Inventory of the common routines of mining code

Recently, many corporate websites in Shaanxi have been found with JS web mining Trojans implanted. It is understood that the first website found with the Trojan belonged to a gas and heat association in Shaanxi. When the relevant agencies traced the operator of that website, Xi'an Chang Gung Internet Technology Co., Ltd., they found that many websites designed by the company carried JS web mining Trojans.

The implantation of mining codes into web pages does not rule out the possibility that someone is intentionally using these corporate websites for personal gain. It may also be a sign that the website has been hacked.

According to the Warp Speed Future Safe Zone, there are more than 30,000 websites on the entire network with built-in mining code. As soon as a user opens such a website and browses it, the website draws on the computing resources of the computer or mobile phone to mine. About 500 million computers around the world have been hijacked for mining.

Mining for Monero

A look through the mining code shows that much of it mines Monero. Monero uses the Cryptonight mining algorithm, which is very suitable for running on ordinary computers, so hackers have developed a perfect profit-making plan around it.

They write the code in JavaScript, and when a user loads a website, the mining code is loaded along with it. According to data from Coinhive, the largest Monero mining code provider, their code runs at about 65% of the efficiency of Monero mining machines, and there is still room for improvement in the future.

Although users can only contribute a little computing power during the time they visit the website, the more visits they receive, the more money they make.

Many mining code providers have calculators for developers to predict income. If your website has 10-20 users visiting it every day, you can earn 0.3 XMR per day, about 270 yuan, and 8,100 yuan per month.

Previously, the well-known BT resource download website The Pirate Bay was exposed as having Monero mining code built into the site. The Pirate Bay's website announced, directly and arrogantly: "As long as you enter the Pirate Bay website, you agree that we will use your CPU to mine Monero. If you disagree, you can leave immediately or install an adblocker."

However, this passage can only be seen at the very bottom of the Pirate Bay website, and it is deliberately set in a small font size.
That is to say, even if you just open The Pirate Bay to see if there are any updated resources, your computer's CPU usage will instantly soar to 100%, providing computing power for The Pirate Bay to generate revenue until you close the website.

Currently, websites with less traffic can earn a few dollars a day in extra income, and some can earn thousands of dollars. If you feel that your computer or mobile phone is inexplicably hot when you are surfing the Internet, you should consider whether it has been used by the website to mine.

According to the summary of the Warp Speed Future Security Zone, the following are the targets most likely to be picked by hackers and implanted with mining Trojans:

Target 1: Pornographic websites

It is understood that 68% of the websites implanted with mining codes are pornographic websites.

In addition to this, these websites have further practices. They will allow the mining code to continue running after closing the browser. Therefore, even if the user finds these mining websites and closes the browser, the relevant code can still continue to run and occupy CPU resources.

In fact, after the browser is closed, the mining code keeps executing in a window hidden in the system. This window is hidden behind the system clock in the taskbar. Users can unlock the taskbar and increase its width to make the hidden window visible. Closing it stops the mining code from running.

Target 2: College score checking system

Besides website owners adding mining code on their own, there are also hackers who break into other people's web servers and maliciously implant mining Trojans in the code. After the college entrance examination, many university websites were reported to have been hacked, and candidates ended up contributing computing power to the hackers while checking their test scores.

Because score checking websites release scores at a set time, a large number of candidates open the pages and wait for the results, so these websites draw more traffic than other websites such as blogs. In the past, the official websites of many key universities in Shandong, Hubei, Henan, Heilongjiang and other places were detected to have been implanted with mining Trojans.

Target 3: Game plug-ins

In addition, many game plug-in developers also implant mining Trojans in their plug-ins, tricking many users who are greedy for small profits and enjoyment. Beyond computers, a large number of apps containing mining Trojans have also appeared on Android mobile phones.

The black industry chain behind the mining code

There is actually an entire industrial chain behind the mining code and mining Trojans, and the services are very complete.

Mining begins as soon as a web page is opened. In fact, this function is not developed by the website developers themselves. They use the interface provided by web mining service providers. Developers only need to insert a string of code into the web page code to enjoy the income.


Web mining service providers provide website developers with a variety of mining services, such as verification code mining, short link access, silent mining, etc. As long as you dare to come, they can occupy 100% of your computer resources in an instant.

Any product has room for iteration, so web mining service providers such as CoinHive are also constantly evolving their products, allowing website developers to better hide the fact that they are using users' computers for mining and provide better services to users.


For example, many websites use click-through verification codes to block robots and prevent spam comments. CoinHive provides a similar anti-cheating module: when the user clicks the button, web mining starts, and once the verification is completed, mining stops.

If users are really willing to wait to post or log in, they can accept a verification time of more than ten seconds, but the price is that the computer's CPU mines at full load for those ten-odd seconds, and the temperature will instantly rise by dozens of degrees.

Beyond what has been described above, the use of websites or apps that hide mining code to lure users into mining has built up a long record of incidents in recent years.

  • September 2017

Coinhive uses JS code to install mining programs on websites

On September 18, the media revealed that the world's largest BT download website, The Pirate Bay, used a JavaScript program (a piece of JS code) embedded in the web page to "borrow" the computer running the browser to mine virtual currency.

As a result, the mining program's JS code runs whenever visitors browse the website, causing high CPU usage while a page with the mining code is open, or even running the CPU at 100% full capacity.

So how is JS code used to make a website mine? A website called coinhive (https://coin-hive.com/) provides a JS engine for mining. The coin mined is called XMR, and the price of one XMR is about $95! The website provides a variety of settings, including a limit on CPU usage during mining. If the CPU usage is lowered, visitors are unlikely to notice the mining unless they check the website's code. By default, the mining program works as long as someone is visiting the website.



The advantage of this website monetization method is that it can avoid putting some disgusting advertisements on the website to achieve profit. The disadvantage is that it will occupy the user's CPU and increase power consumption. In serious cases, it will cause the visitor's computer to freeze.

The main codes used are as follows:


  • March 2017

In March 2017, a website hosting Coinhive's code was hacked, and the processing power of its visitors' devices was stolen. At the time, several security firms identified the cryptocurrency mining service Coinhive as the biggest threat to web users.

Coinhive is a cryptocurrency mining service that relies on a small piece of code embedded in a website. The code borrows some or all of the computing power of any browser visiting the site, enlisting that machine in a bid to mine the Monero cryptocurrency.

Monero differs from Bitcoin in that transactions are untraceable, and outsiders cannot track Monero transactions between two parties. Naturally, this feature makes Monero particularly attractive to cybercriminals.

Coinhive then released its mining code, claiming that website owners could earn revenue without running intrusive, annoying ads. But it didn’t take long for Coinhive’s code to become the top malware tracked by multiple security companies, because in most cases the code was installed on hacked websites without the owner’s knowledge or authorization.

Just like being infected by malware or a Trojan horse, Coinhive’s code would often lock up a user’s browser and drain the device’s battery, mining Monero for as long as the visitor was browsing the site.
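
For a site operator, the hacked-site case described above comes down to knowing which scripts the pages actually load. The audit below is an added example, not code from the original article or from Coinhive; the approved-host list, the example.com and example.org names, the placeholder key and script path, and the indicator patterns (the `CoinHive.*` constructor names and the `throttle` option) are assumptions for illustration.

```javascript
// Added example: flag <script> elements that load from hosts the site never
// approved or that match browser-miner indicators (patterns are assumptions).
const MINER_INDICATORS = [
  { name: 'coinhive-host', re: /\bcoin-?hive\.com\b/i },
  { name: 'coinhive-api', re: /\bCoinHive\.(Anonymous|User|Token)\b/ },
  // Weak on its own: a CPU limit option only matters next to another hit.
  { name: 'throttle-option', re: /\bthrottle\s*:\s*(0?\.\d+|[01])\b/ },
];

// Extract every <script> element: its src attribute (if any) and inline body.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    const src = srcMatch ? (srcMatch[1] ?? srcMatch[2] ?? srcMatch[3]) : null;
    scripts.push({ src, body: m[2].trim() });
  }
  return scripts;
}

// Return findings for one page: unapproved external hosts and indicator hits.
function auditPage(html, pageUrl, approvedHosts) {
  const findings = [];
  const pageHost = new URL(pageUrl).hostname;
  for (const s of extractScripts(html)) {
    if (s.src) {
      let host;
      try { host = new URL(s.src, pageUrl).hostname; }
      catch { findings.push({ type: 'unparseable-src', detail: s.src }); continue; }
      if (host !== pageHost && !approvedHosts.includes(host)) {
        findings.push({ type: 'unapproved-host', detail: host });
      }
    }
    const text = `${s.src || ''}\n${s.body}`;
    for (const ind of MINER_INDICATORS) {
      if (ind.re.test(text)) findings.push({ type: ind.name, detail: s.src || 'inline' });
    }
  }
  return findings;
}

// Constructed sample: a page as it might look after an unauthorised script was added.
const SAMPLE_HTML = `<script src="/static/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="//coin-hive.com/lib/miner.placeholder.js"></script>
<script>var m = new CoinHive.Anonymous('PLACEHOLDER_KEY', { throttle: 0.8 }); m.start();</script>`;

console.log(auditPage(SAMPLE_HTML, 'https://www.example.com/', ['cdn.example.org']));
```

The host allowlist is the check that still fires when an implanted script is renamed or served from a host the patterns do not know.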

  • November 2017

At that time, as the value of virtual currencies such as Bitcoin continued to rise, even rising to US$11,000 on the 29th, the mining business revived. Everyone saw the profitable side and joined the mining army.

So at that time, a group of mining websites, mainly adult websites, appeared.

When users visit such websites, the CPU usage of the computer will suddenly increase, but it will not use up all the performance. They hope that this method will reduce users' suspicion of the computer becoming slow and stuck, so that the computer can still be used normally.

In addition to this, these websites have further practices. They will allow the mining code to continue running after closing the browser. Therefore, even if the user finds these mining websites and closes the browser, the relevant code can still continue to run and occupy CPU resources.

In fact, after the browser is closed, the mining code keeps executing in a window hidden in the system. This window is hidden behind the system clock in the taskbar. Users can unlock the taskbar and increase its width to make the hidden window visible. Closing it stops the mining code from running.

Alternatively, when encountering a corresponding situation, you can also close the corresponding process through the system task manager to stop the running of related code.

  • December 2017

Starbucks Group has confirmed that when customers connect to the WiFi for the first time at its Buenos Aires branch, there is a delay of about 10 seconds. During this gap, hackers can mine digital currency without the user noticing.

However, it is still unclear who is behind the attack, how long the malware has been implanted, and how many users have been affected.

The technical side of the mining can be explained as follows: the hacker has a script that carries out the attack on a WiFi network automatically, so it can be run on a cafe's WiFi network. The attack connects some devices to the WiFi network, and the attacker then intercepts the traffic between the user and the router during the connection.

From the above, we can see that in order to achieve the dream of getting rich through mining, hackers will do anything (even putting mining machines into Tesla cars and connecting them to charging stations). As a result, abuse of users' devices in all sorts of ways has become commonplace.

