Geng Hong
ABSTRACT
As a new mechanism to monetize web content, cryptocurrency mining is becoming increasingly popular. The idea is simple: a webpage delivers extra workload (JavaScript) that consumes computational resources on the client machine to solve cryptographic puzzles, typically without notifying users or having explicit user consent. This new mechanism, often heavily abused and thus considered a threat termed "cryptojacking", is estimated to affect over 10 million web users every month; however, only a few anecdotal reports exist so far and little is known about its severeness, infrastructure, and technical characteristics behind the scene. This is likely due to the lack of effective approaches to detect cryptojacking at a large-scale (e.g., VirusTotal). In this paper, we take a first step towards an in-depth study over cryptojacking. By leveraging a set of inherent characteristics of cryptojacking scripts, we build CMTracker, a behavior-based detector with two runtime profilers for automatically tracking Cryptocurrency Mining scripts and their related domains. Surprisingly, our approach successfully discovered 2,770 unique cryptojacking samples from 853,936 popular web pages, including 868 among top 100K in Alexa list. Leveraging these samples, we gain a more comprehensive picture of the cryptojacking attacks, including their impact, distribution mechanisms, obfuscation, and attempts to evade detection. For instance, a diverse set of organizations benefit from cryptojacking based on the unique wallet ids. In addition, to stay under the radar, they frequently update their attack domains (fastflux) on the order of days. Many attackers also apply evasion techniques, including limiting the CPU usage, obfuscating the code, etc.
Supplemental Material
- 360Netlab. 2018. who is stealing my power web mining domains measurement via dnsmon. https://blog.netlab.360.com/who-is-stealing-my-power-web-mining-domains-measurement-via-dnsmon-en/.Google Scholar
- ADGuard. 2018. The State of Cryptojacking. https://crypto.adguard.com/.Google Scholar
- U.S. Energy Information Administration. 2017. How much electricity does an American home use? https://www.eia.gov/tools/faqs/faq.php?id=97&t=3.Google Scholar
- Bitcoin. 2018. bitcoin. https://bitcoin.org/en/.Google Scholar
- bitcoinlion. 2018. Cryptocurrency Mining Hash Algorithms. http://www.bitcoinlion.com/cryptocurrency-mining-hash-algorithms/.Google Scholar
- Nicholas Carlini, Adrienne Porter Felt, and David Wagner. 2012. An Evaluation of the Google Chrome Extension Security Architecture.. In USENIX Security Symposium (USENIX Security). 97--111. Google ScholarDigital Library
- coingecko.com. 2018. Monero Price Chart US Dollar. https://www.coingecko.com/en/price_charts/monero/usd.Google Scholar
- Coinhive. 2018. coinhive. https://coinhive.com/.Google Scholar
- Marco Cova, Christopher Kruegel, and Giovanni Vigna. 2010. Detection and analysis of drive-by-download attacks and malicious JavaScript code. In Proceedings of the 19th international conference on world wide web (WWW). ACM, 281--290. Google ScholarDigital Library
- Charlie Curtsinger, Benjamin Livshits, Benjamin G Zorn, and Christian Seifert. 2011. ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection.. In USENIX Security Symposium (USENIX Security). 33--48. Google ScholarDigital Library
- cyrus and. 2018. chrome-remote-interface. https://github.com/cyrus-and/chrome-remote-interface.Google Scholar
- deepMiner. 2018. deepMiner. https://github.com/deepwn/deepMiner.Google Scholar
- easylist. 2018. EasyList filter subscription. https://github.com/easylist/easylist.Google Scholar
- Shayan Eskandari, Andreas Leoutsarakos, Troy Mursch, and Jeremy Clark. 2018. A first look at browser-based Cryptojacking. IEEE Security & Privacy on the Blockchain (IEEE S&B) (2018).Google ScholarCross Ref
- Ittay Eyal, Adem Efe Gencer, Emin Gün Sirer, and Robbert Van Renesse. 2016. Bitcoin-NG: A Scalable Blockchain Protocol.. In USENIX Symposium on Networked Systems Design and Implementation (NSDI). 45--59. Google ScholarDigital Library
- Ittay Eyal and Emin Gün Sirer. 2014. Majority is not enough: Bitcoin mining is vulnerable. In International conference on financial cryptography and data security. Springer, 436--454.Google ScholarCross Ref
- Dan Goodin. 2017. Cryptojacking craze that drains your CPU now done by 2,500 sites. https://arstechnica.com/information-technology/2017/11/drive-by-cryptomining-that-drains-cpus-picks-up-steam-with-aid-of-2500-sites/.Google Scholar
- Alex Hern. 2017. Ads don't work so websites are using your electricity to pay the bills. https://www.theguardian.com/technology/2017/sep/27/pirate-bay-showtime-ads-websites-electricity-pay-bills-cryptocurrency-bitcoin.Google Scholar
- intel.com. 2017. Intel Core i5--7400 Processor. https://www.intel.com/content/www/us/en/products/processors/core/i5-processors/i5--7400.html.Google Scholar
- Jquery. 2018. jquery. https://jquery.com/.Google Scholar
- Keraf. 2017. Blacklist of NoCoin. History for NoCoin/src/blacklist.txt.Google Scholar
- Keraf. 2017. NoCoin. https://github.com/keraf/NoCoin.Google Scholar
- Eleftherios Kokoris Kogias, Philipp Jovanovic, Nicolas Gailly, Ismail Khoffi, Linus Gasser, and Bryan Ford. 2016. Enhancing bitcoin security and performance with strong consistency via collective signing. In 25th USENIX Security Symposium (USENIX Security 16). 279--296. Google ScholarDigital Library
- Matt Murray. 2017. Firefox Quantum vs. Chrome: Which Is Faster? https://www.laptopmag.com/articles/firefox-quantum-vs-chrome.Google Scholar
- Michael Nadeau. 2018. What is cryptojacking? How to prevent, detect, and recover from it. https://www.csoonline.com/article/3253572/internet/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html.Google Scholar
- Notmining. 2017. notmining. http://notmining.org/.Google Scholar
- Bad Packets. 2017. Cryptojacking: 2017 Year-End Review. https://badpackets.net/cryptojacking-2017-year-end-review/.Google Scholar
- Bad Packets. 2018. How to find cryptojacking malware. https://badpackets.net/how-to-find-cryptojacking-malware/.Google Scholar
- Daniel Plohmann and Elmar Gerhards-Padilla. 2012. Case study of the miner botnet. In 4th International Conference on Cyber Conflict (CYCON). IEEE, 1--16.Google Scholar
- Fergal Reid and Martin Harrigan. 2013. An analysis of anonymity in the bitcoin system. In IEEE International Conference on Privacy, Security, Risk, and Trust. 197--223.Google ScholarCross Ref
- RFC. 2016. The scrypt Password-Based Key Derivation Function. https://tools.ietf.org/html/rfc7914.Google Scholar
- SimilarWeb. 2018. similarWeb. https://www.similarweb.com/.Google Scholar
- Whorunscoinhive. 2018. whorunscoinhive. http://whorunscoinhive.com/.Google Scholar
- Wikipedia. 2018. Page semi-protected Cryptocurrency. https://en.wikipedia.org/wiki/Cryptocurrency.Google Scholar
- xd4rker. 2017. Blacklist of MinerBlock. https://github.com/xd4rker/MinerBlock/commi- ts/master/assets/filters.txt.Google Scholar
- xd4rker. 2017. MinerBlock. https://github.com/xd4rker/MinerBlock.Google Scholar
- Apostolis Zarras, Alexandros Kapravelos, Gianluca Stringhini, Thorsten Holz, Christopher Kruegel, and Giovanni Vigna. 2014. The dark alleys of madison avenue: Understanding malicious advertisements. In Proceedings of the 2014 Conference on Internet Measurement Conference (IMC). ACM, 373--380. Google ScholarDigital Library
Index Terms
- How You Get Shot in the Back: A Systematical Study about Cryptojacking in the Real World
Recommendations
MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications SecurityA wave of alternative coins that can be effectively mined without specialized hardware, and a surge in cryptocurrencies' market value has led to the development of cryptocurrency mining ( cryptomining ) services, such as Coinhive, which can be easily ...
MineThrottle: Defending against Wasm In-Browser Cryptojacking
WWW '20: Proceedings of The Web Conference 2020In-browser cryptojacking is an urgent threat to web users, where an attacker abuses the users’ computing resources without obtaining their consent. In-browser mining programs are usually developed in WebAssembly (Wasm) for its great performance. Several ...
JSDES: An Automated De-Obfuscation System for Malicious JavaScript
ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and SecurityMalicious scripts used in web-based attacks have recently been reported as one of the top internet security threats. However, anti-malware solutions develop and integrate various techniques to defend against malicious scripts, attackers have been ...
Comments