Windows: This sneaky cryptominer hides behind taskbar even after you exit browser

Closing your browser won't stop this JavaScript cryptocurrency miner.
Written by Liam Tung, Contributing Writer

Video: Here's everything you need to know about Bitcoin cash

JavaScript-based in-browser cryptocurrency miners are now borrowing loathed online ad techniques to covertly harvest power from PCs after visiting a site.

Most of the browser-based miners on sites that use the Monero-mining Coinhive service can be stopped simply by closing the browser, which stops them chewing up your CPU.

However, security firm Malwarebytes has discovered a new case where the page will continue mining even after the browser is closed.

The technique relies on a tiny 'pop-under' window, which is sometimes used to load hidden ads. For extra cover, the window is designed to sit behind the Windows taskbar, making it hard to spot.

"The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock," wrote Malwarebytes researcher Jerome Segura.

In-browser cryptominers have grown in popularity, partly in response to the rise of ad-blockers. Coinhive was proposed as a legitimate alternative to advertising. The Pirate Bay, for example, recently integrated Coinhive in its site for this reason, but annoyed some users by apparently accidentally setting it to use 100 percent of a visitor's CPU. It later dialed it back.

However, JavaScript coin miners are now also being used on compromised sites and sites that continue to serve ads.

The chief problem is that the sites often use visitors' hardware without permission. So while these miners aren't technically malware, Malwarebytes and other security firms recently began blocking Coinhive sites. And there are now plenty of Coinhive clones.

The web miner Malwarebytes found tries to fly under the radar by limiting CPU usage to around 50 percent. Segura notes the pop-under technique also allows it to bypass adblockers.

See also: Executive's guide to implementing blockchain technology

Users who believe their PC is being abused for someone else's mining profits have a few options to detect and stop the activity.

Segura notes that users can open Task Manager and kill intensive browser processes being used by the miner. If the taskbar is set to transparent, the pop-under can be seen. Additionally, resizing the task bar will reveal the hidden window.

Segura predicts "drive-by mining" will continue to remain popular for all the wrong reasons.

"Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement," he wrote.

"Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves. If malvertising wasn't bad enough as is, now it has a new weapon that works on all platforms and browsers."


Users can run Task Manager to spot any remnant running browser processes and terminate them.

Image: Malwarebytes Labs

Previous and related coverage

Android security: Coin miners show up in apps and sites to wear out your CPU

Expect to see more miners silently chewing up CPU resources through your browser.

Windows security: Cryptocurrency miner malware is enslaving PCs with EternalBlue

Stealthy and persistent cryptocurrency-mining malware is hitting Windows machines.

IT leader's guide to the blockchain [Tech Pro Research]

The blockchain may hold significant opportunities for the enterprise, from financial services to IP protection to job documentation. This ebook looks at what the blockchain is and how it could affect your business.

Bitcoin blasts past $10,000 mark amid bubble concerns [CNET]

The cryptocurrency's value has risen nine-fold since the beginning of the year.

Editorial standards