Paessler PRTG helps security analyst Troy Mursch detect and prevent cryptojacking
About Troy Mursch
Many believe that cryptocurrencies will serve as the financial underpinning of an increasingly global economy. Bitcoin is the most widely known, but there are hundreds of similar digital currencies or altcoins as they are sometimes called.
Troy Mursch is an independent security researcher and creator of the Bad Packets Report, devoted to research on cryptojacking, botnets, and other security topics.
Monero, an open source cryptocurrency that was launched in 2014 is one. Anonymous and untraceable, it works much like small bills in a traditional open market. Other popular cryptocurrencies, or tokens, include Dash, Ethereum, Litecoin and Ripple - all of which provide a global standard that avoids the need for a centralized bank.
Mursch is not only the leading researcher on cryptojacking malware, but is also one of the most experienced professionals when it comes to helping companies, including numerous small and medium-sized businesses, detect and combat cyber threats like cryptojacking. Few people know more about the impact it can have on infected computers and mobile devices.
"As with all things in IT, visibility is key. If you see a server running at peak capacity for no reason, you immediately know there’s a problem. You can’t account for, let alone combat, threats you can’t see or don’t know of. PRTG isn’t a security tool, but it’s my favorite compliment to them. Besides monitoring malware and botnets, I also use it to monitor phishing sites, which I find and report to the hosting provider."
Troy Mursch, independent Security Researcher
Blockchain, cryptomining, and the crime of cryptojacking
The underlying technology on which cryptocurrency is based is blockchain. With cryptography to ensure that privacy is maintained, blockchain acts as a public ledger - a public database spread across multiple computers. Every time a transaction or asset is sent to another member, a block of data is created. And because the block is shared with every member, but remains encrypted, the integrity of the transaction or the movement of the asset can’t be tampered with. In other words, there’s no way to “cook the books” because every member receives every block and in that way possesses the entire ledger.
Of course, the underlying cryptography and complex mathematical algorithms required to make this happen require massive computing power, such as when adding transactions to the blockchain or verifying them. Miners are the computers that complete these complex computations, and in payment for solving them first they receive newly created cryptocurrency. This cryptomining is the digital equivalent of the minting process.
Not surprisingly, cyber criminals are drawn to the money-making potential associated with mining – something Troy Mursch, an independent security researcher and creator of the Bad Packets Report, a website devoted to research on cryptojacking, botnets and other security topics, knows all too well.
“Cryptojacking typically happens after a website is compromised to inject cryptojacking malware. In most cases this malware is merely a few lines of JavaScript,” says Mursch. “Once it’s placed on the website, visitors to the site immediately begin mining cryptocurrency on behalf of the cybercriminal who placed it there. It can also be delivered in the form of an executable that targets servers rather than clients, but in both cases the outcome is the same: computing resources are hijacked by the malware, which directs CPU capacity to the mining process. And of course, all newly minted cryptocurrency – typically in the form of Monero that can’t be tracked – is then sent to the cybercriminal’s account.”
Using PRTG to detect cryptojacking malware
Last year Mursch was the first security researcher to discover cryptojacking malware on two very popular websites – CBS’s Showtime, and Politifact, a Pulitzer Prize-winning site that verifies the accuracy of politicians’ claims. Both were infected with Coinhive, which immediately commandeered 60 percent or more of visitors’ CPU capacity to mine Monero.
He also discovered a similar scheme that infected around 1,500 websites with a copy of the Coinhive cryptocurrency miner that was hidden in the JavaScript files used by LifeHelpNow, a live chat and customer support widget. Most of the sites infected were online shops or the homepages for private businesses.
In each case, Mursch used Paessler PRTG Network Monitor to find the offending malware. Using an HTTP Advanced sensor and remote probes, he was able not only to find the offending code but also to confirm when it was successfully removed.
“I’ve used PRTG to find and combat many high-profile cryptojacking incidents and a simple HTTP Advanced sensor is really all you need to monitor affected websites,” notes Troy. “It confirms the malware is there, tells you when an affected site is cleaned up, and confirms how long it was infected for. And perhaps most importantly, you can do all of this without going through the trouble of visiting a website that’s infected with malware.”
A system administrator’s nightmare
Mursch cautions that cryptojacking is a serious issue that all system administrators, particularly those that serve small and medium-sized businesses, should take very seriously. He recently used PublicWWW, a search engine that indexes the entire source code of websites, to gauge the seriousness of the problem.
What he discovered was disturbing. Mursch found more than 48,953 sites infected with cryptojacking malware, 7,368 of which were WordPress sites used primarily by small businesses.
“In addition to impacting consumers’ trust, or in the case of executables impacting businesses’ servers, the impact is always the same. Cryptojacking takes existing CPU resources and funnels it to the mining process. Given that some of these mining operations take place over months, affected businesses and consumers will see higher electric bills, far more wear and tear on hardware, lost productivity due to slow-performing networks and in some cases serious physical damage to devices,” he says.
“Mobile phones and tablets are particularly susceptible because they aren’t designed to run at peak CPU capacity for extended periods of time. When infected with cryptojacking malware, they can literally burn themselves up if left on a charger.”
Of course, all of this is further complicated by the fact that some websites are increasingly inserting Coinhive into browsers, and openly asking for visitors’ consent as a legitimate way to generate revenue in exchange for content, gaming or other services – something IT departments will increasingly need to address with policies that safeguard their IT infrastructure.
“As with all things in IT, visibility is key. If you see a server running at peak capacity for no reason, you immediately know there’s a problem. You can’t account for, let alone combat, threats you can’t see or don’t know of. PRTG isn’t a security tool, but it’s my favorite compliment to them. Besides monitoring malware and botnets, I also use it to monitor phishing sites, which I find and report to the hosting provider.”
Liability is another issue. With more cybercriminals launching cryptojacking campaigns that target hundreds and even thousands of websites simultaneously, Mursch feels it’s only a matter of time before the liability for cryptojacking becomes a serious issue.
“If your customer’s mobile device fails because it overheated while cryptomining without their consent because they visited your e-commerce site, it wouldn’t be inconceivable for them to look for compensation,” adds Mursch. “Most importantly, they might not want to visit your site again.”
Troy Mursch's tips
- Remember that without monitoring you are flying blind.
- Always be on the lookout for malware, whether it’s cryptojacking-oriented JavaScript or an executable that impacts your servers.
- Use remote probes. It’s important to look at your network from outside and inside.
- Use the non-security oriented data you get from your monitoring efforts to improve your network infrastructure and provide your users with greater service.
- Monitor, monitor, monitor...today’s increasingly complex networks require constant vigilance. You always want to be the first to know when a problem arises.
Get to know more happy PRTG customers
Customer success story PEAK Internet & PRTG
PRTG enables ISP PEAK Internet to provide a monetized service to monitor their customers’ networks and grow revenue. ➤ Read the complete customer success story now!
Customer success story ADITUS & PRTG
ADITUS ensures smooth operations at trade shows through reliable monitoring for cash registers, access systems, and visitor registration with PRTG. ➤ Read the complete customer success story now!
Customer success story Wire Technologies & PRTG
PRTG allows Wire Technologies to monitor temperature and humidity sensors in its server rooms to protect expensive hardware from environmental damage. ➤ Read the complete customer success story now!