LinuxQuestions.org

Linux - Security: Countermeasures to free software that secretly uses CPU time to mine cryptocurrencies (https://www.linuxquestions.org/questions/linux-security-4/countermeasures-to-free-software-that-secretly-uses-cpu-time-to-mine-cryptocurrencies-4175661283/)

Ulysses_ 09-22-2019 12:53 AM

Countermeasures to free software that secretly uses CPU time to mine cryptocurrencies
 
They say if you think there is a free lunch, you are the lunch. Free proxy software such as psiphon MAY be an example. The CPU monitor often goes right up with this, even when you are not downloading anything. This is in Windows actually, but similar things happen in Linux with other freeware such as kproxy agent. It is not enough to run the software with a low priority; it still consumes power. How can we slow down the mining but hopefully not mess up the useful function?

Ser Olmy 09-22-2019 06:10 AM

What makes you believe either psiphon or kproxy agent contains secret cryptominer functionality? Such activity should be easy to spot by simply monitoring network traffic.

Proper Free Software ("free as in freedom") comes with source code that you can compile yourself. If there are no malicious components in the source code, there will be no malicious components in the generated executable.

Ulysses_ 09-22-2019 06:24 AM

They both appear high in CPU usage: if you type "top" in the Linux command line, they both show up with usage like 99% CPU in bursts of several seconds, even when you are not using them. With so much encrypted traffic going through when you do use them, it is easy to conceal in this traffic the results of mining.

ondoho 09-22-2019 06:31 AM

Quote:

Originally Posted by Ulysses_ (Post 6039274)
They both appear high in CPU usage: if you type "top" in the Linux command line, they both show up with usage like 99% CPU in bursts of several seconds, even when you are not using them. With so much traffic going through when you do use them, it is easy to conceal in this traffic the results of mining.

Ho-hum.
CPU usage has nothing to do with network traffic. The latter is what you need to test for.
To suspect every CPU spike caused by buggy (or stable) software to be an indicator of cryptomining, is ... erm, I struggle for non-offensive wording ... wrong.

Ser Olmy 09-22-2019 06:46 AM

Quote:

Originally Posted by Ulysses_ (Post 6039274)
They both appear high in CPU usage: if you type "top" in the Linux command line, they both show up with usage like 99% CPU in bursts of several seconds, even when you are not using them.

There could be any number of reasons why this is happening. A secret cryptomining component is not the most likely explanation by far, considering that mining is extremely CPU-intensive so you'd never get anything useful done by hogging the CPU for a second or two at irregular intervals.

"There are spikes in CPU usage, therefore cryptominers" doesn't make much sense as an argument.
Quote:

Originally Posted by Ulysses_ (Post 6039274)
With so much encrypted traffic going through when you do use them, it is easy to conceal in this traffic the results of mining.

Not really, because the miner would have to stay in regular contact with a stratum server somewhere.

Given that hidden cryptominers are a fairly common and well-known problem, you'd think that a concerned user or a security researcher would have found such a component by now, especially considering that psiphon is in fact free software that anyone can analyze and compile themselves, and kproxy agent is a Java application that can easily be decompiled using a number of freely available decompilers.

Ulysses_ 09-23-2019 12:23 PM

Quote:

you'd never get anything useful done by hogging the CPU for a second or two at irregular intervals.
Bursts of several seconds is what was written, not a second or two. Proxy software that uses 100% of CPU 100% of the time and brings everything else to a crawl would not be very popular, would it? Let alone successful at hiding its secret purpose.

On the networking issue: I do not know much about crypto mining, but the premise that it needs CONTINUOUS network access can't be right. Mining is related to searching for prime number pairs or something akin to that; it's a mathematical problem. Progress made can be "published", i.e. included in the blockchain, every minute maybe, or far less frequently if need be. And critically, in the context of proxy software, which is really tunneling software that you access from a local proxy, you cannot sniff anything useful on the network because ALL data, legitimate or not, travels encrypted through the same tunnel, and it is trivial to pass secret data along with legitimate data the next time the user uses the proxy. Which won't take too long; we are all using the web a lot.

Ulysses_ 09-23-2019 01:04 PM

Let's suppose the software is extremely buggy. We still want countermeasures to its bugginess. It is consuming electricity. Maybe pausing it when no traffic is sent or requested by the user. Can an iptables rule help? Here's how to pause and resume a process:

kill -TSTP $PID_OF_PROCESS

kill -CONT $PID_OF_PROCESS

ondoho 09-23-2019 02:08 PM

Quote:

Originally Posted by Ulysses_ (Post 6039850)
Let's suppose the software is extremely buggy. We still want countermeasures to its bugginess. It is consuming electricity. Maybe pausing it when no traffic is sent or requested by the user. Can an iptables rule do that?

I know practically nothing about iptables, at least not first hand, but even so I'm 99.9% sure that the answer is NO.

jefro 09-23-2019 10:05 PM

Iptables along with a number of other "best practices" can help you avoid this sort of malware.

Free software that comes from sources that may be less than honest.

Ulysses_ 09-24-2019 02:57 AM

Quote:

Originally Posted by ondoho (Post 6039870)
I'm 99.9% sure that the answer is NO.

Need I say not directly? I probably know even less about iptables and yet I can imagine an ugly and unstable way to do it by reading the system log. And having rules that write to the log before accepting the packets. New log entry detected, it means time to resume kproxy. No log entries for a while, it means time to suspend. The first time you attempt to go to a site fails when kproxy is suspended but the attempt awakens kproxy and the second attempt succeeds and that is why I call it unstable. Someone must have better ideas.
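The log-driven scheme sketched in the post above (and the kill -TSTP / kill -CONT pair from the earlier post), written out as an added example that is not code from the thread. It assumes a placeholder iptables rule that logs every packet sent to the local proxy port with the prefix "PROXY_IN: " and that the kernel log is readable from LOG_FILE; PROXY_PORT, the prefix and the file path are assumptions, not values from the page.

```sh
#!/bin/sh
# Added example, not code from the thread: pause a local proxy while no client
# talks to it and wake it as soon as iptables logs a packet to its port.
# Assumed placeholders (not from the page): a rule such as
#   iptables -I INPUT -i lo -p tcp --dport PROXY_PORT -j LOG --log-prefix "PROXY_IN: "
# writes one kernel-log line per packet, readable from LOG_FILE.
LOG_PREFIX="${LOG_PREFIX:-PROXY_IN: }"
LOG_FILE="${LOG_FILE:-/var/log/kern.log}"
POLL_SECS="${POLL_SECS:-2}"      # how often the log is re-checked
IDLE_LIMIT="${IDLE_LIMIT:-30}"   # seconds without a logged packet before pausing

# Number of log lines carrying the prefix; 0 when the file is missing/unreadable.
count_proxy_lines() {
    n=$(grep -c -F -- "$LOG_PREFIX" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Pure decision step (testable without root or iptables).  Args: previous count,
# current count, seconds idle, state (running|paused). Prints resume/pause/none.
decide_action() {
    d_prev=$1; d_cur=$2; d_idle=$3; d_state=$4
    if [ "$d_cur" -gt "$d_prev" ] && [ "$d_state" = paused ]; then
        echo resume
    elif [ "$d_cur" -le "$d_prev" ] && [ "$d_idle" -ge "$IDLE_LIMIT" ] \
         && [ "$d_state" = running ]; then
        echo pause
    else
        echo none
    fi
}
# SIGSTOP rather than the thread's SIGTSTP: TSTP can be caught or ignored by
# the target, STOP/CONT are enforced by the kernel.
pause_proc()  { kill -STOP "$1"; }
resume_proc() { kill -CONT "$1"; }

# Poll loop; the proxy's PID is the only argument.
watch() {
    pid=$1; state=running; idle=0
    prev=$(count_proxy_lines "$LOG_FILE")
    while kill -0 "$pid" 2>/dev/null; do
        sleep "$POLL_SECS"
        cur=$(count_proxy_lines "$LOG_FILE")
        if [ "$cur" -gt "$prev" ]; then idle=0; else idle=$((idle + POLL_SECS)); fi
        case $(decide_action "$prev" "$cur" "$idle" "$state") in
            resume) resume_proc "$pid" && state=running ;;
            pause)  pause_proc "$pid"  && state=paused ;;
        esac
        prev=$cur
    done
}
if [ -n "${1:-}" ]; then watch "$1"; fi
```

While the proxy is stopped the kernel still completes TCP handshakes on its listening socket, so the first client request after a pause stalls for up to POLL_SECS rather than being refused, which is the instability the post describes.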

Ulysses_ 09-24-2019 03:03 AM

Can an iptables rule delay a packet for a few seconds?

rnturn 11-03-2019 06:41 PM

Quote:

Originally Posted by ondoho (Post 6039281)
To suspect every CPU spike caused by buggy (or stable) software to be an indicator of cryptomining, is ... erm, I struggle for non-offensive wording ... wrong.

Indeed. Just traveling to some web sites can peg the CPU. Everyday browsing would have you checking for surreptitious mining all the time. Heck, at the moment, both of my desktop CPU cores are running at 50%-60% and I'm positive that closing the correct browser tab will fix that by killing some darned video that is automatically playing.

Logging outbound packets via iptables might help, but I shudder to think about the size of the log files produced and that the traffic associated with mining would be lost in the huge amount of information -- thinking of the end of 'Raiders of the Lost Ark' here -- that'd be logged unless you suspended all other, normal activity while you were looking for suspicious traffic. If you were a smart miner, you'd wait some random amount of time after any CPU intensive work to transmit results so as to remove, or at least limit, the ability to correlate CPU and network traffic.

Ulysses_ 11-22-2019 01:13 PM

Now I saw your post, rnturn. I run both examples of software in their own VMs and the browser in a separate VM. So it is easy to tell with certainty when the browser is the culprit causing the CPU fans to speed up. Psiphon always goes 100% CPU when you disconnect the virtual ethernet cable, irrespective of the presence of the browser VM. Probably it does some polling trying to reconnect and does it way too frequently. At other times, it's high in CPU % even if the browser VM is suspended, so it's definitely not the client traffic that is causing these intervals of high CPU activity.

Psiphon is supposed to be open-source but trying to build it I discovered the source code they give is 4 years old, needs a little "hack" to complete the build as a hop to put off programming newbies, fails to get a list of servers to connect to from psiphon's site, and psiphon ignored my email about it. So the current version is firmly proprietary but marketed as open-source - a big red flag. Saw an ad where they are looking to recruit hacker-tier developers if that says anything. Here's a damning analysis of their software from a security and privacy auditing service:

https://www.hybrid-analysis.com/samp...nvironmentId=4

After all the above, it is not unreasonable to suspect mining is a possibility. Not sure why you believe mining requires high network bandwidth, a miner is not a normal node but maybe you know better.

ntubski 11-22-2019 10:15 PM

Quote:

Originally Posted by Ulysses_ (Post 6060794)
Psiphon is supposed to be open-source but trying to build it I discovered the source code they give is 4 years old

https://github.com/Psiphon-Inc/psiphon-windows has "Latest commit 10 days ago".

Quote:

Here's a damning analysis of their software from a security and privacy auditing service:

https://www.hybrid-analysis.com/samp...nvironmentId=4

This kind of automated analysis is close to meaningless.

(this is the first I've heard of this Psiphon software though, no idea what it's good for, I cannot vouch for it)
