Hidden cryptocurrency miners: what a miner looks like, how to detect a hidden miner and how to get rid of it

If your computer suddenly slows down and your electricity bill jumps several times over, you may have become the victim of hackers engaged in hidden ("black") mining: someone else mining cryptocurrency on your hardware.

Hidden mining: how to detect it, and can the problem be fixed?

To mine cryptocurrency, an ordinary user needs several things: powerful computer hardware, special mining software, a reliable pool server that distributes work and rewards among the members of the mining community and, of course, self-confidence. But it is not that simple. Bitcoin mining gets harder every day, and competition between miners keeps growing.

Electricity costs are a topic in their own right. By one estimate at the time of writing, a single Bitcoin transaction already consumed one and a half times the daily electricity use of an average American household, and forecasts suggested that within three years producing the most popular digital currency would consume as much electricity per year as a country the size of Denmark.

Tighter conditions have pushed home computers out of Bitcoin mining entirely, but they can still earn on alternative coins, the so-called altcoins. That is why some "enterprising" programmers look for ways to earn digital cash using other people's computing power.

Crypto mining at someone else's expense: how hackers do it

In any human activity there are those who work honestly and those who try to profit at others' expense, and the mining world is no exception. Some avoid paying for electricity by running a cable straight to a transformer, others use smuggled Chinese graphics cards. But the most common way of "playing without rules" is using other people's computers for mining without their owners' knowledge.

In the autumn of 2017, for example, Kaspersky Lab specialists uncovered two large-scale mining botnets of about 4,000 and 5,000 machines. The owners of the infected computers had no idea they were taking part in the extraction of virtual coins, while the creators of the malicious program replenished their wallets with thousands of dollars every month.

Black miners most often mine Litecoin, Feathercoin and Monero: cryptocurrencies whose algorithms do not require specialised heavy-duty hardware and can be mined on ordinary processors and graphics cards. The victims are therefore mainly owners of ordinary home and gaming computers.

Types of black mining

Let's look at the two types of illegal cryptocurrency mining that attackers use.

  1. Hidden browser mining

You probably know that visiting unknown websites can harm your computer, and this applies here too. It is enough to open a page with the mining code embedded in it, and your laptop or desktop instantly becomes part of someone's system for generating virtual coins, for as long as that page stays open.

Today not only obscure sites spread the infection but, as it turned out not long ago, perfectly respectable ones. In September 2017 a scandal broke out over the official website of a large Ukrainian media holding, whose visitors were turned into unwitting Monero miners. A similar accusation was later made against the well-known US TV channel Showtime.

  2. Virus miners

The first reports of virus miners date back to 2011, and since then they have attacked the computers of ordinary users around the world. Infection typically happens by following a link from an e-mail. Powerful computers, mainly gaming ones, are most at risk.

Virus miners are generally more dangerous than browser-based mining, because they use the computer's resources more aggressively and keep running after the browser is closed. Hundreds of thousands of users worldwide have fallen victim to them.

How to check for hidden mining?

The first and most obvious sign of infection is slowdown. If the computer works fine most of the time and slows down only on one site, a browser miner may be running on that site. The most dangerous sites in this respect are those that keep the user on the page for a long time: torrent trackers, gaming resources and movie-streaming sites. Gamers with powerful processors and graphics cards are very often hit by a virus miner. Another symptom of infection is a sharp increase in electricity consumption.

The main difficulty in checking for hidden mining is that antivirus programs often classify it not as a virus but as potentially unwanted software ("riskware"), because the mining program itself is legitimate: it only consumes the resources of someone else's computer and does not corrupt data or break the system directly. Sustained full load does, however, heat and wear components, so "harmless" is relative. This is important to understand.

Hidden mining virus programs

Below are the main malware families users should know about in order to protect their equipment.

  1. Bitcoin Miner (Trojan). Normally a user's computer runs at about 18-20% of capacity; Bitcoin Miner raises this to 80% and sometimes 100%. Besides the illegal use of resources, this spyware steals personal information and can even give attackers access to your wallets. This type of Trojan is spread mainly via Skype, but it can also be picked up by downloading photos or Word documents.
  2. EpicScale. This program was discovered by uTorrent users. In response to well-founded accusations, the company's owners stated that they sent the funds obtained this way... to charity. Users never received an explanation of why they "forgot" to inform them in advance about their participation in this "charity event". Notably, EpicScale is hard to get rid of completely: after uninstallation, its executable files remain on the computer. Later a similar scandal erupted around the Pirate Bay torrent tracker.
  3. JS/CoinMiner. A malicious script that mines cryptocurrency in the browsers of other people's computers. Users of online video portals and gaming sites are at particular risk: such sites are CPU-intensive anyway, so in most cases JS/CoinMiner goes unnoticed. To identify a mining script, check whether the domain it is loaded from appears in a list of known miner scripts.

How to block hidden browser mining

Today there are several effective ways to protect the browser against black miners:

  1. Edit the hosts file.
  2. Install the NoCoin browser extension and the Anti-Web Miner utility.
  3. Disable JavaScript in your browser using NoScript.
  4. Add an anti-mining filter list to uBlock or AdBlock.

JavaScript blocking and the utilities are self-explanatory, but editing the hosts file deserves a closer look. The hosts file (on Windows, C:\Windows\System32\drivers\etc\hosts; on Linux and macOS, /etc/hosts) is consulted before DNS, so a line of the form "0.0.0.0 domain" makes the browser fail to load anything from that domain. Edit it with administrator rights, add one such line for every known mining-script domain, save, and flush the DNS cache (on Windows, ipconfig /flushdns). The caveat: this blocks only the domains you know about. A script served from a new domain, or from the site's own domain, gets through, which is why a script blocker is still needed.

After these simple steps your browser is reasonably protected against known mining scripts.
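As an added example (not code from the original article, nor from the NoCoin or Anti-Web Miner tools), here is how the check behind these measures can be scripted in Python: it lists the hosts a page loads scripts from, compares them with a blocklist, emits the matching hosts-file lines, and verifies whether a domain is already blocked in an existing hosts file. The blocklist domains, the sample page and its hostnames are constructed placeholders (reserved .example names), not real miner domains.

```python
"""Added example: find third-party mining scripts on a page and block their hosts.

Illustrative code for this article, not the NoCoin extension or a real
blocklist. MINER_HOSTS and SAMPLE_PAGE are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist. In practice this is a maintained list of known
# in-browser mining script hosts that must be refreshed regularly.
MINER_HOSTS = {"miner-cdn.example", "coin-pool.example"}

# Constructed sample page: a video site loading its own player script and
# a second script from a listed miner host (protocol-relative URL).
SAMPLE_PAGE = """
<html><head>
<script src="https://static.video-site.example/player.js"></script>
<script src="//miner-cdn.example/lib/worker.min.js" async></script>
</head><body><video controls src="movie.mp4"></video></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def script_hosts(html):
    """Return the set of lowercase hostnames the page loads scripts from."""
    parser = ScriptCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.sources:
        # Protocol-relative URLs ("//host/path") need a scheme for urlsplit.
        url = "https:" + src if src.startswith("//") else src
        host = urlsplit(url).hostname
        if host:                       # inline or relative scripts have none
            hosts.add(host.lower())
    return hosts


def flagged_hosts(html, blocklist=MINER_HOSTS):
    """Script hosts on the page that appear in the blocklist."""
    return script_hosts(html) & set(blocklist)


def hosts_file_lines(domains):
    """hosts-file lines that make the domains resolve nowhere.

    0.0.0.0 is preferred over 127.0.0.1: the request fails at once instead
    of waiting on a local web server that does not exist.
    """
    return ["0.0.0.0 " + d for d in sorted(domains)]


def is_blocked(hosts_file_text, domain):
    """True if a hosts file already maps the domain to 0.0.0.0 or 127.0.0.1."""
    for raw in hosts_file_text.splitlines():
        fields = raw.split("#", 1)[0].split()          # strip comments
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            if domain.lower() in (f.lower() for f in fields[1:]):
                return True
    return False


if __name__ == "__main__":
    bad = flagged_hosts(SAMPLE_PAGE)
    print("mining script hosts on page:", sorted(bad))
    print("\n".join(hosts_file_lines(bad)))
```

Feed it the saved HTML of a suspect page (browser "Save page as" or a download with curl) to see which hosts it pulls scripts from; anything not recognisable as the site's own infrastructure or a known CDN is a candidate for the blocklist. The hosts file only stops the script from loading; a blocked miner still leaves its tag in the page, and a miner served from the site's own domain is not caught at all.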

Protection against hidden virus mining: precautions

The basic rules: do not follow dubious links, do not download pirated software, and do not run "activators" or key generators from unknown sources.

A few more important rules for safe work with a computer:

  1. Installing an antivirus is not enough; it must be updated systematically.
  2. Create a standard (non-administrator) Windows account and use it for daily work. Installing software system-wide then requires an administrator password, which greatly reduces the risk of accidentally running a malicious installer. It does not eliminate the risk: a miner can run from the user's own profile folders without administrator rights.
  3. For Apple computers the best solution is to allow software to be installed only from the App Store (the Gatekeeper setting).
  4. At the first sign of slowdown, open Task Manager and check whether a program is using the processor or graphics card at near full capacity (80-100%). Even if you find nothing, do not relax: some miners deliberately throttle themselves to stay unnoticed.
  5. Install utilities that block scripts and report changes to the registry. A good option is Request Policy Continued together with uMatrix and, for Google Chrome users, additionally the Antiminer blocker.

Computer security matters to every user, whatever the PC is used for. But those who keep financial data on it must watch the safety of their personal information and the correct operation of the hardware especially carefully. Otherwise they risk meeting the dangerous Bitcoin miner virus, which can cause a lot of trouble and worry. Those who have not yet run into it should think ahead about how to find and remove a miner virus.

It is worth getting to know the threat before meeting it, so that you know what to do when you identify the Trojan. That reduces possible losses and cures the infected machine as quickly as possible.

What is a miner virus?

Despite the telling name, which links the malicious file to cryptocurrencies, almost any user can become a victim, including those who know nothing about virtual money and have never thought of buying it.

The name refers not to the potential victims but to the Trojan's behaviour.

After infecting a computer, it starts using the free resources for mining on the developer's behalf.

As a result the computer becomes part of a huge mining farm, except that the profit goes not to the owners of the equipment but to the creators of the malicious program.

The main problem victims face is that the PC constantly freezes: the available resources are spent earning cryptocurrency, and other programs cannot work normally.

Theft of important data is also possible, although rarer, since the malware's main goal is different. This does not mean you should not worry about the safety of passwords, codes and personal information: they could have been stolen for later use.

How does infection occur?

Infection with a miner virus is no different from infection with other malware. Careless users follow unverified links, download programs from unfamiliar sources and visit dangerous sites. Most often it reaches computers and laptops:

  • via Skype;
  • while updating torrent clients;
  • from e-mail;
  • by following unfamiliar links in social networks.

As a rule it cannot be detected immediately after it reaches the PC; it takes time to settle in, take up disk space and seize free system resources. By the time it is discovered, fixing the situation can be quite difficult.

Since a Trojan can turn up almost anywhere, there is no single answer to the question of which sites and activities to avoid. You can become a victim even when taking precautions.

How to find a miner virus?

The main sign of a Bitcoin miner is that the system freezes and runs slowly. As mentioned above, this is because it uses all available resources. But such problems are not always caused by malware, so the next step to confirm or rule out a Trojan is to check the running processes.

To find the dangerous process, open Task Manager (on most modern systems, press Ctrl, Shift and Esc together) and examine the running processes carefully.

If you find an unfamiliar program that uses a lot of memory and heavily loads the processor, it is time to sound the alarm.

If the process does not dispel your doubts, note its name and look up a description on the Internet. The answer will not take long, and then the user has to decide how to deal with the problem.

How to remove a miner virus from a computer?

Having understood why the miner virus is dangerous and how to detect it, you can move on to removing it. The first thing the PC owner should do is save the information and files he needs. Copy them to a USB flash drive in advance or, if they are too large, to an external hard drive. If the Internet connection is fast enough, cloud storage can be used.

Good modern antivirus programs can usually identify the dangerous files and remove them without difficulty.

Sometimes this seriously affects the operation of individual applications, but the security of the system and personal information matters more, and the most important files were moved to a separate medium anyway.

When copying them back, check the saved files for threats carefully. Only then can re-infection be avoided.

Bitcoin miner virus: how to treat?

If all attempts to cure the computer with a modern antivirus have failed, use one of the four remaining ways to deal with the problem:

  1. entrust the equipment to a professional;
  2. use system restore;
  3. reinstall the operating system;
  4. find and remove the Trojan manually.

The first option practically guarantees a result, but it is costly and sometimes very inconvenient.

The second is acceptable only if the user created restore points in time. Without them, the latest changes cannot be rolled back.

The third method loses all unsaved information and requires reinstalling not only the operating system but also every additional program the PC owner used.

The last method is suitable only for experienced users. It requires knowing the exact name of the malicious file and knowing how to start the computer in safe mode; how to do that varies with the hardware manufacturer and the Windows version.

A further disadvantage of this approach is the time spent hunting down all the dangerous files.

What should you do after treatment?

Having dealt with the miner, attend to system security. First make sure the trouble is really over and the virus has been completely removed. Then change your passwords, especially for e-mail and for important sites holding confidential information, including electronic wallets. This is necessary so that attackers cannot use stolen personal data or gain access to finances.

Install an antivirus if you have not done so already, and keep it up to date so that no dangerous program becomes a source of new trouble.

Once security and passwords are sorted out, you can return the saved files.

But it is worth repeating: check them carefully before copying them back to the hard drive.

They may carry back the very virus that was only just removed from the PC. Knowing how dangerous a Bitcoin miner is and what kind of virus it is, you should not repeat mistakes made once.

Precautionary measures

The Trojan described is only one of the most prominent examples of miner viruses. Such malicious programs appear with enviable regularity, so it is almost impossible to describe each one. That does not make them less dangerous. So, to avoid becoming the victim of a virus attack, take care of protection in advance. To do so:

  • install a good antivirus and keep it updated;
  • set up restore points (read how to create such points and keep them current);
  • do not visit dubious sites and do not download strange, unknown files from unknown sources;
  • monitor installed programs;
  • update software in a timely manner;
  • do not store important logins and passwords on the computer (it is safer to write them down on paper and keep them in a safe place);
  • do not share personal information and passwords with strangers.

Remember that maintaining security is every user's personal responsibility, and the most reliable way to avoid trouble is to watch your actions carefully and think before you act.

Working with finances does not tolerate a careless, frivolous attitude.

Such behaviour can become a source of enormous difficulties and even financial losses. In the best case everything ends with a simple repair of the equipment, but even that brings a lot of worry and unexpected expense.

The appetite for easy, dishonest money is a constant of human nature, so ways of earning it will keep being invented as long as humanity exists. In the information age, one of the most popular methods of this kind is writing computer viruses, from which their creators earn a lot of money. Every year viruses develop, become more sophisticated and get harder to detect. One of the most striking examples of such a "smart" virus is the miner virus.

Before going further, a little theory and terminology. Mining is the extraction of cryptocurrency. A cryptocurrency is a digital currency based on cryptographic methods, that is, methods of ensuring data confidentiality and integrity.

Cryptocurrencies became popular for two reasons:

  • firstly, transactions with cryptocurrencies are pseudonymous (and, for coins such as Monero, private by design);
  • secondly, their exchange rate is unstable and constantly "jumps", which creates good ground for trading (earning on exchange-rate changes).

Mining involves an enormous number of calculations, for which computer processing power is used. Many miners (people engaged in mining) spend large sums on hardware capable of performing those calculations. The creators of virus miners went further: they do not want to invest, they want to use the computing power of your computer for their own enrichment. That is the whole essence of this type of virus.

Why is it dangerous?

Viruses differ. Some are relatively harmless (say, the Amigo browser that installs itself against your wishes); others can only be called outright extortion and a threat (for example, winlockers, which lock the computer and demand a transfer to a certain wallet to unlock it). At first glance the miner looks like a harmless virus: supposedly someone earns money from you, but you yourself lose nothing. That is not so.

As mentioned above, mining consists of a huge number of calculations, for which the computer loads its hardware components: the processor and memory and, for many coins, mainly the graphics card, since that is where the calculations run and its power is what the attacker wants (Monero miners such as XMRig, by contrast, load the processor). The harder these components work, the hotter they get. Excessive load causes overheating, and overheating causes component failure. At best, a miner virus degrades the computer's performance, for example lowering FPS (frames per second) in games. If you are an avid gamer, that alone should make you want to get rid of this virus as quickly as possible.

Types of virus miners

Mining viruses fall into two categories: executable files and browser scripts. To this day many people quietly use their computer without suspecting that it is earning money for someone else.

Let's look at each category in turn, and at how to detect and remove them.

Virus miner in the form of an executable file: XMRig CPU Miner

Most viruses are executable files with the .exe extension, and the miner virus is no exception. Such viruses enter the computer in various ways, the most common being as "additional modules" installed alongside files downloaded from dubious sources. Below we look at how to detect and remove them.

How to detect

The miner virus in executable form is known as XMRig CPU Miner. It should not be confused with the legitimate program of the same name: XMRig is an ordinary open-source Monero miner, and attackers simply install the same binary configured to mine into their own pool account. Unlike a copy you installed yourself, the malicious one consumes far more resources than you would allow and works for someone else. Telling them apart is simple: if you installed XMRig, you know why it is there and what it does. The malicious copy, by contrast, sneaks into the file system by deception, often under a different file name, and does everything it can to complicate detection and removal.

Detecting this virus requires periodic monitoring of the computer's state: the load on the processor, memory and graphics card shown in Task Manager, and the component temperatures. Make this a regular habit. If Task Manager shows the components heavily loaded although no demanding game or program of yours is running, consider whether malicious files are present.

The same applies to temperature: if it is too high, the hardware may be overheating because of a virus (provided you clean the computer of dust at least twice a year and replace the thermal paste).

If the computer is overloaded and overheating, it is time to check the processes, because that is where XMRig CPU Miner should show up. To do this:

  1. Launch Task Manager with Ctrl+Alt+Delete (then choose Task Manager) or directly with Ctrl+Shift+Esc.

    Note: it is worth keeping Task Manager running and minimised all the time. It shows a lot of useful information about the computer's current state in one click, while consuming very few resources.

  2. Go to the tab "Processes".

  3. If XMRig CPU Miner appears among the processes, your suspicions about the miner virus are confirmed. If nothing by that name is there but an unfamiliar process is consuming the processor, treat it with the same suspicion: the binary is often renamed.
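The Task Manager procedure above (and the earlier advice to check running processes) can be scripted once the process list is in hand, which lets you apply the same judgement to every process instead of eyeballing one. This is an added example written for this article, not part of Task Manager or any product. The process snapshot is constructed, including the renamed miner "svchosts.exe", its Temp path and its command line, which uses the real XMRig flags -o (pool) and -u (account); on a live Windows machine the same fields come from Process Explorer or from PowerShell (Get-Process, Get-CimInstance Win32_Process).

```python
"""Added example: triage a process list for signs of a hidden miner.

Illustrative code for this article, not part of Task Manager or any
product. SNAPSHOT is a constructed process list; on a real Windows machine
the same fields come from Process Explorer or PowerShell
(Get-Process, Get-CimInstance Win32_Process).
"""
from dataclasses import dataclass

KNOWN_MINER_NAMES = {"xmrig.exe"}     # the name the article discusses
CPU_THRESHOLD = 50.0                  # percent of total CPU, sustained
LOW_PRIORITIES = {"Idle", "BelowNormal"}
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                   "\\programdata\\", "\\users\\public\\")


@dataclass
class Proc:
    pid: int
    name: str
    cpu: float        # percent, averaged over a sampling window
    priority: str     # Windows priority class as Process Explorer shows it
    path: str
    cmdline: str = ""


# Constructed snapshot: a game at full load, two ordinary processes, and a
# miner renamed to look like a system process, running from Temp at Idle
# priority with XMRig's real -o (pool) and -u (account) flags.
SNAPSHOT = [
    Proc(1204, "svchost.exe", 1.2, "Normal", r"C:\Windows\System32\svchost.exe"),
    Proc(3310, "game.exe", 88.0, "Normal", r"C:\Games\game.exe"),
    Proc(4420, "chrome.exe", 6.5, "Normal",
         r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Proc(5012, "svchosts.exe", 72.0, "Idle",
         r"C:\Users\user\AppData\Local\Temp\svchosts.exe",
         "svchosts.exe -o pool.example:3333 -u 4ABCDwalletEXAMPLE -p x"),
]


def suspicion(p):
    """Return (score, reasons); one point per independent indicator."""
    reasons = []
    name = p.name.lower()
    if name in KNOWN_MINER_NAMES or "xmrig" in name:
        reasons.append("known miner name")
    if p.cpu >= CPU_THRESHOLD:
        reasons.append(f"sustained high CPU ({p.cpu:.0f}%)")
        # Heavy work at Idle/BelowNormal priority is how a miner yields to
        # the user and stays unnoticed; games and encoders run at Normal+.
        if p.priority in LOW_PRIORITIES:
            reasons.append("heavy work at low priority")
    if any(d in p.path.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("runs from a user-writable temp/data folder")
    args = f" {p.cmdline} "
    if " -o " in args and " -u " in args:
        reasons.append("pool/account flags (-o/-u) on the command line")
    return len(reasons), reasons


def triage(snapshot, min_score=2):
    """Processes with at least min_score indicators, most suspicious first.

    A single indicator (a game at 90% CPU) is normal; two or more together
    are worth a closer look and a web search on the file name and path.
    """
    hits = []
    for p in snapshot:
        score, reasons = suspicion(p)
        if score >= min_score:
            hits.append((score, p.pid, p.name, reasons))
    return sorted(hits, key=lambda h: h[0], reverse=True)


if __name__ == "__main__":
    for score, pid, name, reasons in triage(SNAPSHOT):
        print(f"[{score}] pid {pid} {name}: " + "; ".join(reasons))
```

The point of scoring rather than matching a single name is that the "XMRig CPU Miner" label is the easy case; a renamed copy gives itself away by the combination of heavy load, low priority, an odd location and a command line carrying a pool address. Sample CPU over tens of seconds, not a single instant, or an ordinary program doing a burst of work will score a point it does not deserve.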

How to delete

Once inside the computer, XMRig CPU Miner entrenches itself. It takes root deep in the operating system, which makes removal no easy task and calls for a consistent, comprehensive approach.

First, scan the computer with an antivirus. Suitable programs include:

  • Kaspersky;
  • Avast;
  • DrWeb;
  • AdwCleaner.

Let's look at scanning and removal using AdwCleaner as an example. Its advantages include fast scanning and removal of detected threats. To remove viruses with it, follow these steps:

  1. Download AdwCleaner from https://toolslib.net/downloads/viewdownload/1-adwcleaner/.

  2. Click on the button "Download" and wait for the file to download.

  3. Run the file "adwcleaner_7.2.4.0.exe" (7.2.4.0 was the latest version at the time of writing).

    Reference: if a newer version has been released, it will be listed on the download page above, and the version number will appear in the file name. The downloaded file goes to your "Downloads" folder, normally C:\Users\<your user name>\Downloads. Before running any security tool obtained from a download site, check the file's digital signature (Properties > Digital Signatures) and that the publisher is the one you expect.

  4. Open the "Control Panel" tab on the left and click "Scan".

  5. Wait for the scan results. AdwCleaner is known for its speed, so the scan will not take long.

  6. When the program shows the scan results and the malicious files found, click "Clean and restore".

Important! After you click this button, AdwCleaner warns that the computer will restart, so save your current work first (a Word document, a Photoshop image, a project in FL Studio, a game save). Save everywhere you can, then confirm the reboot.

After scanning and cleaning the computer, the article recommends "doing the same with the registry" using CCleaner. CCleaner checks the registry for orphaned and inconsistent entries and is widely used to speed up the computer by freeing space on the system drive (C:). Be clear about what this does and does not do: a registry cleaner removes leftovers and may tidy up after the miner's files are gone, but it does not look for malware persistence. The targeted registry search described further below, together with a check of the autostart locations (Run keys, scheduled tasks, services), is what actually matters for removal.

So, to clean the registry, follow these steps:

  1. Download CCleaner. The page links to http://ccleaner.org.ua/download/; note that this is not the vendor's own domain, and security tools should be downloaded from the vendor (ccleaner.com) whenever possible. On the download page, select your OS version and click the program name; the download starts automatically.

  2. Run the file "ccsetup547.exe" (5.47 was the latest version at the time of writing). The file will be in the "Downloads" folder mentioned above.

  3. After launch, click "Install" to begin the installation.
  4. Wait for the installation to finish. The program is undemanding and installs in a matter of seconds. Afterwards you can launch it immediately by clicking "Run CCleaner". Do so.

  5. Go to the « » tab and tick every item ("Fonts" can be left unchecked). Then click "Search for problems" and wait while the program scans the registry. In most cases this takes less than a minute.

  6. When the scan finishes, click "Correct Selected". You will be offered to back up the changes. This does not affect the cleaning itself, but it is worth making the backup: it lets you undo a deletion that turns out to break something.

  7. Click "Correct marked" to fix all the errors found at once rather than going through them one by one. Then close the program.

Finally, remove the miner's own entries from the registry manually:

  1. Open the "Run" dialog by pressing Win+R.

  2. Type "regedit" in the input field and click "OK".

  3. Press Ctrl+F (or choose Find in the "Edit" menu) to search the registry.

  4. Search for "xmrig" (letter case does not matter) and click "Find Next".

  5. Delete every value or key that refers to the miner: right-click the entry and choose "Delete". Before deleting, look at what the entry actually points to. The miner is usually registered in an autostart location such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and the value data is the path to its executable: note that path, end the process, and delete the file as well. A renamed binary will not match "xmrig", so also inspect the Run keys, scheduled tasks and services for anything started from a Temp or AppData folder.

  6. Restart the computer and check Task Manager again.
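The regedit search above finds the literal string "xmrig", which a renamed binary defeats. As an added example that is not part of the article, the Python below reviews a regedit export of the autostart Run keys and flags entries by where the executable lives and what its command line looks like, independent of the file name. The .reg text is constructed; the key paths, the "Windows Registry Editor Version 5.00" header and the value escaping are the real format, and the -o / --donate-level flags are real XMRig options.

```python
"""Added example: review autostart (Run key) entries from a regedit export.

Illustrative code for this article, not a Microsoft tool. SAMPLE_REG is a
constructed export in the real .reg format. Produce a real one with
regedit (File > Export) or:
    reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg
then open it (regedit writes UTF-16) and pass the text to review_reg().
"""
import re

RUN_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Executables legitimately live in Program Files and AppData\Local\<Vendor>;
# Temp, ProgramData and Users\Public are where droppers tend to put a miner.
SUSPICIOUS_PATH = re.compile(
    r"\\(appdata\\local\\temp|windows\\temp|programdata|users\\public)\\", re.I)
# Miner command-line shapes: the xmrig name, a stratum URL, XMRig's
# "-o host:port" pool flag or its --donate-level option.
MINER_HINTS = re.compile(
    r"xmrig|stratum\+(tcp|ssl)://|\s-o\s+\S+:\d+|--donate-level", re.I)

# Constructed export. Inside .reg string values a backslash is written as
# "\\" and a quote as '\"'.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WindowsUpdate"="C:\\Users\\user\\AppData\\Local\\Temp\\svchosts.exe -o pool.example:3333 -u 4ABCDwalletEXAMPLE -p x"
"Steam"="\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line) if key else None
        if m:
            name, data = m.group(1), m.group(2)
            # Undo .reg escaping: \" -> " and \\ -> \
            data = data.replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, data


def review_reg(text):
    """Run-key entries worth a second look, as (name, command, reasons)."""
    findings = []
    for key, name, data in parse_reg(text):
        if not any(key.lower().endswith(k.lower()) for k in RUN_KEYS):
            continue
        reasons = []
        if MINER_HINTS.search(data):
            reasons.append("miner-style command line")
        if SUSPICIOUS_PATH.search(data):
            reasons.append("executable in a user-writable folder")
        if reasons:
            findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    for name, command, reasons in review_reg(SAMPLE_REG):
        print(f"{name}: {command}\n    " + "; ".join(reasons))
```

A value name that imitates a Windows component ("WindowsUpdate" here) is itself a hint, but the decisive evidence is the path and the arguments. The same review applies to the HKLM Run keys, and the Run keys are only one persistence mechanism: scheduled tasks and services deserve the same look.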

And remember: always look at which boxes are ticked when installing software, especially if it was downloaded from a dubious source!

Video - Miner virus, how to find and remove?

Browser miner

The executable miner was not hard to detect; the difficulty was in removing it. With an "online" miner it is the other way round. In fact there is nothing to remove: the script runs only while the page is open and stops when you close the tab, so the task is to detect it and block it. Detecting it requires at least superficial knowledge of web programming (in particular, the structure of an HTML page). But first things first.

How to detect

There is a popular programming language called JavaScript. Its capabilities are broad, but most often it is used to make web pages interactive and better-looking. Almost every site runs several scripts, and with JavaScript disabled you cannot even log in to VK.

Some "craftsmen" have used the language to build an online miner. It works like this: while you are on the page, the script uses your computer's resources through the browser to mine cryptocurrency. Such scripts are mainly placed on sites meant for long visits.

These include:

  • websites with online books: while you enrich your mind, the attacker, with your help, enriches his wallet;
  • film and TV series sites: watching takes a long time, which suits the attacker;
  • adult sites.

A miner virus (miner, Bitcoin miner) is malicious software whose main purpose is mining: earning cryptocurrency with the resources of the victim's computer. Ideally, from the attacker's point of view, such software works as covertly as possible, survives well and is rarely detected by antivirus programs. A "high-quality" miner virus is barely noticeable, hardly interferes with the user's work and is hard for antivirus software to detect. The main outward sign of infection is increased consumption of computer resources and, as a result, extra heat and more noise from the cooling fans. A "low-quality" miner virus additionally degrades the computer's overall performance, causes short freezes or stops some programs from working at all.

What is mining?

The word "mining" comes from the English term for extracting minerals. Mining is the process of creating new units of a cryptocurrency (coins) according to a special algorithm. Today there are about a thousand cryptocurrencies; most descend from, or borrow the design of, the best-known pioneer, Bitcoin, although many use different hashing algorithms, which is why some, such as Monero, can still be mined on ordinary processors.

Mining is the solution of complex, resource-intensive problems to obtain a unique set of data confirming the authenticity of payment transactions. The speed of finding a solution and the number of coins awarded differ between currencies, but in every case significant computing resources are required. Mining hardware performance is measured in hashes per second: megahashes (MH/s) and gigahashes (GH/s). Since the difficulty of mining the most valuable cryptocurrencies has long been out of reach for a single computer, special farms appeared (powerful industrial-scale computing systems) and mining pools (networks in which the mining work is distributed among all participants). Mining in a shared pool is the only way for an ordinary user to get at least a small share of the profit from creating coins. Pools offer various profit-distribution models, usually proportional to the work each client's hardware contributes. It is therefore clear that by herding tens, hundreds or even thousands of infected computers into a pool, attackers earn a steady profit from other people's hardware.

Mining viruses aim at long-term use of the victim's computer and, on infection, usually install auxiliary components that restore the main mining program if it is damaged, removed by an antivirus or crashes for some reason. Naturally, the main program is configured so that the mining results are credited to the attackers' accounts in the pool used. The main program is legitimate mining software, downloaded from official cryptocurrency sites or pool resources, and is not in itself malicious. You can download and install the same software on your own computer without your antivirus objecting much. This is not a sign of poor antivirus software but rather the opposite, the absence of false alarms: the only difference between mining that benefits the user and mining that benefits the attacker is who owns the results, that is, the pool account the miner is configured with.
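Because the mining program itself is legitimate, the most reliable indicator of abuse is the pool connection: miners speak Stratum, a line-based JSON-RPC protocol over TCP, and the first message carries the account (wallet) the results are credited to. As an added example that is not part of the article, the Python below classifies captured payloads as Bitcoin-style Stratum ("mining.subscribe" / "mining.authorize", used by cpuminer-type miners) or CryptoNote/XMRig-style Stratum ("login" / "submit") and extracts the agent and the pool account per flow. The log lines are constructed in the shape of real Stratum messages; the addresses come from documentation ranges and the wallet strings are placeholders.

```python
"""Added example: recognise mining-pool (Stratum) traffic and the pool account.

Illustrative code for this article, not part of any product. SAMPLE_LOG is
constructed: one TCP payload per line, prefixed with the flow, shaped like
real Stratum JSON-RPC messages. Addresses are from documentation ranges and
the wallet strings are placeholders.
"""
import json

# Bitcoin-style Stratum v1 (used by cpuminer, cgminer and similar).
STRATUM_V1_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                      "mining.notify", "mining.set_difficulty"}
# CryptoNote-style Stratum as spoken by XMRig to Monero pools.
CRYPTONOTE_METHODS = {"login", "getjob", "submit", "job", "keepalived"}

SAMPLE_LOG = [
    '10.0.0.5:51322 -> 203.0.113.7:3333 {"id":1,"jsonrpc":"2.0","method":"login",'
    '"params":{"login":"4ABCDwalletEXAMPLE","pass":"x","agent":"XMRig/6.16.4"}}',
    '10.0.0.5:51322 -> 203.0.113.7:3333 {"id":2,"jsonrpc":"2.0","method":"submit",'
    '"params":{"id":"1","job_id":"9","nonce":"a1b2c3d4","result":"00ff"}}',
    '10.0.0.9:49001 -> 198.51.100.2:443 GET /index.html HTTP/1.1',
    '10.0.0.12:50200 -> 192.0.2.20:3333 {"id":1,"method":"mining.subscribe",'
    '"params":["cpuminer/2.5.1"]}',
    '10.0.0.12:50200 -> 192.0.2.20:3333 {"id":2,"method":"mining.authorize",'
    '"params":["1BitcoinAddrEXAMPLE.rig1","x"]}',
]


def classify(payload):
    """Parse one payload; return protocol/method/account/agent, or None."""
    try:
        msg = json.loads(payload)
    except ValueError:                     # not JSON at all (HTTP, TLS, ...)
        return None
    if not isinstance(msg, dict):
        return None
    method, params = msg.get("method"), msg.get("params")
    if method in STRATUM_V1_METHODS:
        lst = params if isinstance(params, list) and params else []
        # mining.authorize: [worker_name, password]; the worker name is
        # normally "<payout address>.<rig>", i.e. the attacker's account.
        return {"protocol": "stratum-v1", "method": method,
                "account": lst[0] if method == "mining.authorize" and lst else None,
                "agent": lst[0] if method == "mining.subscribe" and lst else None}
    if method in CRYPTONOTE_METHODS:
        d = params if isinstance(params, dict) else {}
        # login: {"login": wallet[.worker], "pass": ..., "agent": "XMRig/..."}
        return {"protocol": "cryptonote", "method": method,
                "account": d.get("login") if method == "login" else None,
                "agent": d.get("agent") if method == "login" else None}
    return None


def find_mining_flows(log_lines):
    """Per (src, dst) flow with Stratum traffic: protocol, agent, account, count."""
    flows = {}
    for line in log_lines:
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "->":
            continue
        src, _, dst, payload = parts
        hit = classify(payload)
        if hit is None:
            continue
        f = flows.setdefault((src, dst), {"protocol": hit["protocol"],
                                           "account": None, "agent": None,
                                           "messages": 0})
        f["messages"] += 1
        f["account"] = hit["account"] or f["account"]
        f["agent"] = hit["agent"] or f["agent"]
    return flows


if __name__ == "__main__":
    for (src, dst), f in find_mining_flows(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {f['protocol']} {f['agent']} account={f['account']}")
```

The account string is the piece of evidence the rest of the page keeps circling back to: it is what distinguishes your own miner from the attacker's. Two caveats: pools increasingly accept TLS (stratum+ssl), which hides the payload, and then you fall back on the destination and port and on which process owns the connection ("netstat -b" as administrator, or the TCP/IP tab in Process Explorer); and a proxy-style miner may talk to an intermediate host rather than to a public pool.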

As already mentioned, the main sign of infection by a miner is intensive resource use by some program, accompanied by more noise from the system unit and higher component temperatures. In a multitasking environment the virus usually runs at the lowest priority, using system resources only when the computer is idle. The picture is this: the computer is doing nothing, yet its component temperatures and fan noise resemble a very demanding shooter running. In practice, though, there have been cases where the mining program was left at normal priority, which caused a sharp drop in usable performance: the computer "lagged" terribly and was almost impossible to use.

Removing a miner using a rollback to a restore point

The simplest way to get rid of unwanted software is to return Windows to a previous state using restore points, often called a system rollback. This requires a restore point created before the infection occurred. To launch the recovery tool, press Win+R and type rstrui.exe in the Run box, or use the main menu: Programs – Accessories – System Tools – System Restore. Then select the desired restore point and roll back to it. If the rollback succeeds, in most cases the malware is removed without special effort. Keep in mind that System Restore reverts system files, the registry and program installations; it is not designed as a malware-removal tool, so afterwards check that the malicious processes and files are actually gone. If there is no suitable restore point, or the rollback did not neutralize the malware, you will have to look for more involved ways to solve the problem. In that case you can use standard operating-system tools or specialized programs that let you search for and terminate processes, inspect their properties, view and modify program startup points, check publishers' digital signatures, and so on. Such work requires a certain level of user skill: familiarity with the command line, the Registry Editor and other utility programs. Running several antivirus scanners from different vendors, system cleaners and unwanted-software removers may not give a positive result, and in the case of a miner it usually does not.

Finding and removing a miner using utilities from the Sysinternals Suite

The difficulty of identifying programs used for mining is that most antivirus products do not detect them, because they are not actually viruses. The antivirus may block the installation stage of the miner, since that stage uses unusual tools, but if it does not, you will most likely have to find and remove the program (malicious from the point of view of the owner of the infected computer) by hand. For reference, in June 2017 the typical detection rate for such software on the well-known VirusTotal service was 15-20 out of 62: of 62 antivirus engines, only 15-20 classified it as malicious, and the most popular, high-quality engines were not among them. For well-known miners, or ones discovered relatively recently, detection may be higher thanks to signatures in antivirus databases and additional measures taken by the vendors. But none of this guarantees that the miner can be removed without extra effort on your part.

Below is a practical case of a system infected with mining malware. The infection came through modified (cracked) games downloaded from one of the untrusted torrent trackers, although the vector could have been any other one used by malware in general: following links on unverified sites, opening mail attachments, and so on.

The set of mining malware working for the attacker implements the following functions:

Ensuring its own automatic start. One or more programs modify registry keys so that they start automatically after an unexpected shutdown, a reboot or a power failure. Periodically (about once a minute) the registry keys are checked and, if they have been tampered with (deleted or changed), restored.

Automatic launch of the mining program. The miner also starts automatically, and its autorun settings are monitored and restored by one or more auxiliary programs.

While the processes that provide automatic startup are running in memory, there is no point in deleting executable files and registry entries: they will simply be restored. The first step, therefore, is to identify and forcibly terminate all processes that ensure the automatic restart of the malicious programs.

To find and eliminate a miner in modern operating systems you can use the standard tools or, for example, the more capable utilities of the Sysinternals Suite from Microsoft:

- Process Explorer lets you view details about processes, threads, resource usage and so on. You can change priorities, suspend (resume) processes, and kill individual processes or whole process trees. The utility is convenient for analyzing process properties and hunting for malware.

- Autoruns is a convenient tool for controlling program autostart. It covers almost all automatic startup points, from startup folders to scheduler tasks, and lets you quickly find and isolate programs you do not want to run.

As auxiliary software you can also use Process Monitor, which in difficult cases lets you watch the activity of specific programs with filters (registry, file system, network access, etc.), and the SearchMyFiles utility from NirSoft, which is convenient for searching files and folders; its main feature is the ability to search by NTFS timestamps. You can specify creation, modification and access time ranges (Created, Modified, Accessed) as search criteria, so if the approximate time of infection or compromise is known, you can collect a complete list of files created or modified during that period.

But I repeat: to find and remove miners, as a rule, the standard Windows tools are enough, Task Manager and the Registry Editor. The software listed above is simply easier and more convenient for finding malware.

System resource usage as displayed by Process Explorer:

The CPU column shows the processor utilization of each process. System Idle Process is not a real process but Process Explorer's representation of idle time. We can see that the processor is idle 49.23% of the time, a few processes use hundredths of a percent, and the main consumer of the CPU is the process system.exe at 49.90%. Even a superficial look at the properties of system.exe reveals facts that raise reasonable suspicion:

Strange description (Description): Microsoft Center

Strange company name (Company Name): www.microsoft.com. Other processes that really belong to Microsoft carry Microsoft Corporation in this field.

A more detailed analysis is done through the context menu (right mouse button), Properties item:

The executable path ProgramData\System32\system.exe is also clearly suspicious: the legitimate System32 lives under C:\Windows, and there is no Windows binary called system.exe (the real System process is part of the kernel and has no image file). Going to the folder with the executable via the Explore button showed that both the folder and the executable carry the "Hidden" attribute. And the command-line parameters:

-o stratum+tcp://xmr.pool.minergate.com:45560 --donate-level=1 -u [email protected]*-p x -t 2 -k

clearly indicate that the system.exe process is a mining program: -o points it at a stratum pool on pool.minergate.com, -u is the pool account, -t 2 limits it to two threads, and --donate-level=1 is the developer-fee option of the popular open-source CPU miners.

The Autostart Location field contains n/a, meaning Process Explorer found no autostart point for this process. The parent of system.exe had PID 4928 and no longer exists (Non existing Process), which most likely means the process was launched by a batch file or by a program that exited after starting it. The Verify button forces a check of the digital signature of the process's image file; for a genuine Microsoft binary the result would be (Verified) Microsoft Windows.

The Kill Process button terminates the current process; the same can be done from the right-click context menu of the selected process.

The TCP/IP tab lists the network connections of the system.exe process:

As you can see, system.exe has an established connection from the local computer to the remote server static.194.9.130.94.clients.your-server.de:45560. The port matches the pool port in the command line, and the generic reverse-DNS name is a hosting provider's naming scheme for rented servers.

In this real case the system.exe process had minimal priority and had almost no effect on other processes that did not need many resources. To judge the impact on the behavior of an infected system, you can raise the miner's priority to that of ordinary programs and observe how much the useful performance of the computer degrades.
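The checks just made by hand in Process Explorer (a command line pointing at a stratum pool, an executable with a system-like name in a hidden ProgramData folder, a live connection to the pool port) can be scripted so they are applied to every process the same way. The following Python is an added example written for this article, not code from the page, from Process Explorer or from the miner. It runs on a constructed record copied from what Process Explorer showed above, with the redacted pool account replaced by worker@example.invalid; the flag table, directory list and helper names are my own assumptions.

```python
"""Triage a suspicious process from its command line and its TCP connection.

Added example for this article, not code from the original page or from any
miner or Sysinternals tool. The input record is constructed by hand from what
Process Explorer showed for system.exe; the pool account, which the article
redacts, is replaced with a placeholder. Helper names are my own.
"""
from urllib.parse import urlsplit

# Options that take a value in common stratum CPU miners (assumed from public
# miner documentation; the article shows just the one command line).
VALUE_FLAGS = {"-o", "--url", "-u", "--user", "-p", "--pass", "-t", "--threads"}
# Options that take no value.
BOOL_FLAGS = {"-k", "--keepalive"}

# Directories an ordinary user (and therefore a dropper) can write to.
WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Names of Windows binaries that malware likes to borrow. There is no genuine
# system.exe at all: the real System process is the kernel and has no image file.
SYSTEM_LOOKALIKES = {"system.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                     "services.exe", "winlogon.exe", "explorer.exe"}


def parse_miner_cmdline(cmdline):
    """Return pool host/port, account, thread count and the flags seen, or None
    if the command line does not point at a stratum pool."""
    argv = cmdline.split()
    opts = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:           # --donate-level=1
            key, val = tok.split("=", 1)
            opts[key] = val
        elif tok in BOOL_FLAGS:                           # -k
            opts[tok] = True
        elif tok in VALUE_FLAGS and i + 1 < len(argv):    # -o <url>, -t 2 ...
            opts[tok] = argv[i + 1]
            i += 1
        i += 1
    url = opts.get("-o") or opts.get("--url")
    if not url or not url.lower().startswith("stratum+"):
        return None
    parts = urlsplit(url)   # handles stratum+tcp://host:port like any other scheme
    return {
        "pool_host": parts.hostname,
        "pool_port": parts.port,
        "account": opts.get("-u") or opts.get("--user"),
        "threads": int(opts.get("-t") or opts.get("--threads") or 0),
        "donate_level": opts.get("--donate-level"),
        "flags": sorted(opts),
    }


def triage(proc):
    """Collect the indicators the article checks by hand: miner command line,
    image location, name masquerade, and a live connection matching the pool."""
    findings = []
    parsed = parse_miner_cmdline(proc["cmdline"])
    if parsed:
        findings.append("stratum miner command line: pool %s:%s, %d threads"
                        % (parsed["pool_host"], parsed["pool_port"], parsed["threads"]))
    path = proc["image_path"].lower()
    if any(d in path for d in WRITABLE_DIRS):
        findings.append("image runs from a user-writable directory: " + proc["image_path"])
    if path.rsplit("\\", 1)[-1] in SYSTEM_LOOKALIKES and not path.startswith("c:\\windows\\"):
        findings.append("image name imitates a Windows system binary outside C:\\Windows")
    host, port = proc["remote"]
    if parsed and port == parsed["pool_port"]:
        findings.append("established TCP connection to %s:%d matches the pool port" % (host, port))
    return findings


# Constructed record in the shape of what Process Explorer displayed above.
SAMPLE_PROCESS = {
    "name": "system.exe",
    "image_path": "C:\\ProgramData\\System32\\system.exe",
    "cmdline": "C:\\ProgramData\\System32\\system.exe -o stratum+tcp://xmr.pool.minergate.com:45560 "
               "--donate-level=1 -u worker@example.invalid -p x -t 2 -k",
    "remote": ("static.194.9.130.94.clients.your-server.de", 45560),
}

if __name__ == "__main__":
    for line in triage(SAMPLE_PROCESS):
        print("[!]", line)
```

On a live system the same record can be built from the output of Process Explorer, Task Manager's "Command line" column, or wmic/PowerShell process queries plus netstat; the port match between the command line and the established connection is the strongest single signal, because the pool's DNS name rarely appears in the reverse DNS of the server it resolves to.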

When the system.exe process is forcibly terminated, it starts again after a few seconds, so the restart is provided by some other program or service. Continuing down the process list, the first one to attract suspicion is Security.exe.

As you can see, Security.exe is launched from an autostart point in the standard user Startup menu, and the executable Security.exe is located in the same hidden folder C:\ProgramData\System32.

The next step is to forcibly terminate Security.exe and then system.exe. If system.exe no longer restarts, you can proceed to deleting the malicious files and the system settings that support the malware. If system.exe starts again, the search for the helper programs that launch it must continue. As a last resort you can terminate all non-system processes one at a time, killing system.exe after each, until it stops coming back.

To find and disable autorun points, it is convenient to use the Autoruns utility from the Sysinternals Suite:

Unlike the standard msconfig.exe tool, Autoruns shows almost every automatic-start mechanism that exists on the system. By default everything is shown (the Everything tab), but if necessary you can filter entries by type by switching to the tabs at the top of the window (Known DLLs, Winlogon, ... AppInit).

When looking for entries that let malware autorun, the first thing to check is the absence of a publisher's digital signature in the Publisher column (enable Options – Scan Options – Verify Code Signatures so that Autoruns actually checks the signatures rather than just showing the company name from the file's version resource). Almost all modern legitimate programs are digitally signed; the rare exceptions are mostly small third-party utilities and some older drivers or services. The second warning sign is an empty Description column. In this particular case the suspect entry is the one that opens the Security.lnk shortcut in the user's startup folder:

C:\Users\Student\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

The shortcut points to the file c:\programdata\system32\security.exe

The Time Stamp gives the date and time the system was infected: 06/23/2017 19:04

Any entry displayed by Autoruns can be deleted or disabled, with the option of restoring it later. To delete, use the context menu or the Del key; to disable, uncheck the entry.

Once the watchdog and miner processes have been killed and the autostart entry removed, the hidden folder c:\programdata\system32\ can be deleted together with all its contents. Then reboot and verify that the malicious processes do not return.
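The Autoruns criteria used above (no publisher signature, no description, a binary in a user-writable folder, a Startup-folder shortcut, a fake System32 directory, and a timestamp after the suspected infection) can be applied to an exported listing, which is useful when there are hundreds of entries or several machines to check. The following Python is an added example for this article, not code from the page or from Sysinternals; it parses a constructed CSV in the shape of `autorunsc.exe -a * -c -s -t` output (the column names are assumed from that export and trimmed to those used, and the scoring weights are my own).

```python
"""Rank the entries of an Autoruns CSV export by how much they look like
malware persistence, using the signals the article checks by eye.

Added example for this article, not code from the page or from Sysinternals.
The CSV is constructed in the shape of `autorunsc.exe -a * -c -s -t` output
(column names assumed from that export and trimmed to those used here).
"""
import csv
import io

# Constructed sample: the Security.lnk entry from the article plus two benign
# entries for contrast. Hash columns omitted.
SAMPLE_CSV = r'''Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
20170623-190400,C:\Users\Student\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup,Security.lnk,enabled,Logon,DESKTOP\Student,,,,c:\programdata\system32\security.exe,,c:\programdata\system32\security.exe
20170315-101200,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.15063.0,%windir%\system32\SecurityHealthSystray.exe
20170410-083000,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ExampleUpdater,enabled,Logon,DESKTOP\Student,Example update helper,(Not verified) Example Software,Example Software,c:\program files\example\updater.exe,2.1.0.0,c:\program files\example\updater.exe /background
'''

WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
PROGRAM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def load_autoruns_csv(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def score_entry(row):
    """Return (score, reasons). Weights are my own choice, not an Autoruns feature."""
    reasons = []
    signer = row.get("Signer") or ""
    if not signer:
        reasons.append(("no publisher / unsigned", 3))
    elif not signer.startswith("(Verified)"):
        reasons.append(("publisher signature not verified", 2))
    if not (row.get("Description") or "").strip():
        reasons.append(("no description", 1))
    image = (row.get("Image Path") or "").lower()
    if any(d in image for d in WRITABLE_DIRS):
        reasons.append(("image in a user-writable directory", 3))
    if (row.get("Entry") or "").lower().endswith(".lnk") and not image.startswith(PROGRAM_DIRS):
        reasons.append(("startup shortcut to a binary outside program directories", 2))
    if "\\system32\\" in image and not image.startswith("c:\\windows\\"):
        reasons.append(("System32 directory outside C:\\Windows", 3))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def rank_entries(rows, since=None):
    """Most suspicious first. `since` is a YYYYMMDD-HHMMSS string in the
    normalized UTC format autorunsc -t writes; older entries are skipped."""
    ranked = []
    for row in rows:
        if since and (row.get("Time") or "") < since:
            continue
        score, reasons = score_entry(row)
        ranked.append((score, row["Entry"], row["Image Path"], reasons))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, entry, image, reasons in rank_entries(load_autoruns_csv(SAMPLE_CSV)):
        print("%2d  %-16s %s" % (score, entry, image))
        for r in reasons:
            print("      - " + r)
```

The time filter reproduces the SearchMyFiles trick from earlier in the article at the persistence layer: once the infection time is known from one entry, everything registered after it deserves a look, regardless of how it scores.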

According to various sources, between 7 and 10 million computers are infected with hidden miners. The malware is most common in China, Singapore, America and Europe, and less so in Russia, although some estimates put the share of Russian computers engaged in covert mining at about 25%. There are no official statistics, since the code is difficult to detect. What harm do these programs do, and how do they use the computing resources of other people's equipment to make money for their creators?

Most ordinary users do not know what the process called mining is, and therefore do not appreciate the danger of these programs.

Covert mining, in simple terms, is solving the mathematical problems described above using someone else's processor or video card.

Hidden mining runs on any device with a processor:

  1. On smartphones and tablets, where Android most often suffers from miner malware.
  2. On desktop computers and laptops, where Windows is the most commonly targeted operating system.

While the unsuspecting owner of the equipment goes about his business, works with documents, watches a film or plays a game, the attacker collects cryptocurrency for the computations the processor performed.

Some miner families spread on their own from one machine to another and can infect home and office networks. They bring hackers especially large sums when they get into a bank's or a research center's network, where many powerful computers run around the clock.

Consequences of infection by a miner


Mining demands a lot from a computer or smartphone, which means the hardware is placed under heavy load. The consequences are:

  1. Accelerated wear. Fans and thermal interfaces suffer most, and a processor kept at full load and high temperature for months will not last as long.
  2. Overheating. Rising temperature slows the device down: the computer or smartphone begins to lag, freeze or reboot constantly. In the last case the hackers get nothing, but the owner cannot use the equipment normally either.
  3. Failure. If a smartphone or PC is built from low-quality parts, the constant load can destroy a component outright.

In specialized mining farms and data centers a great deal of attention is paid to cooling. There is a high-quality uninterrupted power supply and protection against power surges. Miners try to calculate the load so that ASICs and video cards are profitable yet remain operational for a long time.

Hackers do not spare other people's equipment and try to squeeze the maximum out of it. Home computers and smartphones do not have a high-quality cooling system, and do not need one in normal use. Owners usually do not monitor processor temperature, and the system cannot cool itself beyond what its fans allow, so sooner or later the equipment fails.

The owner will also see higher electricity bills as a result of the malware. This is especially noticeable in home networks of two or more computers.

Types of virus miners


There are two main types of mining malware: browser-based and desktop.

Browser miners are less dangerous than desktop ones because the malicious code is not saved to the computer. A script miner does not load the processor quite as heavily, but if a person visits the infected site regularly, the hardware still suffers.

The rarest type is mobile, because a smartphone's processor is far weaker than a computer's, so mining on phones is less profitable for attackers.

Ransomware, which takes users' personal files hostage by encrypting them and demands a ransom in cryptocurrency, is not a miner.

The names of mining malware families are not mentioned in the press very often, because such software is hard to detect and to tell apart. Here are 3 known families.

Hackers constantly improve their code and create new variants.

For example, until about 2017 miners could easily be spotted with Task Manager, the panel showing processor load; in Windows it is opened by pressing Ctrl+Alt+Del and choosing Task Manager (or directly with Ctrl+Shift+Esc).

Many modern desktop miners watch for Task Manager and pause mining the moment it is launched, so that the extra processor load does not give them away. Browser scripts do not do this yet, so if a tab that is not playing a long Full HD video puts more than about 30% load on the CPU, that points to a miner script.

How can you become infected with the virus?


Browser miners can be found on sites of absolutely any topic, not necessarily about cryptocurrency. Lately scammers have favored "female" topics:

  • cooking;
  • raising children, family relationships;
  • psychology;
  • handicrafts and gardening;
  • pet care;
  • health and beauty, manicure;
  • astrology, Tarot, mysticism, etc.

Visitors to such sites usually know less about computers than, say, programmers, and are therefore easier to exploit. They may return to the same site many times, giving the attackers the opportunity to earn again and again.

Browser miners are often planted on sites where a visitor spends more than 10 minutes. The following kinds of web resources are exposed:

  1. Online cinemas, especially with full-length films over an hour long.
  2. Online music services.
  3. Online games.
  4. Services for drawing, creating business-card templates, etc.

The owners of such sites often have no idea that a miner script is on their resource. The code can be inserted not only by hackers but also by people working for the webmaster, for example a programmer, layout designer or content manager, or anyone with administrator access to the site.

The second type, desktop miners, infects computers through downloaded files and programs:

  • films and music;
  • books and other texts;
  • drivers, for example for a printer, etc.

A miner can be bundled with a cryptocurrency wallet download. The attackers' logic is clear: if a person wants a wallet, he probably owns fairly powerful hardware suitable for mining, and there is good money to be made on it.

The miner's code can be combined with other malicious programs, for example ones that steal money from a wallet or capture and send passwords, PIN codes, private keys and seed phrases to the attackers.

GPU miners are especially often built into cracked computer games and cheats for them. Gamers notice the unwanted code fairly quickly from the drop in FPS (frames per second) and try to remove the game, but the miner stays behind in the system files.

Hackers use various tricks to make a person download the file they need:

  1. Hijacking accounts in messengers and social networks. A file is sent to all of the victim's contacts, for example a picture captioned "Look how funny you came out in this photo!", a text file with the comment "I've wanted to tell you this for a long time, and now I've finally decided", or an audio track "This song reminds me of you, be sure to listen!". Skype is especially weak here, since it does not allow viewing files without downloading them.
  2. Email campaigns. Hackers are well versed in social engineering and send messages people cannot ignore, for example a letter from a bank or from the tax office.

After downloading such a file the person may realize he has been deceived and run an antivirus, but against a well-made miner this will not help.

Symptoms of infection, how to recognize miner viruses


You can suspect something is wrong from the following signs:

  1. The computer's fan is noisier than usual: the system is trying to cool a hot processor. This is a consequence of miners on central processors and video cards.
  2. Video or games stutter. GPU miners cause this.
  3. The computer slows down when three or more browser tabs are open. This is a sign of a browser miner.
  4. There is an interesting class of miners that closes Task Manager after 3-5 minutes. If the user opens it and walks away from the computer, the program shortly closes it so that the Manager does not interfere with mining. Task Manager should never close on its own.

As the hardware wears, the system starts rebooting, may burn out, and eventually the equipment will not switch on at all. If the processor fails it can be replaced and the files on the hard disk are still accessible; but if the hard disk suffered from unstable power, the files will be partially or completely lost.

How the virus miner works

Mining malware works on the same principle as any other Trojan:

  1. It gets onto the computer and installs itself on drive C or another drive with system files. Sometimes it installs into the temp folder where temporary files are stored.
  2. It disguises itself as service data, for example as a browser update, or creates a folder named Windows with the Cyrillic letter "о" in place of the Latin one, indistinguishable by eye from the real operating-system folder.
  3. It starts and stops according to the schedule set by its developers.

Such malware can even update its own code while posing as a browser or driver update.
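The Cyrillic-letter trick in step 2 is invisible to the eye but trivial to catch by code: a folder name whose visible shape matches "Windows" or "System32" but which contains non-ASCII letters, or which carries the real name in the wrong location (the ProgramData\System32 folder from the case earlier in this article), is worth flagging. The following Python is an added example for this article, not code from the page; its confusables table is a small hand-picked subset of Unicode's confusables list, and the path list is constructed to stand in for what os.walk() would yield on a real disk.

```python
"""Find folders that imitate Windows system directories, either by a look-alike
name (a Cyrillic 'о' in 'Windоws') or by carrying a real system-directory name
in the wrong place (ProgramData\\System32).

Added example for this article, not code from the page. The confusables table
is a hand-picked subset of Unicode's confusables list; SAMPLE_PATHS is a
constructed list standing in for the output of os.walk() on a real disk.
"""
import unicodedata

# Where each system-directory name legitimately lives (lower-case, drive C assumed).
EXPECTED_LOCATIONS = {
    "windows": {"c:\\windows"},
    "system32": {"c:\\windows\\system32"},
    "syswow64": {"c:\\windows\\syswow64"},
    "programdata": {"c:\\programdata"},
    "program files": {"c:\\program files"},
}

# Cyrillic letters that are visually identical to Latin ones (subset).
CONFUSABLES = str.maketrans({
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u041e": "O", "\u0410": "A", "\u0415": "E", "\u0421": "C",
    "\u0420": "P", "\u0425": "X", "\u0423": "Y", "\u0406": "I",
})


def non_ascii_letters(name):
    """Every non-ASCII character in the name with its Unicode name, for the report."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in name if ord(c) > 127]


def ascii_skeleton(name):
    """Map a name to what the eye reads: compatibility-normalize, then swap
    confusable Cyrillic letters for their Latin twins."""
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLES)


def classify_dir(path):
    """Return ('ok' | 'lookalike' | 'misplaced', details) for one directory path."""
    clean = path.rstrip("\\/")
    name = clean.rsplit("\\", 1)[-1]
    skeleton = ascii_skeleton(name).lower()
    if skeleton not in EXPECTED_LOCATIONS:
        return "ok", []
    odd = non_ascii_letters(name)
    if odd:
        return "lookalike", odd
    if ascii_skeleton(clean).lower() not in EXPECTED_LOCATIONS[skeleton]:
        return "misplaced", [clean]
    return "ok", []


def scan(paths):
    """Apply classify_dir to an iterable of directory paths; return the flagged ones."""
    return [(p, verdict, details) for p in paths
            for verdict, details in [classify_dir(p)] if verdict != "ok"]


# Constructed directory list standing in for os.walk() output.
SAMPLE_PATHS = [
    "C:\\Windows",
    "C:\\Windows\\System32",
    "C:\\Wind\u043ews",                 # Cyrillic о (U+043E) instead of Latin o
    "C:\\ProgramData\\System32",        # the hidden folder from the case above
    "C:\\Users\\Student\\Documents",
]

if __name__ == "__main__":
    for path, verdict, details in scan(SAMPLE_PATHS):
        print("%-10s %s  %s" % (verdict, path, details))
```

To run it against a real disk, feed scan() the directory paths produced by os.walk("C:\\"); the same skeleton comparison applies to file names such as svchost.exe, which is why the lookalike check is done on the visible shape of the name rather than on its bytes.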

How to find a miner virus on your computer and remove it?


You can deal with the malware using the following scheme:

  1. Carry out a comprehensive diagnosis.
  2. Remove the miner with an antivirus program, or manually if the antivirus does not see it. To remove it manually you need to understand exactly which file is the miner.

If a person is not confident with computers, it is best to take the equipment to professionals for diagnosis rather than try to remove the malware alone.

How to detect a hidden miner virus, the best antiviruses 2018


The following programs can be used to scan the system:

  1. Avast Free Antivirus.
  2. IObit Malware Fighter.
  3. AVG Antivirus.
  4. Panda Antivirus.
  5. Dr.Web Antivirus.

A system-information utility such as AIDA64 also gives good diagnostic results: it produces a detailed HTML report with information about all installed programs and the state of the OS as a whole, which makes unfamiliar programs easier to spot.

How to remove a miner virus from a computer, step-by-step instructions for beginners


After the scan the antivirus shows which malware it found, where the Trojan is located, and offers to remove it. There is nothing complicated about this procedure.

The miner can be removed even more reliably:

  1. Restart the computer and press F8 repeatedly as it starts. On Windows 7 and earlier this opens the Advanced Boot Options menu (a black text screen; this is not the BIOS). On Windows 8 and 10, F8 is normally disabled: use Settings – Update & Security – Recovery – Advanced startup, or hold Shift while clicking Restart, then choose Troubleshoot – Advanced options – Startup Settings.
  2. Select Safe Mode with Networking.
  3. An almost normal desktop appears, with a browser icon. Launch the browser and download one of the antivirus products mentioned above.
  4. Scan the whole system and the individual system folders. Remove everything the antivirus flags as suspicious.
  5. Restart the computer, open Task Manager, test the system by watching an HD film, and make sure the fans are no louder than usual.

Some folders are hidden from the ordinary user entirely. In Explorer, enable showing hidden files and folders (and protected operating-system files) to see them, and use the AIDA64 utility mentioned above for the diagnosis.

Some guides describe deleting specific files containing a miner. Such information is of limited use, since there are many kinds of malware and the file name can be anything. If a person does not know what normal program files look like and how they are named, there is no point hunting for a specific file by hand.