-REFUSED"
cdawall said:
That act implies the usage of a 3rd party application to do the action such as a virus. This is not a virus.
No, it is a 3rd Party application program, no real difference to a Virus or Trojan Application in regards to the law I suggested
If you did not start the application ( and you don't the web site does with a browser window ) then that would come under unauthorised /misuse of a Computer

Not going to comment on this any more " thank you"
Posted on Reply
#17
cdawall
where the hell are my stars
dorsetknob said:
No, it is a 3rd Party application program, no real difference to a Virus or Trojan Application in regards to the law I suggested
If you did not start the application ( and you don't the web site does with a browser window ) then that would come under unauthorised /misuse of a Computer

Not going to comment on this any more " thank you"
Read through this again

dorsetknob said:
An Act to make provision for securing computer material against unauthorised access or modification
You visit the webpage you authorized the webpage to perform whatever it is the webpage does.

I used virus as an example because you didn't ask for a virus or Trojan. Watching porn is your choice. Not my fault they are mining your machine.
Posted on Reply
#18
newtekie1
Semi-Retired Folder
cdawall said:
You visit the webpage you authorized the webpage to perform whatever it is the webpage does.
Exactly this! This is what people seem to not be realizing or comprehending.
Posted on Reply
#19
cdawall
where the hell are my stars
newtekie1 said:
Exactly this! This is what people seem to not be realizing or comprehending.
It is hard to understand for some reason. I don't understand why people can't get that into their head, using a webpage is your choice, if you don't like their choice to make revenue, don't use it.
Posted on Reply
#20
Upgrayedd
cdawall said:
Did you go to their web page? Did you use their resources?

This isn't illegal, heavily immoral, but not illegal. It is no more illegal than any other pop-up. Remember every big giant ad with 3D rendering will utilize gpu/cpu cycles and they also do it for profit, there are also ones that auto minimize or refuse to close.

Put your e-lawbook down.
Normal pop-ups don't run after you've left the site and keep using up your bandwidth constantly. It's literally costing you money for them to make money. Illegal af. You can't just remotely take over resources on someone's machine.
Posted on Reply
#21
cdawall
where the hell are my stars
Upgrayedd said:
Normal pop-ups don't run after you've left the site and keep using up your bandwidth constantly. It's literally costing you money for them to make money. Illegal af. You can't just remotely take over resources on someone's machine.
If a pop up opens in a new window please tell me how it magically closes when you exit a different page in a different window?

It costs you bandwidth and money every time an ad runs. This is no different.
Posted on Reply
#22
xorbe
No, we don't need more laws, they won't help anyway. There are easy technical solutions including rate limiting and resource limits. ie, after a page uses its 15 seconds max, you'll get a browser dialog that you can grant X more time, X% usage, or unlimited, etc. I assume this is a pending implementation. Google/Chrome was already talking about it. Browsers need a pause button too, or a default timeout where inactivity pauses all js if you walk off. If a page has both activity and a miner, the best you'll do is rate limit the page to say 5% so it can do what you want while mining ... for instance, if YT went evil with mining.
Posted on Reply
#23
cdawall
where the hell are my stars
xorbe said:
No, we don't need more laws, they won't help anyway. There are easy technical solutions including rate limiting and resource limits. ie, after a page uses its 15 seconds max, you'll get a browser dialog that you can grant X more time, X% usage, or unlimited, etc. I assume this is a pending implementation. Google/Chrome was already talking about it. Browsers need a pause button too, or a default timeout where inactivity pauses all js if you walk off. If a page has both activity and a miner, the best you'll do is rate limit the page to say 5% so it can do what you want while mining ... for instance, if YT went evil with mining.
Most laptops have this built in, you walk away the screen shuts off and laptop sleeps, before that happens the wifi card goes to sleep so the miner will stop from lack of connection.
Posted on Reply
#24
Athlonite
Exceededgoku said:


Seems FAR better to me than being bombarded with adverts that pop up if you click anywhere on a page (a common practice today). Truth is, if you're visiting a page that has this software installed then you are using resources in some way shape or form.

I think you're either overreacting or misinformed if you have any issue with this. Someone needs to pay the bills at the end of the day!
That's all well and good if the website in question notifies you and asks for permission to use your CPU to mine in order to cover costs, but that's not what this article is about or did you fail reading comprehension...

a: Some websites are launching a minimized browser window with a mining program running in it

b: even when you close the tab that the site was in the minimized browser mining window remains open (minimized) and mining using your CPU resources even after closing the main browser

both those acts described above can be construed as nothing more than malicious behaviour from nefarious website owners who don't give a hoot about you
Posted on Reply
#25
Athlonite
cdawall said:
It is hard to understand for some reason. I don't understand why people can't get that into their head, using a webpage is your choice, if you don't like their choice to make revenue, don't use it.
But it isn't a choice if the mining continues well after the closing of that website's tab, i.e.: if you close the tab that site was in, then the mining should also be stopped. But it isn't, therefore it is acting like malware, which is something you did not agree to.
Posted on Reply