Skip to content

Top Best Ask Show New Jobs

Detecting Monero Miners with Bpftrace (opens in new tab)

(blog.px.dev)

192 pointsphilkuz4y ago84 comments

84 comments

37 comments · 9 top-level

garaetjjte4y ago· 7 in thread

>If these cryptojackers were to mine Bitcoin or Ethereum, their transaction details would be open to the public, making it possible for law enforcement to track them down

That doesn't actually matter at all. Monero is used for these purposes probably just because it's mineable only on CPU, thus viable to mine on ordinary hardware. (Bitcoin requires ASIC and Ethereum high-end GPU)

anonporridge4y ago

Yep. Monero is explicitly designed to remain CPU mineable, so that theoretically it remains more decentralized and mined by individuals rather than an industrial complex like bitcoin and ethereum have become.

Counterintuitively, I think this also makes it more susceptible to nation state attacks, since you can easily deputize fleets of existing CPUs to 51% attack the network, whereas no nation state on the planet can easily get enough sha256 ASIC miners to attack bitcoin, not even accounting for the enormous electricity requirements to sustain a destructive attack.

Then again, the consolidation of bitcoin mining as an industry is also a systemic risk compared to millions of individuals in the network mining. Tradeoffs.

22c4y ago

Supposedly one of the "worst kept secrets" of Monero is that a lot of the network is being "secured" by, essentially, botnets. Miners who are unaware that they are participating in the network.

I guess the controllers of these botnets seem to agree that there's no reason to kill the cash cow and (aside from the fact that they're running a botnet) don't tend to act maliciously towards the network.

technofiend4y ago

>Monero is explicitly designed to remain CPU mineable

You're not wrong, but it can be and is mined on GPUs. Not sure about the payback period though because it is very CPU sensitive and the top benchmarks are for AMD's EPYC processors which don't come cheap. An i9-12k handily mines several times more than an Nvidia GPU so GPU mining payback is also potentially slow.

At least according to the online guides it's also a losing proposition relative to the costs of electricity. So then allegedly the only way to profitably mine it is on someone else's energy and maybe their hardware too. For anyone truly seeking anonymity it seems like far less work to buy Monero from a localcoin vendor rather than mint your own, unless you have a lot of free time and hardware on your hands. Which may explain why antivirus software assumes if you're mining with xmrig, you've been pwned.

> no nation state on the planet can easily get enough sha256 ASIC miners to attack bitcoin

What if you set up several sock puppet mining pools, all supposedly independent and in competition with each other, and beat the existing pools on fees by enough that miners join you en masse? That would take some investment on your end as you would have to run pool infrastructure at a loss. But if you are a nation state, it's not a huge investment. You don't need to have any mining hardware of your own if you offer miners better returns for the use of their hardware than the other pools do.

Once your pools, taken together, have a dominant share of miners, I would think you could run a 51% attack without ever acquiring a single ASIC. The reputation of your pools will not survive but I think you could complete a 1 hour attack (reversing 6-conf transactions) before you lose the miners.

Would this work?

Hjfrf4y ago

51% just doesn't feel like a meaningful threat model when governments can instead prevent exchanges offering monero pairs from accessing banking services in their country/currency.

That's based on the pretty big assumption that there's a lot of under-utilized hardware being slaved to some central government authority, which by definition it probably isn't.

I would bet more on cloud infrastructure providers being able to do better than nation-states in a CPU takeover of an ASIC-resistant network like Monero.

Motivations aside, it still comes down to cost though, and without any handwaving, Monero just isn't that important to take over.

ETH doesn't require a high end gpu. It is typically more ROI efficient with something like a RX470 8gb, which is a 5 year old piece of tech.

ethash, the algo ETH uses, is memory controller bound (aka: memory hardness), not compute bound.

https://www.vijaypradeep.com/blog/2017-04-28-ethereums-memor...

alfonmga4y ago· 7 in thread

I feel bad about this because I wrote an article[0] about how to hide Monero miners on Linux systems. Sometimes I ask myself if I should unpublish it as probably some of the criminals doing this type of attacks found it helpful.

[0] https://alfon.xyz/posts/hiding-cryptominers-linux

brobinson4y ago

Skimmed the article. Looks nice. Good colors and formatting throughout.

Don't delete it.

Hiding processes and tidying up the CPU time (adding it to System Idle Process on Windows, etc.) is Rootkits 101. This technique has been documented in books for 15+ years. If they don't get the info from you, they'll get it somewhere else just as easily.

philkuzOP4y ago

That article is very interesting! Looks like a similar approach to: https://sysdig.com/blog/hiding-linux-processes-for-fun-and-p...

I wouldn't feel bad about it. The article provides info for security experts about a potential attack vector that exists. That doesn't change if you unpublish the post.

Keep it up!

You could remove references to crypto without changing the rest of the article. That way the cool educational bits remain, and helping bad people do bad things with very very little effort is gone.

0xdeadb00f4y ago

Who cares? It's not your duty to police the net.

nigma13374y ago

Great article, i'd keep it up, as another commenter says, this is mostly rootkits 101 stuff.

I'm wondering, how would one go about finding one of these rootkits? Looking through loaded kernel modules for anything "weird"?

EDIT: I should really start reading the articles before going to comments, how to find these is litterally what the article is about..

teruakohatu4y ago

How much search engine traffic does that article get?

I don't know exactly how much traffic it gets because I don't do any type of tracking.

I frequently receive emails from anonymous persons asking for help and even some of them are willing to pay me to set up it for them… so you can imagine what these last ones are using it for.

devops0004y ago· 6 in thread

Monero is not anonymous anymore as soon as you want to convert to fiat.

vmception4y ago

It's been over half a decade since that stopped mattering, for me.

I've bought goods and services directly with Monero plenty of times. I've paid invoices that the merchant put in Bitcoin, while using a third party to pay in Monero, which the third party then paid in Bitcoin.

Now in the 2020s I can swap Monero directly to SECRET network, a Tindermint/Cosmos blockchain where all smart contract executions are private (such as the amount and quantity of your erc20-style wrapped Monero), allowing further bridging over to the EVM ecosystem for all the liquid DeFi trading activities, and Tornado cash if desired.

and the times when I use KYC to convert it to fiat, I haven't cared either. I like that the OTC desk or exchange doesn't even receive the address I sent from, much more similar to wiring from another bank account, where the receiving bank can't look at all your prior records and balances at the source of money and just has to assume the other place is compliant. it should be obvious that someone with an illicit source of their Monero will need to reintegrate their value into the broader economy first, so that they can account for it properly. with access to the entire DeFi ecosystem now, that is extremely easy.

all crypto users should restore that level of privacy.

ElonMuskrat4y ago

> It's been over half a decade since that stopped mattering, for me.

It's certainly going to matter come tax season to businesses which are/will be forced to convert Monero to local fiat.

> I've bought goods and services directly with Monero plenty of times. I've paid invoices that the merchant put in Bitcoin, while using a third party to pay in Monero, which the third party then paid in Bitcoin.

What exactly do you buy with Monero?

devops0004y ago

What are advantages of doing all those steps using Monero instead Fiat? I understand that you can hide your trances but if you buy legits things, who cares?

It is easy to sell your Monero for fiat anonymously using a service like localmonero.co There is also a growing parallel economy where you can buy goods and services directly with your Monero and avoid selling anything for fiat. For example, I have bought domain names using XMR on nja.la.

rosndo4y ago

So? Monero also makes it trivial to create a fake paper trail for the origins of your money.

devops0004y ago

When you will receive the bank wire from the exchange you need to provide to IRS the source of income. What will you say to them?

m00dy4y ago· 4 in thread

How can we detect it inside the browser ?

blacksmith_tb4y ago

Detect, or block? There are a few options for blocking, if you run uBlock Origin[1] the Resource Abuse list covers many.

1: https://github.com/gorhill/uBlock

m00dy4y ago

Detect. How can we detect js-implemented monero miner inside a browser ? E.g. Is chrome dev tools exposing vm internals like in the blog post ?

I do not think it's possible to mine using RandomX and a browser.

From docs: > Web mining is infeasible due to the large memory requirement and the lack of directed rounding support for floating point operations in both Javascript and WebAssembly.

So you can do whatever you want, but you will end with nothing.

So? implement soft float and round any way you please. Slow? Sure. But don’t say “infeasible”.

Scoundreller4y ago· 2 in thread

My employer does a pretty good job of giving us terrible hardware so the thought of mining on it is self-discouraging.

They have no problems giving us space heaters though.

As largely a joke, I sometimes fire up monero mining on my laptop at home because the average proceeds exceed electricity cost, even though it’ll take me about a decade to ever get a block. The heat is just cake icing.

selestify4y ago

> even though it’ll take me about a decade to ever get a block

Why don't you join a pool to get some of that average payout?

Scoundreller4y ago

Why pay a percentage?

unnouinceput4y ago· 2 in thread

Title is somehow misleading. This is not about uncovering Monero users in the wild and exposing them which are criminals, as I first believed when reading the title. This is about detecting unwanted Monero miner on your system. But if you're already pwned that an unwanted process is already running on your system, a Monero miner is the least of your worries.

jakelazaroff4y ago

That's not necessarily true. You could be a cloud provider offering compute resources within a container, for example.

It's a bit buried, but the article says:

"We want to detect traces of RandomX (the CPU-intensive mining function for Monero) running on a cluster. "

This isn't for "Has someone rooted my laptop and started mining Monero on it", this is for "Have any of the nodes in my cluster (of potentially thousands of machines) been rooted and had Monero miners dropped on them." Your comment about being pwned totally applies to your container orchestration or hypervisor though...

Overheard this from HPC people: 'it's easy to detect cryptominers on the system, it's the only software that uses the nodes efficiently'

wanderer_4y ago

Now they just need to do it with the chip's EM signature like in that PoC a few weeks ago...

https://hackaday.com/2022/01/19/identifying-malware-by-sniff...

_8j504y ago

I just use a list of mining pool domains. Works well.

j / k navigate · click thread line to collapse