Is Your Computer Being Secretly Used for Mining?

As honest miners, we may have heard of mining by means of Trojans, which may also make the headlines. Let’s discuss it here.


What is a mining Trojan?

A mining Trojan is a mining program implanted in a computer that mines without the user’s knowledge.

Mining Trojans first appeared in 2013, and the mining Trojan attacks reported in 2017 showed explosive growth.


What types of mining Trojans are there?

There are three types of mining Trojans.

I. Mining Trojan Botnet

A botnet is a huge network of puppet computers that hackers create by breaking into computers and implanting malicious programs that go on to infect more computers. Each computer in the botnet is a hacked node that can launch attacks. The hacker breaks into a computer, implants the mining Trojan, and then tries to infect other computers, creating a botnet in the end.

[Image: Botnet command and control architecture.]

II. Webpage Mining Script

The browser is one of the most frequently used pieces of software. When a user opens a web page, the browser parses the page’s content, resources and scripts and then presents the result to the user.

When a mining script is implanted in a web page, the browser parses and executes it, which makes the browser consume a large amount of the computer’s resources for mining.

The running mining script will slow down or even crash the user’s computer and seriously affect its normal use.

[Image: A webpage with mining script.]

There are many kinds of webpage mining scripts, such as Coinhive, JSEcoin, resedoper, LMODR.BIZ, MineCrunch, MarineTraffic, Crypto-Loot, ProjectPoi, etc. Most of them are open source, so it is easy for webmasters or intruders to implant mining scripts in web pages.

Common reasons for a website to be implanted with mining code are as follows:

  • The webmaster actively implants the mining code for more income.
  • The network is hijacked and the website is implanted with mining code.
  • An imported advertisement secretly carries mining code.
  • The website is hacked and implanted with mining code.
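Whichever of these routes put the code there, it ends up as a script element on the page. The following added example (not part of the original article) scans a page's script tags for the miner names listed above; the assumption is that a script's URL or inline body contains one of those names, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Names from the article's list. A name match is a lead for review, not proof (assumption).
MINER_NAMES = ["Coinhive", "JSEcoin", "resedoper", "LMODR.BIZ", "MineCrunch",
               "MarineTraffic", "Crypto-Loot", "ProjectPoi"]

def _norm(text):
    """Lowercase and drop punctuation so 'Crypto-Loot' also matches 'cryptoloot'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())
TOKENS = {_norm(name): name for name in MINER_NAMES}

class ScriptCollector(HTMLParser):
    """Collects [src, inline_body] for every <script> element on a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append([dict(attrs).get("src") or "", ""])
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def find_miner_scripts(html):
    """Return sorted (miner_name, location) pairs; location is 'src' or 'inline'."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    hits = set()
    for src, body in collector.scripts:
        for token, name in TOKENS.items():
            if token in _norm(src):
                hits.add((name, "src"))
            if token in _norm(body):
                hits.add((name, "inline"))
    return sorted(hits)

# Constructed sample page: one external miner, one inline loader, one benign script.
SAMPLE_HTML = """<html><head>
<script src="https://static.example.test/js/coinhive.min.js"></script>
<script src="/assets/jquery.js"></script></head><body>
<script>loadMiner("crypto-loot", {throttle: 0.2}); /* constructed */</script>
<p>Plain text that mentions Coinhive is not a script and is not flagged.</p>
</body></html>"""
```

Only script elements are inspected, so an article that merely mentions a miner by name is not flagged.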

III. Other Mining Trojans

Unlike the active attacks adopted by Trojan botnets and webpage mining scripts, some mining Trojans require users to run an executable Trojan program for mining.

Many such mining Trojans are profit-inducing. Some hackers disguise the mining Trojans as game plug-ins, activation tools and other applications “urgently needed” by users, while other hackers focus on application programs, such as the hook-up software and VIP video players in Internet cafes, which seem to bring users direct or indirect benefits.


Which coin do mining Trojans favor most?

Monero is the coin mining Trojans favor most, for the following reasons:

  • Good price of Monero. Although Monero cannot challenge Bitcoin in terms of the price, its price is still quite high.
  • Monero is an anonymous coin with a high level of security. An anonymous coin is a special blockchain token that conceals the amount, the sender and the receiver of a transaction. Because of this feature, no one can trace the transaction amount or the addresses of both parties in a blockchain browser, which makes it much easier for hackers to transfer Monero (Read more: The Untraceable Private Crypto Currency Monero).
  • Monero is based on the CryptoNight algorithm, which can be run on CPU and GPU computers without ASIC support.
  • There are many excellent open source Monero mining projects on the Internet, and hackers can use them “anytime”.
  • Monero is supported in the underground market.

Due to all these “advantages”, more and more mining Trojans choose Monero as the target.

According to a recent news report, the servers in some big hospitals in China were hacked. The hackers brute-forced the remote login service of the hospital servers, then downloaded many mining Trojans by means of the file-sharing function of some cloud service providers.

The attackers disguised the mining Trojan as the remote assistance tool TeamViewer. The mining Trojan detects the processes of up to 50 conventional mining programs, terminates them, and then occupies all the resources itself.

The mining Trojan can also undermine the operating system’s security features by modifying the registry: disabling UAC (User Account Control), disabling Windows Defender, and shutting down the warnings for running dangerous programs.

According to the analysis of known samples, the mining Trojans used by the attackers use multiple mining pools, and the mined altcoins include Monero (XMR), Ethereum (ETH), Zero Coin (ZEC), etc. According to the pool information, the attackers have accumulated a profit of more than 58,000 US dollars.

As many as 50% of medical institutions in China have enabled remote login services (port number: 22), which means that half of the servers may suffer similar attacks.


How is a mining Trojan botnet built?

A mining Trojan botnet is generally built in three steps.

I. Establishment of Botnet

Whether the botnet can be scaled up largely depends on its initial establishment. Hackers need a powerful weapon capable of large-scale intrusion to control more computers. That weapon is simply a tool that exploits various operating system vulnerabilities.

In April 2017, the Shadow Brokers released “EternalBlue”, an exploit tool developed by the NSA. The “WannaCry” ransomware, which caused an unprecedented impact in May 2017, was spread by “EternalBlue”. Most of the mining Trojan botnets that broke out in the first half of 2017 also relied on “EternalBlue” for their initial establishment.

“EternalBlue” has two advantages over most exploit tools:

  • No carrier is needed to launch attacks. Unlike “passive attacks” launched through browser or office software vulnerabilities, “EternalBlue” is an “active attack”: the hackers only need to send attack packets to the target, without additional operations.
  • Wide range of targets. As long as the target computer has port 445 open and has not been patched promptly, the hackers can successfully break into it. The hackers can scan the whole network for prey. Hence, “EternalBlue” has become standard equipment for mining Trojan botnets.

As more details of the vulnerabilities were revealed, a variety of “EternalBlue” tools became available. The “mateMiner” botnet, which appeared in September 2017 and grew quickly, integrated an “EternalBlue” implementation written in PowerShell.

II. Expansion of Botnets

Once the botnet takes shape, hackers need to use the existing puppet computers to attack more computers, because the benefits only become visible as the number grows. Therefore, every puppet computer in the botnet acts as an initiator of attacks, and the target is every computer on the Internet.

Exploit tools still play an important role in the expansion of botnets. After the hackers have controlled a certain number of puppets, they use them to attack more computers. Because there are so many puppet computers, scanning for and exploiting vulnerabilities on other computers is much more efficient than doing so from hacker-controlled terminals, which helps the hackers expand the botnet.

Port scanning and password cracking also boost botnet expansion. Take the “Anonymous” botnet as an example: the program carries a full-network scanning module that continuously scans a specified port on random IP addresses. If the port is open, it tries to crack the password and log in to the target computer.

III. Continuous Residency of Botnet

Whether the hacker can keep control of a puppet depends on whether the botnet can stay resident on it. The mining Trojan botnet therefore tries every means to stay resident on the puppet computer.

The best choice is to implant the botnet directly into a system process. Computers are implanted with mining Trojans and botnets for the sake of further expansion.

The most common attacks, such as server intrusions and exploits of Redis and MySQL database bugs, all aim to make the server act as a mining machine.

The process can be described as follows: the attacker scans the server’s default port; if there is no password protection, the server is easy to break into; if it is protected by a password, the password may still be cracked by brute force. The attacker then sets up scheduled tasks, implants the Trojan and starts the mining process.

The hacker uses the computer not only for mining but also as an attacker that searches for other servers, so the mining Trojan quickly infects servers across the whole network and establishes a complete mining Trojan botnet.
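The "default port, no password or a crackable password" condition described above can be checked on your own servers before a scanner finds it. This added example (not from the original article) audits a Redis configuration file, since Redis is one of the services the article names; the finding codes, the 16-character threshold and both sample configurations are constructed, and defaults are assumed to be those of Redis 3.2 or later.

```python
import ipaddress

def parse_redis_conf(text):
    """Map each directive to its argument string; later lines override earlier ones."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *rest = line.split(None, 1)
            conf[key.lower()] = "".join(rest).strip('"')
    return conf

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:  # '*' or a hostname: treat as reachable from the network
        return False

def audit_redis_conf(text, min_password_len=16):
    """Return finding codes for an exposed, unprotected or weakly protected server."""
    conf = parse_redis_conf(text)
    findings = []
    binds = conf.get("bind", "").split()
    # With no bind directive Redis listens on every interface.
    if not binds or not all(_is_loopback(a) for a in binds):
        findings.append("non-loopback-bind")
    password = conf.get("requirepass", "")
    if not password:
        findings.append("no-password")
    elif len(password) < min_password_len:
        findings.append("short-password")  # short secrets fall to brute force
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode-off")
    if conf.get("port", "6379") == "6379":
        findings.append("default-port")  # the port mass scanners probe first
    return findings

# Constructed configurations, not taken from any real server.
EXPOSED_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
"""
HARDENED_CONF = """
bind 127.0.0.1 -::1
port 6380
protected-mode yes
requirepass "constructed-long-random-passphrase-0001"
"""
```

A server that must be reachable from other hosts will still report non-loopback-bind; in that case the password, protected-mode and firewall findings are the ones to act on.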


After this introduction, do you have a clear understanding of the mining Trojan botnet? Finally, we hope that everyone pays attention to the safety of their computers and miners. Happy mining.

