Coinhive.com – Malware or not?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L3 Networker

Recently, our colleagues from Unit 42 published some research on Unauthorized Coin Mining in the Browser.  (It’s an interesting read, a bit technical, but I’d recommend taking a look at it.) Essentially, some web sites utilize scripts that can take over some of the processing power on the machines of web site visitors without their permission. These scripts are called cryptominers and the “borrowed” processing power is used to mine for cryptocurrencies. If a significant amount of a visitor’s CPU power is used, it could potentially slow their system down to a crawl.

 

Coinhive.com is a site that offers a javascript tool that web site owners can use for cryptomining. Our URL Filtering service deems this URL as benign within the Computer and Internet Info category, but we’ve heard from many customers who believe this URL to be malware and have requested the URL to be categorized as such.

 

The specific domain of coinhive.com itself is not malicious.  It is in fact providing information on how to mine for coins via browsers.  Therefore, it is simply providing information and tools.  We cannot categorize this as malware for this reason – it is not engaging in any malicious activity.  Could you consider what it does as “suspect” and “shady”?  Yes, you can.  But it is not delivering malware.  Also, there are legitimate reasons why someone would visit coinhive.com.  One is for research purposes, and we have seen multiple change requests coming in from various .edus requesting coinhive.com be marked as benign. 

 

That said, there are subdomains of coinhive.com that we do categorize as malware because cryptominers are active on those URL’s. These include ws008., ws012., and ws016. to name a few. Palo Alto Networks protects against this with our URL Filtering service blocking those sites. We also provide a spyware signature (Threat ID: 11850) enabled through our Threat Prevention service.

 

So while we are not classifying coinhive.com as malware and blocking it, we are doing so with any subdomains where we are seeing dubious activity. We take a similar approach with some of the popular file sharing services available (DropBox, Box, Google Drive, etc). These services are commonly used to deliver malware through the files they store – however that malware comes from very specific URLs. We categorize those specific URLs as malware, but we do not categorize the domain itself as malware. 

 

We hope this offers some good insight into our thinking here, thanks for reading!

 

1 Comment
  • 23768 Views
  • 1 comments
  • 3 Likes
Register or Sign-in
Labels