Bitcoin: Monetizing Stolen Cycles Presented by: Natalie Pollard and - - PowerPoint PPT Presentation

▶

Oct 31, 2022 12 likes •245 views

Bitcoin: Monetizing Stolen Cycles Presented by: Natalie Pollard and Derek Roetzel UC San Diego George Mason University International Computer Institute Paper by: Danny Yuxing Huang, Hitesh Dharmdasani, Vacha Dave, Chris Grier, Damon McCoy,

SLIDE 1

Bitcoin: Monetizing Stolen Cycles

Presented by: Natalie Pollard and Derek Roetzel

UC San Diego George Mason University International Computer Institute Paper by: Danny Yuxing Huang, Hitesh Dharmdasani, Vacha Dave, Chris Grier, Damon McCoy, Alex C. Snoeren and Kirill Levchenko, Sarah Meiklejohn, Stefan Savage, Nicholas Weaver

SLIDE 2

There are several established ways to make money with a Botnet.

Stealing Bank Accounts Denial of Service Attack Sending Spam Messages Stealing Intangible Goods

SLIDE 3

Mining bitcoin is a new way that botmasters are attempting to profit. Mining Cryptocurrency

SLIDE 4

As infected computers become more valuable, more malware is created and distributed.

Your Computer

=

SLIDE 5

Agenda

Background on Bitcoin
Related Work
Contributions
Methods
Findings
Summary

SLIDE 6

Some background on bitcoin is helpful in understanding this research.

Currency Pools Miners Block Chain

SLIDE 7

Some background on bitcoin is helpful in understanding this research.

Currency Miners

Currency
Conduct transactions
Group together recent transactions into a

block

Add header containing nonce value and

perform cryptographic hash algorithm

If result contains the correct number of

leading zeros they receive a payout

Otherwise they guess a different nonce
Effectively a state-space search

SLIDE 8

Some background on bitcoin is helpful in understanding this research.

Block Chain

Public record made of successfully

hashed blocks containing all bitcoin transactions from the beginning of time

Since the block chain is public, all

transactions are public

Guessing right nonce is like winning a

lottery

Miners group together to hash blocks

and share their profits

Pools

SLIDE 9

Related Work

There are three papers concerning the anonymity of bitcoin as a currency.

How the Bitcoin Economy Can be Manipulated by a Powerful Adversary
Majority is Not Enough: Bitcoin Mining is Vulnerable
Bitcoin in the Presence of Adversaries

There are four papers concerning monetization of botnets.

What’s Clicking What? Techniques and Innovations of Today’s Click Bots
Measuring Pay-per-install: The Commoditization of Malware Distribution
The Underground Economy of Fake Antivirus Software
Show Me the Money: Characterizing Spam-advertised Revenue

This is the first research released on the use of botnets to mine bitcoin.

SLIDE 10

There are four major questions addressed by this research.

“Understanding the balance of added cost and risk versus potential revenue from Bitcoin mining is the motivation for our work.”

What malware is being used? How much profit is being made? What is the infrastructure and scope? How much bitcoin are they mining?

SLIDE 11

Researchers identified malware that has been used to mine bitcoins.

Goals:

Examine mining malware to learn about the botnet’s

infrastructure and the botmaster’s credentials Sources of Information:

Malware in repositories that utilize the getwork protocol (a

clear sign that the malware is mining)

SLIDE 12

Researchers found botmaster’s mining credentials and learned about infrastructure.

Goals:

Find botmasters’ wallet addresses
Learn about the infrastructure botmasters use to mine

Sources of Information:

Malware binaries
Network communications

○ Messages sent by bot to the pool or proxy servers

Command and control channel

○ Messages sent by the botmaster to bots

Pool operators

○ Credentials of suspicious miners

Anti-virus vendors

○ Information on proliferation of mining malware that researchers identified

SLIDE 13

We have to understand botnet infrastructure to find which pools are being used.

Level of Effort

Once we understand which pools are being used, we can learn more about how much money the botmaster earned.

SLIDE 14

For bots using a proxy, researchers determined where the work was being sent.

Researchers used two techniques:

HTTP Cross Login Test

○ Create accounts at major pools and attempt to log in by sending messages to an HTTP proxy

Block reversal

○ Pools often use specific range of nonce values - determined by sending getwork requests to the pool server ○ If bots only receive nonce values in a specific range we can predict which pool the bot is working for

SLIDE 15

Using wallet addresses, researchers determined the revenue of specific botmasters

Goal:

Understand the revenue collected by botmasters

Sources of Information:

Since all transactions are public, researchers identified the

cash inflows for each botmaster's wallet

Researchers can find the exchange rate at the time the

botmaster “cashed out” (converted the bitcoins to USD)

Other sources include publicly available pool leaderboards

and data voluntarily provided by pool operators

SLIDE 16

All of the pieces come together in a simple equation for total earnings per day.

USD Day Seconds Day MH Second BTC MH USD BTC

= x x x

Power: Millions of Hashes performed each second Difficulty: Expected Revenue per million SHA-256 computations Exchange Rate: In US Dollars

SLIDE 17

Botnets mining bitcoin have varying degrees of success.

SLIDE 18

In 2012, botmasters could earn high profit margins on mining activities

Costs

Bots purchased on the black market cost only $5 per 1000
An average bot was infected for one week
Therefore: One bot cost on average $.25 per year
Mining infrastructure is very easy to establish
Mining does not interfere with other activities, but could

make the malware more noticeable Profits

An average bot could complete 10 million hashes per

second and earned $.01 per day

SLIDE 19

Since 2014, margins have decreased quickly, and mining has become far less promising.

Since the publication of this research, bitcoin mining has become much less

profitable. Many botnets, including one of the world’s largest has stopped

mining altogether. Others have switched to lightcoin mining.

SLIDE 20

Bitcoin: Monetizing Stolen Cycles

Presented by: Natalie Pollard and Derek Roetzel

Paper by: Danny Yuxing Huang, Hitesh Dharmdasani, Vacha Dave, Chris Grier, Damon McCoy, Alex C. Snoeren and Kirill Levchenko, Sarah Meiklejohn, Stefan Savage, Nicholas Weaver

SLIDE 21

Appendix I: Revenue per MH/s per day over time

SLIDE 22

Appendix II: Minimum earnings of various mining botnets.

SLIDE 23

Bitcoin: Monetizing Stolen Cycles

There are several established ways to make money with a Botnet.

Stealing Bank Accounts Denial of Service Attack Sending Spam Messages Stealing Intangible Goods

Mining bitcoin is a new way that botmasters are attempting to profit. Mining Cryptocurrency

As infected computers become more valuable, more malware is created and distributed.

Your Computer

=

Agenda

Some background on bitcoin is helpful in understanding this research.

Currency Pools Miners Block Chain

Some background on bitcoin is helpful in understanding this research.

Currency Miners

Some background on bitcoin is helpful in understanding this research.

Block Chain

Pools

Related Work

This is the first research released on the use of botnets to mine bitcoin.

There are four major questions addressed by this research.

“Understanding the balance of added cost and risk versus potential revenue from Bitcoin mining is the motivation for our work.”

What malware is being used? How much profit is being made? What is the infrastructure and scope? How much bitcoin are they mining?

Researchers identified malware that has been used to mine bitcoins.

Goals:

infrastructure and the botmaster’s credentials Sources of Information:

clear sign that the malware is mining)

Researchers found botmaster’s mining credentials and learned about infrastructure.

We have to understand botnet infrastructure to find which pools are being used.

Once we understand which pools are being used, we can learn more about how much money the botmaster earned.

For bots using a proxy, researchers determined where the work was being sent.

Researchers used two techniques:

○ Create accounts at major pools and attempt to log in by sending messages to an HTTP proxy

○ Pools often use specific range of nonce values - determined by sending getwork requests to the pool server ○ If bots only receive nonce values in a specific range we can predict which pool the bot is working for

Using wallet addresses, researchers determined the revenue of specific botmasters

Goal:

Sources of Information:

cash inflows for each botmaster's wallet

botmaster “cashed out” (converted the bitcoins to USD)

and data voluntarily provided by pool operators

All of the pieces come together in a simple equation for total earnings per day.

USD Day Seconds Day MH Second BTC MH USD BTC

Botnets mining bitcoin have varying degrees of success.

In 2012, botmasters could earn high profit margins on mining activities

Costs

make the malware more noticeable Profits

second and earned $.01 per day

Since 2014, margins have decreased quickly, and mining has become far less promising.

Bitcoin: Monetizing Stolen Cycles

Appendix I: Revenue per MH/s per day over time

Appendix II: Minimum earnings of various mining botnets.

Appendix III: What’s in the block chain? See all transactions: blockchain.info