Detecting Monero Miners with Bpftrace

192 points | philkuz | 4 years ago | blog.px.dev

84 comments

garaetjjte|4 years ago

>If these cryptojackers were to mine Bitcoin or Ethereum, their transaction details would be open to the public, making it possible for law enforcement to track them down

That doesn't actually matter at all. Monero is used for these purposes probably just because it's mineable only on CPU, thus viable to mine on ordinary hardware. (Bitcoin requires ASICs and Ethereum high-end GPUs.)

anonporridge|4 years ago

Yep. Monero is explicitly designed to remain CPU mineable, so that theoretically it remains more decentralized and mined by individuals rather than an industrial complex like bitcoin and ethereum have become.

Counterintuitively, I think this also makes it more susceptible to nation state attacks, since you can easily deputize fleets of existing CPUs to 51% attack the network, whereas no nation state on the planet can easily get enough sha256 ASIC miners to attack bitcoin, not even accounting for the enormous electricity requirements to sustain a destructive attack.

Then again, the consolidation of bitcoin mining as an industry is also a systemic risk compared to millions of individuals in the network mining. Tradeoffs.

Scoundreller|4 years ago

My employer does a pretty good job of giving us terrible hardware so the thought of mining on it is self-discouraging.

They have no problems giving us space heaters though.

As largely a joke, I sometimes fire up monero mining on my laptop at home because the average proceeds exceed electricity cost, even though it’ll take me about a decade to ever get a block. The heat is just cake icing.

selestify|4 years ago

> even though it’ll take me about a decade to ever get a block

Why don't you join a pool to get some of that average payout?

alfonmga|4 years ago

I feel bad about this because I wrote an article[0] about how to hide Monero miners on Linux systems. Sometimes I ask myself if I should unpublish it, as probably some of the criminals doing this type of attack found it helpful.

[0] https://alfon.xyz/posts/hiding-cryptominers-linux

brobinson|4 years ago

Skimmed the article. Looks nice. Good colors and formatting throughout.

Don't delete it.

Hiding processes and tidying up the CPU time (adding it to System Idle Process on Windows, etc.) is Rootkits 101. This technique has been documented in books for 15+ years. If they don't get the info from you, they'll get it somewhere else just as easily.

striking|4 years ago

You could remove references to crypto without changing the rest of the article. That way the cool educational bits remain, and helping bad people do bad things with very very little effort is gone.

0xdeadb00f|4 years ago

Who cares? It's not your duty to police the net.

nigma1337|4 years ago

Great article, I'd keep it up. As another commenter says, this is mostly rootkits 101 stuff.

I'm wondering, how would one go about finding one of these rootkits? Looking through loaded kernel modules for anything "weird"?

EDIT: I should really start reading the articles before going to comments; how to find these is literally what the article is about.

teruakohatu|4 years ago

How much search engine traffic does that article get?

a_bonobo|4 years ago

Overheard this from HPC people: 'it's easy to detect cryptominers on the system, it's the only software that uses the nodes efficiently'

unnouinceput|4 years ago

Title is somehow misleading. This is not about uncovering Monero users in the wild and exposing those who are criminals, as I first believed when reading the title. This is about detecting an unwanted Monero miner on your system. But if you're already pwned to the point that an unwanted process is already running on your system, a Monero miner is the least of your worries.

jakelazaroff|4 years ago

That's not necessarily true. You could be a cloud provider offering compute resources within a container, for example.

bigiain|4 years ago

It's a bit buried, but the article says:

"We want to detect traces of RandomX (the CPU-intensive mining function for Monero) running on a cluster."

This isn't for "Has someone rooted my laptop and started mining Monero on it", this is for "Have any of the nodes in my cluster (of potentially thousands of machines) been rooted and had Monero miners dropped on them." Your comment about being pwned totally applies to your container orchestration or hypervisor though...

badrabbit|4 years ago

I just use a list of mining pool domains. Works well.
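A defender-side sketch of the domain-list approach this comment describes, added here as an example (not code from the post or from the article it discusses): it scans constructed dnsmasq-style DNS query log lines for names under a constructed list of pool domains, matching on DNS labels so that a lookalike such as notpool.example-xmr.test is not a false hit. The pool domains, hostnames and client addresses are all placeholders.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed list of mining-pool domains (placeholders, not real pool hostnames).
POOL_DOMAINS = {
    "pool.example-xmr.test",
    "mine.example-monero.test",
}

# Constructed dnsmasq-style query log lines for the demonstration.
SAMPLE_LOG = """\
Feb 23 10:01:02 node7 dnsmasq[412]: query[A] pool.example-xmr.test from 10.0.3.14
Feb 23 10:01:05 node7 dnsmasq[412]: query[A] updates.example.test from 10.0.3.14
Feb 23 10:02:11 node9 dnsmasq[412]: query[A] eu.mine.example-monero.test from 10.0.3.22
Feb 23 10:02:40 node9 dnsmasq[412]: query[A] notpool.example-xmr.test from 10.0.3.22
Feb 23 10:03:01 node9 dnsmasq[412]: query[AAAA] POOL.EXAMPLE-XMR.TEST from 10.0.3.30
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")


def matches_pool(name: str, pools: Iterable[str] = POOL_DOMAINS) -> Optional[str]:
    """Return the pool domain that `name` equals or is a subdomain of, else None.

    Comparison is label-by-label and case-insensitive, so a naive suffix match
    like "notpool.example-xmr.test" ~ "pool.example-xmr.test" does not fire.
    """
    labels = name.lower().rstrip(".").split(".")
    for pool in pools:
        plabels = pool.lower().split(".")
        if len(labels) >= len(plabels) and labels[-len(plabels):] == plabels:
            return pool
    return None


def find_pool_queries(log_text: str, pools: Iterable[str] = POOL_DOMAINS) -> List[Tuple[str, str, str]]:
    """Scan query log lines; return (client, queried name, matched pool) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        _qtype, qname, client = m.groups()
        pool = matches_pool(qname, pools)
        if pool:
            hits.append((client, qname.lower().rstrip("."), pool))
    return hits


if __name__ == "__main__":
    for client, qname, pool in find_pool_queries(SAMPLE_LOG):
        print(f"{client} queried {qname} (pool list entry: {pool})")
```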

m00dy|4 years ago

How can we detect it inside the browser?

crecker|4 years ago

I do not think it's possible to mine using RandomX and a browser.

From docs:

> Web mining is infeasible due to the large memory requirement and the lack of directed rounding support for floating point operations in both Javascript and WebAssembly.

So you can do whatever you want, but you will end with nothing.

devops000|4 years ago

Monero is not anonymous anymore as soon as you want to convert to fiat.

vmception|4 years ago

It's been over half a decade since that stopped mattering, for me.

I've bought goods and services directly with Monero plenty of times. I've paid invoices that the merchant put in Bitcoin, while using a third party to pay in Monero, which the third party then paid in Bitcoin.

Now in the 2020s I can swap Monero directly to SECRET network, a Tendermint/Cosmos blockchain where all smart contract executions are private (such as the amount and quantity of your ERC20-style wrapped Monero), allowing further bridging over to the EVM ecosystem for all the liquid DeFi trading activities, and Tornado Cash if desired.

And the times when I use KYC to convert it to fiat, I haven't cared either. I like that the OTC desk or exchange doesn't even receive the address I sent from, much more similar to wiring from another bank account, where the receiving bank can't look at all your prior records and balances at the source of money and just has to assume the other place is compliant. It should be obvious that someone with an illicit source of their Monero will need to reintegrate their value into the broader economy first, so that they can account for it properly. With access to the entire DeFi ecosystem now, that is extremely easy.

All crypto users should restore that level of privacy.

algorade|4 years ago

It is easy to sell your Monero for fiat anonymously using a service like localmonero.co. There is also a growing parallel economy where you can buy goods and services directly with your Monero and avoid selling anything for fiat. For example, I have bought domain names using XMR on nja.la.

rosndo|4 years ago

So? Monero also makes it trivial to create a fake paper trail for the origins of your money.