Cryptocurrency-mining malware spotted on more than 4200 sites including UK, US, and Australian government sites


#1

Originally published at: https://boingboing.net/2018/02/11/ic-uh-oh.html


#2

I’m lazy and don’t feel like researching:

How much money/btc does something like this actually generate?


#3

Think in terms of distributed processing like SETI@Home. Millions of computers “loaning” spare cycles adds up quickly.


#4

My God! Somebody might use my computer to get a penny! If I never find out, that’s terrible!


#5

If you really feel that way, I have some custom malware applications I’d like to install on your computer.

And don’t worry, they’re harmless. Well, to you, anyway. You have my word as a crimi… as an applications developer.


#6

We’re not talking about badly written Flash ads here. The problem is, they’re maliciously inserting code into other sites that then get used by third parties - e.g. a site that serves JavaScript code that government sites* use to read web pages out loud. This isn’t just eating up computer cycles but compromising security, privacy and making web sites into unstable resource hogs. It’s bad.

*(ironically including the UK privacy regulator site)


#7

As I understand it, the maliciously-placed intruder code allows some of the host website’s resources to be used to generate digital currency. If that’s the case, then that is theft.

If that’s the case (2), it opens the door to potentially vast numbers of telehacked machines and could be disastrous.


#8

Yeah, that seems to be the case.
Apparently the UK Information Commissioner - which is charged with policing data breaches - has actually now shut down their website as a result of this.


#9

I’m guessing that maybe large scale web servers – esp. government sites that primarily serve up static content – are not routinely performance tested?


#10

Problem is that this code runs on the browser, not the server. Even companies that do run perf tests almost never do it on client code.


#11

I get that this is wrong when the site owner is not aware that they are serving a miner, but could this be a legitimate income stream for publishers?

There are some sites where, given the choice, I would rather run a miner in the background for the few minutes I spend on the site over viewing invasive ads.

I’ve come across sites that automatically use your browser to serve torrents, like https://d.tube

It looks and works like YouTube except clients serve the videos to each other via IPFS running in the background. They don’t really announce this to users, but something about it seems fair because you only torrent videos you’ve watched.


#12

Yes, and sites have been looking into it. If I recall correctly, The Pirate Bay experimented with letting users choose to run a cryptocurrency miner rather than buy ads, because they historically have problems getting ads that pay and policing them to not be malware.


#13

CPUs don’t mine quickly, and given the time it takes for 1 hash, how fast could it go before someone else finds the coin?


#14

Oh, I didn’t catch that bit (tldr). I just assumed they had hacked into the server and were just running the mining ops on the server itself. Running stuff like that client-side though seems fraught with peril. I guess on some browsers (okay, what I mean is Chrome), you can run native code in a highly sandboxed environment, but I would hope that you’ve got to run a gauntlet of authorization before allowing it, especially now that we are aware of certain vulnerabilities in Intel processors. Anything else leaves you trying to mine btc in JavaScript which would cause most users to quit and restart their browsers.

But who knows – in the world of performance-sucking Google Docs, we may have become accustomed to sub-par performance from most of our internet apps to the point where we don’t question why our fans are running at 110% when we change a text run to Comic Sans.


#15

A LOT, if you have enough traffic.

I have zero problems with this if:

a) It is clearly declared AND voluntary, and
b) The user can specify max CPU/RAM usage.


#16

Could it be that the ads on boingboing are doing this? Perhaps that’s why my phone keeps reloading the page when I’m halfway through reading a post!


#18

All your spare cycles are belong to us.


#19

How much electricity is wasted mining cryptocurrencies? Isn’t banning them the eco-friendly thing to do?


#20

And that’s why I never use my quantum desktop machine for browsing.


#21

Well, you can give yourself x% chance of winning a block if you can throw y processor cycles at it over z time. This is probably a hellaciously inefficient way to do it, compared to a dedicated mining rig with stacks of bleeding-edge GPUs… but that just means you need a slightly more hellacious number of stolen cycles.

[EDIT: you could also probably throw your stolen cycles into a consortium and get a share of its wins, which is how a lot of people make money mining rather than winning blocks outright.]

It’s sort of a “how many kindergartners would it take to beat up a heavyweight boxing champion” kind of question. A lot–far more than would be optimal–but that number exists and there are lots of kindergartens.