This article is part of a series about cryptocurrency mining infections and exploits. The word Bitcoin in the tile is used liberally as the same principle applies to almost all cryptocurrencies. My focus here is on malicious crypto miners PEI has been engaged to remove from our customer’s systems.
Crypto Mining Architecture
The block diagram below is how a run-of the mill infection looks like. Notice there are many non-malicious parties at play here, such as DDOS protection service or legitimate miners. More on this later.
There is an obvious bottleneck here—the attacker. Chasing attackers is hard; there are thousands of them, maybe more. But, there are only a couple hundred Mining pools at most…
Why not chase the Mining Pool? And what is it anyway?
The problem is mining pools are legitimate businesses serving crypto miners. Years ago mining Bitcoin was a ‘solo’ activity. You set up your CPU or GPU to mine directly on the cryptocurrency network. Your worker program using CPU or GPU would run for a while performing mathematical computations and eventually you were rewarded with 50 Bitcoins. That’s right, fifty. This was when Bitcoin were 15 cents apiece, I remember it perfectly from when I setup my first miner.
The issue here is the length of time it took to get those 50 bitcoins, it was customary that you would not get a payout for weeks. Mining pools were invented to combat this. Instead of your worker connecting directly to the crypto currency network, you point it at a mining pool that sub-divides smaller chunks of work and doles out the payout proportionally among the workers contributing to the pool. The pool usually charges about 1% for this service.
So that’s that as far as reasons go for why a mining pool cannot be legally shut down. Not only is it a legitimate business, but it does not even require a ‘money transmitter’s’ license, or any other special license to operate. From a legal standpoint, a mining pool is just another web service provider.
DDOS Protection
From a technical perspective, mining pools are indeed load balanced farms of web servers sitting in VPC like AWS, usually behind DDOS protection from providers like Cloudflare. Even if you wanted to bring one down it may not be technically feasible.
Connection Protocols
In the good old days before pools came into existence, mining would have been trivial to spot as you would be able to see an outgoing connection to a known destination port on the crypto network. Pools however, get to set their own rule on how you get to connect to them. Most pools use port 14444, so blocking just that helps some. Other pools use custom ports and nearly all of them support SSL. Traffic analysis is difficult.
Detection
Your AV software typically does not protect you from this type of infection. You need proper IDS/IPS with a paid subscription to a monitoring service. Sure you can setup a Squid Proxy or Security Onion and just look at it, but you really need to have a subscription to a service that monitors IP addresses and identifies these threats. In the user land, even Malwarebytes pro has these capabilities; they do work…sometimes. To be certain, you absolutely have to monitor at a network level.
Prevention
Nothing exciting in this section. Same as any other malware—keep your systems patched for known vulnerabilities and keep your publicly accessible servers locked down tight.
Removal
I’ve written a bunch of posts on this here on the PEI blog; there isn’t a panacea, but finding and blocking malicious IPs is a good start. Are you getting infected with malware? Are you having problems with AV not working the way you need? Address this as soon as you can or it’s a matter of time before you’ll be dealing with an infection like this.
As always, we’re here to help, so give us a call at 303-786-7474 if you have any concerns about your systems or need help with bitcoin miner or other malware remediation.
JacobR, PEI
