Blocking MinerBlock

4 minute read Published

How to cloak your Webminer from the MinerBlock browser extension.

MinerBlock is a browser extension which alters the content of a webpage in an attempt to prevent a handful of crypto miners from running.

To function MinerBlock must be installed and left running in the browser while a user surfs and it must be trusted even though extensions can get you hacked.

And if that sounds like fear mongering, I assure you it’s not.1 The barrier to getting on the Chrome Store is approximately $5 USD and a good faith agreement with a company that covered up a massive data breach just late last year.

MinerBlock works by watching your surfing behavior and attempts to prevent external requests using a filters.txt file in addition to content sniffing.

Given the blacklist approach is untenable I won’t discuss it any further here. But I would like to touch on MinerBlock’s content sniffing and how to stop it.

Why stop a Mining blocker?

Now where were we? Oh yes…

MinerBlock injects a script tag into the page which it relies on to sniff the DOM for well-known cryptocurrency miners such as:

  • CoinHive-like miners
  • Mineralt miners
  • Webminerpool miners like Toxic Swamp

Here’s a more detailed look at exactly how this is accomplished:

  1. Runs initmKiller function on window.load event.
  2. Checks if it has already run for this host.
  3. Injects a script called minerkill.js into the user’s page otherwise.
  4. Script injected sniffs page for the three miners noted above.
  5. If miner found it is stopped gracefully to avoid causing problems.
  6. Extension is notified via the minerBlocked event.

Given an extension of this kind could cause problems if it did not correctly identify, and attempt to gracefully shut down, miners a simple approach to stop it is to monkey patch the names of the stop methods of each miner sniffed.

A change in the stop method name of any of the three miners changes its identifiable signature. As a result, not only will MinerBlock no longer be able to stop expected mining behavior it – and tools like it – will no longer be able to detect and potentially blacklist the miners either.

Here’s how MinerBlock sniffs for miner stop methods in version 1.2.16:

typeof this[name].stop === 'function' // Check CoinHive like miners
typeof this[name].stop === 'function' // Check Mineralt miners
typeof this[name].stopMining === 'function' // Check Webminerpool miners

And here’s a simple technique you can adapt to monkey patch your code:

]).then(() => {
  window.stopMinerBlock = window.stopMining;
  window.stopMining = null;
  // ... later ...
  window.stopMining = window.stopMinerBlock;
  window.startMining(); // calls stopMining() as a safety check
  window.stopMining = null;

The above leverages Fetch Injection to modify the the miner API surface the instant the miner is added to the page using promises from ES2015/ES6.

Therefore, unless MinerBlock uses a DOM MutationObserver, it won’t be fast enough to detect the miner with its current setTimeout approach.

Of course you could get fancy and wrap up the public miner API in a closure, or even modify the miner source itself, but what would be the fun in that?

Profit: Interested in monetizing your content with Web mining? Check out the Toxic Swamp add-on module for the After Dark website design system for Hugo.

MinerBlock out!

  1. Lawrence Abrams (2018-09-05). MEGA Chrome Extension Hacked To Steal Login Credentials and CryptoCurrency. Bleeping Computer. Retrieved 2019-03-13. ↩︎

Ledger Nano X - The secure hardware wallet