Coinminers Detection Surged by 8,500% in 2017… · • Stealth Address - virtual P.O. box • Ring...


Page 1:

Coinminers Detection Surged by 8,500% in 2017

Source: Symantec

Page 2:

The Rise of Coinminers

Omri Segev-Moyal, Co-Founder & VP of Research, Minerva Labs (@GelosSnake)

Get these slides now at: https://tinyurl.com/rise-of-coinminers

Page 3:

Naming Convention?

Source: Google Trends

Page 4:

CryptoJacking is Everywhere

Source: similartech

Page 5:

Jumping on the Wagon

Source: malware-traffic-analysis.net

Page 6:

Finding Similarities

Page 7:

XMR – Currency of the Day

• Stealth Address - virtual P.O. box

• Ring Signatures – transactions can't be tracked

• CPU mining still very effective

• Ease of use

Page 8:

CryptoJacking – Hiding in Plain Si(gh)te

Source: @bad_packets - https://arxiv.org/pdf/1803.02887.pdf

Page 9:

CoinBlockerLists – It’s Free

Source: zerodot1 - https://zerodot1.github.io/CoinBlockerLists/

Page 10:

XMRig - Relying on Open Source

https://github.com/xmrig

Page 11:

Public Pools - Miners Unite

https://tinyurl.com/MinerSnort

Page 12:

Shhhhh They are Watching

Page 13:

Catch Me If You Can

Page 14:

Common #OPSec Failures

• Using traceable email in public pools

• Uploading source code to public repos

• Hardcoded credentials in the payload

Source: Any.run

Page 15:

Case Study - Waterminer

Source: https://tinyurl.com/BleepingWater

Page 16:

Show Me The Money

Page 17:

Using Pools Data to Track CoinMiners

• XMR transactions are anonymized, but pool statistics (often) are not

• Monitor for hash rate, payments, running periods

• Shared backend technology

• Graphics!
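As an added illustration of the second bullet (this code is not from the talk), the following Python sketch turns worker statistics scraped from a pool's public stats page into the three signals named above: running periods, hash-rate profile and payouts. The record shape (`ts`, `hashrate`, `paid`) and every value in `SAMPLE_STATS` are constructed for the example; real pools expose different JSON layouts, so only the analysis functions carry over.

```python
"""Derive running periods, hash-rate profile and payouts from pool worker stats.

Added example, not from the talk: the records below are constructed in a
generic shape (timestamp, hashrate, paid) rather than any real pool's API.
"""
from datetime import datetime, timedelta

# Constructed sample: one worker sampled every 10 minutes. There is a gap
# (machine off or miner killed) between 00:20 and 09:00, an idle sample at
# 09:10, then a second run. Hash rates are in H/s, payouts in XMR.
SAMPLE_STATS = [
    {"ts": "2018-03-01T00:00:00", "hashrate": 310, "paid": 0.0},
    {"ts": "2018-03-01T00:10:00", "hashrate": 320, "paid": 0.0},
    {"ts": "2018-03-01T00:20:00", "hashrate": 300, "paid": 0.002},
    {"ts": "2018-03-01T09:00:00", "hashrate": 290, "paid": 0.0},
    {"ts": "2018-03-01T09:10:00", "hashrate": 0,   "paid": 0.0},   # worker idle
    {"ts": "2018-03-01T09:20:00", "hashrate": 300, "paid": 0.0},
    {"ts": "2018-03-01T09:30:00", "hashrate": 310, "paid": 0.0},
    {"ts": "2018-03-01T09:40:00", "hashrate": 270, "paid": 0.001},
]


def parse(records):
    """Return (timestamp, hashrate, paid) tuples sorted by time."""
    return sorted(
        (datetime.fromisoformat(r["ts"]), r["hashrate"], r["paid"]) for r in records
    )


def running_periods(records, gap=timedelta(minutes=30)):
    """Split active samples (hashrate > 0) into contiguous windows.

    A silence longer than `gap` or an idle sample (hashrate 0) closes the
    current window. Returns a list of (start, end) timestamps; a window of
    a single sample has start == end.
    """
    periods = []
    start = prev = None
    for ts, hr, _ in parse(records):
        if hr <= 0:
            if start is not None:
                periods.append((start, prev))
            start = prev = None
            continue
        if start is None:
            start = ts
        elif ts - prev > gap:
            periods.append((start, prev))
            start = ts
        prev = ts
    if start is not None:
        periods.append((start, prev))
    return periods


def summary(records):
    """Aggregate the signals an analyst would chart for one worker."""
    rows = parse(records)
    active = [hr for _, hr, _ in rows if hr > 0]
    periods = running_periods(records)
    return {
        "periods": periods,
        "avg_hashrate": sum(active) / len(active) if active else 0.0,
        "total_paid": round(sum(p for _, _, p in rows), 6),
        "uptime": sum((end - start for start, end in periods), timedelta()),
    }


if __name__ == "__main__":
    for key, value in summary(SAMPLE_STATS).items():
        print(f"{key}: {value}")
```

The 30-minute gap threshold is a tuning knob: short gaps mean a machine rebooting or a miner being killed and restarted, while a long one that recurs at the same hour each day hints at a scheduled task rather than a persistent service. The average hash rate of a single worker also tells you roughly how many cores it has, which is useful when the same wallet shows thousands of workers.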

Page 18:

Case Study - PhotoMiner

Page 19:

Use Your Enemy’s Strength Against Them

Page 20:

GhostMiner - Eliminating Malicious Mining Competitors

• Kill running miner processes

• Stop and delete blacklisted miner services by name

• Remove miners that run as blacklisted scheduled tasks, by task name

• Stop and remove miners by their command-line arguments

• Stop and remove miners by going through the list of established TCP connections,

Source: https://github.com/MinervaLabsResearch/BlogPosts/tree/master/MinerKiller
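The same indicator set GhostMiner uses to kill competitors (process names, command-line arguments, established TCP connections) is exactly what a defender matches on, and the domain side of it is what CoinBlockerLists and the public-pool signatures earlier in the deck supply. The Python triage below is an added example, not code from the talk or from Minerva's MinerKiller repository: it scores a constructed process snapshot against those indicators and only reports, it terminates nothing. The blocklist domains, the wallet string and the stratum port set are placeholders chosen for the example; a real deployment would load a maintained list such as CoinBlockerLists instead.

```python
"""Triage a process snapshot for coinminer indicators (detection only).

Added example, not from the talk and not Minerva's MinerKiller code. The
process records are constructed, and the indicator lists are illustrative
placeholders, not a vetted blocklist.
"""
import re
from dataclasses import dataclass, field

# Placeholder domains standing in for a list like CoinBlockerLists (constructed).
POOL_DOMAIN_BLOCKLIST = {"pool.example-xmr.test", "mine.example-pool.test"}

# Ports often used by stratum endpoints; an assumption for this example, and
# on its own only a weak signal (hence it is reported separately below).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

# Command-line shapes typical of open-source CPU miners such as XMRig.
CMDLINE_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),   # pool URL scheme
    re.compile(r"--donate-level", re.I),          # XMRig-style dev-fee flag
    re.compile(r"(^|\s)-o\s+\S+:\d+"),            # -o host:port pool argument
    re.compile(r"--algo[= ]", re.I),              # explicit hashing algorithm
]

# A renamed binary defeats this check, which is why the other two exist.
KNOWN_MINER_NAMES = {"xmrig", "xmrig.exe"}


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    remote_endpoints: list = field(default_factory=list)  # (host, port) tuples


def score_process(p: Proc, blocklist=POOL_DOMAIN_BLOCKLIST) -> list:
    """Return the indicators that matched; an empty list means nothing suspicious."""
    hits = []
    if p.name.lower() in KNOWN_MINER_NAMES:
        hits.append(f"name:{p.name}")
    for pat in CMDLINE_PATTERNS:
        if pat.search(p.cmdline):
            hits.append(f"cmdline:{pat.pattern}")
    for host, port in p.remote_endpoints:
        if host.lower() in blocklist:
            hits.append(f"conn:blocklisted:{host}")
        elif port in STRATUM_PORTS:
            hits.append(f"conn:stratum-port:{host}:{port}")
    return hits


def triage(procs) -> dict:
    """Map pid -> matched indicators for every process with at least one hit."""
    result = {}
    for p in procs:
        hits = score_process(p)
        if hits:
            result[p.pid] = hits
    return result


# Constructed snapshot: two benign processes, one renamed miner that still
# carries its pool arguments, and one unrenamed miner driven by a config file.
SAMPLE_SNAPSHOT = [
    Proc(1001, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Proc(1002, "svchost.exe", "svchost.exe -k netsvcs", [("203.0.113.10", 443)]),
    Proc(1003, "updater.exe",
         "updater.exe -o stratum+tcp://pool.example-xmr.test:3333 "
         "-u WALLET_PLACEHOLDER --donate-level=1",
         [("pool.example-xmr.test", 3333)]),
    Proc(1004, "xmrig.exe", "xmrig.exe --config=c.json", [("198.51.100.7", 14444)]),
]


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_SNAPSHOT).items():
        print(pid, hits)
```

Process 1003 shows why the three checks are layered: its name is innocuous, but the command line and the destination both give it away. Process 1004 hides its pool in a config file, so only the name and the destination port fire, and a port-only hit on an unknown host is the case worth enriching with DNS and pool-list lookups before acting.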

Page 21:

What’s Next?

Page 22:

Staying Ahead of The Curve

• Solo mining, and a proxy between the pools and the infected machine

• Unique protocols (hiding traffic)

• Less CPU consumption: immediate versus on-going mining (a "nice" miner)

• Targeting less tracked connected devices

Page 23:

Recap

Page 24:

What Did We Discuss

• Similar features of Coinminers

• Methods to detect and prevent these attacks

• How to track down and hunt for common opsec failures

• Monitoring Coinminer profits

• Using coinminers' anti-competition tools against them

Page 25:

Q&A

Page 26:

Want to Share CryptoMiners Findings? Have Any Other Questions?

• Email me at

• Reach out to me on Twitter: @GelosSnake

• Get these slides now at: https://tinyurl.com/rise-of-coinminers