Jon Cooper, senior incident response and forensic consultant at cyber security firm SecureWorks, was responding to queries from iTWire in the wake of reports that many sites are quietly placing scripts in pages and using the computing power from visitors' computers to mine for currencies like bitcoin.
A recent report from security firm Palo Alto Networks pointed out that miners like Coinhive were being increasingly placed on websites.
"Recently, browser coin mining has taken off, for a lot of different reasons. Although the computing power (per instance) is much less than dedicated hardware, being able to exploit many users on various sites more than make up for it," the company's researchers Yuchen Zhou, Wei Xu, Jun Wang and Wayne Xin wrote.
"As a result, responsiveness of applications is impacted, generally to a point that is noticeable; effectively a user will feel as though something is wrong with their computer. When the user closes the browser, the system functionality returns to a nominal state," he explained.
On Linux systems, the top command lists CPU usage apart from lots of other information.
Some websites used such miners in a legitimate fashion by advertising it somewhere on the site.
"A user may be prompted to allow a 'script' to run while visiting the site, or provided a notification pop-up. Most users will simply click 'ok' to retrieve the content they wish to view, unknowingly authorising the use of such services," Cooper said.
"Obviously, it is pertinent to actually read what you are allowing when a website requests to do something other than showing you the content you requested."
He said more malicious approaches may not include a notification to the user, or attempt to circumvent notifications. These could be a little harder to detect. "However, using correctly configured security controls can force a website to inform the end user that a script is required to run."
For those who wished to adopt a safety first approach, he said, "browsers such as Chrome and Firefox had third-party extension repositories that allow the installation of plugins which allow users to notify or block the use of malicious scripts (as well as non-malicious scripts). These had demonstrated a high level of success in blocking browser based crypto-coin mining (Firefox: NoScript, Chrome: ScriptSafe)".
The Windows Resource Monitor.
Apart from this, Cooper said identifying if something was using excessive CPU cycles could be done using applications installed on standard installations of Microsoft Windows, macOS and Linux.
"Each operating system has the inbuilt ability to report on system statistics, including CPU usage. In Windows, you can use the inbuilt 'Resource Monitor' (Start Bar/Cortana, Resource Monitor) to view the current CPU usage.
"An idle corporate system will likely use in the vicinity of 25%-35% of the CPU (Window OS, host agents, Outlook, Skype etc.). A sign that something is using the CPU excessively is when the usage is in excess of 50%, when nothing that is knowingly resource intensive running (games, photo/video editing etc).
"Inside Resource Monitor, you can view how much CPU usage each process is consuming. If for instance, Firefox is using 30% or more of the CPU load (and staying in that vicinity), it is a strong indication something is occurring that shouldn't be. CPU spikes will occur when you load a page. However, once the page has finished loading the content you requested, that should drop dramatically."
He said a very simple way to test if a user suspected that a website was covertly mining bitcoins or other crypto-coins without his/her knowledge was by closing the browser, opening Resource Monitor and viewing the CPU usage for a minute or two.
"If you then open the browser and load a website such as Google, you will have an idea of what a baseline reading for your system CPU usage is while your browser is open. If you then browse back to the page you were on and the CPU usage by your browser rises significantly and doesn't drop, even though the page is loaded, then there is a strong chance there is something occurring which shouldn't be - it is important to note that any website which plays embedded videos will place load on the CPU attributed to the browser, though as the system buffers the video it should drop, though it may not drop to zero," Cooper explained.
On the Mac, the inbuilt tool "Activity Monitor" (located in the Utilities folder), had the same functionality as Resource Monitor, while in Linux running "top" from the command line or "System Monitor" in the desktop variants of Ubuntu had the same functionality.
"Other signs include physical aspects of the system changing. Cooling fans spinning up to a highly audible level and increases in the physical temperature of a system is a sign of heavy CPU load," Cooper said. "Heat can be extremely obvious when we take examples such as alloy body laptops into account. In those instances, it is worth identifying what is placing the load on the system using the aforementioned technique."
Screenshots: Linux top command taken from the writer's PC; Windows Resource Monitor courtesy Microsoft