How do you detect coinminers?

kmuland
Posts: 19
Joined: 26 Oct 2024, 08:31
OS: XP, 8.0
Has thanked: 13 times
Been thanked: 10 times

Post by kmuland »

We are living in 2025 on planet Earth (not faeryland).
Guys releasing software for free are really really really few.. and today it's a problem trying to find new software and be sure that it is free of miners.
I used to get portables of every software.... but today I can't trust anyone who releases commercial software as a portable "just for free", and just as easy as "click" "download" "unrar". Everyone wants to become rich mining cryptocurrencies nowadays.

Of course using an AV, Malwarebytes or similar toys is for kids (the evil greedy guys are not idiots of course, and they check against these tools).
I bet that many 3D gamers are not aware of the problem.. powerful GPUs/CPUs, dozens of fans making noise constantly.... for me it would be hard to detect the presence of that malware on these machines.

So my question is:
What are you using nowadays to detect miners running on your computers when idle?

Nokiamies
Posts: 17
Joined: 17 Aug 2025, 16:11
Location: (Luckily) Outside ring 3
Mood: Cynical
OS: Windows ME
Been thanked: 8 times
Contact:
Finland

Post by Nokiamies »

It depends on the coinminer. If it is jabbajavascript based on some website, you can tell if it tries to get too much CPU time. The best you can do is block JS by default with something like eMatrix, disable WASM and try to avoid untrusted sites that try to force JS on.

As for programs, there is no 100% working way, as it is a mix of things. First of all, I would have something like Process Hacker 2 for monitoring full network traffic. Then use something else, like HWMonitor, to monitor GPU idle usage. If GPU usage keeps cranking up high while idle, that is usually a sign of some process utilizing it. For the network, you need to understand what is normal and what is not a normal connection, and I can't really explain it properly, but you can detect if some program that should not make requests keeps making them constantly to some odd IP address. It might also be telemetry or other spyware activity.
Hoot Hoot!
(Too bad Finnish saying "Ei Pöllömpi allekirjoitus" (not too owl signature, which can also mean not too bad signature) does not translate too well to English. Well that shall do it)
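
The combined check described in the post above (sustained load while the machine is idle, plus constant connections to one address), as an added example that is not part of the thread. The sample rows, process names, addresses and thresholds are constructed assumptions; real rows would come from exporting a GPU monitor and a connection monitor.

```python
from collections import defaultdict


def build_samples():
    """Constructed data: one row per process per minute for an hour.
    Row = (minute, process, gpu_percent, user_idle, remote_endpoint)."""
    rows = []
    for minute in range(60):
        idle = minute >= 10  # the user walks away after ten minutes
        rows.append((minute, "game.exe", 0.0 if idle else 99.0, idle, None))
        rows.append((minute, "render.exe", 90.0, idle, None))
        rows.append((minute, "telemetry.exe", 3.0, idle, "203.0.113.10:443"))
        rows.append((minute, "helper.exe", 27.0, idle, "198.51.100.7:443"))
    return rows


def flag_suspects(samples, load_floor=20.0, min_load_share=0.8,
                  min_contact_share=0.5, known_good=()):
    """Flag processes that are loaded for most idle samples AND keep
    contacting a single endpoint that is not on the allowlist.
    load_floor is deliberately low so a throttled miner still counts."""
    idle_total = defaultdict(int)                      # idle samples seen
    busy = defaultdict(int)                            # idle samples >= floor
    contacts = defaultdict(lambda: defaultdict(int))   # proc -> endpoint -> n
    for _minute, proc, gpu, idle, remote in samples:
        if not idle:
            continue  # load while the user is active is expected
        idle_total[proc] += 1
        if gpu >= load_floor:
            busy[proc] += 1
        if remote and remote not in known_good:
            contacts[proc][remote] += 1

    suspects = {}
    for proc, total in idle_total.items():
        load_share = busy[proc] / total
        # Most frequently contacted endpoint, or (None, 0) if there is none.
        endpoint, hits = max(contacts[proc].items(),
                             key=lambda kv: kv[1], default=(None, 0))
        contact_share = hits / total
        if load_share >= min_load_share and contact_share >= min_contact_share:
            suspects[proc] = {"load_share": round(load_share, 2),
                              "endpoint": endpoint,
                              "contact_share": round(contact_share, 2)}
    return suspects


if __name__ == "__main__":
    for name, info in flag_suspects(build_samples()).items():
        print(name, info)
```

Requiring both signals keeps a chatty but idle telemetry process and a busy but silent render job out of the result; a process that works offline and reports later only shows up if the samples cover a long enough period.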

Duke
Full Moderator
Posts: 360
Joined: 16 Mar 2024, 13:32
OS: Windows 8.1 x64
Has thanked: 73 times
Been thanked: 129 times

Post by Duke »

Nokiamies wrote: 18 Sep 2025, 12:24 It depends on the coinminer. If it is jabbajavascript based on some website, you can tell if it tries to get too much CPU time. The best you can do is block JS by default with something like eMatrix, disable WASM and try to avoid untrusted sites that try to force JS on.
Just use NoScript ;)

There is also this list for uBlock Origin:
https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt

You can also use some alternate DNS server like Quad9, AdGuard or DNS.Watch, which block malware sites, ads and trackers.

That's for a browser, but for software there is not much you can do. You can block it from accessing the internet with a firewall, and also use alternate DNS servers as seen before if internet access is required, but the best is to download and use stuff from a trusted source ;)

Post by Nokiamies »

Duke wrote: 18 Sep 2025, 19:00
Nokiamies wrote: 18 Sep 2025, 12:24 It depends on the coinminer. If it is jabbajavascript based on some website, you can tell if it tries to get too much CPU time. The best you can do is block JS by default with something like eMatrix, disable WASM and try to avoid untrusted sites that try to force JS on.
Just use NoScript ;)

There is also this list for uBlock Origin:
https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt
It highly depends on what you want. If you want to allow a certain CDN or other things on certain sites and deny it on others, and also control media, CSS, frames etc., eMatrix will sweep the floor with NoScript. There is a version for "modern Firefox" WebExtensions (uMatrix), but I still roll on a UXP-based browser.

The downside is of course the amount of work per site eMatrix requires, but it is fine for me since there are very few sites I use and most are pretty basic.

K4sum1
Lazy Owner
Posts: 1211
Joined: 11 Jan 2021, 07:40
Location: ur dads house
OS: Windows 8.1 x64
Has thanked: 844 times
Been thanked: 468 times
Contact:
United States of America

Post by K4sum1 »

I'm not sure I've run into a malicious coinminer before. r3dfox (Firefox) has built-in cryptominer blocking and I also block ads and stuff with uBlock Origin, but even on my phone, where I run Vivaldi with the built-in adblock, it's never been an issue. For software I download, I run it through VirusTotal, which scans it with everything.

If something got past all of that, then I would notice my CPU or GPU pinned to 100%, or hell even 25% if they try to be smart. I'd notice the fan noise and slowness that would cause. I'd go to task manager and see what is using up all of that. This has yet to happen to me.

My question is:
Is this actually an issue?
I don't know what I'm doing hit album by Brad Sucks

The-10-Pen
Posts: 134
Joined: 16 Feb 2025, 08:43
OS: Win10 2016 LTSB
Has thanked: 2 times
Been thanked: 40 times
United States of America

Post by The-10-Pen »

K4sum1 wrote: 19 Sep 2025, 00:30 I'm not sure I've run into a malicious coinminer before.

This has yet to happen to me.

My question is:
Is this actually an issue?

I simply cannot resist a semi-sarcastic half-truth smart-alec answer -- "Yes, it's an issue on p0rn sites."

Post by kmuland »

Nokiamies wrote: 18 Sep 2025, 12:24 It depends on the coinminer. If it is jabbajavascript based on some website, you can tell if it tries to get too much CPU time. The best you can do is block JS by default with something like eMatrix, disable WASM and try to avoid untrusted sites that try to force JS on.

As for programs, there is no 100% working way, as it is a mix of things. First of all, I would have something like Process Hacker 2 for monitoring full network traffic. Then use something else, like HWMonitor, to monitor GPU idle usage. If GPU usage keeps cranking up high while idle, that is usually a sign of some process utilizing it. For the network, you need to understand what is normal and what is not a normal connection, and I can't really explain it properly, but you can detect if some program that should not make requests keeps making them constantly to some odd IP address. It might also be telemetry or other spyware activity.
The suspicious GPU activity is the main way I use to check for these miners.. I would also recommend checking with different GPU usage monitors.. because some of them do not show all the activity of your GPU... or bypass some apps (the evil guys that include miners abuse that "weakness").
K4sum1 wrote: 19 Sep 2025, 00:30 My question is:
Is this actually an issue?
For me yes.. because I use really weak computers (atom netbooks/celerons) and I need all the hardware performance to do my tasks not theirs.

Another big problem is "lite/gaming tweaked OSes". Many of these releases include the crap. A pity... because stripped OS releases were great in the past.. a simple way to boost your computer (microXP days)

Post by K4sum1 »

kmuland wrote: 19 Sep 2025, 16:55
K4sum1 wrote: 19 Sep 2025, 00:30 My question is:
Is this actually an issue?
For me yes.. because I use really weak computers (atom netbooks/celerons) and I need all the hardware performance to do my tasks not theirs.
I don't mean it like that, I mean are coinminers actually something you'd come across enough to need to look out for one?

Bird
Posts: 21
Joined: 17 Mar 2021, 18:43
Been thanked: 4 times
Germany

Post by Bird »

Shift the focus away from the GPU and look solely at what's happening on your machine's network interface. Because cryptominers would have to get their information across the internet, else it would be useless, sitting on a metal box below some desk, right?

Now if you want to become boss of your system, you have to check for every connection that your computer is doing and decide, whether you want to have it in your system or whether to dump it.

Can recommend Wireshark as a good tool for looking at network traffic. Then you need to figure out a solution for actually blocking connections.

Regardless of cryptominers, you will free up resources this way, which especially old machines are grateful for.

Post by kmuland »

Bird wrote: 20 Sep 2025, 07:59 Shift the focus away from the GPU and look solely at what's happening on your machine's network interface. Because cryptominers would have to get their information across the internet, else it would be useless, sitting on a metal box below some desk, right?
Miners that I detected in lite OSes use the GPU even on offline computers. Probably the miner will share its findings when connected.

Post by kmuland »

K4sum1 wrote: 19 Sep 2025, 23:20
kmuland wrote: 19 Sep 2025, 16:55
K4sum1 wrote: 19 Sep 2025, 00:30 My question is:
Is this actually an issue?
For me yes.. because I use really weak computers (atom netbooks/celerons) and I need all the hardware performance to do my tasks not theirs.
I don't mean it like that, I mean are coinminers actually something you'd come across enough to need to look out for one?
Sorry, I didn't understand you (I'm not a native English speaker).

In my case I rely on stripped OSes to upgrade my computers when I have to use newer programs beyond XP... and believe me that today it is really hard to find lite OSes without a miner included. For the last 5 years almost all OS modders that I knew include miners. I deleted tons of releases because of that. I can't trust anybody. I know that we are living in hard times... and really few people do releases for the community and not for their own benefit.

If this is a problem in modded OSes... I can imagine that the rest of software will not be free of that plague.

Post by K4sum1 »

For me, I've tried like 5 or more different stripped down Windows 10 ISOs, and as far as I can tell none of them had any cryptominers. Most recently I've been using Windows X-Lite (19045.3757) 'Micro 10' SE [x64] by FBConan.iso and I have it on a Windows 10 gaming PC, and various VMs used for compiling stuff (r3dfox mostly). I'm big into debloating and having minimal background usage, so I'd notice if a cryptominer started running and was using up resources.

Post by Bird »

kmuland wrote: 20 Sep 2025, 08:15 Miners that I detected in lite OSes use the GPU even on offline computers. Probably the miner will share its findings when connected.
Hm, you're right, that would be really sophisticated, but it is possible, if the miners would actually do work even when being offline, especially since on Windows 10 "Shut Down" doesn't mean shutting down the computer anymore.
In that case, you'd see any activity by monitoring network traffic over a longer period, maybe a whole day.
kmuland wrote: 20 Sep 2025, 08:23 For the last 5 years almost all OS modders that I knew include miners.
Could you name some names? Those deserve to be called out!

Post by The-10-Pen »

I've run "micro" and "lite" and "tiny" and *several* FBConan OS's.
When it comes right down to it, I personally DO *NOT* TRUST ANY OF THEM !!!
MORE IMPORTANTLY, I GET MUCH BETTER RESULTS DOING THE MOD'S MYSELF !!!
Just DO IT YOURSELF and make your OWN mod'd OS using things like NTLite and WinReducer.

Post by kmuland »

Bird wrote: 21 Sep 2025, 16:12
kmuland wrote: 20 Sep 2025, 08:23 For the last 5 years almost all OS modders that I knew include miners.
Could you name some names? Those deserve to be called out!
I'll not point my finger at anyone.

Just think about YouTube.
There are people that upload a video someday.. when they are happy, when they have time to share something interesting for the community.
On the other hand there are people that upload several videos daily... because their job is to make videos... because a channel with more videos will receive more money. (I think you get what I mean)

So ... think about these guys that release a new modded OS version each week/month. Like a weekly full-time job as OS modder.

My full respect for all the good guys and friendly souls that continue releasing things for free and do not look for their own benefit, but the happiness of the community.
Of course OS modders and computer enthusiasts that try to improve and help people to use a less bloated OS exist... so my blessings to all these good guys that survive.

Post by The-10-Pen »

kmuland wrote: 23 Sep 2025, 11:12 I'll not point my finger at anyone.
I strongly disagree!

If something like an FBConan OS becomes so "popular" here at Eclipse Community that "several" of us start using it because they heard about it from HERE (Eclipse Community), then if anybody finds it to upload telemetry to whoknowswhere, then the ECLIPSE COMMUNITY *owes it* to the ECLIPSE COMMUNITY to share that finding!

Post by K4sum1 »

The-10-Pen wrote: 21 Sep 2025, 19:49 I've run "micro" and "lite" and "tiny" and *several* FBConan OS's.
When it comes right down to it, I personally DO *NOT* TRUST ANY OF THEM !!!
MORE IMPORTANTLY, I GET MUCH BETTER RESULTS DOING THE MOD'S MYSELF !!!
Just DO IT YOURSELF and make your OWN mod'd OS using things like NTLite and WinReducer.
I tried it myself in the 1809-2004 days, and found the results to be unreliable at best. So I just use these premade ones since they're better than what I could do.

Sounds like you should release your mod here if you feel so strongly about it.
The-10-Pen wrote: 23 Sep 2025, 11:21 If something like an FBConan OS becomes so "popular" here at Eclipse Community that "several" of us start using it because they heard about it from HERE (Eclipse Community), then if anybody finds it to upload telemetry to whoknowswhere, then the ECLIPSE COMMUNITY *owes it* to the ECLIPSE COMMUNITY to share that finding!
Only Microsoft telemetry

Post by The-10-Pen »

K4sum1 wrote: 23 Sep 2025, 11:45 Sounds like you should release your mod here if you feel so strongly about it.
I basically *DID*, even some process-count and RAM-consumption screencaps.
I shared the config files on how to create and what software to use.
OVER NINE HUNDRED downloads but no replies.
So I moved on, nobody here wants to do the legwork, they just want to download an .iso instead of creating that .iso.
I personally disapprove of that approach - I'll take instructions any day of the week so that I can walk through them and witness how "trustworthy" they are.

UCyborg
Posts: 91
Joined: 19 Nov 2024, 19:14
OS: Windows 10 x64
Has thanked: 27 times
Been thanked: 28 times
Slovenia

Post by UCyborg »

K4sum1 wrote: 20 Sep 2025, 22:49 Most recently I've been using Windows X-Lite (19045.3757) 'Micro 10' SE [x64] by FBConan.iso and I have it on a Windows 10 gaming PC, and various VMs used for compiling stuff (r3dfox mostly).
Does it speed up build time compared to regular build?
