April 20, 2024

Covert mining: find and destroy


Hidden cryptocurrency mining is no longer a new topic, yet there are almost no decent technical instructions on detecting and removing it, only a mass of scattered information and articles of dubious quality. Why? Because on a global scale everyone benefits from cryptocurrency mining, except of course the person who gets nothing from it and does not even suspect that his machine has become part of someone's computing network. And the principle of hidden mining can be turned to more than mining coins into someone else's pocket.


The concept of hidden mining

This is not about mining hidden from the utility company, but about covert mining of coins on an ordinary computer whose owner has no idea it is happening. In other words, cryptocurrency can be mined not only on your own computer but on many other people's machines.

And the load on the video card or processor does not have to rise to 100%: these wise men are careful and will not load a machine in their network beyond reasonable limits. If your hardware is powerful enough you may not notice much difference at all, and that is precisely the condition for keeping the miner hidden.

The first official reports of hidden mining appeared in 2011, and by 2013 there was already a mass infection of PCs in various countries via Skype. Moreover, those trojans not only mined but also gained access to Bitcoin wallets.

The best-known case is the attempt by the μTorrent developers to earn extra money from users this way by bundling the EpicScale miner with the software.

Background material on botnets gives a general picture of the phenomenon.

Work principles

So how exactly does this work? It is simple: without the user's knowledge, for example when some file is opened, a client program is installed that connects to one of the mining pools and starts mining cryptocurrency. It is rarely Bitcoin; today other coins are more profitable to mine on ordinary machines, and pools often pick the coin best suited to a particular hardware configuration.


Payouts go to the wallet address the "entrepreneur" specifies, and he may connect any number of PCs to that account; nobody asks him to prove that the machines belong to him or that their owners approved this. One wonders why. There are also decentralized pools where no one will ask anything at all.

Pools are therefore ideal for building your own mining network (botnet), and everyone is doing it right now (or trying to), from pros to schoolchildren who frequent all kinds of "dark forums" where "reliable and proven" schemes are sold for a mere 500 rubles or even given away. The payment is symbolic because the scheme is built so that the distributor of the miner takes a percentage from his "adherents". Their victims are, as a rule, gamers, who naturally have powerful video cards and processors. But that is not a rule: anyone can receive such a "toy" as a present.

Infection occurs in various ways:

  • Through any executable file you run;
  • Direct planting on the PC (rare);
  • Through unauthorized remote access.

Why is miner operation possible in stealth mode?

  1. The miner is distributed together with cracks, patches, warez software, torrents, or even as ordinary-looking files such as pictures or Word documents attached to messages;
  2. Installation runs in silent mode;
  3. The process disguises itself as one of the Windows services or does not appear in the process list at all;
  4. When the machine's load rises, the miner turns itself off so as not to cause noticeable slowdown.

All this lets such trojans live on thousands of machines and bring their owners a stable income. For this purpose special builds are made that contain everything needed.

In general terms that is how it looks, but in reality it is made even harder so that the miner cannot be removed easily. For example, deep in the system sits a dropper file that restores the miner whenever it is deleted, manually or by an antivirus.

Detection and Removal Methods

All the instructions say the same thing: if your PC has started to slow down, it is probably a miner virus loading the CPU and video card, so check the task manager and scan the system with antiviruses for trojans. That is partly the right approach, but on reflection it is an extremely superficial measure: a miner that throttles itself whenever the machine is busy or Task Manager is open will not even show up as load while you are looking.

Are all antiviruses effective?

I did not find, for example, complete instructions from a specialist at Kaspersky; the instructions I did find were mostly quite old and, apparently, written for the ancient miners of 2010 knocked together on the "knee" by some Vasily. Back then these measures were quite enough.

But for people who probably have only a faint idea of all this, the following aspects are not mentioned at all:

  • Non-standard launch methods;
  • Two processes that restart each other when you try to terminate one of them;
  • Rebooting the PC when you try to access the miner's files or remove them from startup;
  • Processes that prevent antiviruses from working normally.

Cool, isn't it? These tricks sometimes make it impossible to get rid of the miner with the childish measures that instruction writers put down without thinking, in the key of "...and he won't get any more of his so-called bitcoins". Although a similar idea could be put to positive use.

Work algorithm

I will note right away that an integrated approach is needed here and you will have to work hard. The algorithm suits not only detecting and removing hidden miners but any trojan programs, in particular spyware, which sits secretly among the processes and does its job.

I will also mention that these actions may not have an effect, but they can still help. In the extreme case you can reinstall the system or turn to a specialist, but that is not the best option. Although in the end, refreshing the OS and organizing your workflow a little differently does make sense; more on that later.

So, where to start, and is it necessary at all? Even if you are happy with how the machine runs, it is better to do these simple manipulations. Believe me, you can discover a lot of interesting things and save yourself from problems in the future. I am not a cybersecurity specialist, but these are logical actions. Perhaps all of these tips will seem commonplace to some, but from my own experience I know that many neglect basic things, and the audience of this resource does not consist entirely of hardened hackers.

I currently have Windows installed, so the instructions are built on its example. As for the generally accepted advice to save all data from the PC to a separate medium or to the cloud before such work: treat it with care. A backup of documents, photos and other data is still worth making, but do not back up programs, installers or anything executable, because on an infected machine those can carry the infection into the backup and back again when you restore. Beyond that there are only two ways out: reinstall Windows or treat it.

So, to begin with, take control of everything happening on the PC: download an application that monitors everything on the machine, AIDA64. I will note right away that lately I have been trying to use exclusively portable software; why, I will explain below. I download mainly from the rsload site, where the software is clean and working; take it and use it.

Launch the application, open Settings and find the OSD panel item; there tick the temperature readings of the processor cores and the video card, as well as their load level and the RAM in use. Click Apply and you get a gadget on the desktop showing the chosen indicators. Close everything that can be closed; if load remains (it is hard to name exact figures, but a noticeably busy CPU or GPU on an idle desktop), it makes sense to think about what creates the strain.

Next: the standard Task Manager is definitely not suitable for us. Download the excellent AnVir Task Manager utility. It is a really powerful thing: with it, it is much easier to identify suspicious processes. All unidentified entries are highlighted in red, and you can get the maximum information about each process, which similar programs, let alone the standard Task Manager, do not offer. The software also searches for hidden processes.

As already mentioned, the miner can disguise itself as any service or even shut down when you open the task manager. But the chance of catching it is high enough. Remove everything unnecessary from there, everything that can be disabled at the moment without compromising the operation of the operating system. Now go through all the remaining processes one by one and find out what they are. The utility can search the web for information about a process and, most importantly, check it on the VirusTotal website. Pay attention to how much memory it eats, how much it loads the CPU and GPU (video card), and where its executable lives. Hidden miners are often written into the user profile folder, though not always, of course. By the way, turn on the display of hidden files and folders right away and never turn it off.

Miners often disguise themselves as the svchost.exe, chrome.exe and steam.exe processes, or as something entirely incomprehensible. The name alone proves nothing; look at the full path of the executable and its digital signature. The real svchost.exe lives in C:\Windows\System32 and is signed by Microsoft; a file with that name under your profile, Temp or ProgramData is not it.

To detect processes that load the GPU you can use another task manager, Process Explorer, which shows this column without extra configuration. If you find something, do not rush to kill the process and clean out the folders, because most likely the original dropper, sitting somewhere else, will restore everything after a while. And often killing one process starts a similar one and vice versa. Instead, just suspend the process, note it and the files associated with it, and check them on VirusTotal. If the service flags threats, start the removal procedure.

By the way, do you know what takes up how much space on your hard drive? Especially on drive C:? If not, I recommend the FolderSizes utility; it is a great thing. If you find several multi-gigabyte folders on drive C: with it, be sure to check what is inside! Authors of such articles often mention the Ethash folder, which some hidden miners use to store their working files, but such a store can be any heavy folder with any name.
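The triage above is done by hand with AnVir, Process Explorer, FolderSizes and VirusTotal. The following PowerShell script is an added example, not code from the original article: it records, for every running process, the executable path, signature status, SHA256 hash (for the VirusTotal lookup) and established connections, flags the patterns a hidden miner tends to show, and then lists the heavy folders. The list of pool ports and the "user-writable path" heuristic are my assumptions, not the article's.

```powershell
# Added example, not code from the original article. Run from an elevated PowerShell
# on Windows 8 or later (Get-NetTCPConnection and Get-FileHash are not on Windows 7).

# Ports commonly used by stratum mining pools (assumption; adjust for your network).
$StratumPorts = @(3333, 3334, 4444, 5555, 7777, 8333, 9999, 14433, 14444, 45700)

# Locations a non-admin dropper can write to; a miner installed by a user-level trojan
# usually lives here rather than in Program Files or System32.
$UserWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:PUBLIC, $env:ProgramData)

function Get-ProcessTriage {
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $p = $_
        $sig  = Get-AuthenticodeSignature -FilePath $p.Path -ErrorAction SilentlyContinue
        $hash = (Get-FileHash -Algorithm SHA256 -Path $p.Path -ErrorAction SilentlyContinue).Hash
        $mine = $conns | Where-Object { $_.OwningProcess -eq $p.Id }
        $flags = @()
        if ($sig.Status -ne 'Valid') { $flags += 'unsigned' }
        if ($UserWritable | Where-Object { $_ -and $p.Path -like "$_\*" }) { $flags += 'user-writable-path' }
        # The name alone proves nothing: the real svchost.exe and friends live under %SystemRoot%.
        if ($p.Name -in @('svchost', 'csrss', 'lsass', 'winlogon', 'explorer') -and
            $p.Path -notlike "$env:SystemRoot\*") { $flags += 'system-name-wrong-path' }
        if ($mine | Where-Object { $_.RemotePort -in $StratumPorts }) { $flags += 'stratum-port' }
        [PSCustomObject]@{
            PID    = $p.Id
            Name   = $p.Name
            CPUsec = [math]::Round([double]$p.CPU, 1)   # total CPU time consumed so far
            Path   = $p.Path
            Signer = $sig.SignerCertificate.Subject
            SHA256 = $hash                              # paste into the VirusTotal search box
            Remote = ($mine | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ','
            Flags  = $flags -join ','
        }
    }
}

# The FolderSizes step: folders whose direct contents exceed $MinGB. Only files directly
# inside each folder are summed, so a folder holding one huge working file (an Ethash DAG,
# for instance) shows up on its own line instead of being hidden inside a parent total.
function Get-LargeFolders {
    param([string]$Root = ($env:SystemDrive + '\'), [int]$MinGB = 1)
    Get-ChildItem -Path $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sum = (Get-ChildItem -Path $_.FullName -File -Force -ErrorAction SilentlyContinue |
                    Measure-Object -Property Length -Sum).Sum
            if ($sum -ge $MinGB * 1GB) {
                [PSCustomObject]@{ GB = [math]::Round($sum / 1GB, 2); Folder = $_.FullName }
            }
        } | Sort-Object GB -Descending
}

# Look at flagged processes first, then re-run after closing your own programs: a careful
# miner throttles itself while the machine is busy or a task manager window is open.
Get-ProcessTriage | Where-Object { $_.Flags } | Sort-Object CPUsec -Descending | Format-Table -AutoSize
Get-LargeFolders -Root $env:USERPROFILE | Format-Table -AutoSize
```

An empty Flags column does not mean a process is clean (a signed, legitimately installed program can still be a bundled miner), and a flagged one is not automatically guilty; portable software you placed in your profile yourself will show as "user-writable-path". The hash is what you check on VirusTotal, and the Remote column tells you which process is talking to a pool even when its CPU usage is modest.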

Now, even if nothing was found so far, proceed to the next phase. Here you will need a complete set of "combat software".

Weapons against digital evil

For reliability it is better to scan and remove probable threats in Safe Mode. Such viruses often do not let themselves be detected or removed, but in Safe Mode this becomes possible. On older versions of Windows, press F8 repeatedly during boot and select the mode you need.

In Windows 10 the F8 menu is not available during a restart by default, so open the Run window (Win+R), type msconfig, go to the Boot tab of System Configuration, tick Safe boot with the mode you need, and restart the machine. Untick it afterwards, or every boot will be a Safe Mode boot. Alternatively, hold Shift while clicking Restart and choose Troubleshoot, Advanced options, Startup Settings.

If you want to "fight dirty", make a bootable flash drive with the Dr.Web or Kaspersky rescue image and additionally scan the system from it.

Now, in Safe Mode, run the following anti-virus utilities one after another, downloaded beforehand in portable form (many already are portable):

  1. Dr.Web CureIt! (download only the latest version from the vendor's website). If you are bothered by the need to send information about your software, do not use it, nor the rest for that matter;
  2. Kaspersky Virus Removal Tool;
  3. COMODO Cleaning Essentials;
  4. Junkware Removal Tool;
  5. AdwCleaner (just in case).

Many builds for hidden mining use rootkits, utilities that hide the traces of certain processes. So it is additionally worth using TDSSKiller, which is designed to kill them.

If you are already sure that a hidden miner is running in the system and these utilities did not help, use the AVZ program and the help of professionals on specialized forums.

To do this, open AVZ and update the databases from the corresponding menu item. Then run "System Investigation" and get the file avz_sysinfo.htm. Upload it somewhere and go, for example, to the Kaspersky forum. Find the appropriate topic there (it exists) and ask for help, being sure to attach a link to the file produced by AVZ. In the good scenario you get a script that needs to be executed in the same AVZ through the "Run Script" function.

If for some reason any of these tools does not want to work in Safe Mode, you can carry out the search and cleaning in normal mode, but first run the RKill utility, which in theory should kill the processes that interfere with the antiviruses.

So, after the scan and clean-up (if there was anything to clean), check whether the processes you noticed at the very beginning are still running. Bear in mind that they may reappear a little later. If the antiviruses have not deleted the infected files, you need to do it manually, running RKill first.

If everything went well, it remains to clean the registry of the strangers' traces. Doing it manually takes a long time and not everyone knows what to look for and how, so you can use one of the registry cleaners, for example CCleaner or Auslogics BoostSpeed. Bear in mind that these tools remove orphaned entries; they are not designed to find a live autostart entry, scheduled task or service that will relaunch the miner, so check those locations explicitly (Sysinternals Autoruns shows all of them in one place).
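The "non-standard launch methods" listed earlier and the registry clean-up step here are two sides of the same problem: the miner comes back because something relaunches it. The following PowerShell script is an added example, not code from the original article; it enumerates the usual autostart locations (Run keys, Winlogon values, Startup folders, scheduled tasks, services outside the Windows directory and WMI event consumers) so that you can judge each entry the same way as a process: path, signature, VirusTotal. Which locations to include is my choice, not a list from the article.

```powershell
# Added example, not code from the original article. Run from an elevated PowerShell.
# Prints every autostart entry it finds; deciding which ones are the miner's is up to you.

function Get-AutostartEntries {
    $out = @()
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # Classic Run / RunOnce keys for the machine and the current user (including 32-bit view).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -in $meta) { continue }   # skip the provider's own metadata properties
            $out += [PSCustomObject]@{ Source = "Registry $k"; Name = $prop.Name; Command = $prop.Value }
        }
    }

    # Winlogon Shell/Userinit hijacks: the defaults are explorer.exe and userinit.exe.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $out += [PSCustomObject]@{ Source = 'Winlogon'; Name = 'Shell';    Command = $wl.Shell }
    $out += [PSCustomObject]@{ Source = 'Winlogon'; Name = 'Userinit'; Command = $wl.Userinit }

    # Startup folders for the user and for all users.
    $startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                     "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $out += [PSCustomObject]@{ Source = 'Startup folder'; Name = $_.Name; Command = $_.FullName }
        }
    }

    # Scheduled tasks: a task that fires at logon or every few minutes is the usual "restore" mechanism.
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            if ($a.Execute) {
                $out += [PSCustomObject]@{ Source = "Task $($t.TaskPath)"; Name = $t.TaskName
                                           Command = "$($a.Execute) $($a.Arguments)".Trim() }
            }
        }
    }

    # Services whose binary is outside the Windows directory.
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -and $_.PathName -notlike "*\Windows\*" } |
        ForEach-Object {
            $out += [PSCustomObject]@{ Source = "Service ($($_.StartMode))"; Name = $_.Name; Command = $_.PathName }
        }

    # Permanent WMI event consumers: no file on disk, no Run key, yet a command runs on a trigger.
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { $out += [PSCustomObject]@{ Source = 'WMI consumer'; Name = $_.Name; Command = $_.CommandLineTemplate } }
    Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { $out += [PSCustomObject]@{ Source = 'WMI script consumer'; Name = $_.Name
                                                     Command = "$($_.ScriptFileName) $($_.ScriptText)".Trim() } }
    $out
}

Get-AutostartEntries | Format-Table -AutoSize -Wrap
```

Run it once before the clean-up and save the output, then again afterwards: an entry that survives, or a new one that appears after a few minutes, is the restore mechanism the article warns about. Remove the autostart entry and the file it points to in the same step, otherwise the next boot (or the next task run) puts the miner back.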

If no measures help (not even running the script in AVZ), you will have to either ask for help or reinstall the system. And it is better to reinstall anyway.

By the way, here is the "combat" set of small portable utilities I have used. But download Dr.Web CureIt!, Kaspersky Virus Removal Tool and COMODO Cleaning Essentials only from their vendors' sites, fresh. All the utilities are absolutely free.

By the way, the business of viruses and antiviruses is a very lucrative topic, exactly like the arms trade. In other words, you first sell a virus for "dark deeds" and then sell the victim an antivirus for protection. It turns out two sides are fighting and a third warms its hands on it. So when trying to knock yet another virus out of the system, do not buy paid software; break the vicious circle.

Prevention methods

While any operating system is in use, a lot of software is installed on it and subsequently removed. Uninstallers and registry cleaners, frankly, do a poor job of their tasks. As a result the registry turns into garbage. In addition, each installed application, especially a serious one, launches extra processes, sometimes not needed by the user at all, and writes various settings into the system. And sometimes separate modules of long-deleted programs remain and keep running. All this lets any process quietly integrate into the system, and in this mess the user will probably notice nothing.

So make a habit of using mostly portable software. Yes, it is not very convenient; yes, such programs interact worse with the OS and with each other. But there are many advantages: you do not clog the registry; the computer starts and shuts down faster, because in the background a lot of things you do not suspect are running; and, most importantly, the process list stays clean and it is easier to spot something new, for example a process that did not exist before and consumes a significant amount of resources.

All that is mine I carry with me

In general, it will be very good if people start taking an interest in how their computer hardware and the software installed on it work, in particular the operating system. It would be great if many users' knowledge extended beyond torrents, games and porn. It is worth finding out how the operating system is arranged and which processes are responsible for what. If you do not clutter the space, it is much easier to navigate.

But of course it is easier to prevent the problem in the first place. I am not a supporter of antivirus combines such as Kaspersky or ESET NOD32. Such "security" is not your guard but your overseer. It is very difficult to disable such a benefactor, and I am not going to tolerate some piece of software telling me which sites to visit and what to download from them.

By the way, about viral and other quite reasonable paranoia: I try not to store on the PC any information that is at all important to me. I keep everything on flash drives and disks. On the main flash drive I have collected all the working files, everything related to my work.

Many of the programs I work with are also there in portable form, in particular a browser with important bookmarks and the Electrum Bitcoin wallet. Every evening I scan the system with three portable antiviruses from the "combat kit" and make a password-protected backup archive of the flash drive. Then I pull it out of the port and put it under the pillow. This is my guarantee of the safety of important information.

Every night I scan the system

All my favorite movies, music and photos are also on separate media. In fact I have a clean system with a minimal set of programs and drivers. True, there is the simple 360 Total Security antivirus; it is, incidentally, a very tedious fellow that constantly suspects something. But I like it: I listen to it, and when I get tired of it I simply exit it. That is enough to switch off the "caring mommy". But when I need insurance it works for me at full capacity, and I make sure it does not suddenly get switched off for some reason.

So that no "add-on" or other evil spirit installs itself silently, I have the standard firewall turned on plus another small but clear utility, WinPatrol Monitor. When something tries to write itself into the registry without my knowledge, the little program really starts barking and shows a window describing what is trying to get in and where.

I rarely have the question of what to download from where; most sites have been tested long ago, so I see no need to use dubious resources, for which I have long since developed an instinct. But if I do download something, say software from an unknown vendor, I of course do not check it with antiviruses; I run it in the sandbox included in the 360 Total Security kit. I am not even interested in its behavior: the point is that some viruses have a self-destruct mechanism built in for when someone tries to study them in a sandbox. And that is just what I need.

In conclusion, a word for those who do not think hidden mining is anything malicious. Whatever the supporters of "gray methods" say, it is in any case an unfair game. Someone, without asking me, installs something on my machine without paying a penny for it. I could mine a little myself, so to speak "for cookies", but I do not want to put extra load on equipment I have invested a lot in and assembled exclusively for journalistic work. And I am not happy that some Vasya will quietly mine crypto on it (for kopecks) and load my already overheated video card!

Additional hazards

Such botnets, which can be expanded to astonishing proportions, combined with AI and neural-network technology can become either a universal good or an instrument of destruction and total control. Today Monero is mined secretly on my PC; tomorrow, will the military start computing the trajectories of long-range ballistic missiles on it?


If I were sure my hardware was being used during idle time for good purposes and not for someone's enrichment, I would gladly agree to it. In the meantime, while people continue to "beat each other over the head with clubs", reach into other people's pockets and try to dominate others, I will try to keep my computing resources out of reach of other people's hairy paws.

These instructions were written after the WannaCry FileDecrypor got into the system from "nowhere", somehow managing to get past the ESET NOD32 that was running at the time. This rubbish did not manage to encrypt anything, but something in the system broke and serious problems began afterwards. I had to delete it. After that I seriously reworked everything and arranged it in the way described above.

I did not have a hidden miner, although while writing the article I was tempted to run something similar and then remove it from the system. But that seemed reckless, since I have only one working machine. So there is no guarantee that the above measures will be effective. If someone has experience solving this problem or disagrees with something, please speak up; I will make changes to the article at any time, and together we will create useful instructions.

And here is a video that clearly shows how "real" miners work today. These Chinese have 3,000 powerful miners on just one farm! So what size of network will the next "dealer" need to earn a decent income, even working with altcoins?

And when installing a miner on someone's machine, what guarantees are there that nobody got there first, and how many people, in fact, can earn normally this way if they infect all PCs without exception? Count and think. Probably a relatively limited number of people do well with this scheme, and the rest count kopecks and proudly call themselves miners while spreading the virus across the network.


Posted by: Slash