This demo accompanies the Detect Monero Miners with bpftrace blog post.

- (Optional) Deploy k0s. Cloud providers have strict policies around cryptomining. We strongly recommend not deploying to a cloud provider or you will risk account deactivation. One option is to deploy k0s, exposing the CRI to your local Docker instance:
```bash
# Download k0s
curl -sSLf https://get.k0s.sh | sudo sh
# Install the controller as a single node that also runs a worker, with the local Docker socket as the CRI
sudo k0s install controller --single --enable-worker --cri-socket docker:unix:///var/run/docker.sock
# Start k0s
sudo k0s start
# Copy the kubeconfig over
sudo cp /var/lib/k0s/pki/admin.conf admin.conf
# Point kubectl at it before you run kubectl commands
export KUBECONFIG=admin.conf
kubectl apply -f mydeployment.yaml
```
- Deploy XMRig. Cloud providers have strict policies around cryptomining. We strongly recommend not deploying to a cloud provider or you will risk account deactivation. For this demo, we deployed the popular open source Monero miner, XMRig. I built the Docker image locally; I couldn't find a reliable-looking public image.
- `git clone` this repo and `cd` into this directory:

```bash
cd ./detect-monero-demo
```
- Download xmrig and verify the sha256sum:

```bash
# Download the xmrig binary and verify the sha256sum from
# https://github.com/xmrig/xmrig/releases
# Instructions added for convenience, but please double check the shas and download paths.
curl -LO https://github.com/xmrig/xmrig/releases/download/v6.16.4/xmrig-6.16.4-linux-static-x64.tar.gz
# Make sure the grep matches. Double check the sum against the release page.
sha256sum xmrig-6.16.4-linux-static-x64.tar.gz | grep bf1e10f389d119fe4f72950a6a59bc6a74ba99faa48e5c959edabcdc234ac457
```
- Unpack the tar file and move the xmrig binary out to this directory:

```bash
tar -xzvf xmrig-6.16.4-linux-static-x64.tar.gz
# Move the binary out of the unpacked directory
mv xmrig-6.16.4/xmrig .
```
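The `sha256sum ... | grep` step above only tells you whether the digest string appears in the output; typed interactively, nothing stops the unpack and build steps when it does not match. The helper below is an added example (not part of this repo) that compares the full digest, refuses to unpack on a mismatch, and deletes the unverified download. It reuses the version and digest from this README; the `XMRIG_FETCH` guard variable is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not part of the original demo repo.
set -u

# Return 0 only if the file's SHA-256 digest equals the expected value exactly
# (case-insensitive on the hex digits). Prints both digests on mismatch.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_sha256: $file not found" >&2
        return 1
    fi
    # sha256sum prints "<hash>  <filename>"; keep only the hash.
    actual=$(sha256sum "$file" | awk '{print tolower($1)}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_sha256: digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Download the release tarball, verify it against the digest copied from the
# release page, and only then unpack it. Version and digest are the ones used
# in this README; re-check them against https://github.com/xmrig/xmrig/releases.
fetch_and_unpack_xmrig() {
    version="6.16.4"
    tarball="xmrig-${version}-linux-static-x64.tar.gz"
    url="https://github.com/xmrig/xmrig/releases/download/v${version}/${tarball}"
    expected="bf1e10f389d119fe4f72950a6a59bc6a74ba99faa48e5c959edabcdc234ac457"
    curl -fsSLO "$url" || return 1
    if ! verify_sha256 "$tarball" "$expected"; then
        rm -f "$tarball"   # never leave an unverified artifact behind
        return 1
    fi
    tar -xzf "$tarball" && mv "xmrig-${version}/xmrig" .
}

# XMRIG_FETCH=1 is an assumed opt-in so sourcing this file does not download.
if [ "${XMRIG_FETCH:-0}" = "1" ]; then
    fetch_and_unpack_xmrig
fi
```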
- Create a config file using https://xmrig.com/wizard and paste it into `config.json`.
- Build the Docker image and apply the Kubernetes YAML:

```bash
# You might have to change your docker-env to push to your local environment
docker build . -t xmrig
kubectl apply -f xmrig_deployment.yaml
```
- Run the PxL script with the Pixie CLI:

```bash
px run -f detectrandomx.pxl
```

Alternatively, copy and paste the contents of `detectrandomx.pxl` into the scratchpad.

- To run the bpftrace script directly on the host:

```bash
sudo bpftrace detectrandomx.bt
```
- This script only works for x86 processors. There is probably a similar detection opportunity on ARM processors.
- The script was tested on Linux kernel version 5.13. You'll have to update it for Linux kernel >= 5.16, which changed the structure.
- Minikube virtualizes the CPU so this script won't work inside Pixie running on Minikube. I used k0s.