How to identify a bitcoin-miner trojan?

Status
Not open for further replies.

VulkanDX

Prominent
Jul 22, 2017
1
0
510
0
Hello, i hope this is the right section, today with the raise of bitcoin a particular variant of Trojans starting to appear often which mine bitcoin, ofcourse, the real threat comes with these Trojans injecting themselves into another process, and running very stealthy (not using too much resources, not running 24/7, and completely marked safe by pretty much every anti-virus), and my question is, how may one identify a bitcoin Trojan running? it will most likely use the GPU , are there tools to inspect GPUs to tell which process is controlling it for example?
 
Most of the available anti-malware/anti-virus apps will detect and remove these threats. Even if using the GPU, these protection apps can detect them.

Another tell-tale sign of a hi-jacked GPU is high use/heat when it should be idle. You can see this via Task Manager, HWMointor, and Speccy, to name a few ways to assess.
 
Most of the available anti-malware/anti-virus apps will detect and remove these threats. Even if using the GPU, these protection apps can detect them.

Another tell-tale sign of a hi-jacked GPU is high use/heat when it should be idle. You can see this via Task Manager, HWMointor, and Speccy, to name a few ways to assess.
 

Avast-Team

Respectable
Mar 3, 2017
225
0
2,160
52
Can confirm that AV/anti-malware can be an effective method to prevent and detect these threats. Our threat labs has been aware of several mining schemes that we have been blocking, here's more information on them that might help you to spot miners:

https://blog.avast.com/arenavision-mines-cryptocurrency-monero-using-visitors-browsers-without-their-knowledge

https://blog.avast.com/ladies-and-gentlemen-prepare-your-cpu-web-browser-mining-is-coming

(On a side note, Avast has several methods that can help detect this kind of unwanted behavior, including CyberCapture and Behavior Shield, in real-time. I can fill you in or provide a link if you are curious.)
 
Jun 15, 2018
1
0
10
0
I use Autoruns from Microsoft.

I found that dllhost.exe was being used to piggy-back a file called MicrosoftRuntimeUpdate.vbe ,
This file was the guilty crypto mining trojan.

My Solution was to end the task running.
Open the .vbe file in notepad
Added a few digits and letters in the code to render it useless.
Saved the file without changing the filename.
Marked file as 'read-only'
Restart.

Result: positive. the file is no longer running at startup
My Reason for using this bizarre method: the .vbe file cannot be overwritten with an identical filename from the web.
 
Status
Not open for further replies.
Thread starter Similar threads Forum Replies Date
C Antivirus / Security / Privacy 1
L Antivirus / Security / Privacy 1
R Antivirus / Security / Privacy 1
K Antivirus / Security / Privacy 2
i-am-L Antivirus / Security / Privacy 1
G Antivirus / Security / Privacy 0
A Antivirus / Security / Privacy 13
W Antivirus / Security / Privacy 2
PamyW2 Antivirus / Security / Privacy 1
T Antivirus / Security / Privacy 1
G Antivirus / Security / Privacy 5
T Antivirus / Security / Privacy 1
I Antivirus / Security / Privacy 4
7 Antivirus / Security / Privacy 8
I Antivirus / Security / Privacy 1
5hadowking115 Antivirus / Security / Privacy 3
5hadowking115 Antivirus / Security / Privacy 3
5hadowking115 Antivirus / Security / Privacy 8
sadab0 Antivirus / Security / Privacy 3
S Antivirus / Security / Privacy 14

ASK THE COMMUNITY