20

So, a network administrator friend and I were discussing bitcoin mining. With so many portable bitcoin mining programs around, we wanted to find the different ways to detect them on the network.

How can we detect if a certain host is running bitcoin mining software? All the different miners I tried are portable. They can be saved and executed independent of their path, ruling out the Program Files and bin folders.

Any more ideas as to how we can detect bitcoin mining?

techraf
Metahuman
  • Do you actually care about bitcoin mining? Or do you care about computers burning unnecessary electricity? Perhaps you could check CPU/GPU load if you're actually interested in the latter. – CodesInChaos Feb 14 '13 at 17:26
  • If you see some of your coworkers suddenly driving around in a Porsche then it is time to check if he is mining, otherwise why would it bother you anyway, jealousy or greed? I would check the consumption of electricity to fetch a miner. – Feb 15 '13 at 06:35
  • @times - not sure bitcoin mining can make you rich. Trading, possibly. Mining, not so much. – Rory Alsop Feb 15 '13 at 13:20
  • You could use a thermometer. Anything running at over 150C is suspect. – tylerl Feb 15 '13 at 19:36
  • @CodesInChaos I was looking to conserve electricity. – Metahuman Feb 18 '13 at 09:13
  • @RoryAlsop And with mining on general purpose hardware not specifically designed for bitcoin it is even less likely to become rich. – kasperd Jan 13 '16 at 17:57

4 Answers

13

You can look for traffic patterns and the like, but there's significant crossover between the crowd that mines bitcoins, the crowd that knows how Tor works and the crowd that goes to amazing lengths to protect their privacy. That means: detection on the network isn't all that reliable. That it doesn't use a whole lot of bandwidth makes it especially hard.

What they likely can't hide is CPU and GPU usage. If you have access to the machine via SNMP, you can remotely watch for CPU spikes, or you can use the Get-Process PowerShell cmdlet against the machines on your network to look for things running up CPU time. For GPU time, you're not that likely to be able to actually spot the usage unless you can somehow monitor power draw.

Unfortunately, since you allow people to install software they want to arbitrary paths, you're not likely to be able to come up with a reliable, repeatable method - the people you're looking for could change miner, change path, etc. to change their signature.

techraf
Bob Watson
  • CPU/GPU usage is unreliable. If they have a screensaver running BOINC the load is always 100% – Feb 15 '13 at 08:17
  • I'm guessing in an environment where mining is frowned upon, BOINC is in a similar basket. – Bob Watson Feb 15 '13 at 08:39
  • @BobWatson, unfortunately, SNMP has been disabled in our environment for its obvious security issues. I agree with you about software installation rights. Any other way you could think of? – Metahuman Feb 18 '13 at 09:14
8

Packet Inspection: getwork is the main, official protocol for mining. One might be able to create an l7-filter pattern to mark the packets and drop them. I also wouldn't be surprised if the big-$ bandwidth management devices like Sandvine can detect getwork.

However, most mining is pooled. It seems that the ways this is accomplished are pretty diverse. Some pools even have their own custom clients. They probably use a wide variety of different network protocols.

Additionally, the mining malware could just tunnel through SSH, TOR, etc. to bypass this sort of strategy.

AV: In my experience, AV products at least make an effort to maintain signatures for different mining software: example

Cory J
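As an added illustration of the packet-inspection idea (this is not code from the answer above), here is a Python check in the spirit of an l7-filter pattern: it matches the getwork JSON-RPC call inside an HTTP POST body and runs it over constructed sample flows. The hosts, addresses and payloads are made up for the example, and it assumes each request arrives in a single payload.

```python
import json
import re

# Pattern in the spirit of an l7-filter rule: a JSON-RPC call whose "method"
# is getwork, anywhere in the payload. Whitespace around the colon is allowed.
GETWORK_PATTERN = re.compile(rb'"method"\s*:\s*"getwork"')

def is_getwork_request(payload: bytes) -> bool:
    """True if a raw TCP payload looks like a getwork JSON-RPC call over HTTP.

    Assumption: the whole HTTP request is in one payload; a real inspector
    would have to reassemble the TCP stream first.
    """
    if not GETWORK_PATTERN.search(payload):
        return False
    # False-positive filter: must be an HTTP POST with a JSON body whose
    # method field really is getwork (not, say, a web page quoting the word).
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return False
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") == "getwork"

def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, payload). Returns the
    (src_ip, dst_ip, dst_port) triples whose payload carried a getwork call."""
    return [(src, dst, port) for src, dst, port, payload in flows
            if is_getwork_request(payload)]

# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 8332,
     b"POST / HTTP/1.1\r\nHost: pool.example\r\nContent-Type: application/json\r\n\r\n"
     b'{"method": "getwork", "params": [], "id": 1}'),
    ("10.0.0.7", "198.51.100.20", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    ("10.0.0.9", "203.0.113.11", 8332,
     b"POST / HTTP/1.1\r\nHost: other.example\r\n\r\n"
     b'{"method": "getblocktemplate", "params": [], "id": 2}'),
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print("getwork seen from %s to %s:%d" % hit)
```

As the answer notes, this only catches plain getwork; pooled miners using other protocols or a tunnel will not match.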
6
  1. Look for connections to bitcoin servers. The applications have to phone home; look for connections to the servers, and the source IP will lead you to the system running the software.
  2. Put together a list of bitcoin miners' executable names, and scan systems for those names.
GdD
  • What if the servers have an independent connection to the bitcoin servers, i.e. they do not use a corporate proxy? Also, the executables can be renamed and will still work. – Metahuman Feb 14 '13 at 11:34
  • @Metahuman, that's what firewall logs are for. Or a router ACL that logs web traffic. – GdD Feb 14 '13 at 12:13
  • Exactly! But what if there is no firewall, no router and hence no ACL? – Metahuman Feb 14 '13 at 12:13
  • In order for your server to have internet access there must be a network device for it to connect to. That network device has routing capability. Therefore it is a router. If there is no firewall and no router there is no internet access, so no bitcoin. – GdD Feb 14 '13 at 12:18
  • If you don't have firewall logs, capture packets. There is a Wireshark dissector for bitcoin. – g3k Feb 14 '13 at 14:59
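An added example (not GdD's own code) of the firewall-log approach from point 1: it parses netfilter-style log lines, flags source hosts that repeatedly connect to a list of pool addresses or to Bitcoin's default ports 8332 (JSON-RPC, where getwork is served) and 8333 (peer-to-peer), and runs over constructed sample lines. The log format, the pool address list and the hit threshold are assumptions to adapt to your own firewall.

```python
import re
from collections import defaultdict

# iptables/netfilter style log line (assumed format; adjust the regex to
# whatever your firewall or router actually writes to syslog).
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

# 8332 is bitcoind's default JSON-RPC port and 8333 its peer-to-peer port.
# The pool addresses are constructed placeholders, not real pool IPs.
MINING_PORTS = {8332, 8333}
KNOWN_POOL_IPS = {"203.0.113.10", "203.0.113.11"}

def parse_line(line):
    """Return (src, dst, dpt) for a TCP log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dpt"])

def find_suspect_hosts(lines, min_hits=3):
    """Return {src_ip: sorted [(dst, dpt), ...]} for hosts that connected at
    least min_hits times to a known pool address or a Bitcoin service port."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dpt = parsed
        if dst in KNOWN_POOL_IPS or dpt in MINING_PORTS:
            hits[src].append((dst, dpt))
    # One connection is noise; a miner phones home continuously, so require
    # repeated hits before naming a host.
    return {src: sorted(set(v)) for src, v in hits.items() if len(v) >= min_hits}

# Constructed sample log (documentation addresses, not a real firewall log).
SAMPLE_LOG = """\
Feb 14 11:30:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=8332
Feb 14 11:30:31 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=8332
Feb 14 11:31:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=51236 DPT=8332
Feb 14 11:31:10 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.20 PROTO=TCP SPT=40000 DPT=443
Feb 14 11:31:12 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.11 PROTO=TCP SPT=40001 DPT=3333
Feb 14 11:32:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.21 PROTO=UDP SPT=5353 DPT=5353
""".splitlines()

if __name__ == "__main__":
    for src, targets in find_suspect_hosts(SAMPLE_LOG).items():
        print(src, "->", targets)
```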
0

Well, there's a semi-reasonable $$$ way: add a meter for each cubicle/outlet and see who's using too much, then investigate. They could easily defeat any static tool, but defeating a manual investigation into why this machine is drawing too much power is hard (if you find nothing you keep looking, of course).

Joshua