Most malware is all about money, and last year’s rise in the value of cryptocurrencies created an incredible opportunity for malware authors.
Rather than build botnet armies that they hoped to rent to spammers or DDoS networks, they could build them to directly generate real money and cut out the middleman.
So, that’s what happened. Starting around the first of the year, global spam volumes dropped by nearly 50% as botnets around the world were repurposed as cryptominers.
In-browser mining, where a web page runs a miner in the visitor's browser for as long as the tab stays open, sometimes comes with an appeal to the user ("support this site by sharing your computer"); much more often it does not, Jerome Segura, head of investigations at Malware Intelligence, writes in a blog post.
Here are three actionable tips for handling this newest menace.
1. Everything You Already Know Still Mostly Applies
Cryptomining is just another kind of malware, which means the normal tools you deploy to block and clean up malware infections still help. In-browser mining presents a new challenge, though: the miner is JavaScript served by a web page, not a binary written to disk, so an anti-malware tool that only inspects files and processes may never see it. Detecting and blocking it typically requires a product with web-filtering or browser-extension coverage for mining scripts.
K–12 IT managers should review their anti-malware tool lists and work with software authors to be sure that their preferred products are offering the coverage they need for both traditional malware and in-browser mining tools.
Another gut punch for K–12 managers: in-browser mining is cross-platform, which means that Mac OS X and Linux users are just as much at risk. The combination of a high non-Windows population along with a cultural bias against installing anti-malware tools on those platforms adds up to a big security hole.
K–12 IT managers need to revisit their non-Windows anti-malware strategy to be sure that Mac and Linux users are properly protected. If protection is mandatory, then auditing is in order; if protection is optional for student computers, then this may be the time to launch a user education campaign about the dangers of malware.
2. Network-based Protections Help, but Don’t Solve the Problem
A miner earns nothing on its own: it has to fetch work from, and submit results to, a mining pool, which for in-browser miners usually means a WebSocket connection to a proxy run by the mining service, the miner's Command and Control (C&C) endpoint. Network-level protections break that exchange and stop the conversion of electricity into cash. The traditional approach is to use a network-based Intrusion Prevention System (IPS) to identify outbound connections to known cryptomining domains and block or alert on that traffic.
That approach still works, provided the IPS vendor has added the approximately 2,000+ browser-based cryptomining C&C domains and associated applications to its signature database and keeps the list current, since mining services rotate their proxy domains and the set changes quickly. K–12 IT managers should review their network-based IPS protections and verify that in-browser mining C&C is being properly detected.
However, remember that simply blocking access to the C&C domains doesn’t actually solve the malware problem—systems are still infected and users are still engaging in risky behaviors. An IPS block on C&C needs to be accompanied by some action, such as a notification or in-person visit (for smaller schools) to help the user clean up their infected system.
In the case of intentional mining, notifications can help students understand the negative consequences to the school caused by their actions. K–12 teams should regularly review IPS logs and combine the review with end-user notification about when and why a block occurred. This is the only way to actually change user behaviors, help users understand what’s wrong with their personal computers, and give them the information they need to solve the problem.
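As an added illustration (not code from the article or from any IPS vendor), here is a small Python scanner that does the two things described above over an outbound-connection log: it flags connections to hosts covered by a mining-domain list, flags payloads that carry mining-protocol messages even when the host is not yet listed, and groups the hits per client so that each notification names the machine and the hosts involved. The log format, the domains (under the reserved .test TLD) and the sample lines are constructed; the protocol field names are a heuristic based on the Stratum-style login/job/submit exchange, not a vendor signature.

```python
"""Scan an outbound-connection log for cryptomining traffic (added example)."""
import json
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed stand-in for the mining-domain signatures an IPS would load;
# real feeds hold thousands of entries and change daily. The .test TLD is
# reserved for documentation, so these names never resolve.
MINING_DOMAINS = {"pool.coinminer.test", "ws.minerproxy.test"}

# Heuristic vocabulary of Stratum-style pool messages: the client logs in,
# receives "job" messages (blob, target, job_id) and returns "submit"
# messages (nonce, result). Content matching catches proxies on hosts
# the domain feed does not list yet.
MINING_METHODS = {"login", "auth", "job", "submit"}
MINING_PARAM_KEYS = {"job_id", "blob", "target", "nonce", "login", "site_key"}


class Alert(NamedTuple):
    timestamp: str
    client: str
    host: str
    reason: str


def blocklisted_parent(host: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering host (itself or any parent), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def looks_like_mining_message(payload: str) -> bool:
    """True if a captured payload is a JSON mining-protocol message."""
    try:
        msg = json.loads(payload)
    except (ValueError, TypeError):
        return False
    if not isinstance(msg, dict):
        return False
    # Stratum clients use "method"; browser miners have used "type".
    method = msg.get("method") or msg.get("type")
    params = msg.get("params")
    if method not in MINING_METHODS or not isinstance(params, dict):
        return False
    return bool(set(params) & MINING_PARAM_KEYS)


def parse_line(line: str):
    """Constructed log format: ts<TAB>client<TAB>host:port<TAB>payload (payload optional)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3:
        return None
    host = parts[2].rsplit(":", 1)[0]
    payload = parts[3] if len(parts) > 3 else ""
    return parts[0], parts[1], host, payload


def scan_log(lines, blocklist: Set[str] = MINING_DOMAINS) -> List[Alert]:
    """One alert per line that hits the domain list or carries a mining message."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host, payload = parsed
        hit = blocklisted_parent(host, blocklist)
        if hit:
            alerts.append(Alert(ts, client, host, f"known mining domain ({hit})"))
        elif looks_like_mining_message(payload):
            alerts.append(Alert(ts, client, host, "mining-protocol message to unlisted host"))
    return alerts


def alerts_by_client(alerts: List[Alert]) -> Dict[str, Set[str]]:
    """Group hits per client so each user gets one notification naming the hosts involved."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a.client].add(a.host)
    return dict(grouped)


# Constructed sample log: one known-domain hit, one content hit, two benign lines.
SAMPLE_LOG = [
    "2018-03-01T10:02:11Z\t10.20.4.17\teu.pool.coinminer.test:443\t",
    "2018-03-01T10:02:12Z\t10.20.4.9\twww.example.org:443\t",
    '2018-03-01T10:02:13Z\t10.20.4.33\tcdn.newproxy.test:8892\t{"type":"submit","params":{"job_id":"1","nonce":"a1b2c3d4","result":"00ff"}}',
    '2018-03-01T10:02:14Z\t10.20.4.9\tchat.example.org:443\t{"type":"ping","params":{"seq":1}}',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print(alerts_by_client(scan_log(SAMPLE_LOG)))
```

The parent-domain match matters in practice: a feed entry of pool.coinminer.test also covers eu.pool.coinminer.test, which is how mining services spread load across hosts. The content heuristic is deliberately separate from the domain list, since the list lags behind domain churn; in a real deployment it would run on a proxy or IDS that sees the decrypted WebSocket payload.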
3. DNS-based Protections May be a Good Addition
DNS-based filtering services, such as OpenDNS and Quad9, advertise their ability to block connections to malicious domains. To use them, IT managers hand out the service's resolver addresses through DHCP, backed by firewall rules that redirect (or drop) port-53 traffic from clients that override the DHCP default with a resolver of their own. Such rules only catch plain DNS on port 53; a client that carries its lookups over a VPN or DNS over HTTPS bypasses them.
In theory, these types of services would be perfect complements to network-based IPS, working in concert to block lookups of known cryptomining domains and malware sources.
In practice, there’s a lack of efficacy data and third-party testing showing coverage in areas such as cryptomining. DNS filtering has also been criticized by organizations such as ISOC for creating collateral damage and fragmentation of the Internet. In environments such as K–12, DNS filtering can be a difficult tool to wield.
K–12 IT managers who have already chosen to implement DNS-based filtering should enable cryptomining categories for their school. Where DNS filtering services are not already in place, local modifications, including adding known cryptomining domains to a local DNS block list in school DNS resolvers, will help to reduce the impact of this malware.
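The following Python script, added here as an example rather than taken from the article or any DNS-filter product, turns a raw domain feed into resolver configuration for the local-block-list option above: it normalizes feed entries, refuses entries that would cause the collateral damage mentioned earlier (a whole public suffix, or a domain the school depends on), collapses subdomains already covered by a listed parent, and emits both an Unbound local-zone fragment and a BIND response-policy zone. The feed excerpt, the allowlist and the tiny public-suffix set are constructed assumptions; a real deployment would load the Public Suffix List and the vendor's feed.

```python
"""Build resolver block-list config from a raw cryptomining-domain feed (added example)."""
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed: names the school depends on, never to be blocked whatever a feed says.
ALLOWLIST = {"example.edu", "login.example.com"}

# Constructed stand-in for the Public Suffix List; blocking one of these
# wholesale would take down every site under it.
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "co.uk", "test"}


def normalize(entry: str) -> str:
    """Turn a feed line (domain, URL, host:port, mixed case, trailing dot)
    into a bare lowercase domain; comments and blank lines become ''."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return ""
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    # Strip path and port (IPv6 literals are not expected in a domain feed).
    entry = entry.split("/")[0].split(":")[0]
    return entry.lower().rstrip(".")


def suffixes(domain: str) -> List[str]:
    """'a.b.c' -> ['a.b.c', 'b.c', 'c']"""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def build_blocklist(feed: Iterable[str], allow: Set[str] = ALLOWLIST) -> Tuple[List[str], List[str]]:
    """Return (domains to block, entries rejected for manual review)."""
    domains = {d for d in map(normalize, feed) if d and "." in d}
    rejected = {d for d in domains
                if d in PUBLIC_SUFFIXES or any(s in allow for s in suffixes(d))}
    safe = domains - rejected
    # A listed parent already covers its subdomains, so drop the redundant entries.
    kept = [d for d in sorted(safe) if not any(s in safe for s in suffixes(d)[1:])]
    return kept, sorted(rejected)


def unbound_config(domains: Iterable[str]) -> str:
    """Unbound local-zone lines; always_nxdomain answers NXDOMAIN for the name
    and everything beneath it (newer Unbound releases; older ones can use 'static')."""
    return "".join(f'local-zone: "{d}." always_nxdomain\n' for d in domains)


def rpz_zone(domains: Iterable[str], serial: int = 2018030101) -> str:
    """BIND response-policy zone: 'CNAME .' rewrites the answer to NXDOMAIN,
    and the wildcard record covers every subdomain."""
    head = [
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. ({serial} 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    body = [f"{d} CNAME .\n*.{d} CNAME ." for d in domains]
    return "\n".join(head + body) + "\n"


# Constructed feed excerpt exercising each normalization and rejection path.
FEED = """
# mining-domain feed (constructed)
pool.coinminer.test
https://WS.minerproxy.test:8892/proxy
eu.pool.coinminer.test.
miner.example.edu
co.uk
com
"""

if __name__ == "__main__":
    kept, rejected = build_blocklist(FEED.splitlines())
    print("rejected for review:", rejected)
    print(unbound_config(kept))
    print(rpz_zone(kept))
```

The rejected list is the important output for a school: an entry like miner.example.edu may be a genuinely compromised host, but blocking it automatically from a third-party feed is exactly the collateral damage ISOC warns about, so it goes to a person rather than straight into the resolver. Reload the resolver after writing the fragment, and keep the feed refresh on a schedule, since a stale block list is the DNS equivalent of the stale IPS signature problem.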