
Streaming link site Alluc has also added a cryptocurrency miner, this is the future for pirate sites?


Matsuda



 

Following in the footsteps of The Pirate Bay, streaming link search engine Alluc has also added a cryptocurrency miner, hoping to generate some extra revenue through its visitors. This begs the question: Are these cryptocurrency miners the future for pirate sites?

Last weekend The Pirate Bay surprised friend and foe by adding a Javascript-based cryptocurrency miner to its website. The miner utilizes CPU power from visitors to generate Monero coins for the site, providing an extra revenue source.
 

Initially, this caused the CPUs of visitors to max out due to a configuration error, but it was later adjusted to be less demanding. Still, there was plenty of discussion on the move, with greatly varying opinions. Some criticized the site for “hijacking” their computer resources for personal profit, without prior warning. However, there are also people who are happy to give something back to TPB, especially if it can help the site to remain online.

 

Aside from the configuration error, there was another major mistake everyone agreed on. The Pirate Bay team should have alerted its visitors to this change beforehand, and not after the fact, as they did last weekend. Despite the sensitivities, The Pirate Bay’s move has inspired others to follow suit. Streaming link site Alluc.ee, often used by pirates, is one of the first. While they use the same mining service, their implementation is more elegant.
 

Alluc shows how many hashes are mined and the site allows users to increase or decrease the CPU load, or turn the miner off completely.
 

“It’s a fun way users can get rid of ads (which are disabled after the counter hits 600k) which we are happy to try since just like users we hate ads. In the current implementation, the user actually starts browsing ad-free permanently after a certain amount of hashes have been generated,” Alluc told us.
 

“When being transparent about it, providing an opt-out option and rewarding the user if he chooses to let the miner run it may have the potential of making a great widget for webmasters and users alike.”

 

Alluc.ee miner
 

 

Putting all the controversy aside for a minute, the idea to let visitors mine coins is a pretty ingenious idea. The Pirate Bay said it was testing the feature to see if it’s possible as a replacement for ads, which might be much needed in the future.
 

In recent years many pirate sites have struggled to make a decent income. Not only are more people using ad-blockers now, the ad-quality is also dropping as copyright holders actively go after this revenue source, trying to dry up the funds of pirate sites. And with Chrome planning to add a default ad-blocker to its browser, the outlook is grim.
 

A cryptocurrency miner might alleviate this problem. That is, as long as ad-blockers don’t start to interfere with this revenue source as well.
 

Interestingly, this would also counter one of the main anti-piracy talking points. Increasingly, industry groups are using the “public safety” argument as a reason to go after pirate sites. They point to malicious advertisements as a great danger, hoping that this will further their calls for tougher legislation and enforcement.
 

If The Pirate Bay and other pirate sites can ditch the ads, they would be less susceptible to these and other anti-piracy pushes. Of course, copyright holders could still go after the miner revenues, but this might not be easy.
 

TorrentFreak spoke to Coinhive, the company that provides the mining service to The Pirate Bay, and they don’t seem eager to take action without a court order.
 

“We don’t track where users come from. We are just providing servers and a script to submit hashes for the Monero blockchain. We don’t see it as our responsibility to determine if a website is ‘valid’ and we don’t have the technical capabilities to do so,” a Coinhive representative says.
 

We also contacted several site owners and thus far the response has been mixed. Some like the idea and would consider adding a miner, if it doesn’t affect visitors too much. Others are more skeptical and don’t believe that the extra revenue is worth the trouble.
 

The Pirate Bay itself, meanwhile, has completed its test run and has removed the miner from the site. They will now analyze the results before deciding whether or not it’s “the future” for them.




 Drive-by mining and ads: The Wild Wild West

 


Posted: September 25, 2017 by Jérôme Segura

There seems to be a trend lately for publishers to monetize their traffic by having their visitors mine for cryptocurrencies while on their site. The idea is that you are accessing content for free and in exchange, your computer (its CPU in particular) will be used for mining purposes.

The Pirate Bay started to run a miner on its site and later publicly acknowledged it. In other cases, the mining was a byproduct of malicious adverts or done via legitimate but compromised websites that are being injected with cryptomining code directly.

Needless to say, this practice is raising many eyebrows and not everyone is on the same page about whether this new business model could be a long-term replacement for ads (although most people agree that ads are often annoying and malicious).

But what exactly happens when publishers turn your PC into a miner and display ads at the same time? In this post, we take a look at what is arguably a bad mix.

Drive-by mining

Because mining happens in the browser via JavaScript without user interaction, we could compare it to drive-by downloads. As publishers need to retain the visitor’s attention so that the JavaScript code runs uninterrupted for as long as possible, this is where the type of content matters. We know that for example gaming or video streaming sites tend to keep people on their page much longer than others.

 

https://s7d1.turboimg.net/sp/7d666bd60ac531fc82353742c8f067c8/CPU_max.png

Figure 1: A streaming site that is (not so) silently mining cryptocurrency

 

There is one exception here: in some cases, loading the JavaScript mining code once is enough, and no matter whether the user decides to change site afterward, the mining will continue. This particular abuse technique affects Internet Explorer (i.e. the zombie script) and was identified and reported (but not fixed yet) by Manuel Caballero.

This concept of mining digital currency via the browser is a little odd at first because it is well known how resource intensive mining can be, requiring powerful machines loaded with expensive hardware. While this is true for Bitcoin, it is not for other currencies that were designed for ordinary CPUs.

Take the Monero digital currency, powered by the CryptoNight algorithm, which can be mined with a standard CPU with little difference in overall results compared to running more advanced hardware. This literally opens the door to a large and still mostly untapped market comprised of millions of typical consumer machines.

Coinhive advertises itself as “A Crypto Miner for your Website” and enables website owners to quickly set up mining by using their JavaScript API. Without a doubt, it has gained very rapid adoption but unfortunately is already being abused.

 

https://s7d8.turboimg.net/sp/e89455588460e8f4979f178df6d46e39/crypto_.png

Figure 2: JavaScript API/code from Coinhive on the client side used to mine cryptocurrency

 

 

Gaming and video sites typically are more resource intensive, so it seems to make little sense to run a miner at the same time without having a noted impact. Having said that, many people who consume copyrighted content are perhaps less likely to complain about an under par user experience.

 

The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice.

Forced mining and malvertising

The same site pictured above was not only monetizing via Coinhive, but they also ran adverts. Clicking anywhere on the page – including the ‘Play’ button on the video – triggered a pop under advert that ran through various ad exchanges and resulted in malvertising in almost all instances, leading to tech support scams and several different exploit kit infection chains.

Tech support scams

Tech support scams are one of the most common redirections we see these days. While they do not usually infect your computer, they are still a threat to consider. The most common symptom is referred to as ‘Browlock’ because scammers use code that prevents you from normally closing your browser. The claims are always excessive and designed to scare users about made up infections. Victims that call the posted number for help end up with more computer issues and several hundreds of dollars less in their wallet.

 

 

https://s7d7.turboimg.net/sp/3d3bc26b8e77a85bdb66b3ee02d287a3/TSS.png

Figure 3: Malvertising leading to tech support scam (Browlock) is triggered when clicking anywhere on the page

 

https://s7d8.turboimg.net/sp/d47efca65afd0e769e6705adc0f7157d/TSS_flow.png

Figure 4: Web traffic showing redirection sequence from publisher to tech support scam page

 

RIG exploit kit

RIG is the most popular exploit kit these days and malvertising is its prime delivery mechanism. Victims are filtered using the same tools that marketers have to profile consumers, and there can be a secondary level of filtering, usually via a gate that performs geolocation checks for example.

 

https://s7d1.turboimg.net/sp/59317ae119bc1662415c2a16e7491f0d/RIG_Fobos.png

Figure 5: RIG EK via malvertising chain

 

 

Terror exploit kit

Terror EK is on a much smaller distribution scale than RIG but is still a fairly active exploit kit that tries out different things. For instance, some Terror EK infection chains use SSL encryption (via free certificates from Let’s Encrypt). It also has an interesting gate with one of the most convoluted iframe encodings we have seen.

 

https://s7d6.turboimg.net/sp/83fe0f66b746ab4bdf500acd0813a242/Terror_traffic.png

 

Figure 6: Terror EK via malvertising, and gate before landing page

 

 

 

Block less or more?

One of the first reactions to the rise of browser cryptominers was to ask how to block them, whether with a typical ad blocker or URL/IP blacklist and even by disabling JavaScript. There’s no question that users are annoyed by a rollout that did not include their opinion, even though many were actually favorable to this alternate solution to online ads.

While cryptominers do have an impact on system resources, there was at least a sense that they may be safer and less intrusive than ads. But publishers ought to be more transparent with their audience because no-one likes unannounced guests. Unfortunately, there will always be publishers that care very little about what kind of traffic they push, so long as it generates good revenues; for those, cryptominers are just an added income to their existing advertising portfolio.

Malwarebytes users are already protected against this drive-by mining. In fact, we are blocking over 5 million connection attempts to Coinhive every single day, which shows that browser-based mining has really taken off in a big way.

 

https://s7d3.turboimg.net/sp/8e31cb9e2f9be78b232b5fc4bf7af77c/blocked_coinhive.png

 

Our goal is to protect people from unsolicited drive-by cryptomining. However, for those users that are aware and want to participate in mining, they can absolutely do so by adding an exclusion for this domain.

 

Indicators of compromise

Source:
https://blog.malwarebytes.com/threat-analysis/2017/09/drive-by-mining-and-ads-the-wild-wild-west/

 



9 hours ago, steven36 said:

Malwarebytes users are already protected against this drive-by mining. In fact, we are blocking over 5 million connection attempts to Coinhive every single day, which shows that browser-based mining has really taken off in a big way.

 

https://s7d3.turboimg.net/sp/8e31cb9e2f9be78b232b5fc4bf7af77c/blocked_coinhive.png

 

 

So much for Malwarebytes protecting you, since that is only one IP that coin-hive uses. I posted a list of them last week when this was first announced. I have every coin miner in existence blocked as of yesterday.



3 hours ago, straycat19 said:

 

 

So much for Malwarebytes protecting you, since that is only one IP that coin-hive uses. I posted a list of them last week when this was first announced. I have every coin miner in existence blocked as of yesterday.

I don't use Malwarebytes real-time, so why are you telling me? You block 15 IPs for coin-hive when only one simple rule is needed in your adblocker! I have been blocking them since day one and never needed to block any IPs. It's a 3rd-party site; it's easy to block without using IPs. I've been testing it without blocking coin-hive's script, and the single rule in uBlock Origin filters stops it 100%. If it doesn't stop it, you will know, because your CPU will shoot up. When I check it in the loggers, it is only calling to https://coin-hive.com/; it isn't calling to those other domains. If it did, uMatrix would block it. If you want to block others and don't use uMatrix, you can use this adblocker list.

https://github.com/hoshsadiq/adblock-nocoin-list

And you don't know what IPs Malwarebytes is blocking based on one screenshot. It's not a program where we have to make sure we block every IP the site has so we don't become unregistered. It's a 3rd-party site. :lol:

You just need to add the rule for the site like this in your adblocker:
||put domain here^$third-party

If you see them in your logger; if they don't ever exist, there's no use blocking it yet.

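The single-rule approach described in the post above, as an added example that is not part of the original thread: a simplified JavaScript matcher for a `||domain^$third-party` filter, applied to the coin-hive.com domain the post names. The page URL, request paths, subdomain and look-alike hosts are constructed sample values, and comparing the last two hostname labels to decide "third-party" is a simplifying assumption.

```javascript
// Added example: simplified matcher for an ABP/uBlock-style
// "||domain^$third-party" network filter. Not a real blocker's code.
const RULE = '||coin-hive.com^$third-party';

// Assumption: a hostname's "site" is its last two labels. Real blockers
// use the Public Suffix List to find the registrable domain.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Parse only the rule shape discussed in the thread: ||domain^ plus options.
function parseRule(rule) {
  const m = /^\|\|([a-z0-9.-]+)\^(?:\$(.+))?$/i.exec(rule);
  if (!m) throw new Error('unsupported rule: ' + rule);
  const options = m[2] ? m[2].split(',') : [];
  return {
    domain: m[1].toLowerCase(),
    thirdPartyOnly: options.includes('third-party'),
  };
}

function isBlocked(rule, requestUrl, pageUrl) {
  const { domain, thirdPartyOnly } = parseRule(rule);
  const reqHost = new URL(requestUrl).hostname.toLowerCase();
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  // "||" anchors at a label boundary: the domain itself or any subdomain.
  // "^" requires the domain to end there, so "coin-hive.com.other.example"
  // and "notcoin-hive.com" do not match.
  const hostMatches = reqHost === domain || reqHost.endsWith('.' + domain);
  if (!hostMatches) return false;
  // $third-party: only block when the page belongs to a different site.
  if (thirdPartyOnly && siteOf(reqHost) === siteOf(pageHost)) return false;
  return true;
}

// Constructed sample traffic seen while visiting a constructed page.
const PAGE = 'https://streaming.example/watch';
const SAMPLES = [
  'https://coin-hive.com/constructed/path.js',
  'wss://sub.coin-hive.com/constructed',
  'https://coin-hive.com.lookalike.example/x.js',
  'https://notcoin-hive.com/x.js',
  'https://cdn.streaming.example/player.js',
];

function decisions() {
  return SAMPLES.map((url) => [url, isBlocked(RULE, url, PAGE)]);
}

for (const [url, blocked] of decisions()) {
  console.log(blocked ? 'BLOCK' : 'allow', url);
}
```

The decision depends on the request's hostname and the page it was loaded from, not on the address the hostname resolves to, so it stays the same when the service changes IPs.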


10 hours ago, steven36 said:

I don't use Malwarebytes real-time, so why are you telling me? You block 15 IPs for coin-hive when only one simple rule is needed in your adblocker! I have been blocking them since day one and never needed to block any IPs. It's a 3rd-party site; it's easy to block without using IPs. I've been testing it without blocking coin-hive's script, and the single rule in uBlock Origin filters stops it 100%. If it doesn't stop it, you will know, because your CPU will shoot up. When I check it in the loggers, it is only calling to https://coin-hive.com/; it isn't calling to those other domains. If it did, uMatrix would block it. If you want to block others and don't use uMatrix, you can use this adblocker list.

 

I prefer to block them BEFORE they access the system, not when they are already through the system and knocking on your browser.  It is the difference between real security and a sense of real security. :P

 

I also have quit using adblockers of all types on an experimental basis and using the firewall to block them.  I found that websites load much faster.  Again, it's the difference between real security and a false sense of security.  Anytime you create a list, such as in a hosts file or an adblocker list, it is going to slow the system or the browser down.  Using a firewall and blocking them before they ever get to the system has little to no effect.  You may block an ad from showing in your browser, but how are you going to block the payload it brings with it that is now on your system, and don't say by using an AV because ransomware proved how effective that isn't when it first appeared on the scene.

 



2 hours ago, straycat19 said:

 

I prefer to block them BEFORE they access the system, not when they are already through the system and knocking on your browser.  It is the difference between real security and a sense of real security. :P

 

I also have quit using adblockers of all types on an experimental basis and using the firewall to block them.  I found that websites load much faster.  Again, it's the difference between real security and a false sense of security.  Anytime you create a list, such as in a hosts file or an adblocker list, it is going to slow the system or the browser down.  Using a firewall and blocking them before they ever get to the system has little to no effect.  You may block an ad from showing in your browser, but how are you going to block the payload it brings with it that is now on your system, and don't say by using an AV because ransomware proved how effective that isn't when it first appeared on the scene.

 

If you're trying to block all ads with a firewall, you are living in a false sense of security because:

1. It would not even be possible because there are way too many IPs to block.

2. Using hosts files or firewall rules for certain ads will break websites. This is the reason uBlock Origin has unbreak filters, because it allows host block filters; it's not possible to write code in a firewall to unbreak sites. Blocking ads where they don't have internet access and blocking ads where they don't break sites are two different things. And anti-adblock can detect firewalls and host blocking too, and block you from using sites just like they can adblockers, so you need something to get around anti-adblock too.

3. I have been blocking IPs for years and it's not foolproof; all they have to do is change IPs up on you and you're not protected. And with malware ads, many times antivirus will block them or they get shut down, then they will change IPs to ones you won't know yet. I've seen it fail on people so much for apps that need internet that I don't find it very useful any more and only block IPs as a last resort. Time is not on your side; sooner or later they will most likely figure out how to defeat it, and this is if your firewall is stealth and not leaking all over the place.

I block many exes in my firewall that don't need internet and it works for me, but many people have problems because their firewalls leak. Blocking app exes that don't need internet and trying to block a server are two different things. When blocking an exe, if a firewall is stealth there is no way they can get around it, but when blocking IPs, all they have to do is get more IPs to get around you.

4. There is no way to make a cosmetic rule with a firewall either.

5. Every day adblock filters update, and here you are trying to add them one by one to your firewall. Do you have a life outside of playing with your firewall? :P :tooth:

6. uBlock Origin doesn't slow down my browsing and it never has, but other ad blockers have in the past. But I'd rather have slower browsing than waste my time trying to chase down every ad campaign and breaking many websites in the process. Can we say overkill much?

 



Archived

This topic is now archived and is closed to further replies.
