
um yeah so i just wanted right off the bat just huge thanks to those guys um so hopefully you guys enjoy this uh research this presentation today it's something i've been working on for a fair number of months at this point my name is josh krunswig i'm a a malware reverser a company called politon networks i'm specifically in a group called unit 42. for those that aren't maybe familiar with us we are essentially the threat intelligence arm wing whatever you want to call it within the organization we're given a lot of freedom and autonomy in what we research and i've been with the group for about three years now so as i said i'm giving a lot of freedom
i'm very very fortunate in the past eight or so years i've been able to look at just a huge range of of malware and related campaigns i've looked at everything from very targeted you know nation state whatever you want to call it campaigns i've looked at very widespread commodity-based malware campaigns i've looked at pretty much everything in between so i guess to set the stage for today you know what are we going to talk about um i do want to mention that i won't be talking about any javascript or web-based mining activity truthfully that's a huge topic and just for the sake of time i really didn't find myself focusing much on that angle so i'm not going to talk about
that today so if you're really gung-ho about javascript and malware that you know operates in the browser i'm going to have to disappoint you we're not going to talk about america's booming coal industry even though this is this image is a little alluding to that fact uh instead we're going to talk primarily exclusively about what i'm calling binary based miners being delivered via malware so a piece of malware that ultimately delivers and executes some executable file that mines a cryptocurrency and the reason this talk really exists is because about four to six months ago i was doing some research as i do and time and time again i kept finding myself in this predicament where i was
reversing some malware i was looking at a new campaign and it kept being a situation where a crypto miner was being delivered and i said what the heck's going on you know am i really just that lucky that i keep finding this stuff or is there some bigger trend at play so i looked and uh there is a trend it it seems so this graph just to put it into context is not an instance of how many times we've seen malware this is actually an instance of when a new malware sample is identified over time at its peak i think we saw about 14 000 new malware miners being delivered in a single day and as you see it's been
pretty interesting the past month or two so for today what i'd like to cover um i do want to talk a little bit about some foundational you know crypto 101 type stuff just to make sure we're all on the same page uh i'm going to talk a little bit you know a little history lesson you know why did this happen a little bit about some case studies i've worked on some research um and then i got some brand new research that i'm gonna share with you guys today um you are probably the second audience ever to see it and the other one was recorded so you're like i don't know there's like 50 other people that have
seen it before and maybe it's a lot about defense we'll see so basic stuff what is cryptocurrency um simply put it is a digital typically distributed currency that runs independently of any sort of central banking authority or government and it's not the first to do this you know there's like e-gold and other things that are out there that have certainly done this in the past but what really differentiates cryptocurrency and the reason it's called cryptocurrency is the fact that it uses encryption algorithms to ultimately verify transactions but also in many cases to distribute those funds to the general public so it really kicked off in 09 right bitcoin was sort of the first to put all
these concepts together in a way that worked and it has since just grown substantially since then both in general public awareness as well as in ultimately value last i checked a single bitcoin is worth about 9 300 and the timing of when bitcoin started is really really important so 2009 most people in the audience probably remember it there's a couple young folks but uh i was graduating college at the time and the economy was in the gutter which is just a really fun combination um but there was a lot of lack of faith i guess you can say in traditional banking systems you know a lot of people are out there saying uh government's corrupt we uh
we don't have faith that our money is safe and so bitcoin kind of started and it caused a lot of pioneers at the time to really adopt it and really just take on this new concept that previously hadn't really been done before and as i said it's grown substantially since then last i checked there's about 1600 or so different cryptocurrencies out there and they really range in many many ways the truth is most of those cryptocurrencies are garbage they are pretty much scams but there's a lot of honest and good people out there that are developing these new currencies and there's a lot of good folks out there as well they vary in a lot of ways so on the
mining side which i'll talk about in just a minute there's a lot of different hashing algorithms that are used a lot of them have different attributes and so far as how they are designed from the ground up there are certain cryptocurrencies that are designed with anonymity in mind so making sure that folks can't necessarily track what transactions you might be making or how much money you you possess like monero which i'll be talking about a lot today and uh ultimately there's just a lot of differences and the reason that's important is because when we talk about malware when we talk about these these bad guys mining cryptocurrency those differences are very very important because it really ultimately
determines what cryptocurrencies are targeted in mind uh and which ones are ultimately left alone not all cryptocurrencies can be mined there's there's a number of them out there that have either been pre-mined meaning the coins are out there there's no more to be made or they use alternative techniques to to verify transactions and distribute funds so what's a minor right like that's kind of the it's in the title um so a minor is ultimately just a computer it's just a machine the concept of mining often has this sort of cloak and dagger like people don't necessarily know what it is but they know if they do it they'll make some money um but truthfully really at a high level all it's all
that's happening is folks are in this perpetual race to try to brute force a hash as i said there's different algorithms that are used based on which cryptocurrencies are in play but ultimately folks are just tossing computing power tossing hashing power at this this problem this this race where they're trying to to be the first to crack at the first to brute force it when they're successful in brute forcing it two things happen as i said the new transactions are verified so everyone's happy about that and as an incentive the person that wins that race is rewarded with you know a few of those cryptocurrencies as an example so bitcoin right now is typically mined around every 10
minutes it's very much dependent on how many people are doing that at a given time and a lot of it's also based on luck but more or less every 10 minutes and the winner the reward currently is about i believe it's 12 and a half bitcoin so by exchange rates it's about 100 grand um so there's a lot of money to be made if you're you know out there mining successfully and winning that race more often than not this really results in a lot of interesting situations where you've got folks like not single mouth there's a lot of organizations and folks in china that have these huge farms these huge warehouses just full of computers that are doing nothing else
than just trying to win this race it also means that as a individual as a user you're kind of at a disadvantage i can't take my computer right here and mine and say oh i'm definitely going to win that race no i would probably never win it and if i did it would probably take years so that really ultimately results in the concept of a mining pool uh before i do that i'm adding this because jessica at the keynote yesterday had this great gift and i was like i gotta steal it so i'm adding this just for some uh some visual eye candy so my co-worker brad doesn't get bored also if you're ever wondering why you
can't buy a video card right now which is what they're shoving at rocks it's because certain cryptocurrencies like ethereum really lend themselves to being mined via gpus or video cards so everyone's buying them and causing the price to skyrocket it's also an important point to make that certain hashing algorithms really lend themselves to different types of devices you know monero for instance really lends itself to cpu-based hashing versus ethereum which is really gpu-based and there's also instances where specified very specific machines are built with the sole concept of mining which i'll talk about in just a minute back to my point though earlier i'm by myself i've got my my laptop my server at home whatever my
odds of winning that race and getting that reward are very very small if anything so this really very quickly you know spawn this idea of a mining pool the way i like to talk about it is really it's sort of this commune right you've got let's say we all are computers in the audience we all banded together and decided we're going to act as one entity if we are able to win that race get that reward uh based on how much effort everyone put in you get your your piece of the pie let's say i'm running the mining pool i'm running the infrastructure i take a little cut myself you know one or two percent
the really nice thing about mining pools is that they not only provide the infrastructure to tie multiple miners together but they also provide a consistent revenue stream because these pools have just a large amount of hashing power at their disposal they've got hundreds of thousands of users all banding together which results in them winning that race very very frequently so it means that you don't have to wait two years hoping to mine and win this race you can simply join a pool and they're gonna win it a lot and every time that happens you're getting a little you know a little sliver a little bit of money very consistently real quick i just want to talk about
asic devices because they they really do play a role when it comes to to malware mining activities so an asic is simply just a very specialized device a specialized computer that literally is designed from the ground up to only mine a specific hashing algorithm they really have a drastic effect when they're released because they just completely saturate the market um these things can put out a lot of hashing power like like over a hundred times what the traditional computer might be able to put out and so when you've got hundreds of thousands of these entering the market it causes traditional computers to almost be rendered obsolete so when asics enter for a given cryptocurrency enter the market
more often than not you're going to see a drastic decline in malware targeting those currencies because there's just not that much much money to be made um case in point uh an asic came out for bitcoin i think in 2013 um the amount of bitcoin miners we've seen recently is is quite low they're also out for a few other ones uh litecoin's got one i think cya coin dash i think might have one as well and uh there was one recently announced about a month ago for the kryptonite algorithm which is what monero uses but monero is asic resistant meaning they really don't like asic devices so they changed their hashing algorithm and rendered all those asic devices pretty
much obsolete so uh that's kind of an interesting side story which i won't get into but needless to say it's caused some weird tension in the uh the crypto industry i guess you call it so let's put it all together um hopefully you guys dig this slide because i spent like a lot of time making an animation uh i don't use powerpoint that often so a little hypothetical here we've got the cryptocurrency network and we've got these sort of three players that are each trying to successfully mine it you've got alice on the left who's super rich and she's got like all these computers in her basement or her warehouse or wherever you've got a mining pool in the center
made up of about five individuals and then you've got josh on the right who's you know he's maybe not the sharpest guy in the room but he says uh you know i'm gonna give him my go give it a go i got my one computer i'm gonna see what happens and so as it goes as the race is perpetually run we see as expected alice who has the most hashing power to ultimately win the race time and time again in certain instances we'll see the mining pool actually win and in which case it is again disseminated based on how much effort the individual players put in they get that little chunk of the reward and if we wait super long
uh well relatively speaking we might see josh get lucky and actually get a reward himself um i made this animation a while ago there we go i couldn't remember um so that's like a super high level of how it works now imagine that there is not three players but there is three million players all trying to do the same thing um and it makes her really interesting environment so let's talk history i guess it's like six months ago so it's technically history but not really um how did we find ourselves in this predicament where there's this huge spike in malware targeting cryptocurrency miners so probably about close to a year now um something happened we saw this weird
decline at the time in ransomware everyone i'm pretty sure in the room knows what ransomware is it's really really bad um but we saw a decline which was really weird because why would that happen you know why would traditional systems whether it be botnets or or um actors or or whomever advertising why would these traditional avenues of attack be all of a sudden shifting from ransomware to cryptocurrency miners you know there's there's some hypothesis hypotheses out there maybe users got smarter they said hey we're going to take backups and we're not gonna click on those links and uh maybe security vendors got smarter you know a lot of security vendors out there uh maybe mine uh are putting out a lot
of ransomware specific stuff so maybe that really turned the tables and made the the bad guys say well we can't we're not going to do ransomware anymore most of that is bs there's a child in the room so i will not i will not be swearing is bs the truth is that uh the value of cryptocurrency just shot to the moon as they say um it spiked drastically and there's not really a as far as i know a perfect reason as to why um but all of a sudden in like june of last year uh a lot of the general public started to get wind of what this cryptocurrency thing was specifically bitcoin and they said i can't miss out on this
right i got to make some money so they start investing and telling others who then had that same reaction it was a weird like self-fulfilling prophecy i think but ultimately at the end of last year the value of bitcoin was something around around like 20k uh it was very very high and wow that's a really small font um all their currencies followed suit so i've included monero litecoin ethereum i even included ripple which is probably not the smartest decision because it's just that red line at the bottom um but it went from like 10 cents to like three dollars and 30 cents like if i zoomed in you guys would be like wow that was super impressive but
uh yeah all these cryptocurrencies values just like shot through the roof and so it had a really interesting effect on uh the malware space because well i think of it as a few ways right so obviously the bad guys are going after where the money is if they say i can consistently make money mining cryptocurrencies i'm gonna do that it's less invasive it probably doesn't take people off as much there's less chance of me getting arrested that sort of thing but also when you think about just the crazy volatility of cryptocurrencies you got to think that has some sort of an impact on the ransomware space i mean you know my aunt sue gets infected on
monday uh she's asked to pay 500 in bitcoin by the end of the week she is taking out that bitcoin and for whatever like let's just assume that she's able to do that she's taken out this bitcoin she's ready to pay by friday the value is now doubled or halved or whatever it's drastically changed causing a lot of uh either good for her or good for the bad guys it's hard to say it also probably impacts her willingness to pay the ransom so um yeah there was a lot of reasons as to why this change occurred but truthfully i mean it was just this huge spike in value everyone wanted their piece of the pie
they all wanted all the bad guys wanted to make some money so let's talk a few talk about a few use cases over the past three or six months i've researched a few interesting campaigns i kind of picked a couple to discuss today so the first one uh is one that i've entitled pickaxe um my co-workers wanted me to call it uh was it black lung or something something i didn't really wasn't really down with but at a high level what pickaxe is is simply a campaign that originates via malicious advertising or malvertising it delivers a self-extracting executable which in turn persists via a link file in the startup folder but it ultimately delivers a series of
vbs files or vb scripts with some url url redirection thrown into the mix and ultimately delivers xm rig which is a completely legitimate benign miner for monero but it is in this case used maliciously so there's about 333 samples that i found ultimately which comes into play later but on the malvertising part of it on the initial infection vector so in this case it used a platform called uh adfly which some folks in the audience might be familiar with quick show hands ad fly people use it it's used a lot in what's that
it's usually used for uh not to single you out because i use it too less than legitimate files uh it's essentially a a url redirection service married with an advertising platform so there's two sides to it right if i want to make a few bucks i create a url shortened link and i get as many people as i possibly can to click on it each time they click on it i get a little you know fraction of a cent or something conversely if i want to advertise my my content which as far as i can tell is almost always malware but if i want to advertise my content i pay like a dollar and i get a thousand
views um if i want to get fancy and have it really specific to certain regions i can pay a few more dollars but it's a very cheap uh barrier to entry i guess you'd say and typically the way it works is something like this so i am you know i am perusing the internet i am very poor and i google you know how can i get counter-strike global offensive for free i stumble on this wonderful youtube video that tells me exactly how to do it which in turn has a series of links to various files that i can in turn download all these links as you can see are add fly links clicking on one
will give you something that looks kind of like this so at the top header that's benign i guess you could say that is the adfly header there is a five second counter that ultimately results in that skip ad at the top right but pretty much everything under that header is the quote unquote advertisement in this case it is a fake flash player update which is very popular um in other cases it might be a fake download manager or you know whatever anything to get the user to ultimately click on on that embedded iframe so as i said this is sort of how the users are initially infected they're ultimately delivered a self-extracting executable which in turn
drops and runs a vbs file that looks very very similar to this as you can see very basic obfuscation they split up save to file that was about it but really all it's doing is just downloading and executing one additional vps file which the link to which is at the top looking at that vbs file we see it's a little bit more fancy they're actually looking at what the processor is on the victim whether it's 32-bit or 64-bit and they've got two bitly links bitly is a url shortener sure most people are familiar with it they've got two bitly links at the front hallway there um it's totally legitimate service uh i work i worked with the guys over
there for a while now i got nothing but good things to say unfortunately once in a while their platforms get abused but it is by and large typically used for benign purposes in this case they've got two bitly links one in case it's 64-bit one in case it's 32-bit and then they are running the payload that gets downloaded via powershell two things i want to call out or maybe it's a couple things so after they download and execute it you can see a number of command line arguments so there's dasho f.pooling.cf there's dash u there is also max cpu usage so the dasho is just pointing it at a mining pool as i said criminals and good guys alike typically
use them the dash u is the user which in this case is just sort of a placeholder type of thing but oftentimes you'll see an actual wallet address being used or an email address that's going to come into play later and max cpu usage so i'll talk a little bit about defense in a bit but ultimately um people think of crypto miners as like oh it's going to use 100 pow cpu usage my computer is going to go you know bananas and i'll i'm going to find it right away the bad guys aren't necessarily idiots they know this too and so in this case they're actually throttling it to only use twenty percent now the fact that use bitly was super
interesting to me because i and anyone can ultimately get uh statistics on who clicked on those links now that bitly link is so far down the chain that every time someone is accessing it you can almost explicitly say that they've been compromised so all in all i had like 30 to 40 bitly links that i'd accrued only about a third of the samples actually used bitly out of the 333 samples i'd collected and so i pretty much scraped all these pages to come up with all the victims so when it was all said and done there were 15 million people that got infected that i knew of um as i said it represented about a third of the
overall number of samples i collected so you could probably guess that it was probably in the 30 to 45 million numbered range when it came to uh victims i am gonna go a little quicker because i'm i gave this talk like two weeks ago and i went through it in like 35 minutes so it's only proper that i would go 30 minutes over this time around because apparently i can't figure this out but uh btor i don't have a clever name for this one it is a russian bittorrent site it is still out there you can still check it out i translated it for you guys because i didn't think you guys spoke russian i don't uh
it came out in july june of last year and it's you know it's good it's got like a quarter of a million bit torrent files but back in september something really interesting happens so when a user clicked on this download torrent link at the bottom right for a given file given torrent they were not given a torrent they were instead given a zip file which was named like the torrent you know in this case it's world of warcraft so it would be named like world of warcraft.torrent.zip the zip file had an executable in it which had a little utorrent logo to try to make it again look like a torrent file once again world of warcraft.torrent.exe
and then once that exe was run it actually did download and execute the real torrent but next to that it also dropped an executed.net payload which did a few things and ultimately delivered again xm rig so i didn't have a lot of telemetry on this one i can't say you know millions of people got infected but i did want to bring it to your attention because i thought it represented a really unique uh method that this stuff is being distributed you know this owner of this torrent site is actually trojanizing his own files to his users to try to earn a little extra you know money on the side and the last example i want to talk
about um is a relatively new one within the last month or so called rarehog rarug is a as actually a malware family that's sold and distributed on various russian underground forums it's typically sold by this dude that goes by the username arsene coo 135 and it's pretty nice it's got like a like a nice web interface and they've got a demo admin panel that you can check out and sort of try before you buy cost five or i think six thousand rubles like 100 bucks and you can't see it because it's super small but at the top right it says developed by foxovsky and then at the top left it says to buy rairog check uh
reach out to again arsene coo 135. so it looks really nice but the the web panel security is not super great was able to through a trusted source i was able to look at about 80 60 60 to 80 c2 databases and map out where the victims were what was super weird was like most of the victims were in russia so the unwritten rule as many people in the room know if you want to do bad things in russia that's fine as long as you don't you know go after your countrymen go after fellow russians so while the guys that developed this i found out were russian while they weren't necessarily targeting these users they were selling the malware that
was so i have to wonder if something might ultimately result as a because of that so about 160 000 infections not nearly as bad as pickaxe but pretty substantial nonetheless specifically i want to go back to this slide that i showed you early on so this was pretty much just a representation of our data set of political networks you know i sought out all the minors i could find um delivered you know as i mentioned via binary and uh so when it was all said and done i had about 470 000 samples i mean i'm i'm a malware guy i'm a researcher i said what can i do with this um i was like it'd be super cool if i
just like analyzed them all and looked at them all and like pulled out interesting artifacts you know whether it be cryptocurrencies being mined wallet addresses email addresses any artifacts i could find so that's what i did um we are fortunate at politics we've got a cloud-based sandbox so i took all these sandbox reports that we had i took pcaps data that i had and i ultimately just scripted the heck out of it over the course of like a couple weeks just fine-tuning uh this really hacky long script i wrote to extract as i said wallets what currencies are being targeted what mining pools are being used that sort of thing and at the end i had a
really big csv file and i was super happy uh when it was all said and done i had as i said about 470 000 samples that i had successfully identified not only as being miners but was able to identify what was being mined for the most part i was able to get about 3 100 email addresses 2 700 mining pools and then various wallets i added ethereum because like i said earlier it's used primarily via video cards so i just thought it was really bizarre and interesting to see that particular currency being targeted because it's like i don't know it's just it was surprising to say the least um so you know taking a step forward
the breakdown it's pretty much all monero uh like 82 of all the samples are targeting monero which for anyone that like looks at this stuff really shouldn't surprise you at all but it's kind of interesting to actually see it on a colorful pie chart um and there's a few reasons you know as i said it's asic resistance so like and it's primarily targeted or used uh it's primarily mined via cpus which is perfect when you're talking about compromising end users machines it's also very anonymous meaning it's very difficult to determine you know where the money is going ultimately so i looked at bitcoin first you know it's the big player you gotta look at it
right um i looked at the thousand or so wallets that i had and i ultimately just tried to determine how much money was made now i'll be the first to tell you my methodology was a little bit flawed on this one because literally all i did was just check the blockchain and see how much money had entered these wallets but as folks in the audience probably know that's not great because what if like those wallets are being used for other legitimate purposes or what if they're also pushing out rants somewhere and that's being paid into it but ultimately it's just really difficult to determine when money was going into those accounts via mining only and that the main reason is because of
mining pools you know a lot of times the stuff had been mined years ago via mining pools that no longer exist and so to determine and to track down where all the money originated from is a very difficult thing that being said um i found about 2 600 bitcoin that had been paid into these thousand or so wallets the top earners you know 279 242 214 some decent money so about 21 million and this is actually a lower estimate because it's using eight thousand dollars as a conversion like i said around 9 300 right now so it's probably close to like 26 or so but still some good money was potentially made i then looked at monero which was much
trickier, because you can't just simply check the blockchain and see how much money a wallet made. But I remembered that the majority of these mining pools that the bad guys are using do allow you to anonymously view statistics, so you just plug in the wallet, and if that person has mined to that pool before, you can get a great breakdown of their current hash rate, the current amount that they have mined and made, and how much money they've historically made. So I took the top nine or so mining pools that allowed you to anonymously view them, I took my 2,000 wallet addresses, and I just checked everything, and what I came up with was, I think, kind of interesting: 782,000 Monero. The methodology on this one is obviously going to be a lot more accurate. This is mining only; this is not going to be riddled with ransomware, it's not going to be riddled with legitimate stuff. These are instances where money is being mined only to wallets that have been seen in malware samples. This number also represents five percent of all the Monero in the world. This again isn't accounting for JavaScript or web-based stuff; it's also not accounting for things I haven't seen. I've only got my sliver of insight into this particular threat, but it's pretty substantial. Again, this is the low end, 200; it's probably closer to 250 to 260, so you're probably looking at around 200 million dollars, with the top earners making 10 million or more. I should also point out that these wallets aren't necessarily tied to individuals: there could be one guy that owns all these wallets, or there could be one organization that owns them all, or one wallet could be used by multiple individuals. But at the end of the day, a lot of money is being made.

I also, as I said, could query the hash rate, so I was curious there too. I queried the hash rates of these various wallets and found about 10 million hashes per second globally, which represents about 13 grand a day being made and about one percent of the total mining power for Monero.

If we look at a couple of use cases: this is a graph of one wallet's mining rate over time, so how many guesses he's making in a given day, essentially. This is one of the biggest ones I've seen, with a hash rate of about a million at its peak. But what's really kind of interesting to me is this sort of flow that you see, and in addition to that, this sort of downward trend over time. I still don't know exactly why this flow occurs. My hypothesis is that the malware is configured to only run during inactive times, so when you look at the global number of victims that this person has, certain people are falling asleep, certain people are coming online, and it might account for this sort of consistent flow. You can also obviously see when a new campaign started, because the hash rate went from 0.6 million to just over a million in about a day. And at the very bottom you can see this guy made about a thousand Monero, or about 250 grand based on today's exchange rates.

Looking at other instances, we see that similar trend, that similar wavy spike and general decline over time, meaning people are finding malware on their systems and cleaning them, so the general hash rate is going to decline. This was part of a RIG exploit kit campaign, and what was really bizarre too is it just died one day. I don't know if the infrastructure was taken down or what, but you'll see in early April it's just gone, it's done. This is a different mining pool, so it looks a little different, but that same sort of flow, same sort of patterns. They don't always look like that, though, so here's another example.
This guy made about 500 grand, about 2,000 Monero, but it looks much more legitimate. If I were to run a miner on my computer, it would look like this. I have not on this one, but I have done it in the past, and it looks a lot like that. So they're not always super easy to identify, but there are signs in certain instances.

Let's talk for a really quick minute about defense. It's not super easy. You think cryptominers, you think, all right, I'm going to look for computers whose CPU spikes to 100 and I'm going to find them all, and, like, game over, it's done, right? But the truth is, as I've shown, a lot of times these guys are throttling it; a lot of times they are only running them at certain periods of time. I've seen instances where they will actually look at keyboard clicks and mouse movements, and if they see someone's actively on the system, they will shut off mining operations. Rarog had a neat feature where you could supply a series of processes to essentially blacklist. These were really high-intensity processes like Photoshop or various video games, and if those are running, the mining just stops in its tracks. So they do a lot of different techniques to try to prevent it from being super obvious that a miner is running.

On the network side, you could try to, I guess, look for the Stratum protocol, which is pretty consistently used for a lot of these mining pools. If you're able to identify it, you could take action there and try to block it, or at least identify which host might be running a miner. But this stuff is distributed in so many different ways that unfortunately there's just really not a silver bullet, and I wish there was, because I feel like that'd be much better to say right now. But unfortunately it's just the way it is. Traditional security practices, defense in depth, whatever you want to call it, really is the only great way to go at this problem.

I actually timed it pretty well, so I have a couple of minutes. I think I'm going to open up to questions in case anybody has any.
So how I protect myself? I assume you mean to keep the bad guys from doxing me and going after me. That's a great question and one I should probably have a good answer for. I mean, I take some basic precautions: I have two-factor on a lot of stuff, and I make sure I use unique passwords and all the sort of best practices you assume people are going to be taking. But truthfully, I do put myself out there a little bit and hope that guys videotaping me don't videotape me when I ask them not to, and that sort of thing, and try not to tick off the bad guys too much. So far, as far as I know, it's been okay. Are you going after me? Are you trying to get info on me? Like, "Oh, two-factor, okay." Yeah, yeah, that's a fair point.

So how can the average user defend themselves against these sorts of attacks? I know that sounds like another question, like, "Oh, just use this program," but what would the average user do, without having to purchase... Yeah, so the question is, what can the average user do to protect themselves? Like I said, just general best practices when it comes to security. In truth, this really isn't that different from ransomware or any of these other big threats, banking trojans, what have you, as to how they get on the systems. Patching, making sure you've got some host-based or network-based firewall, making sure antivirus is up to date, what have you. Just general security hygiene. Yeah, maybe don't go to Russian BitTorrent sites, or at least don't download anything. Yeah.
Yeah, but did you compare...

Yeah, so that's a fair question. So the question is, compared to ransomware, how does mining stack up? Are these guys making more money, less money? In a lot of ways, unfortunately, it's kind of comparing apples to oranges, because a lot of times the miners are much more long-term in how long they run. So the guys that are making 10 million, they've been mining for years. It's not like they just jumped in a couple of months ago and they're just raking in the dough; they've been at it for a long, long time. Conversely, ransomware is sort of a really quick: infect them, make sure they know they're infected, and hope that they'll pay you. So it's a much more high-risk, high-reward, more immediate payback. So I wish I had a good answer for you on that one, but unfortunately I just don't.

Yeah, so your slide for the infection by country for Pickaxe, I was surprised at how low the number of infections in the US was compared to a lot of countries. Yeah, so the question is, Pickaxe had very few infections in the United States; that's kind of weird, right? My theory is the guys that did it via AdFly and stuff were cheap, and if you want to target more US-based citizens it costs more money: instead of a dollar it costs, like, four dollars or something. So my suspicion is they didn't necessarily care geographically where the victims were; they just were trying to spend as little money as possible for the initial compromises, in which case that usually does tend to focus on that sort of Southeast region and whatnot. That's my guess; I don't know for sure.

So mining itself... absolutely, yes. So the question is, mining itself is legitimate, right? And it is. I've mined; I know a lot of people that have. It's totally legitimate to do that. The problem, as you stated, is how the malware, or how the miners, are being delivered and ultimately run without the victim's knowledge. This is why I have a big problem with things like Coinhive and some of these JavaScript-based things that are ultimately just run in the background, because the user doesn't know what they're signing up for. So I think it's not so much the payload; it's how the payload got there, and the fact that it's distributed via malware without the user's consent or knowledge is honestly the real problem. Yeah, and also the victims don't get any money, so the bad guys get free power and free resources for ultimately nothing.
Yeah, that's a great question. So Ben asked, can you block mining pools at the edge, is that going to be a valid approach? In a lot of cases it could be. There are also instances where you can run proxy services. I didn't mention it, but in Pickaxe they're actually using XMRig proxies to connect to, so if you were to block the big mining pools, monerohash.com and moneropool.com and these guys, they would in a lot of cases just simply use these proxy services to sort of circumvent it. But as I said, if you can identify the underlying network traffic, if you're able to do that, that goes a long way in not only identifying this activity but potentially blocking it as well, which isn't always the easiest thing. But if you do have that ability, it probably goes a long way. Yeah.
So the question is, what is the likelihood of the mining pools going mobile? Do you mean the miners themselves running on mobile devices? I think that's a fair point; I think that's a possibility. But the thing you also have to think about is battery life, right? Whenever you're talking mobile, battery life comes into play, and if you're mining on your Google Pixel or your Apple iPhone, that's going to kill the battery pretty quickly, and I suspect that's going to alert people to something being wrong, or at least off. So again, these guys are in it for the long haul in a lot of cases; they're not necessarily looking to get caught for years, if at all. So I think that's a fair possibility, but the reality is, I don't think we'll probably see that anytime soon, at least with the current... I can barely get a full day's charge on this thing without Monero miners. Yeah, so that's a possibility too: they could make checks to see if the charger is plugged in and then mine. There are possibilities for sure; it just depends how creative the bad guys want to get, or you, if you're so inclined, which maybe is why you asked, I don't know.
So, the network traffic side of things. The question is, what ports and stuff does it use? It varies, different ports. The underlying traffic is essentially just TCP, though, and it uses a JSON-based communication protocol. They say it's Stratum, and I think it is technically, but depending on what cryptocurrency you're looking at, it tends to vary slightly. So there are some nuances depending on whether you're seeing someone mine Ethereum versus Bitcoin versus Monero, or whatever the case may be. So there is some variance there. It's just a message, a JSON blob, and not a very big one to boot; it's usually just a few hundred characters back and forth.

Okay, I think I'm all out of time, but I appreciate you guys coming today. Thank you so much. Bye.
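The two points made above about network-side detection (that Stratum is the consistent tell for pool traffic, and that it is small newline-delimited JSON over TCP whose method names vary a little per currency) can be turned into a working matcher. What follows is an added example written for this page; it is not code from the talk, from Unit 42, or from any miner or pool. It assumes the well-known JSON-RPC method names of the three common dialects: Bitcoin-style Stratum (`mining.subscribe`, `mining.authorize`, `mining.submit`), the Ethereum variant (`eth_submitLogin`, `eth_submitWork`), and the XMRig/Monero variant (`login`, `submit`, `job`, `keepalived`). The "family" labels, the address-shape regexes and all sample payloads are constructed for illustration.

```python
import json
import re

# Well-known JSON-RPC method names of the common Stratum dialects. The
# family labels are this example's own grouping, not part of any spec.
STRATUM_METHODS = {
    "bitcoin": {"mining.subscribe", "mining.authorize", "mining.submit",
                "mining.notify", "mining.set_difficulty"},
    "ethereum": {"eth_submitLogin", "eth_getWork", "eth_submitWork",
                 "eth_submitHashrate"},
    "monero": {"login", "submit", "getjob", "job", "keepalived"},
}
# "login"/"submit" are generic words, so for the Monero dialect also require
# the params object to carry one of the fields xmrig-style clients send.
MONERO_PARAM_KEYS = {"login", "job_id", "id"}
LOGIN_METHODS = {"login", "mining.authorize", "eth_submitLogin"}

# Loose address shapes (assumptions for this example, not validation):
# Monero standard address = 95 base58 chars starting with '4' (subaddress '8').
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
ETH_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def _wallet_from_params(family, params):
    """Extract the wallet part of a login-type message's params.
    Pools commonly accept 'wallet.worker' or 'wallet+difficulty', so the
    suffix is split off before the address is returned."""
    if family == "monero" and isinstance(params, dict):
        cand = str(params.get("login", ""))
    elif family in ("bitcoin", "ethereum") and isinstance(params, list) and params:
        cand = str(params[0])  # mining.authorize / eth_submitLogin: [user_or_address, ...]
    else:
        return None
    wallet = re.split(r"[.+]", cand, maxsplit=1)[0]
    return wallet or None


def classify_stratum(line):
    """Classify one newline-delimited JSON payload.
    Returns None when it does not look like Stratum, otherwise a dict with the
    dialect family, the method, the wallet (for login-type messages) and
    whether that wallet matched a known address shape."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return None
    method = msg["method"]
    params = msg.get("params")
    for family, methods in STRATUM_METHODS.items():
        if method not in methods:
            continue
        if family == "monero" and not (isinstance(params, dict)
                                       and MONERO_PARAM_KEYS & set(params)):
            return None
        wallet = _wallet_from_params(family, params) if method in LOGIN_METHODS else None
        shape_ok = bool(wallet) and (
            (family == "monero" and MONERO_ADDR.match(wallet) is not None)
            or (family == "ethereum" and ETH_ADDR.match(wallet) is not None)
            or family == "bitcoin")  # Bitcoin pools take arbitrary usernames
        return {"family": family, "method": method, "wallet": wallet, "shape_ok": shape_ok}
    return None


def scan_stream(payloads):
    """Run classify_stratum over payload lines (reassembled TCP data split on
    newlines) and return the wallets seen in login messages with family and count."""
    hits = {}
    for raw in payloads:
        line = raw.strip()
        if not line:
            continue
        res = classify_stratum(line)
        if res and res["wallet"]:
            entry = hits.setdefault(res["wallet"], {"family": res["family"], "count": 0})
            entry["count"] += 1
    return hits


# Constructed sample traffic (not a real capture): one login per dialect,
# some non-login Stratum chatter, an unrelated JSON line and a garbage line.
FAKE_XMR = "4" + "A" * 94  # shaped like a Monero address, obviously not real
FAKE_ETH = "0x" + "ab" * 20
SAMPLE_STREAM = [
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"' + FAKE_XMR + '.rig01","pass":"x","agent":"XMRig/2.6.0"}}',
    '{"jsonrpc":"2.0","method":"job","params":{"blob":"0707","job_id":"42","target":"b88d0600"}}',
    '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"a1","job_id":"42","nonce":"deadbeef","result":"00"}}',
    '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}',
    '{"id":2,"method":"mining.authorize","params":["btcwallet_constructed.worker1","x"]}',
    '{"id":1,"jsonrpc":"2.0","method":"eth_submitLogin","params":["' + FAKE_ETH + '"]}',
    '{"status":"ok","method":"GET","path":"/api/v1/health"}',
    'GET / HTTP/1.1',
]

if __name__ == "__main__":
    for wallet, info in scan_stream(SAMPLE_STREAM).items():
        print(info["family"], info["count"], wallet)
```

Matching on method names rather than on pool hostnames is what survives the proxy trick mentioned in the questions: an XMRig proxy changes the destination, not the message format, so `login` with a wallet in `params.login` still fires. The wallet it extracts is exactly the key you would then look up in a pool's anonymous statistics page, as the talk describes. Two caveats of my own: a miner talking TLS to its pool or proxy hides these lines from a passive sensor, and because ports vary you need to run this over any TCP stream whose payload starts with `{`, not just a fixed port list.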