Coinminers (also called cryptocurrency miners) are programs that generate Bitcoin, Monero, Ethereum, or other cryptocurrencies that are surging in popularity. When intentionally run for one's own benefit, they may prove a valuable source of income.
However, malware authors have created threats and viruses which use commonly-available mining software to take advantage of someone else's computing resources (CPU, GPU, RAM, network bandwidth, and power), without their knowledge or consent (i.e. cryptojacking). Symantec's video What is Cryptojacking? provides a three-minute overview of this threat.
Symantec has developed robust defenses against unwanted coinminers, Symantec Endpoint Protection (SEP).
Symantec products will typically raise a warning when files related to coin mining are found or running, to bring them to an administrator's attention; though open source and widely-used, mining software may be Potentially Unwanted Applications in an enterprise environment.)
Indications that a computer is mining include:
If Symantec Endpoint Protection (SEP) logs entries similar to those listed in Appendix B: Symantec signatures, this may indicate that a coinminer is active on the computer.
While some administrators may not consider coinminers a priority because the threat is not inherently destructive, as is the case with ransomware, the wasted resources and impact on performance is still viewed as a nuisance. Therefore, Symantec highly recommends that you take action.
Symantec Security Response has encountered coinminers which not only generate income for criminals, but also carry out other nefarious activities on the network, including theft of credentials. The presence of coinminers should also alert administrators that there are weaknesses in their environment.
Destructive forms of malware function using similar methods as coinminers. Eradicating miners and strengthening your network's defenses will help prevent other threats.
There are many different ways to force a computer or device to mine cryptocurrency. These are the three main types of miners:
Coin mining executables can be caught by traditional security tools, including the following components in Symantec Endpoint Protection (SEP): Antivirus, Download Insight, Advanced Machine Learning, and SONAR. Undetected malicious executables can be discovered by SymDiag's Threat Analysis Scan. The more SEP components that are installed and enabled, the greater the chance of detecting these threats.
Browser-based miners can be detected and removed by antivirus definitions (for example, PUA.WASMcoinminer and JS.Webcoinminer). Expect repeated detections in the browser's cache location as the mining code on the webpage is likely to be reloaded as long as the computer user remains viewing that page.
Numerous signatures have been built for this purpose, so ensure that IPS is installed and enabled. Also ensure that the environment's IPS policy has been configured so that mining-related Audit signatures "Block" rather than just "Log" the traffic. As a final measure, you may need to block the website which contains the browser-based miner at the firewall.
Note: It is better to have the Intrusion Prevention System (IPS) component block these miners before they reach the computer.
Advanced fileless miners like MSH.Bluwimps are inherently difficult to detect and stop. Professional expertise from Symantec Technical Support will likely be necessary, who can provide instructions on how SEP components can be configured to block the execution of these miners.
Some tips to help prevent and respond to coinminers:
When you suspect an undetected miner, see Virus removal and troubleshooting on a network
The following catalog of signatures is not comprehensive, but provides an indication of the various definitions in place to halt unauthorized mining.
Many miners are detected under signatures such as PUA.Gen.2, Trojan.Gen.2, Trojan Horse, and other general classifications.
Note: Configure Audit signatures to "Block"