ABSTRACT
Mining for cryptocurrencies is usually performed on high-performance single-purpose hardware or GPUs. However, mining can be easily parallelized and distributed over many less powerful systems. Cryptojacking is a new threat on the Internet and describes code included in websites that uses a visitor's CPU to mine for cryptocurrencies without their consent. This paper introduces MiningHunter, a novel web crawling framework which is able to detect mining scripts even if they obfuscate their malicious activities. We scanned the Alexa Top 1 million websites for cryptojacking, collected more than 13,400,000 unique JavaScript files with a total size of 246 GB and found that 3,178 websites perform cryptocurrency mining without their visitors' consent. Furthermore, MiningHunter can be used to provide an in-depth analysis of cryptojacking campaigns. To show the feasibility of the proposed framework, three such campaigns are examined in detail. Our results provide the most comprehensive analysis to date of the spread of cryptojacking on the Internet.