Bitcoin Forum
September 07, 2024, 05:24:57 AM *
1  Alternate cryptocurrencies / Mining (Altcoins) / Re: Mining XMR on: January 18, 2022, 09:43:30 AM
xmrig from this source looks very suspect.

hXXXs://github.com/xmrig/xmrig/releases/
xmrig-6.16.2-gcc-win64.zip

It uses several anti-debugging techniques and it opens up a remote desktop to receive a console connection and creates foreign user credentials.
It looks like it opens new processes through DCOM with RPC to bypass security policies.
There is weird activity in the registry as well.

I cannot promise it's malware but it sure looks like it.
I would not dare to run this on a secure system.
2  Alternate cryptocurrencies / Mining (Altcoins) / Re: GMiner v2.74 Ethash(LHR unlock)/KAWPOW/Equihash/CuckooCycle on: January 18, 2022, 09:28:30 AM
Hello,

I'm new to using Gminer. I used the DL link from Github directly from this forum. I successfully ran the program on 2 rigs starting about 4 days ago. When I went to get it again for my main rig it came up with a warning Trojan:Win32/TrickBot!ml and the infected file was the miner.exe. Is this normal? It didn't pop up on the other 2 downloads from a couple days ago. Just wondering what I should do? Thanks!

If you downloaded it from GMiner's link on the first page you are fine. It happens quite often that antivirus programs give trojan/virus alarms with mining software, but you should always take care where you download your miner from. In other words always download from the link provided by the miner on the first page.

We are all not idiots and know where to download the right gminer software. So let's stop redirecting people to the right place for downloading. Let's focus on the main question:

Version 2.70 doesn't show viruses but all after that are marked as malware? Why?
Could you share with us which piece of code is the difference between the versions and is the reason to be detected as a virus?

I can't confirm this.

Virustotal says:
2.74 = 17 security vendors flagged this file as malicious
2.70 = 24 security vendors flagged this file as malicious
2.66 = 24 security vendors flagged this file as malicious

So it is normal, I think.

Results for the lolminer 1.38 for example show me 29 security vendors and 1 sandbox flagged this file as malicious.

What is the software used for your tests? I was talking about checking the gminer with Virustotal - check that 2.70 doesn't show viruses but 2.74 shows - this is on Virustotal - that's why I asked to show the code that makes this difference between the 2 versions.

Did you read my post? I checked it with Virustotal. All versions are flagged as malicious. You can test every miner and you will get a malicious flag.
Phoenixminer are flagged by 43 security vendors XD

Gminer 2.70 results

Here is my result! The difference is because you are using the Windows version of gminer - I use the Linux one! In Linux there is a difference between version 2.74 and 2.70 (the first one is flagged as a virus, 2.70 is clean - check the link). The last Phoenixminer version under Linux also doesn't show viruses! I don't care about Windows (the empire of evil), it is viruses by default.


Gminer 2.70 results

The point is, the malicious detection can change with every version, because of new code inside. The T-Rex miner Linux version also shows as malicious.
You must see the overall point, and not start Linux and Windows bashing, it is senseless.
Why should they do other stuff in the Linux version than in the Windows version? But you say you don't care about the Windows version, so you don't care about anyone - selfish?
Virustotal cannot scan the Linux miner file completely by the way, only 56 of 65 security vendors.
I don't care about Linux, but I am here to discuss it. If you have problems with the malicious detection, use another miner or go back to 2.70.

Don't spread FUD, this will help no one.

I just took a quick look at it, it does look suspicious.

It uses anti-debugging techniques and parts of the binary are packed.
Just like it's trying to hide something... Question is why, it's open source so why try to evade debuggers and pack the binary?
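Added here as an illustration, not code from the thread or from any miner project: a small Python triage script that measures per-window Shannon entropy of a file, the usual first check behind the "parts of the binary are packed" observation above. The 7.2 bits/byte threshold and 4 KiB window are rule-of-thumb assumptions; the sample "binary" is constructed inline so the script runs offline.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 4096, threshold: float = 7.2):
    """Return (offset, entropy) for every fixed-size window above `threshold`.

    Compressed or encrypted payloads typically score above ~7.2 bits/byte,
    while plain x86 code usually sits around 5.5-6.5. A hit is a triage
    signal, not proof of malice: legitimate UPX-packed tools and installers
    score just as high, so the result should prompt closer inspection
    (sections, imports, provenance of the download), not a verdict.
    """
    hits = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits


def packed_ratio(data: bytes, window: int = 4096, threshold: float = 7.2) -> float:
    """Fraction of windows that look packed; near 1.0 means the whole file is."""
    total = max(1, -(-len(data) // window))  # ceiling division
    return len(high_entropy_regions(data, window, threshold)) / total


# Constructed sample, not a real miner: four windows of repetitive code-like
# bytes (a short x86 prologue/epilogue) followed by four windows of
# deterministic pseudo-random bytes standing in for a packed section.
_CODE_LIKE = (b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x5d\xc3" * 1500)[:4 * 4096]
_rng = random.Random(7)
_PACKED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4 * 4096))
SAMPLE_BINARY = _CODE_LIKE + _PACKED_LIKE

if __name__ == "__main__":
    for off, h in high_entropy_regions(SAMPLE_BINARY):
        print(f"offset 0x{off:06x}: {h} bits/byte (possible packed region)")
    print(f"packed ratio: {packed_ratio(SAMPLE_BINARY):.2f}")
```

To run it on a downloaded archive or executable, replace SAMPLE_BINARY with the file's bytes; a ratio near 1.0 on a ZIP is expected (the container is already compressed), so extract first and scan the executable inside.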