Bitcoin: Monetizing Stolen Cycles Presented by: Natalie Pollard and Derek Roetzel UC San Diego George Mason University International Computer Institute Paper by: Danny Yuxing Huang, Hitesh Dharmdasani, Vacha Dave, Chris Grier, Damon McCoy, Alex C. Snoeren and Kirill Levchenko, Sarah Meiklejohn, Stefan Savage, Nicholas Weaver
There are several established ways to make money with a Botnet. Stealing Bank Sending Spam Accounts Messages Denial of Service Stealing Intangible Attack Goods
Mining bitcoin is a new way that botmasters are attempting to profit. Mining Cryptocurrency
As infected computers become more valuable, more malware is created and distributed. Your = Computer
Agenda ● Background on Bitcoin ● Related Work ● Contributions ● Methods ● Findings ● Summary
Some background on bitcoin is helpful in understanding this research. Currency Miners Pools Block Chain
Some background on bitcoin is helpful in understanding this research. Currency ● Currency Conduct transactions ● Group together recent transactions into a ● block Add header containing nonce value and ● perform cryptographic hash algorithm Miners If result contains the correct number of ● leading zeros they receive a payout Otherwise they guess a different nonce ● Effectively a state-space search ●
Some background on bitcoin is helpful in understanding this research. Public record made of successfully ● hashed blocks containing all bitcoin Block Chain transactions from the beginning of time Since the block chain is public, all ● transactions are public Guessing right nonce is like winning a ● lottery Pools Miners group together to hash blocks ● and share their profits
Related Work There are three papers concerning the anonymity of bitcoin as a currency. How the Bitcoin Economy Can be Manipulated by a Powerful Adversary ● Majority is Not Enough: Bitcoin Mining is Vulnerable ● Bitcoin in the Presence of Adversaries ● There are four papers concerning monetization of botnets. What’s Clicking What? Techniques and Innovations of Today’s Click Bots ● Measuring Pay-per-install: The Commoditization of Malware Distribution ● The Underground Economy of Fake Antivirus Software ● Show Me the Money: Characterizing Spam-advertised Revenue ● This is the first research released on the use of botnets to mine bitcoin.
There are four major questions addressed by this research. What malware is How much bitcoin being used? are they mining? What is the How much profit is infrastructure and being made? scope? “Understanding the balance of added cost and risk versus potential revenue from Bitcoin mining is the motivation for our work.”
Researchers identified malware that has been used to mine bitcoins. Goals: Examine mining malware to learn about the botnet’s ● infrastructure and the botmaster’s credentials Sources of Information: Malware in repositories that utilize the getwork protocol (a ● clear sign that the malware is mining)
Researchers found botmaster’s mining credentials and learned about infrastructure. Goals: Find botmasters’ wallet addresses ● Learn about the infrastructure botmasters use to mine ● Sources of Information: Malware binaries ● Network communications ● Messages sent by bot to the pool or proxy servers ○ Command and control channel ● Messages sent by the botmaster to bots ○ Pool operators ● Credentials of suspicious miners ○ Anti-virus vendors ● Information on proliferation of mining malware that ○ researchers identified
We have to understand botnet infrastructure to find which pools are being used. Level of Effort Once we understand which pools are being used, we can learn more about how much money the botmaster earned.
For bots using a proxy, researchers determined where the work was being sent. Researchers used two techniques: HTTP Cross Login Test ● Create accounts at major pools and attempt to log ○ in by sending messages to an HTTP proxy Block reversal ● Pools often use specific range of nonce values - ○ determined by sending getwork requests to the pool server If bots only receive nonce values in a specific range ○ we can predict which pool the bot is working for
Using wallet addresses, researchers determined the revenue of specific botmasters Goal: Understand the revenue collected by botmasters ● Sources of Information: Since all transactions are public, researchers identified the ● cash inflows for each botmaster's wallet Researchers can find the exchange rate at the time the ● botmaster “cashed out” (converted the bitcoins to USD) Other sources include publicly available pool leaderboards ● and data voluntarily provided by pool operators
All of the pieces come together in a simple equation for total earnings per day. USD Seconds MH BTC USD = x x x Day Day Second MH BTC Power: Exchange Difficulty: Millions of Rate: Expected Hashes In US Revenue per performed each Dollars million SHA-256 second computations
Botnets mining bitcoin have varying degrees of success.
In 2012, botmasters could earn high profit margins on mining activities Costs Bots purchased on the black market cost only $5 per 1000 ● An average bot was infected for one week ● Therefore: One bot cost on average $.25 per year ● Mining infrastructure is very easy to establish ● Mining does not interfere with other activities, but could ● make the malware more noticeable Profits An average bot could complete 10 million hashes per ● second and earned $.01 per day
Since 2014, margins have decreased quickly, and mining has become far less promising. Since the publication of this research, bitcoin mining has become much less profitable. Many botnets, including one of the world’s largest has stopped mining altogether. Others have switched to lightcoin mining.
Bitcoin: Monetizing Stolen Cycles Presented by: Natalie Pollard and Derek Roetzel Paper by: Danny Yuxing Huang, Hitesh Dharmdasani, Vacha Dave, Chris Grier, Damon McCoy, Alex C. Snoeren and Kirill Levchenko, Sarah Meiklejohn, Stefan Savage, Nicholas Weaver
Appendix I: Revenue per MH/s per day over time
Appendix II: Minimum earnings of various mining botnets.
Appendix III: What’s in the block chain? See all transactions: blockchain.info
Recommend
More recommend
