anti-mining malware measures

A recent article on heise (https://www.heise.de/ratgeber/Mining-Parasiten-erkennen-und-loswerden-4198965.html) outlined how one can investigate a possible infection of a mining trojan on one’s computer. Typical symptoms of such an infection include a high CPU usage (usually resulting in the fan spinning despite running no high-load applications).

The general way to go on about this is to identify the process causing the high load and terminating it. On Windows, the OS-included application to use for that is TaskManager, on MacOS it’s Activity Monitor. On Windows platform, one other freely available tool is ProcessExplorer by Sysinternals.
Using those tools, it’s easy to list the running processes, sort them by CPU percentage and terminating them.

There is a serious limiting factor to this solution, however.

As malware creators are also getting more proficient, some of them include checks in the malware binaries which terminate the mining processes as soon as tools resp. their process names such as Taskmgr.exe, Activity Monitor or procexp64.exe are detected running.

The article therefor recommends to rename the binaries and running them again. This way, the malware will not suspend its activity and can easily be identified and subsequently be terminated.

On earlier Windows platforms, copying taskmgr.exe and renaming it was straightforward. On Windows 10 however, a renamed Task Manager binary does not display any data – I’m still trying to figure this one out.

Renaming procexp64.exe however is straight-forward. Extract the binary from the downloaded zip file, rename it and off you go.

On macOS Mojave (10.14.x) and High Sierra (10.13.x), Activiy Monitor can be renamed as follows:
Open the Utilities folder
Copy and paste Activity Monitor (provide an administrator password if asked)
From the context menu of the copied item, select “Rename”
From the context menu of the renamed item, select “Show Package Contents”
In the subfolder MacOS, rename Activity Monitor
In the Contents folder, open Info.plist
Change the following strings to the name you chose: Executable file, Bundle name, Bundle display name

Run the renamed Activity Monitor binary by running the Unix executable in the folder MacOS

Tags: , , , ,

Comments are closed.