Thursday, November 30th 2017

Web Cryptocurrency Mining Evolves: Now Keeps Running After Closing Browser

Well, after users think they've closed their browsers, more specifically. Researchers from anti-malware provider Malwarebytes have discovered a new form of web-based cryptocurrency mining that takes a stealthy approach to running mining code, which can leave less attentive users' machines mining even after their web browsers appear to have been closed. The method is utterly simple: upon opening a malicious web page that has been coded to make users' machines mine cryptocurrency, the web page opens a pop-up window that is minimized behind the Windows Taskbar's clock. It's ingeniously simple - but could be surprisingly hard to detect, and could mean that the mining process will actually keep on using CPU cycles and mining crypto indefinitely until the next system reboot.

In a blog post published Wednesday morning, Malwarebytes Lead Malware Intelligence Analyst Jérôme Segura wrote that "This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the "X" is no longer sufficient." He then added a possible solution for the problem, writing that "The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser's icon with slight highlighting, indicating that it is still running." Segura said the technique worked on the latest version of Chrome running on the latest versions of Windows 7 and Windows 10.

At the moment, there are no indications the hidden window trick is being deployed on other browsers or operating systems, but that's just the logical next step in this saga. Until then, maybe just keep your Task Manager at hand, and inform your less tech-savvy acquaintances of this issue. You can also take some additional steps to keep these new kinds of web-based miners from blindsiding you: a good option would be to have a resource monitor app open on the desktop (Rainmeter has many of these, but there are other more tech-oriented, motherboard and CPU-vendor specific solutions), and also to disable the "Combine Taskbar Buttons" option on your OS. On Windows 10, right click the taskbar, open "Taskbar Settings", choose "Combine Taskbar Buttons" and change that from the default "Always, hide labels" to "Never".
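
The Task Manager check Segura describes can also be scripted. The following PowerShell sketch is an added example, not code from Malwarebytes or from this article: run it after closing the browser, and it lists any browser processes that are still alive together with the share of total CPU each one used during a short sampling window. The process names, the 5-second window and the 10% threshold are assumptions to adjust for your own setup.

```powershell
# Added example: find browser processes that survived "closing" the browser
# and measure how much CPU each one burns over a short sampling window.
# Assumptions: the process names below, a 5 s sample, a 10% alert threshold.
$BrowserNames   = 'chrome', 'msedge', 'firefox', 'iexplore', 'opera'
$SampleSeconds  = 5
$CpuThresholdPc = 10
$Cores          = [Environment]::ProcessorCount

function Get-BrowserCpuSnapshot {
    # Map process ID -> accumulated CPU seconds for each running browser process.
    $snapshot = @{}
    Get-Process -Name $BrowserNames -ErrorAction SilentlyContinue | ForEach-Object {
        # CPU is $null when the process cannot be queried (e.g. access denied).
        if ($null -ne $_.CPU) { $snapshot[$_.Id] = $_.CPU }
    }
    return $snapshot
}

$before = Get-BrowserCpuSnapshot
if ($before.Count -eq 0) {
    Write-Output 'No browser processes are running.'
    return
}

Start-Sleep -Seconds $SampleSeconds
$after = Get-BrowserCpuSnapshot

$report = foreach ($procId in $after.Keys) {
    # Skip processes that started during the sample: no baseline to compare.
    if (-not $before.ContainsKey($procId)) { continue }

    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    if (-not $proc) { continue }   # exited after the second snapshot

    # CPU seconds consumed in the window, as a share of all logical cores
    # (the same scale Task Manager uses for its CPU column).
    $pct = 100 * ($after[$procId] - $before[$procId]) / ($SampleSeconds * $Cores)

    [pscustomobject]@{
        Id          = $procId
        Name        = $proc.ProcessName
        CpuPercent  = [math]::Round($pct, 1)
        WindowTitle = $proc.MainWindowTitle   # empty for windowless child processes
        Suspicious  = ($pct -ge $CpuThresholdPc)
    }
}

$report | Sort-Object CpuPercent -Descending | Format-Table -AutoSize
```

A browser that was really closed produces the "No browser processes are running." message; rows marked `Suspicious` after you closed every visible window are the remnant processes worth terminating.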

Sources: Malwarebytes Blog, via Ars Technica

74 Comments on Web Cryptocurrency Mining Evolves: Now Keeps Running After Closing Browser

#1
cdawall
where the hell are my stars
Athlonite said:
But it isn't a choice if the mining continues well after the closing of that website's tab, i.e. if you close the tab that site was in then the mining should also be stopped. But it isn't, therefore it is acting like malware, which is something you did not agree to.
Ads don't go away because you close the main page.
Posted on Reply
#2
Upgrayedd
cdawall said:
Ads don't go away because you close the main page.
Ads don't keep popping up after I close my browser either. These miners do keep going.

I bet Valve will start running one while Steam is open :o . Or some company will implement a miner into some always-online games.
Posted on Reply
#3
cdawall
where the hell are my stars
Upgrayedd said:
Ads don't keep popping up after I close my browser either. These miners do keep going.

I bet Valve will start running one while Steam is open :eek: . Or some company will implement a miner into some always-online games.
If you have an ad actively open it will continue to do whatever that ad is programmed to do. I do not understand why this is so hard for people to understand. If that ad has 3D video in it the GPU and CPU will continue to feed it power in the exact same way the miner programs will, except the miners are currently only tagging the CPU.

None of what is happening is illegal, everything that is happening is immoral. Welcome to the modern age. Ads suck this is the evolution of them.
Posted on Reply
#4
bubbly1724
First thing I do when I install Chrome is disable the first option.
Posted on Reply
#6
Tartaros
RejZoR said:
So, what's the problem then? You have to be kinda stupid to not realize something isn't right if there is button stuck in a taskbar but no window is visible. Even total computer newbs get that imo.
Ah, the memories.



Then you would go clicking, making things worse. I feel like I'm 15 with all this shit happening. I suppose with the growing awareness of viruses, not going to strange sites and using antivirus, there are a lot of people who forgot or don't know the basics.
Posted on Reply
#7
RejZoR
@Tartaros
I once tried to purposely infect a VM system with totally outdated WinXP using outdated IE, visiting all sorts of shady webpages, literally clicked on anything and I couldn't get system as infected as some people had them. But yeah. memories indeed...

In a way, I prefer such malware since it does indirect damage to the user, not compromising their personal data or other privacy.
Posted on Reply
#8
Tartaros
RejZoR said:
@Tartaros
I once tried to purposely infect a VM system with totally outdated WinXP using outdated IE, visiting all sorts of shady webpages, literally clicked on anything and I couldn't get system as infected as some people had them. But yeah. memories indeed...

In a way, I prefer such malware since it does indirect damage to the user, not compromising their personal data or other privacy.
I suppose viruses nowadays target other vulnerabilities, maybe going with a really outdated OS is not that compromising, I don't know. And about the second part, I don't think it was safer before: my mother had her money stolen from her bank account about 15 years ago and it was because her laptop was infected, but it was really rare at that time. Nowadays everyone checks their accounts, buys and does a lot more data-compromising things than before, but it was always unsafe.

Also most of these people have had their computers like this for years. Right now I'm fixing a very old Pentium M laptop from my aunt and this is fucking horrible, but before she stopped using this thing she was already used to it.
Posted on Reply
#9
AddSub
So very obvious who in this thread has dipped their toe into the whole mining scammathon.

Website browsewrap licenses and agreements are utterly unenforceable in just about nearly every instance and browsewrap agreement is where you actually HAVE TO click on a "I AGREE" or "I CONSENT TO THE TERMS OF USE" before accessing content/webpage. Just visiting a site without any prompts you are agreeing to exactly NOTHING, no matter what the page footer says.

Just visiting a site which doesn't prompt you or asks you for consent and which proceeds to hide a random piece of code which emulates malware behavior, is well... malware. Malware distribution is cybercrime, especially if said malware causes a frail system to fail and take out whatever vital data was on said system.... vital to the owner, meaning the business owner, cubicle drone... grandma. Maybe it was pictures of your cat on your "gamur" box being lost forever, vital customer information lost if this were to happen in a business environment, including system downtime which has quantifiable cash value, or if it burns your house down because that 20 year old power supply from the ATX12V 1.0 era just .....needed ....a ....nudge towards that imploding finale.

...
..
.
Posted on Reply
#10
HopelesslyFaithful
Tartaros said:
I suppose viruses nowadays target other vulnerabilities, maybe going with a really outdated OS is not that compromising, I don't know. And about the second part, I don't think it was safer before: my mother had her money stolen from her bank account about 15 years ago and it was because her laptop was infected, but it was really rare at that time. Nowadays everyone checks their accounts, buys and does a lot more data-compromising things than before, but it was always unsafe.

Also most of these people have had their computers like this for years. Right now I'm fixing a very old Pentium M laptop from my aunt and this is fucking horrible, but before she stopped using this thing she was already used to it.
cash isn't much safer....highway thugs steal it all the time even from


Want to use cash to buy an investment....get robbed
http://reason.com/blog/2017/12/01/cops-steal-91800-from-a-musician-claimin
stealing gift card money
http://reason.com/blog/2016/06/08/oklahoma-police-can-pull-you-over-and-di
christian bands donation money stolen
http://reason.com/blog/2016/04/25/oklahoma-deputies-seize-thousands-raised

Cops steal more money than robbers hahha
http://reason.com/archives/2015/11/27/cops-now-take-more-than-robbers

off topic but a good read
http://www.foxnews.com/us/2017/11/30/ohios-cops-for-kids-charity-bilked-donors-out-4-2m-state-ag-says.html

just saying....taste the freedom
Posted on Reply
#11
R-T-B
lexluthermiester said:
Flat out, this crap is blatantly illegal. Government wants to kill net neutrality, but allows this crap. Yeah...
As stated, none of this is illegal, but it is very highly immoral.

AddSub said:
So very obvious who in this thread has dipped their toe into the whole mining scammathon.

Website browsewrap licenses and agreements are utterly unenforceable in just about nearly every instance and browsewrap agreement is where you actually HAVE TO click on a "I AGREE" or "I CONSENT TO THE TERMS OF USE" before accessing content/webpage. Just visiting a site without any prompts you are agreeing to exactly NOTHING, no matter what the page footer says.

Just visiting a site which doesn't prompt you or asks you for consent and which proceeds to hide a random piece of code which emulates malware behavior, is well... malware. Malware distribution is cybercrime, especially if said malware causes a frail system to fail and take out whatever vital data was on said system.... vital to the owner, meaning the business owner, cubicle drone... grandma. Maybe it was pictures of your cat on your "gamur" box being lost forever, vital customer information lost if this were to happen in a business environment, including system downtime which has quantifiable cash value, or if it burns your house down because that 20 year old power supply from the ATX12V 1.0 era just .....needed ....a ....nudge towards that imploding finale.

...
..
.
If your philosophy was true, Javascript would be essentially illegal.

Miner or not, they are right, and this is coming from a decidedly not-miner who has written articles about mining that are hardly promining in the past...

https://www.techpowerup.com/234971/on-cryptocoins-i-think-i-know-why-satoshi-nakamoto-hides

How about you stop trying to claim everyone who disagrees with you is a prominer now, hmm?
Posted on Reply
#12
notb
R-T-B said:
As stated, none of this is illegal, but it is very highly immoral.
You should really get a second opinion on that.
Talking about being legal: I wonder how many of you miners on this forum report earnings to your state authority (pay taxes etc).

I'm 99% sure that you're only concerned about legality of cryptocurrency itself, not the whole mining process and resulting cashflows.
Posted on Reply
#13
AddSub
R-T-B said:
As stated, none of this is illegal, but it is very highly immoral.



If your philosophy was true, Javascript would be essentially illegal.

Miner or not, they are right, and this is coming from a decidedly not-miner who has written articles about mining that are hardly promining in the past...

https://www.techpowerup.com/234971/on-cryptocoins-i-think-i-know-why-satoshi-nakamoto-hides

How about you stop trying to claim everyone who disagrees with you is a prominer now, hmm?
Malicious javascript is illegal and is what is behind a good chunk of ransomware. All major AV solutions now scan or handle such code as malware. As far as drive-by-coin-miners go, ESET, Malwarebytes and to lesser extent Symantec products are already flagging such code as either malvertisements or straight up malware, although they all have serious blind spots at this moment. Backend databases for many ad-blocking browser plugins have been updated as well to intercept this menace. In addition many hosts file services have already included (or excluded to be precise) relevant domains. I recommend people use all the resources available to them at this point, from browser plugins, well populated hosts files, and AV products from makers that have decided not to sit on their hands and are flagging and intercepting such code as malware.

Yeah, nothing says cyber "currencies" are legit and the next thing, like malware mining applets. :rolleyes: Miners should be first to be against something like this, because they have many enemies who will seize upon this to have the whole thing shut-down, for better or worse.

So far, the shadowy splattering of what is considered the mining community has been pretty quiet, whether it's small timers running mining operations from Russia or small town USA, mining from a spare bedroom while playing eBay auction commandos to unload or pick up GPUs, the Chinese industrial plant ops with racks of GPUs being run off of mega-industrial sized generators next door, or the government of Saudi Arabia which has hinted they may or may not be the first government doing mining as one of the desperate measures to fix their budget deficit, nobody has said anything about drive-by-mining. Too busy mining I guess....

Also, between Saudi Arabia, shady ad-hoc Chinese industrial farmers and random splattering of NEET miners across the western world, doesn't this just ring alarms of "stay-away-from-this-non-sense!" in every normal person's mind?


...
..
.
Posted on Reply
#14
R-T-B
AddSub said:
Malicious javascript is illegal and is what is behind a good chunk of ransomware
The difference being the legal definition of malicious, and everyone is ignoring that.

AddSub said:
All major AV solutions now scan or handle such code as malware.
You are aware that doesn't legally make it malware, right?

notb said:
You should really get a second opinion on that.
Don't need one, I am confident. I'd strongly advise you to do so however.

As for earnings reports, I'd have to have profited to report something when I briefly mined, so... I did report pretty heavy business losses but not sure that was what you were aiming for. ;)

Coinbase reports to the IRS now at cashout anyways.

AddSub said:
Yeah, nothing says cyber "currencies" are legit and the next thing, like malware mining applets. :rolleyes:
As I said, it's highly immoral and I am 100% against it. This does NOT make it automatically illegal however. It depends entirely on the site's ToS.
Posted on Reply
#15
cdawall
where the hell are my stars
R-T-B said:
As I said, it's highly immoral and I am 100% against it. This does NOT make it automatically illegal however. It depends entirely on the site's ToS
Google's ToS says it is fine and you have accepted it. So...
Posted on Reply
#16
notb
R-T-B said:

As for earnings reports, I'd have to have profited to report something when I briefly mined, so... I did report pretty heavy business losses but not sure that was what you were aiming for. ;)
Exactly that. So how about the guys who mine with profit? Are they so eager to report as well? :)
Don't need one, I am confident. I'd strongly advise you to do so however.
Being confident doesn't make you right.

As I've mentioned earlier: people here are concentrating on legality of crypto (which is fairly popular and interesting topic) and not everything around it (like taxes, which are boring).
Mining is a proper investment/production business. There are some formal requirements that have to be met.
From what I see (not just on TPU), most home miners have no business/investing knowledge and no interest to get it. They're simply not prepared. Or worse: they have a strong aversion to finance, fiat money and government in general (possibly one of the reasons they're drawn into the crypto phenomenon).
Posted on Reply
#17
lexluthermiester
R-T-B said:
As stated, none of this is illegal, but it is very highly immoral.
R-T-B said:
The difference being the legal definition of malicious, and everyone is ignoring that.
You are incorrect, at least in North America and Europe. While it's open to certain levels of interpretation, generally speaking, using a computer you don't own and don't have explicit permission to access is illegal and even criminal. In the USA, even if the owner of the PC in question agrees, certain statutory rights are always in effect and can not be contractually surrendered. Websites running mining software, even if not maliciously, are using resources that the user is paying for. This aspect is very much illegal as it is effectively stealing electricity, which is a criminal act in most places. Additionally, running remote software without the user's understanding of such is also illegal and is a direct contravention of computer abuse and fraudulent use laws. Showtime's website was briefly running mining software, but it was swiftly pulled down after it became clear that they can be sued for doing so.
cdawall said:
Google's ToS says it is fine and you have accepted it. So...
That point is pointless. Google is not running mining software, as such, their TOS does not apply.
Posted on Reply
#18
R-T-B
notb said:
Exactly that. So how about the guys who mine with profit? Are they so eager to report as well?
Coinbase does it for them now, so at least in the USA, you'd best do it yes, or you will get caught in a nasty lie.

lexluthermiester said:
That point is pointless. Google is not running mining software, as such, their TOS does not apply.
No, indeed the site you are has their ToS apply. It would only be illegal if they didn't cover their ass. I repeat. Nothing about this is inherently illegal.

Don't take my word for it though, by all means, consult a lawyer if you want certainty.

Also, chrome and Firefox and even IE both cover Javascript with blanket clauses in their EULAs for javascript in the browser, making you unable to do so much as sue. This is because ALL javascript uses cpu cycles and it covers their ass.

But I'm betting you didn't read that and are just here to play lawyer, aren't you?

notb said:
Being confident doesn't make you right.
It does if I've done my homework... and I have.
Posted on Reply
#19
cdawall
where the hell are my stars
lexluthermiester said:
That point is pointless. Google is not running mining software, as such, their TOS does not apply
Actually the ToS for the program you are running will always apply. You aren't running pornhub.com you are running the Google Chrome browser which is visiting pornhub.
Posted on Reply
#20
lexluthermiester
R-T-B said:
No, indeed the site you are has their ToS apply. It would only be illegal if they didn't cover their ass. I repeat. Nothing about this is inherently illegal.
There is nothing lawful about what they are doing and it is a clear violation of several legal statutes in the United States. And while I'm not familiar with the exact legal code, I do know that the UK and Europe have very similar computer abuse laws that cover this kind of situation.
R-T-B said:
Don't take my word for it though, by all means, consult a lawyer if you want certainty.
Ok, thanks. Or I can fall back on previous professional experiences.
R-T-B said:
Also, chrome and Firefox and even IE both cover Javascript with blanket clauses in their EULAs for javascript in the browser, making you unable to do so much as sue. This is because ALL javascript uses cpu cycles and it covers their ass.
That only covers the asses of the makers of the browsers. It does NOT cover the asses of websites that load JS to a browser to run code in this way. The guilt falls to the offending website(s) and they are the ones liable.
R-T-B said:
But I'm betting you didn't read that and are just here to play lawyer, aren't you?
R-T-B said:

Nice. Grow up maybe?
cdawall said:
Actually the ToS for the program you are running will always apply. You aren't running pornhub.com you are running the Google Chrome browser which is visiting pornhub.
The browser TOS does not apply to websites visited. Ever. It applies ONLY to the browser code itself. So again, your point was pointless.
Posted on Reply
#21
R-T-B
lexluthermiester said:
Nice. Grow up maybe?
I want to apologize for that remark. This is getting somewhat heated and I let my emotions get the better of me.

Regardless, I think we can all agree this is immoral and we're really all on the same page here that none of us want to see it spread. If you're genuinely concerned with a legal issue, consult a lawyer and certainly not TPU, needless to say. For our purposes, we're really all on the same side here, so let's take a step back and remember that.
Posted on Reply
#22
lexluthermiester
Tartaros said:
Ah, the memories.



Then you would go clicking, making things worse. I feel like I'm 15 with all this shit happening. I suppose with the growing awareness of viruses, not going to strange sites and using antivirus, there are a lot of people who forgot or don't know the basics.
That, right there, is why I have never and will never use a Microsoft web browser. This rarely happens in any other browser, and even when it did, it was never as bad as that.
R-T-B said:
I want to apologize for that remark. This is getting somewhat heated and I let my emotions get the better of me.
Accepted. No worries, we've all been there.
R-T-B said:
Regardless, I think we can all agree this is immoral and we're really all on the same page here that none of us want to see it spread. If you're genuinely concerned with a legal issue, consult a lawyer and certainly not TPU, needless to say. For our purposes, we're really all on the same side here, so let's take a step back and remember that.
Agreed. This kind of thing is extremely lacking ethically and morally.
Posted on Reply
#23
cdawall
where the hell are my stars
lexluthermiester said:
The browser TOS does not apply to websites visited. Ever. It applies ONLY to the browser code itself. So again, your point was pointless.
You should really read that ToS and how it applies to anything run inside of it. That includes web pages, extensions and mining programs for that matter.
Posted on Reply
#24
lexluthermiester
cdawall said:
You should really read that ToS and how it applies to anything run inside of it. That includes web pages, extensions and mining programs for that matter.
That depends. Which one are we talking about? Edge? IE? Chrome? Firefox? Something else? The reason I ask is simple, the mining nonsense is browser agnostic. It will run in any browser it seems and no one is immune. So which TOS are you talking about?

EDIT; Out of curiosity, I read through some of the docs for Chrome and Firefox(could care less about Edge and IE) and they both specifically exempt code from remote sources, IE JS code being run remotely from websites.
Posted on Reply