
Cryptojacking block for Windows XP


wyxchari

Hi. I have just discovered that there are internet pages that use 100% of your processor via JavaScript to generate money for the website without your permission.
Example of a JavaScript mining website: http://www.elitegol.me
It is not dangerous; simply, while visiting that website, the processor is set to 100% and consumes more electricity. The latest versions of Firefox and Chrome are already protected, but the latest versions for Windows XP, which are Firefox 52.6.0esr and Chrome 49.0.2623.112m, are not.
Website to test Windows XP browsers: https://cryptojackingtest.com
To block the mining, extensions can be installed. One that I have tried and that works well in FF and Chrome for XP is called Mining blocker.

Edited by wyxchari


My observations :ph34r::

  • Your browser version doesn't really matter, all you need to get "You're protected" is somehow blocking coinhive.com and coin-hive.com.
  • This can be done in any browser by running a regular adblocker like uBlock Origin, etc., I don't see much need for specialized addons.
  • While raising awareness is commendable in itself, the cryptojackingtest.com site seems to be more about advertising Opera (specifically its built-in adblocker) than serious testing for cryptojacking protection. In my opinion, actually mining cryptocurrency on the site (instead of just checking if it could be done) is a pretty questionable move, even if they claim to donate the proceeds.
  • Edit: If Opera were the ones behind this site, I don't see why they'd register this domain anonymously - this is starting to look like a clever ruse to use people to mine a bit under the guise of an awareness campaign. Apparently the site is referenced in Opera's official blog so it should be legit. It's still weird that they'd use a domain privacy service instead of registering the domain with their official contact information. :rolleyes:
Edited by mixit

8 hours ago, Tangy said:

The one I have been using is called NO COIN. I did that test and I am protected.

I tried that one in my Firefox 52.6.0esr and it blocked well, but the icon stays blocked with an exclamation mark even if I keep surfing. That's why you can "Mining blocker."
The malicious JavaScript file is called "/adsensebase.js" for "elitegol.me", in case you want to block it in Adblock, but any web page can change its name and it does not have to be hosted on a certain website.

Edited by wyxchari

@wyxchari You are correct, domains and especially script file names can always be changed. And since Mining Blocker simply blocks the following sites:


and any script URLs containing any of the following strings:


and any scripts containing:


It would seem pretty easy to bypass it by renaming (also easy to get something useful blocked because of false positives).

Since Mining Blocker has only 7,898 installs versus 13,424,117 for Adblock Plus and 5,111,703 for uBlock Origin, I'd rather rely on blocker extensions with a massive user base, because their blocklists are likely to be up to date more quickly. :yes: Also, with Mining Blocker you currently have to update the extension itself just to get an updated blocklist. :rolleyes: The only "feature" Mining Blocker has is that upon installation it attempts to stop any mining scripts already running - useful if for some reason you don't like to restart the browser. :whistle:

(I looked at Mining Blocker because I was curious what interesting tricks they might use to detect mining scripts, not to be contrary with you. :) Based on these results, I'm afraid most of the "specialized" anti-mining extensions would similarly turn out to be not terribly useful subsets of full-blown adblocker functionality.)

Edited by mixit
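
The two limits described in the post above (a renamed script slips past name-based rules, and a broad keyword blocks something useful) can be measured by running a rule set over labelled samples. This is an added example, not Mining Blocker's code: the glob matcher, keyword lists and sample scripts are constructed, and only coinhive.com, coin-hive.com and the /adsensebase.js file name come from the thread.

```javascript
// Constructed rules in the three styles the post describes:
// URL globs, substrings of the script URL, substrings of the script body.
const URL_PATTERNS = ['*://coinhive.com/lib*', '*://coin-hive.com/lib*'];
const URL_KEYWORDS = ['coinhive', 'coin-hive'];
const BODY_KEYWORDS = ['coinhive', 'miner']; // hypothetical keywords

// Turn a glob where '*' matches any run of characters into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$', 'i');
}

// Return the name of the rule layer that blocks the script, or null if allowed.
function classify(script) {
  const url = script.url.toLowerCase();
  const body = script.body.toLowerCase();
  if (URL_PATTERNS.some((p) => globToRegExp(p).test(script.url))) return 'url-pattern';
  if (URL_KEYWORDS.some((k) => url.includes(k))) return 'url-keyword';
  if (BODY_KEYWORDS.some((k) => body.includes(k))) return 'body-keyword';
  return null;
}

// Constructed samples; `mining` is the ground-truth label used for scoring.
const SAMPLES = [
  { url: 'https://coinhive.com/lib/worker.js', body: '', mining: true },
  { url: 'https://site.example/adsensebase.js', body: 'hashLoop(threads);', mining: true },
  { url: 'https://shop.example/js/geology.js', body: 'const minerals = ["quartz"];', mining: false },
  { url: 'https://shop.example/js/cart.js', body: 'addToCart(item);', mining: false },
];

// Score the rule set: what it caught, what it missed, what it blocked wrongly.
function evaluate(samples) {
  const report = { caught: [], missed: [], falsePositives: [] };
  for (const s of samples) {
    const reason = classify(s);
    if (s.mining && reason) report.caught.push(s.url);
    else if (s.mining) report.missed.push(s.url);
    else if (reason) report.falsePositives.push(`${s.url} (${reason})`);
  }
  return report;
}

console.log(evaluate(SAMPLES));
```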

48 minutes ago, mixit said:

Mining Blocker ... Adblock plus...

You're right. I use BOTH because "Adblock plus" with updated lists did not block "elitegol.me", which I visit a lot. I can add custom filters and in fact I have about 500 additions. For me it is easy to see advertising on a website, use the context menu to inspect the element, copy the HTML and paste it into the custom filters. The problem is that it is not practical, on each website you enter, to check the CPU usage to know whether mining is going on. As Adblock plus does not work for me at the moment, I ALSO use "Mining blocker", which is specialized, although I know that in the background it does the same as Adblock plus.
Greetings.


Edited by wyxchari

Well, it's certainly possible that the big guns don't always cover everything, I just figure they'd generally get more input because of how many users they have. I think you'd get the same result if you added the Mining Blocker rules to ABP. It's slow enough as is even without using another blocker on top of it (had to move to uBO myself for better speed, even though I prefer ABP's interface).
