CSO Online has a good primer on how to detect and prevent crypto mining malware:
Unfortunately, crypto mining traffic can be very difficult to distinguish from other types of communications. The actual messages are very short, and malware writers use a variety of techniques to obfuscate them. “It’s extremely difficult to write a rule for something like this,” Vaystikh says. “So not many companies can detect it. Pretty much every organization above 5,000 employees has the data already — the only problem is that it is very, very hard to go over the huge amounts of data that they have.”
SecBI’s Autonomous Investigation technology deals with this issue by using machine learning to look for suspicious patterns in the vast sea of data that come through corporate networks. There are thousands of factors that SecBI looks at, Vaystikh says. For example, crypto mining traffic is periodic, though malware writers will try to disguise the regular nature of the communication by, for example, randomizing the intervals.
Crypto mining also has an unusual message length. Incoming traffic, the hash, is short. The outgoing results are slightly longer. By comparison, with normal internet traffic, the initial request is short and the response is long. “In Bitcoin mining, I actually upload a little bit more than I download,” Vaystikh says. “That is something that we look for.” The technology can be applied to public cloud infrastructure like Amazon as well as to on-premises networks, he says.
Even if the traffic is encrypted — and 60 percent of all network traffic now is — the periodicity of the communications, the lengths of the messages, and other subtle indicators combine to help the system spot the infections. In fact, when crypto mining first showed up, SecBI’s platform flagged it as possibly malicious before it even knew what it was. “Now, after our users looked at it, they say, ‘Ah, it’s crypto mining!’ and the software now correctly classifies it as well,” Vaystikh says.
The entire article is a valuable resource for those unfamiliar with cryptocurrency and the mining malware actors and criminals are using these days. Outside of endpoint security technologies using signatures, sandboxing, machine learning, or behavioral analytic techniques, network-based detection may be difficult but also may be the best option.