How Kaspersky Lab products protect against miners

December 20, 2017

Cryptocurrencies, ICOs, and the mysterious blockchain are all the rage at the moment. But if you think all this “crypto” isn’t your business, we have bad news: You are its business, big time. In fact, this year has seen the value of many cryptocurrencies skyrocket. And whereas before, cybercrooks were merely interested in them, now they are obsessed.

What’s a miner?

Even if you’ve never had a cryptowallet and have no idea why you’d need one, you’re still on cybercriminals’ radar: You have a computer on which cryptocurrencies can be mined — digitally produced with the help of special mining software.

Actually, the word “miner” refers both to the people who mine cryptocurrencies and to the programs used to do it (see this post for the lowdown on mining). You can install such software yourself — and use it for your own benefit.

But there might be a miner on your device without your knowledge — it could’ve been installed by an attacker who somehow gained access to your computer or smartphone. If so, it will mine cryptocurrency on your device for their profit and at your expense. This is known as hidden mining.

Explainer: Bitcoin mining

Why do AVs detect miners?

“So what,” you might say. “It’s no skin off my nose. It’s not stealing anything. Let it do its thing.” But mining for someone else is no good for you or your computer. Here’s why:

  • Mining is a very resource-intensive process. It essentially overloads the processor and video card, slowing down the machine, so you might experience lags and freezes while trying to use it for everyday tasks.
  • The load on the processor and video card not only impacts performance, but also greatly increases power consumption. With a miner working, a computer consumes about five times as much as it would just being used by the average office worker. The electricity bill won’t make for pleasant reading.
  • The excessive load won’t help the circuitry either — it could put the device permanently out of action.

Hidden miners basically feed off your computer, like a parasite. So, you’ll thank your AV for blocking miners and protecting your motherboard, your electricity costs, and your sanity.

On the flip side, you could install your own miner and mine cryptocurrency for yourself. Your antivirus can’t always determine who or what installed a miner. If, for example, Kaspersky Internet Security or another Kaspersky Lab product is sure that it wasn’t you who did it, it detects the miner as a Trojan and prevents it from running. And if it’s not sure, it still detects the miner, but as not-a-virus — that is, it draws your attention to the miner’s presence in the system but doesn’t classify it as full-blooded malware.

Not-a-Virus: What is it?

If you knowingly installed a miner and don’t need AV notifications about it, you can disable them. To do so, in Kaspersky Internet Security’s settings, select Additional followed by Threats and Exclusions, and clear the Detect other software check box. The AV will stop looking for nonmalicious miners in the system. Incidentally, the check box is cleared by default.

What is a Web miner, and how does it differ from an ordinary miner?

As if miners weren’t enough, you should also know about Web miners. A Web miner is essentially a script hosted on a website. When a user visits the site, the script runs in the browser and starts mining cryptocurrency.

Such scripts can be embedded either by the site’s webmaster (to monetize the site), or by an attacker who has gained administrative access to the site. In both cases, whoever installed the Web miner gets the money; those who created the miner earn a fee.

The principal difference between Web miners and ordinary miners is that Web miners do not require the installation of any additional programs on the computer; everything happens directly in the browser window. From an AV’s perspective, it might look like a normal browser tab simply consuming a lot of resources.

But the computer slows down and the fan whirs — and the next electricity bill is a shock. Web miners also work on smartphones and tablets, and that’s where they are a real threat: The increased load might cause the device to overheat and irreversibly damage some of its components.

Kaspersky Lab experts predict that Web miners could be 2018’s most common threat. In 2017 our security solutions stopped the launch of Web miners on more than 70 million occasions, and the use of such scripts is only set to rise. The most common Web miner, and the one used in the vast majority of cases, is CoinHive.

From ransomware to Web miners

How do Kaspersky Lab products protect you from Web miners?

To detect a Web miner, the security solution on the computer must know what’s going on in the browser. This feature was only partially implemented in Kaspersky Internet Security 2017, but in Kaspersky Internet Security 2018 and our other next-generation products, including the latest version of Kaspersky Free, it works in all cases.

So if you have any of our latest security solutions installed, rest assured that the AV will find and stop all Web miners.

And although in some cases ordinary miners can be installed by users on purpose, Web miners are most certainly intrusive and need to be blocked. Therefore, Kaspersky Internet Security 2018 identifies Web miners as malware and blocks them in all cases, regardless of whether the Detect other software check box is selected.

In 2018, Web miners are set to become more widespread. Therefore, we recommend that you:

  • Install a reliable security solution. Kaspersky Internet Security protects against both Web miners and ordinary miners, and against Trojans looking to download miners onto your computer as well.
  • If you already use security solutions from Kaspersky Lab, update them to the latest version. It’s free, and you’ll be even better protected.