Newly discovered cryptojacking code is designed to kill off its rivals

Posted: 6 March 2018 6:08 pm

Newly discovered cryptojacking code is designed to eliminate rivals and take more power for itself.

Freelance security consultant Xavier Mertens has discovered new cryptojacking code that searches for and eliminates rivals before going to work. It's designed to hunt for other processes that use a lot of CPU cycles and kill them.

Cryptojacking is when someone unknowingly mines cryptocurrency for another person. It's not dangerous per se, but it can slow computers to a crawl by diverting their processing power to crypto mining. Cryptojacking can take a few different forms. One of the more common methods is to infect websites with malicious code that saps the processing power of those who visit the page. Such code has been discovered on government websites, and even running as ads on YouTube and embedded in Microsoft Word documents.

These browser-based miners will usually stop mining once you leave the page, which closes the program. As such, the trickier but more valuable option for cryptojackers is to infect computers outright, so the miner keeps mining cryptocurrency as long as the machine is switched on. It's more valuable because it runs for a lot longer, but more challenging because it means actually infecting someone's computer.

That's what this particular piece of malware does. It poses as HP drivers, and the victims it searches for include a lot of ordinary Windows processes. But it also searches for a range of common cryptojacking and mining processes, and eliminates them as well.

It makes a lot of sense. There's only so much processing power to go around, and there's no point in leaving rivals around. Plus, as time goes by, it seems more likely that the easier-to-infect targets have been struck already. And in a sense, the perfect target is someone who doesn't know their machine has been infected and is happy to keep using it for a long time while unintentionally mining cryptocurrencies.


Conveniently, Mertens' dissection of the murderous cryptojacker's code gives a neat list of common mining processes.

"If you find one of these processes on a host, there are chances that it is being used to mine cryptocurrencies!" he writes.

Silence
Carbon
xmrig32
nscpucnminer64
mrservicehost
servisce
svchosts3
svhosts
system64
systemiissec
taskhost
vrmserver
vshell
winlogan
winlogo
logon
win1nit
wininits
winlnlts
taskngr
tasksvr
mscl
cpuminer
sql31
taskhots
svchostx
xmr86
xmrig
xmr
win1ogin
win1ogins
ccsvchst
nscpucnminer64
update_windows
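
The list above can be turned into a quick triage check on a Windows host. This is an added example, not code from Mertens or from the malware; it assumes process data exported with `tasklist /fo csv /nh`, and the sample rows are constructed.

```python
import csv
import io

# Process names from the list above (duplicate entry collapsed).
MINER_NAMES = frozenset("""
silence carbon xmrig32 nscpucnminer64 mrservicehost servisce svchosts3
svhosts system64 systemiissec taskhost vrmserver vshell winlogan winlogo
logon win1nit wininits winlnlts taskngr tasksvr mscl cpuminer sql31
taskhots svchostx xmr86 xmrig xmr win1ogin win1ogins ccsvchst
update_windows
""".split())


def base_name(image_name):
    """Lower-case the image name and drop a trailing .exe."""
    name = image_name.strip().lower()
    return name[:-4] if name.endswith(".exe") else name


def find_listed_processes(tasklist_csv):
    """Return (image name, pid) for rows whose base name is on the list.

    Matching is exact on the whole base name: a substring match would
    flag the legitimate winlogon.exe because "logon" is on the list.
    """
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) < 2 or not row[1].strip().isdigit():
            continue  # skip blank lines and a header row, if present
        if base_name(row[0]) in MINER_NAMES:
            hits.append((row[0], int(row[1])))
    return hits


# Constructed sample in the format of `tasklist /fo csv /nh`.
SAMPLE = '''"System Idle Process","0","Services","0","8 K"
"svchost.exe","812","Services","0","21,340 K"
"winlogon.exe","604","Console","1","9,112 K"
"svchosts3.exe","4120","Console","1","412,008 K"
"WinLogan.exe","5288","Console","1","388,120 K"
"xmrig.exe","6012","Console","1","95,664 K"
'''

if __name__ == "__main__":
    for image, pid in find_listed_processes(SAMPLE):
        print(f"review: {image} (PID {pid})")
```

A hit is a lead to investigate rather than proof of infection: taskhost, for instance, is also the name of a legitimate Windows binary, so check the file's path and signature before acting.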



Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VEN, XLM, SALT, BTC and NANO.
