Another Plugin Removed from WordPress Repository: Monero Miners

November 11, 2017 Arrunadayy Koul 1 comment

Do not have time to read full article and want this article in PDF format in your email.

Enter your Email Address

WordPress recently removed a plugin known as “Animated Weather Widget by weatherfor.us.” from plugin repository. It appears that the plugin was removed for including JavaScript code that would mine cryptocurrency using the CPU resources of site visitors.

How It Worked:

  • A WordPress site owner installs the “Animated Weather” plugin.
  • The plugin loads an iframe. This allows the owner to include any code they want in visitors’ browsers, and to change the code at any time.
  • The iframe loads code from CoinHive that mines the Monero The mining activity uses significant site visitor CPU resources.
  • Earnings are sent back to CoinHive and aggregated into the account owner’s bank account. Presumably, the account owner in this case is the owner of the “Animated weather” plugin. CoinHive keep 30% of the profits.

This allows the plugin owner to earn money by using the CPU resources of visitors to sites using the “Animated weather” plugin.

Below is a screen capture from a debugger showing an iframe that loads from the weatherfor.us domain. In this, the JavaScript that loads the CoinHive code that actually does the mining can be seen.

weather crypto mining debugger image

Wordfence found that visiting a site that includes this plugin’s CoinHive Monero mining code generates a huge amount of CPU usage. This becomes audible when your CPU fans all increase their RPMs. Wordfence founder Mark recorded a short cellphone video below to show the effect.

Couple of months back, few websites were found mining cryptocurrency. It is still unclear whether they were hacked, or if they placed the code there voluntarily. Other websites like The Pirate Bay have added the CoinHive Monero mining code to try to earn additional revenue. Earlier this month, CoinHive mining code was discovered on the UFC website UFC.tv. It is unclear whether they were hacked or if they placed the code on the site themselves.

Wordfence reached out to the WordPress.org plugin repository maintainers, and this is what they have to say regarding this plugin:

“Yes, the plugin was removed because the site it connected to, weatherfor.us, started putting hidden mining code in their widgets. The plugin itself was not altered in any way, it was the site which it gets the widget from that had this code added.

Currently, we treat hidden insertion of any undisclosed code as potentially malicious, and crypto-mining is not an exception to this general principle. If a plugin that is unrelated to such activities is modified to include that code, then we will remove the plugin and potentially remove the offending code ourselves, to protect users.

In the same way that plugins are not allowed to, say, insert hidden advertising on sites in a way that benefits the plugin author, plugins are not allowed to insert hidden code in a way that benefits the plugin author. Which is to say that plugins are not allowed to include any form of crypto-mining code which pays back to the plugin author.

That said, a plugin that is explicitly intended for a site admin to include a crypto-miner on their site is allowed, and there’s a few of them in the directory already. The important difference is that these are not hidden, and do not pay the plugin author. The site owner is the one operating the miner, not a plugin author doing it on their behalf.”

What has become clear during past two years is that WordPress plugin authors experiment with a wide range of business models. This leads to plugin authors embedding code that may produce spam on websites, selling their plugins to shady individuals, and in this case, using web browser resources to earn income.

If we provide clear rules and mentoring for plugin authors on how to earn a living from their plugins, this issue would not be as prevalent. Think of the Apple App Store and similar models, where a clear business model with clear guidance has created a healthy ecosystem and funding to root out bad actors.

You would have also faced this issue when you visit any Cryto currency mining websites you will find that the fan of the CPU runs faster and the CPU usage is higher and when we leave the website the CPU usage comes down. Have you experimented with putting CoinHive mining code on your site? Or have you visited a site that was mining? What was your experience? I’d also like to see views on plugin business models.

 

Did you enjoy this post? Share it!

If you liked this post, you might enjoy our newsletter. Receive new articles directly in your inbox:

Yes I agree to receive emails from Defenx Solution

Subscribe our Youtube Channel

1 Comment on “Another Plugin Removed from WordPress Repository: Monero Miners

  1. Thanks for sharing this information. It is really scary now a days that you are not able to understand what to install and what not. Previously also fake WhatsApp update was there in Play Store.

    We need to be really alert what we are installing and from where.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.