961Host

AdBlocker Ultimate Inject Coinhive miner script into browser


After doing some research, I ended up at this conclusion:

Some companies are using CoinHive to mine in your browser without your knowledge. How did I know?

https://github.com/AliasIO/Wappalyzer/issues/1807

I have an add-on called WAPPALYZER; it shows what tech a site is made with. I noticed something confusing: all websites have the CoinHive plugin, EVEN GOOGLE. I was WHAT! No way it's a bug. I went to GitHub and opened an issue; someone told me maybe I am infected with it somehow. I was like, hmm, that seems logical.

 

On my computer I have these antiviruses (both are paid licenses):

  • Malwarebytes
  • ESET Smart Security

I am reporting that no one noticed it, but this is a big malware issue: they are using the COINHIVE API to USE your CPU to MINE!

I scanned many times, I disabled all my plugins, nothing!!!

2017-11-07_14-59-27.png

2017-11-07_14-59-39.png

firefox_2017-11-07_15-00-20.png

firefox_2017-11-07_15-49-05.png

Edited by 961Host


Hi 961Host :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt). You can attach them in your next post, or copy/paste their content.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/


I'm curious, if you install Wappalyzer in Google Chrome, do you get the same CoinHive detection(s)?


After long investigations on my browser, I came to a conclusion: the infection is from this add-on. When I enable it, it injects Coinhive into my browser. I know it is strange to believe that this particular add-on is causing all these problems; maybe no one will notice it, but thanks to WAPPALYZER I discovered it.

AdBlocker Ultimate

https://adblockultimate.net/

When I disabled this add-on and kept all other add-ons ON, the Coinhive script was gone.

After reporting this bug to the Wappalyzer GitHub repo, they had some problems: https://github.com/AliasIO/Wappalyzer/pull/1777#issuecomment-342202690

My guess is that the ADDON is free, and a lot of people, including me, trusted them; maybe this is one of the reasons why Wappalyzer added a lot of sites as false positives.

 


firefox_2017-11-08_02-16-51.png

firefox_2017-11-08_02-17-39.png

These are two screenshots, one before disabling the add-on and the other after (you can see the ad-blocker icon in the browser).

Edited by 961Host


Nice find! :)

To be honest, the only "adblocker" I trust is uBlock Origin, so I would suggest that you switch to it instead. Also, I'm going to boot up a VM real quick and see if I can reproduce the issue with Adblock Ultimate and Wappalyzer.


I can now be 100% sure that this plugin is causing the problem. I did the same thing on my Chrome browser (after installing it I updated some filters and restarted the browser), and look. I don't know if someone needs to warn them, or I don't know, it seems a huge number of people are infected, 80K! This is catastrophic! Malwarebytes should do something.

chrome_2017-11-08_07-14-48.png


I have reported this to the Firefox and Chrome communities, and Malwarebytes should take this into consideration: 80K people infected with the Coinhive script.

I tried to track and read all the plugin code, but they did a good job of hiding it; a lot of APIs are being used to get filters and things like data and JS files to load.

 


One of my colleagues tried to reproduce your issue, but couldn't. My VMs are also down at the moment, and I didn't have the time to fix them yesterday (on both my home desktop and work laptop), so I cannot test it either. As soon as I get them fixed (tonight hopefully) I'll work on reproducing your issue.


Hi 961Host,

Since this is a false positive on Wappalyzer's side, I guess we can consider this issue solved?


Good :)

Good job on reporting that issue to the right places as well! Hopefully the false positive will get fixed soon.

Stay safe!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.
