Countermeasures to free software that secretly uses CPU time to mine cryptocurrencies
They say if you think there is a free lunch, you are the lunch. Free proxy software such as psiphon MAY be an example. The CPU monitor often goes right up with this, even when you are not downloading anything. This is in Windows actually, but similar things happen in Linux with other freeware such as kproxy agent. It is not enough to run the software with a low priority; it still consumes power. How can we slow down the mining but hopefully not mess up the useful function?
What makes you believe either psiphon or kproxy agent contains secret cryptominer functionality? Such activity should be easy to spot by simply monitoring network traffic.
Proper Free Software ("free as in freedom") comes with source code that you can compile yourself. If there are no malicious components in the source code, there will be no malicious components in the generated executable.
They both appear high in CPU usage; for example, if you type "top" in the Linux command line they both show up with usage like 99% CPU in bursts of several seconds even when you are not using them. With so much encrypted traffic going through when you do use them, it is easy to conceal the results of mining in this traffic.
CPU usage has nothing to do with network traffic. The latter is what you need to test for. To suspect every CPU spike caused by buggy (or stable) software to be an indicator of cryptomining is ... erm, I struggle for non-offensive wording ... wrong.
"There are spikes in CPU usage, therefore cryptominers" doesn't make much sense as an argument.
Given that hidden cryptominers are a fairly common and well-known problem, you'd think that a concerned user or a security researcher would have found such a component by now, especially considering that psiphon is in fact free software that anyone can analyze and compile themselves, and kproxy agent is a Java application that can easily be decompiled using a number of freely available decompilers.
On the networking issue: I do not know much about crypto mining, but the premise that it needs CONTINUOUS network access can't be right. Mining is related to searching for prime number pairs or something akin to that; it's a mathematical problem. Progress made can be "published", i.e. included in the blockchain, every minute maybe, or far less frequently if need be. And critically, in the context of proxy software, which is really tunneling software that you access from a local proxy, you cannot sniff anything useful on the network because ALL data, legitimate or not, travels encrypted through the same tunnel, and it is trivial to pass secret data along with legitimate data the next time the user uses the proxy. Which won't take too long; we are all using the web a lot.
Let's suppose the software is extremely buggy. We still want countermeasures to its bugginess. It is consuming electricity. Maybe pausing it when no traffic is sent or requested by the user. Can an iptables rule help? Here's how to pause and resume a process:
kill -TSTP $PID_OF_PROCESS   # pause (stop) the process
kill -CONT $PID_OF_PROCESS   # resume it
Iptables along with a number of other "best practices" can help you avoid this sort of malware.
Free software that comes from sources that may be less than honest.
Can an iptables rule delay a packet for a few seconds?
Logging outbound packets via iptables might help, but I shudder to think about the size of the log files produced and that the traffic associated with mining would be lost in the huge amount of information -- thinking of the end of "Raiders of the Lost Ark" here -- that'd be logged unless you suspended all other, normal activity while you were looking for suspicious traffic. If you were a smart miner, you'd wait some random amount of time after any CPU-intensive work to transmit results so as to remove, or at least limit, the ability to correlate CPU and network traffic.
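Putting the OP's pause/resume idea together with rnturn's point about correlating CPU and network activity, here is an added example (not code from Psiphon, kproxy agent or any poster in this thread) of a small Linux throttle: it samples a process's CPU time from /proc/PID/stat and the transmitted bytes of a network interface from /proc/net/dev, and sends SIGSTOP for a while whenever the process has been burning CPU for several intervals without sending anything. The PID, the interface name, the thresholds and the two sample series in the file are assumptions or constructed data, not measurements from anyone's machine. The decision rule is kept in a pure function so it can be checked offline; the constructed PIGGYBACK series shows the limit rnturn describes, since a process that only transmits while ordinary traffic is flowing never shows a silent window and is not throttled.

```python
"""Throttle a suspect process when it burns CPU while sending nothing.

Added example for this thread, not code from Psiphon, kproxy agent or any
poster. Assumes a Linux /proc filesystem, a PID and interface name that you
supply, and that the process's outbound traffic leaves through that interface.
"""
import os
import signal
import sys
import time


def cpu_ticks(pid):
    """Return user+system clock ticks consumed by PID so far (/proc/PID/stat)."""
    with open(f"/proc/{pid}/stat") as f:
        # Split after the ')' that closes the comm field, so a space in the
        # process name cannot shift the field positions.
        fields = f.read().rsplit(")", 1)[1].split()
    return int(fields[11]) + int(fields[12])  # utime and stime (fields 14, 15)


def tx_bytes(iface):
    """Return bytes transmitted on IFACE so far (/proc/net/dev)."""
    with open("/proc/net/dev") as f:
        for line in f:
            name, _, counters = line.partition(":")
            if name.strip() == iface:
                return int(counters.split()[8])  # 9th counter is TX bytes
    raise ValueError(f"interface {iface!r} not found")


def classify(samples, cpu_thresh=50.0, window=3):
    """Decide 'pause' or 'run' for each (cpu_pct, tx_delta_bytes) sample.

    'pause' when the last WINDOW samples all exceed CPU_THRESH with no bytes
    sent, i.e. CPU work that produces nothing for the user. Otherwise 'run'.
    """
    decisions = []
    for i in range(len(samples)):
        recent = samples[max(0, i - window + 1):i + 1]
        idle_burn = len(recent) == window and all(
            cpu >= cpu_thresh and tx == 0 for cpu, tx in recent)
        decisions.append("pause" if idle_burn else "run")
    return decisions


# Constructed sample series (one entry per 2 s interval), not measured anywhere.
# A burst that sends nothing for three intervals trips the rule ...
IDLE_BURN = [(5, 100), (90, 0), (95, 0), (99, 0), (98, 0), (10, 500)]
# ... but work whose output rides along with normal user traffic (rnturn's
# delayed-transmit point) never shows a silent window and is not caught.
PIGGYBACK = [(90, 300), (95, 0), (97, 400), (92, 0), (96, 250)]


def watch(pid, iface, interval=2.0, pause_secs=10.0, **policy):
    """Sample PID and IFACE every INTERVAL seconds; SIGSTOP PID when classify()
    says 'pause', SIGCONT after PAUSE_SECS. SIGSTOP is used instead of the
    SIGTSTP from the thread because a process may catch or ignore SIGTSTP."""
    hz = os.sysconf("SC_CLK_TCK")
    samples = []
    t0, b0 = cpu_ticks(pid), tx_bytes(iface)
    while True:
        time.sleep(interval)
        t1, b1 = cpu_ticks(pid), tx_bytes(iface)
        cpu_pct = 100.0 * (t1 - t0) / hz / interval
        samples.append((cpu_pct, b1 - b0))
        t0, b0 = t1, b1
        print(f"cpu={cpu_pct:5.1f}% tx={samples[-1][1]}B")
        if classify(samples, **policy)[-1] == "pause":
            print(f"pausing {pid} for {pause_secs}s")
            os.kill(pid, signal.SIGSTOP)
            time.sleep(pause_secs)
            os.kill(pid, signal.SIGCONT)
            samples.clear()  # start a fresh window after the throttle
            t0, b0 = cpu_ticks(pid), tx_bytes(iface)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: throttle.py PID IFACE")
    watch(int(sys.argv[1]), sys.argv[2])
```

Run it as `python3 throttle.py <pid> <iface>` from an account allowed to signal the target. Because /proc/net/dev counts the whole interface, any other process sending on the same interface keeps the suspect running, which is acceptable in the OP's setup of one program per VM but would need a per-process traffic source (for example iptables owner-match counters) on a shared host.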
Now I saw your post, rnturn. I run both examples of software in their own VMs and the browser in a separate VM. So it is easy to tell with certainty when the browser is the culprit causing the CPU fans to speed up. Psiphon always goes to 100% CPU when you disconnect the virtual Ethernet cable, irrespective of the presence of the browser VM. It probably does some polling trying to reconnect and does it way too frequently. At other times, it's high in CPU % even if the browser VM is suspended, so it's definitely not the client traffic that is causing these intervals of high CPU activity.
Psiphon is supposed to be open-source, but trying to build it I discovered the source code they give is 4 years old, needs a little "hack" to complete the build as a hoop to put off programming newbies, fails to get a list of servers to connect to from psiphon's site, and psiphon ignored my email about it. So the current version is firmly proprietary but marketed as open-source - a big red flag. Saw an ad where they are looking to recruit hacker-tier developers, if that says anything. Here's a damning analysis of their software from a security and privacy auditing service: https://www.hybrid-analysis.com/samp...nvironmentId=4 After all the above, it is not unreasonable to suspect mining is a possibility. Not sure why you believe mining requires high network bandwidth; a miner is not a normal node, but maybe you know better.
(This is the first I've heard of this Psiphon software though; no idea what it's good for, I cannot vouch for it.)