Tuesday, March 9, 2021

PhoenixMiner - How/Why/What? Statement from IT Expert that will answer MOST of your questions.

You probably know me already as the developer of Excavator and QuickMiner, but let me also explain some things around PhoenixMiner that will hopefully answer most of your questions. The most important information you are seeking now is probably what kind of damage this has caused you. The short answer is: if you have not noticed anything yet, then most likely there is NO damage and you can still react quickly enough to make yourself completely immune and have peace of mind regarding this incident. But read carefully and do what I tell you to do, to be on the safe side.

 

What happened?

The PhoenixMiner online repository was deleted for a violation of the terms of service (Mega.nz). We don't know why it was deleted and it probably isn't important. But there are other facts we need to consider. PhoenixMiner, the author of the software, disappeared more than a month ago: https://bitcointalk.org/index.php?action=profile;u=1522040

After yesterday's removal of the files, several scam attempts appeared: people posting links to (probably) malware. As of yet, there is still no answer from the developer. I will let you be the judge of whether the real developer (https://bitcointalk.org/index.php?action=trust;u=1522040) is an honest person or not. That is not the purpose of this text.

 

So, you have no idea what happened?

Yes, we do not know. There are shady things happening currently and NiceHash is just taking preventive steps and warning all of its customers. Why is it not possible to figure out what exactly is happening, whether PhoenixMiner is a malicious miner or not? This is probably one of the main questions you have. I will try to explain it as best I can.

 

Devfee miners - made by anonymous developers

Since the era of Claymore, the most prominent "imperialists of mining", the developers of miners have always been anonymous, covered their tracks well and never exposed any private part of their life. This is completely counter-intuitive, because if you have a successful legal business, you want to make it official, so you get "clean" money and can buy houses, cars, yachts and so on. The only reason to run an anonymous business is when doing illegal business, which coding and earning with mining software is NOT. One of the reasons a business would like to stay anonymous is tax evasion. But consider the amount of money developers make: we are talking millions yearly. Claymore was making up to 100 million yearly in his golden times. It is completely impractical to do tax evasion for such huge amounts, because money laundering brings you too much hassle, plus it is illegal and you are risking a lot for just several million more in cash. And if you are getting e.g. 50 million yearly, you probably don't go underground doing money laundering to get out 40 million instead of 35 million (with taxes fully paid). So, thinking further... what would be another possible reason to stay anonymous when earning millions? What if your business is built on the shoulders of someone else and you would have to give a large portion of your income to someone else? Licenses! I suspect that all anonymous developers of miners are violating GNU GPL v3 (https://github.com/tpruvot/ccminer/blob/windows/LICENSE.txt), a license that requires you to open (show the code of) your product on request. Developers would lose their devfee in this case, so this is something they simply cannot do. This is the only logical conclusion that I have been able to think of.
If they made their business legal, they could have fought the AntiVirus companies that are massively blocking miner software, thus increasing their reach and profit; they would have been fully trusted in the community and listed among the top crypto companies. But all of them decide NOT to do this. Only the developer of lolminer dares to expose himself, because he made his own miner code base and did not violate the GPL. Now you most likely know why these developers are anonymous.

 

Crime

In most countries, violation of licenses is a criminal act. If they violate the GPL, they are committing a crime. And because their earnings are in the millions, we are talking about a biiiig crime. And if they are capable of committing one crime, which is still ongoing, what makes you think they wouldn't commit other types of crime? Considering the amounts of money they get, they need to commit at least one more crime, money laundering, or all of these piles of money are useless.

 

The scale

According to publicly accessible information from https://www.nicehash.com/algorithm/daggerhashimoto (and other algorithms), NiceHash has more than 600,000 miners. That is roughly ~600,000 computers. NiceHash is not the only mining service. There are pools and other forms of mining applications that all use miners made by anonymous developers. Most mining rigs are stripped-down PCs that have nothing on them but the OS and the mining application. These do not contain any information and having full access to them has no real value. This was mining until 2020. But at the end of 2020 and now in 2021, mining is becoming mainstream. Ask yourself: do you have a special dedicated PC just for mining? Or did you just buy one extra video card and plug it into your existing PC? The majority of you do not have a dedicated mining PC (rig). You are just running the miner alongside everything else: private data, pictures, documents, logins to various services from email to social networks, and a lot of you perform banking or payments via PayPal on your PC. How many of you are playing with fire? I don't know; I would estimate between 100,000 and 500,000. An unknown anonymous developer not only gets paid a devfee, but he/she potentially gets access to 100,000-500,000 PCs with modern hardware, from developed parts of the world and most likely with powerful internet connections. I wouldn't know, but a botnet of this size and quality is worth A LOT, probably much more than what they generate through 1% devfees. Did you think that your PC might become a zombie one day when you turned on the miner for the first time?

 

Anonymity

Now you may say: well, NiceHash already has access to 600,000 PCs, what is the difference? The difference is that you know that. You know that you gave access to NiceHash, you know to whom you gave access, you know how it is going to be used, and you know (because the NiceHash Miner source code is shown) that NiceHash does not search for or copy any private data from any PC. NiceHash uses your PC only for mining and nothing else. No data is being collected and no data will ever be collected. If something goes wrong, then you can hold NiceHash liable for breaking laws. Who are you going to hold liable if a miner made by an anonymous developer breaks a law? And because these developers know that they can escape justice using anonymity, they are more likely to break laws.

 

How hard is it to copy access to my Bitcoin wallet?

Do you have a Bitcoin (or any other crypto) wallet on the PC where you also mine? Your bitcoins can be sent by anyone who knows a special large number (called the private key). This number is written in the wallet.dat file. Did you encrypt it? It will not help. An attacker would just wait until you enter the password to unlock it; using a keylogger, he would intercept all the keys you press on the keyboard. Now you are asking yourself: did PhoenixMiner install a keylogger on my PC? I don't know. It is possible to figure out, but such an analysis is very expensive. It is much cheaper to just reinstall Windows. But that is not enough. If an attacker has already recorded your private key, he can still steal your bitcoins. If you have any crypto wallet (even an online one) on the same PC where you mine, THEN YOU HAVE TO SEND YOUR COINS TO A NEW WALLET IMMEDIATELY! You need to generate a new seed so that the new wallet is not connected with the previous one in any way, and of course you need to create this new wallet on a PC that did not run any unsafe miners and is considered clean. This action prevents anyone from stealing your coins, because the balance of the old wallet is then 0 and there is nothing to steal.

 

Disable AntiVirus

Half of the blame for the current situation regarding the unsafety of miners lies with the companies making AntiVirus programs. In the mining community it is now common knowledge that you have to disable your AntiVirus, or add an exclusion, to be able to mine. The last protection (or obstacle for attackers) is then conveniently disabled by the victim him/herself, because AntiViruses falsely flag (almost) all mining software. An AntiVirus program becomes completely useless once you know that it creates so many false positives. On the other side, real malware will be specially crafted by the attacker in a way that no AntiVirus program is going to detect it: because the attacker is aware of the AntiVirus program, he can analyze it in advance, so he/she is always one step ahead. How is this related to PhoenixMiner? If you analyze PhoenixMiner with any AntiVirus program, the report is completely useless. Because the detection is positive in any case, you do not get the answer that you were looking for: is it malware or not? Why are AntiVirus programs so "shitty", you may ask here. Because a really good AntiVirus program would not cost 50 or 100 USD but probably closer to 50 or 100 million USD, and if you wanted a real-time scan feature as well, then 50 to 100 billion USD. Making a real analysis of a piece of software to determine whether it is malware or not is a very complex and hard task.

 

NiceHash Miner - 3rd party license

NiceHash Miner contain(ed) PhoenixMiner as a 3rd party plugin. Before you were able to use NiceHash Miner, you had to agree to a bunch of licenses. Probably not many of you read carefully what was written there. I noticed this from the extreme indifference towards this problem when I mentioned it here occasionally, and even from the behavior of certain individuals trying to convince everyone that this is a marketing stunt to push a new product, NiceHash QuickMiner, and that using miners made by anonymous developers is completely 100% safe and can be fully trusted. Once again, nobody is doing real analysis of these miners because it is simply too expensive, thus nobody can claim that an unsigned binary from an anonymous developer is 100% safe. Our new product, NiceHash QuickMiner, was made for this purpose specifically: all the code is written by us or taken from public repositories, which means that we can guarantee it is 100% safe, because we have seen all the code that goes into it. Also, it is simply impossible to go mainstream and reach millions of hobby one-PC miners (gamers) with everything based on mining software made by anonymous developers that are most likely committing at least two crimes and whose product is most likely the result of at least one crime.

 

NiceHash Miner - plugin - overreaction?

There are some speculations circulating that we f*cked up by including the wrong (malware) PhoenixMiner. That is not the case. We have double-checked. Most of you are accusing us of overreacting. Now, let's assume there really is malware in PhoenixMiner and we just say "bah, it is probably nothing, let's just be quiet and not cause any panic", and then tomorrow 100,000 NiceHash users' PCs are locked with ransomware. If we had released this statement one day before, would it still be considered an overreaction? We do care about our users. We don't want to expose them to any harm. We started working on our own miner because this is the only way to give hobby miners and gamers a non-risky mining solution. Why did nobody else overreact? Who else could say anything? A big pool that is mostly fed by big farms in China? Does it matter to them if PhoenixMiner is malware? There is no data to be stolen, no harm malware can do on a farm PC (or a specially dedicated mining rig with no personal data). The most an attacker can hope for is to change the mining address and get some minutes or hours of mining for free until being noticed by the farm caretakers.

 

So, what do I have to do now?

If you started NiceHash Miner, or started PhoenixMiner even once, you could be worried, if you care. To get a good night's sleep in this case, do the following:

  1. Reinstall Windows.
  2. Change all passwords (remember, the attacker can use a keylogger and intercept all your passwords!) and activate 2FA wherever possible.
  3. If you used any cryptocurrency wallets on your PC, move the coins out of them: send them to another wallet which you generate AFTER you reinstall Windows. If you used hardware wallets such as Ledger or Trezor, then you don't have to worry about them; these wallets are secure.
  4. Before you reinstall NiceHash Miner, make sure that you are installing the version without PhoenixMiner, which should be released shortly (if not already). If you have NVIDIA video cards and you are mining on your regular PC, I strongly suggest you use NiceHash QuickMiner. You will be on the safe side without any worries about your data and accesses.

 

But this can happen any time with any other miner now? Is there something that I can do to make this problem go away and never happen again?

Yes, you are right: as long as there are popular miners with anonymous authors who do not want to reveal themselves, mining cannot spread to the general population but can only stay limited to farms and miners with special dedicated mining PCs (< year 2021). Let's hope that the anonymous developers smarten up and perhaps invest part of their income into a new code base for their miner. Maybe they are scared by the idea, but it is not so complicated to do: it took me less than one week to make a modular, multi-algorithm, multi-device C++ code base for Excavator back in 2016 and it is still being used today. There is also one thing each of you can do, through social education. You know how the majority of you act now? Like a parent who teaches a kid and tells him/her: if a man with a van stops in front of you and offers you 10 USD to go into the van with him, take the money and do it. Yes, perhaps some devfee miner is 0.01% faster (=10 USD for a kid?), but are you prepared to risk all your private data, logins, documents, etc.? (=maybe the kid being sexually exploited). So, what you are doing wrong is this: when someone new asks about miners... TELL THIS FIRST: it is from an unknown developer, we don't know what is inside, it can be malware, and we cannot rely on an AntiVirus program because we need to turn it off anyway. Tell them who made the software. Speed shall not be the only factor to consider. Everyone who runs NiceHash Miner or any other miner from an anonymous developer MUST be fully aware of what he/she is doing. I see that you learn most mining-related things from each other. Try to learn good things from each other.

 

NiceHash QuickMiner

It is a pleasure to see that so many of you like this new product we offer. But here and there, there are always some individuals who view it as a big threat that is coming to ruin everything, even though nobody is forced to use either one. Some individuals see every marketing activity as a way to push this product further. Yes, a lot is being done marketing-wise regarding NiceHash QuickMiner. But I don't understand the negativity. These individuals sound as if our customers are now losing something: as if NiceHash Miner was software that did not have to be downloaded and installed, but now QuickMiner needs to be installed, which in their opinion brings something bad for the customers. Or as if NiceHash Miner was free, and we are pushing QuickMiner which isn't free or has higher fees. But in reality, there are only positive features compared to NiceHash Miner, with only one negative: it does not have algorithm switching. Next time you see someone spitting on NiceHash QuickMiner, remember that we went into this project for you: the hobby miner, the gamer, you who just joined 4 weeks, 10 days or 5 hours ago. To give you a pleasant mining experience without negative side effects, to turn your PC into a money-making machine without the risk of getting infected with malware, without days spent learning about mining, algorithms, coins, GPUs and overclocking. We allow you to be lazy; we do everything for you, so you don't lose time. In the end, you don't have to do anything but click on a few buttons.

 

Outro

 

After we made our announcement about the security dangers regarding PhoenixMiner, we were immediately targeted on all social platforms by paid shills who were posting various known information from NiceHash history to divert attention and try to discredit us. Let it be clear that we are not claiming that PhoenixMiner does contain malware; we are only claiming that there is a possibility that it has malware, that it would be very hard to detect, and that it would be very convenient for the developer to hide it and eventually realize an "evil exit plan", especially when going MIA and having no more interest in keeping a good name for future good business. We suggested to all miners that use their own PCs for mining what they can do to protect themselves in case it later turns out that there was in fact malware hidden inside. Because the developer PhoenixMiner still has not responded, we believe that there are some people/organisations with more knowledge about the matter and that our announcement has (partially) disrupted their plans. What these plans would be is pure speculation as of now, but in the worst-case scenario there could have been plans on how to tactically empty all acquired cryptocurrency wallets of all miners that have wallet private keys on their mining PC, or how to tactically hijack all miners to perform a 51% attack on the Ethereum network, thus performing double-spend attacks that were never observed before on a blockchain with such a high market cap. The 51% attack is a real possibility considering some estimates that PhoenixMiner is used by the majority of miners. If there is no hidden agenda behind this, then we do not understand why some people/organisations would spend a considerable amount of resources to discredit us, because our announcement only affected the business of PhoenixMiner and not any other business.

The attack started from the author/owner of minerstat, Josip Juhas, when he made the following post: https://bitcointalk.org/index.php?topic=2647654.msg56509020#msg56509020 This post is full of damaging misinformation. NiceHash DID NOT DISTRIBUTE PhoenixMiner 5.5d. It would be fine if this were the end, but unfortunately, after the initial misinformation from Josip Juhas - who is a well known criminal in Slovenia, convicted for planned murder and convicted of extorting women taped while having sex (source: https://old.delo.si/novice/kronika/obsojen-na-kazen-ki-jo-je-ze-prestal.html) - Alchemy from the redteampanda Discord channel made the same false claim and informed many of our users about this misinformation, so there may be some pictures circulating around with this false content. Alchemy has by now modified the accusations. Josip Juhas did not remove his claims even after it was proven and by now determined that 5.5d was never distributed by NiceHash. After that, massive shilling started on various social channels, especially here on Reddit, and we had to ban a lot of users that made long posts either repeating this misinformation or diverting attention to other unrelated matters from the history of NiceHash. In addition to that, we noticed that any positive comment from any user was heavily downvoted (example: https://www.reddit.com/r/NiceHash/comments/lzsheq/phoenixminer_howwhywhat_statement_from_it_expert/gq43fwa/) and misinformation and diversions were upvoted.

 

I will make no further comment regarding these attacks. I believe every individual is capable of drawing their own conclusions from the proofs provided.

 

 

EDIT: I have added some answers to some common questions here.

 

Why did you just update Phoenix plugin today to 15.9?

This is an empty plugin, a removal of PhoenixMiner, so it doesn't get downloaded and executed. A NiceHash Miner with this plugin carries less risk, but still not zero risk, because there are still other 3rd party miners that can go MIA suddenly. If you want zero risk, then use NiceHash QuickMiner.

 

Do I have to create new NiceHash account? Are my funds at NiceHash safe?

All you have to do is change your password and set up 2FA if you haven't already. That is all. Change the password after you reformat, or change it on another device (such as your phone).

 

Which files should I delete when reinstalling, which files can I keep and use later then?

Only executable files are problematic. If PhoenixMiner has hidden itself somewhere in your system, then it is in the form of an .exe, .dll or .sys file. A reinstall of Windows will be enough. You can keep using your old data files. If there are applications that you used, reinstall them by redownloading them and pay attention to the UAC screens: you want to be running SIGNED applications. If an application is SIGNED, then you know that nobody has tampered with it after it was made by the original developers. This is a general rule you should stick with to keep your system secure.
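The two points above (only .exe/.dll/.sys files matter, and you want signed binaries) can be turned into a quick triage script for your own machine. The PowerShell below is an added example written for this page, not NiceHash's or PhoenixMiner's code: it lists every executable under a directory whose Authenticode signature is missing or does not verify, records each file's SHA-256 so you can compare it against a copy you trust, and reports Run-key values and scheduled-task actions whose command line points into that directory. The default directory is an assumption; pass the folder you actually ran the miner from.

```powershell
# Added example for this page (not NiceHash's or PhoenixMiner's code).
# Triage a miner directory: which binaries are unsigned or tampered with, and
# does anything on this system auto-start a program from that directory?
# Run from an elevated PowerShell so HKLM and every scheduled task are readable.

# Every .exe/.dll/.sys under $Path whose Authenticode signature status is not 'Valid'.
function Get-UnsignedBinaries {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Run-key values and scheduled-task actions whose command line references $Path.
function Get-PersistenceReferences {
    param([Parameter(Mandatory)][string]$Path)

    # Escape the path so backslashes and brackets are not read as wildcards by -like.
    $pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($Path) + '*'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin $providerProps -and "$($_.Value)" -like $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Source = "Run key $key"; Name = $_.Name; Command = "$($_.Value)" }
            }
    }

    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -like $pattern) {
                [pscustomobject]@{ Source = 'Scheduled task'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
}

# Hypothetical location (assumption); replace it with the folder you ran the miner from.
$minerDir = Join-Path $env:USERPROFILE 'Desktop\NiceHashMiner'

'== Binaries without a valid Authenticode signature =='
Get-UnsignedBinaries -Path $minerDir | Format-Table -AutoSize
'== Auto-start entries referencing the directory =='
Get-PersistenceReferences -Path $minerDir | Format-Table -AutoSize
```

Read the output with the AntiVirus section in mind: a NotSigned status on its own is not evidence of malware, since plenty of miner builds ship unsigned, which is exactly why a scanner verdict on them tells you nothing. A HashMismatch on a file that carries a signature is the stronger signal, because it means the bytes changed after the publisher signed them. The auto-start listing answers, for your machine only, the "registry changes or scheduler tasks?" question raised further down, which nobody can answer in general without the expensive binary analysis the post describes.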

 

Could my local network traffic have been sniffed?

Yes, but it is highly unlikely that any data could be stolen that way. Most important services use SSL these days (HTTP over SSL, i.e. HTTPS), which makes MITM attacks very hard if not impossible. But it is up to you to verify, for example, that when you connect to a certain website it has a valid certificate. If the certificate is invalid, then someone is performing a MITM attack on you (or the website admins were lazy about renewing the certificate, which happens sometimes).

 

Is older version of PhoenixMiner safe? Which versions are affected? Which versions are bad?

No heavily protected and obfuscated binary from any anonymous developer is ever safe. If PhoenixMiner planned an exit strategy, it could be in any version, even a one-year-old one. We do not recommend using ANY version of PhoenixMiner. He/she is MIA and thus no longer cares about reputation, so an exit strategy is a serious threat.

 

What's the difference between PhoenixMiner and Excavator regarding security? If you wanted to, could you use your Excavator miner as a trojan? And what about NBMiner?

The difference is that you know who is behind the software. That fact alone prevents a company from doing something stupid such as inserting malware into its own product, because it wouldn't only kill the company but also put people behind bars. But when there is nobody behind the software, nobody can be held responsible, nobody gets sent behind bars; this anonymous person just walks away with a bag of your money. Besides, Excavator is not protected and not obfuscated. You can easily inspect its behavior using a classic debugger. I believe it would be easy, with the correct tools, to analyze that it does no harm at all, and it could be possible to prove through the binary that it is harmless.

 

Now I'm done with nicehash. I am going to ___ or ____ or ____.

Please, try to understand that what we did is actually good for you: we informed you about a potential security issue, which is not an issue yet (luckily), but IT MAY BE. We gave you instructions on how to fully secure yourself. I believe we acted with the highest possible care for our customers. We have no control over 3rd party miners. You agreed to download/install/use them when accepting the NiceHash Miner 3rd party EULA. You should not trust a company that becomes aware of an issue like this and keeps it silent.

 

Don't spread scary news to people. Everything on megaupload is gone, not just PhoenixMiner.

We gave the anonymous developer some time to react. After observing that he is MIA, we had to react urgently. It is not the fact that the files got deleted, but the fact that the developer is MIA, and thus no longer cares about his name (the only thing that was keeping him/her honest and not putting malware in). When an anonymous developer abandons a project, there is no reason for him/her to keep a "good name" anymore.

 

So if I only installed quickminer, then I’m chilling?

Yes. If you did not run NiceHash Miner and only ever used NiceHash QuickMiner, then you don't have to do anything. You are on the safe side.

 

What about NHOS?

NHOS is less problematic, but we can still imagine a scenario where your private data could be stolen if you leave hard drives with private data connected while mining with NHOS. To be fully sure, unplug your hard drives with important data when running NHOS.

 

If the last time I used NiceHash Miner was around a month ago, am I compromised?

Even if you installed NiceHash Miner one year ago, it could be an issue that eventually affects you. The problem is that we don't know. We don't know if there is an exit strategy; if there is, when it is going to be activated; and what it would do. But if you want to be on the safe side, we wrote down the steps that need to be taken.

 

This might be a dumb question, but is PhoenixMiner the same as "Phoenix" under the plugins menu? Because I had that installed but never used it. I only used Excavator.

Unfortunately, even if you never used it (not even for a benchmark), it was executed at least once to obtain the GPU IDs. So there is still risk, and we suggest you take the recommended actions to be on the safe side.

 

Do we even know what files were affected besides the miner directory? Any registry adjustments, DLL changes outside of the NHM directory? Suspicious new scheduler tasks? Or all we know is that the author has disappeared and thus the panic started? What harm did this plugin do exactly, why all the panic?

We know nothing. We raised the alarm because of the unusual behavior of the anonymous developer: he has gone missing. Analysis of a heavily protected and obfuscated binary is an expensive task. It can cost several million and take several months.

 

So did NiceHash auto-update to the compromised version or not?

There is no "compromised" version. It is simply the anonymous developer going missing, which is suspicious because he might have planted an exit strategy now that he doesn't care about reputation anymore. Running PhoenixMiner is risky, as it may not only collect the devfee but do something else. In which version the malware is, if it exists, we don't know. It could have been in the one-year-old version if the developer planned this for a long time.

 

Would you apologize to PhoenixMiner if it turns out that there was truly just a misunderstanding and some third force made him unable to fix the issue with the download location?

Yes, we would make a public apology to PhoenixMiner if this ever happens and it turns out that there was indeed no evil plan behind it. But at this moment in time, we had to warn our customers about the potential dangers.

