Crypto Mining - CHRISTOS HADJISTYLLIS - EPL682 ADVANCED SECURITY (PowerPoint PPT Presentation)

SLIDE 1

Crypto Mining

CHRISTOS HADJISTYLLIS EPL682 - ADVANCED SECURITY TOPICS, SPRING 2018/2019 UNIVERSITY OF CYPRUS

SLIDE 2

Introduction

  • Cryptocurrency: virtual currency usually not controlled by any government or physical entity
  • Examples: Bitcoin, Litecoin, Ethereum and many more
  • Crypto Mining: earning cryptocurrency by offering computing resources to process transactions
  • Security issue: cybercriminals use malware to gain access to our hardware and use it to mine cryptocurrency
    • Degrades the system’s performance and increases power consumption

2

CRYPTOCURRENCY MINING
SLIDE 3

Botcoin: Monetizing Stolen Cycles (Executable-based mining)


Huang, D.Y. et al, February 2014.

SLIDE 4

Executable-based mining

  • Take advantage of compromised computers (bots) to join or establish bitcoin mining pools
    • Native executable botnet malware is installed
    • Via: drive-by downloads, pirated software, etc.
  • Research goal: identify the malware, infrastructure, earnings and infected population of such operations
  • Paper importance:
    • First to focus exclusively on crypto mining via compromised hosts (bots)
    • Earlier work focused on manipulating the mining process for more revenue by colluding
    • Some deal with general monetary uses of malware
SLIDE 5

Bitcoin Mining – Bitcoin basics

  • Bitcoin is a peer-to-peer decentralized currency proposed in a paper in 2008 by “Satoshi Nakamoto”
  • Bitcoin is a global public ledger of balances per wallet address
    • Wallet address: hash derived from a public/private key pair; the private key is used to sign transactions
  • All transactions are written in the Blockchain
    • Peer-to-peer append-only ledger for valid transactions (signed & sufficient balance)
    • Supports only transfers out of one wallet to another

SLIDE 6

Bitcoin Mining

  • Dual role
    • Maintain blockchain integrity: confirms transactions and protects them from future modification
    • Control the Bitcoin issuing rate: miners execute a (computationally challenging) proof-of-work algorithm
  • Miners are rewarded for discovering new “blocks”
  • A block is identified by a SHA-256 hash over
    • Group of new valid transactions
    • Nonce: (random/arbitrary) value
    • Coinbase: transaction for the miner reward + comment
    • Previous block hash
  • If the SHA-256 (binary) hash has a minimum number of leading zeros:
    • Miner sends the new block to the P2P network for validation by peers
  • Else, repeat using a new nonce value

[Figure: new transactions, the coinbase transaction + comments, a nonce (e.g. 1234) and the previous block hash are fed into SHA-256; the output shown is 0000110001010101100011100101, a hash with the required leading zeros]
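As an added illustration of the loop on this slide (example code written for this page, not from the paper or the slides): a toy proof-of-work in Python. It serialises the four header fields listed above as JSON, applies SHA-256 twice as Bitcoin does, and retries nonces until the digest has the required number of leading zero bits. The header format, difficulty value and block contents are constructed for the example and do not match Bitcoin's real 80-byte header or its 256-bit target.

```python
import hashlib
import json

# Added example (not from the slides): a toy proof-of-work loop over a
# simplified block header. Real Bitcoin hashes an 80-byte binary header
# and compares against a 256-bit target; this toy version uses a JSON
# header and counts leading zero BITS so it runs quickly at low difficulty.

def block_header(transactions, coinbase, prev_hash, nonce):
    """Serialise the fields the slide lists into a deterministic header."""
    return json.dumps({
        "tx": transactions,
        "coinbase": coinbase,
        "prev": prev_hash,
        "nonce": nonce,
    }, sort_keys=True).encode()

def block_hash(header):
    """Bitcoin applies SHA-256 twice to the header."""
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()

def leading_zero_bits(digest):
    """Count leading zero bits of a digest (the slide's 'leading zeros')."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def meets_difficulty(digest, difficulty_bits):
    return leading_zero_bits(digest) >= difficulty_bits

def mine(transactions, coinbase, prev_hash, difficulty_bits, max_nonce=1 << 32):
    """Try nonces until the double-SHA-256 hash has enough leading zero bits.
    Returns (nonce, hex_digest), or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        digest = block_hash(block_header(transactions, coinbase, prev_hash, nonce))
        if meets_difficulty(digest, difficulty_bits):
            return nonce, digest.hex()
    return None

def expected_attempts(difficulty_bits):
    """Each extra required zero bit halves the success probability per attempt."""
    return 2 ** difficulty_bits

if __name__ == "__main__":
    # Constructed sample block contents (placeholders, not real transactions).
    txs = ["alice->bob:0.5", "carol->dave:1.2"]
    coinbase = {"to": "MINER-WALLET-PLACEHOLDER", "reward": 25.0, "comment": "example"}
    prev = "00" * 32
    nonce, digest = mine(txs, coinbase, prev, difficulty_bits=16)
    print(f"nonce={nonce} hash={digest} (about {expected_attempts(16)} tries expected)")
```

Raising `difficulty_bits` by one doubles the expected work, which is the same lever the network's difficulty adjustment uses; the hash-rate comparison on the next slide follows directly from how many of these attempts a machine can make per second.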

SLIDE 7

Bitcoin Mining (cont.)

  • The difficulty of earning Bitcoins lies in achieving the minimum number of leading zeros in the SHA-256 hash fast
  • An average desktop PC can do 2 - 10 MH/s; a dedicated mining system (ASIC) can do > 500 GH/s
  • November 30, 2013
    • Bitcoin network’s rate: approximately 6,000 TH/s
    • Which means that a 10-MH/s PC would make less than 0.0000002% of all Bitcoins during the mining period


MH/s, GH/s, TH/s = millions, billions, trillions of hashes per second

SLIDE 8

Pooled Mining

  • Mining pools (e.g. Eligius, 50 BTC) allow miners to join together and get a small portion of the money made by the whole pool based on relative contribution
  • Pool servers manage all pending transactions and assign hash computations to workers (miners)
  • Most popular pools use cleartext TCP/IP communication protocols
    • getwork - HTTP RPC based
    • Stratum - JSON RPC based
  • Most pools require username, password and wallet address for payout
[Figure: PC 1, PC 2 … PC N each return SHA-256 hash computations to the mining pool, which submits to the Bitcoin network]

SLIDE 9

Pooled Botnet Mining

  • Direct (a)
    • Attacker maliciously installs a regular mining executable on the bot machine
    • Executable connects directly to a public pool using the attacker’s credentials
    • Easily detected: many low-powered clients with the same credentials
  • Proxied (b, c) – (e.g. DLoad.asia, ZeroAccess)
    • Use a proxy server for requests between bots and pool
    • Hides the bots’ IPs, allows flexibility to change pools and credentials upon detection
    • Smart: more sophisticated work allocation to bots, appear as a single machine
  • Dark (Private) (d) – (e.g. Fareit)
    • Self-created and operated by the attacker
    • Less income (smaller pool), more costs (infrastructure)
SLIDE 10

Identifying Mining Malware

  • Collected 2000 malware samples from various sources
  • Identification via binary execution to detect getwork protocol messages (cleartext HTTP)
  • Identification from sandbox data in virus DBs such as
    • ThreatExpert (http://www.threatexpert.com)
    • Emerging Threats (http://www.emergingthreats.net)
SLIDE 11

Extracting Mining Credentials

  • Malware usually embeds generic, off-the-shelf mining clients
  • These need a way to store/retrieve credentials -> the credentials can be extracted
  • 1. Extraction from the malware’s command-line arguments:
    • Sometimes part of the packaged binary
    • Sometimes they can be extracted from the execution environment (e.g. memory dump: BMControl’s)
  • 2. Extraction from HTTP basic authentication:
    • getwork uses basic HTTP authentication
    • In basic HTTP authentication, username – password is included in the HTTP header (Base64 encoded)
    • Can easily be extracted via a network trace

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

Base64(Username:Password)
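An added example (not code from the Botcoin paper) of point 2: parsing a captured getwork request and decoding its Basic credentials, as an analyst would over a network trace from a suspected bot. The request below is constructed; the pool host is a placeholder and the credential pair is the slide's RFC example, Aladdin:OpenSesame.

```python
import base64
import json
import re

# Added example (not from the paper or slides): extract getwork pool
# credentials from a captured cleartext HTTP request. The request is a
# constructed sample; only the Authorization value comes from the slide.
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: pool.example.invalid:8332\r\n"
    b"Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b'{"method": "getwork", "params": [], "id": 1}'
)

def parse_http_request(raw):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def decode_basic_auth(header_value):
    """Return (username, password) from 'Basic <base64(user:pass)>', else None."""
    m = re.match(r"^Basic\s+([A-Za-z0-9+/=]+)$", header_value)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def is_getwork(body):
    """getwork is JSON-RPC over HTTP, so the method name is visible in cleartext."""
    try:
        return json.loads(body).get("method") == "getwork"
    except (ValueError, AttributeError):
        return False

def extract_mining_credentials(raw):
    """Return {'host', 'username', 'password'} for a getwork request, else None."""
    _, headers, body = parse_http_request(raw)
    if not is_getwork(body) or "authorization" not in headers:
        return None
    creds = decode_basic_auth(headers["authorization"])
    if creds is None:
        return None
    return {"host": headers.get("host", ""), "username": creds[0], "password": creds[1]}

if __name__ == "__main__":
    print(extract_mining_credentials(SAMPLE_REQUEST))
```

The same parser applies to any request reassembled from a packet capture; because Basic authentication is only an encoding, no key material is needed to recover the pool account the malware reports to.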

SLIDE 12

Extracting Mining Credentials (cont.)

  • 3. Extraction from the command-and-control channel:
    • Some malware use a C&C channel (e.g. ZeroAccess) to distribute credentials and configuration to bots
    • Sometimes Dropbox and Pastebin web services are used
    • The data are usually obfuscated (scrambled) via algorithms (e.g. Base64 encoding)
    • Try to reverse-engineer and extract credentials via de-obfuscation or memory snapshots
  • 4. Info from pool operators: usernames and wallets of suspected botnet accounts
SLIDE 13

Calculating Attacker Earnings

  • Mapping attackers to wallet addresses
    • This could only be done by contacting pool operators, who provided lists of suspected botnets
  • Earnings calculation sources:
    • Publicly visible pool statistics
      • Public leader board with total user earnings and contribution (e.g. Bitclockers)
      • Named/pseudonymous statistics (e.g. Eligius, Fareit dark pool)
    • Blockchain transaction analysis
      • Knowing the miners’ wallet addresses, study transactions to identify payouts by pools
      • Assumption: wallet addresses are only used for illegal activity, i.e. no income from legal activity
      • Clustered wallet addresses based on blockchain transaction activity
SLIDE 14

Estimating Infected Population

  • Used the following formula for estimation of the bot population
    • Ii = number of infections in country i (data from a top anti-virus software vendor)
    • Mi = number of machines with anti-virus in country i
    • Ti = number of internet users in country i (data from CIA Factbook 2009)
  • CIA Factbook: total Internet users = 1.8 billion
SLIDE 15

Identifying Pool Proxies / Dark Pools

  • Need to find attackers not using direct pool mining, or using a dark pool
    • Hardest to identify and monitor
  • 1. Cross-login test technique
    • Simple case: transparent HTTP proxy – HTTP headers remain unchanged
    • Researchers set up accounts with mining pools and tried to pass requests via the suspected proxy
    • One success: domain-crawlers.com
  • 2. Passive DNS technique
    • Detect dark pools by using historical DNS A-records
    • Domains used by old malware uncovered IPs of current operations
[Figure: Legit user → Suspected Proxy → Mining Pool (the researchers’ own pool account is sent through the suspected proxy)]

SLIDE 16

Identifying Pool Proxies (cont.)

  • 3. Block reversal technique
    • Capture outward getwork block-publishing requests from the malware
    • Identify blocks published by mining pools in the same period
    • Brute-force compare the hashes of the malware’s captured requests vs. the identified blocks
    • If a match is found: the destination address of the malware requests is a proxy between malware and pool(s)
  • 4. Leaked data: leaks about botnet operations have helped researchers uncover botnets (e.g. FeodalCash)

SLIDE 17

Operations Costs & Profitability


  • Costs
    • Cost of acquiring bots (Asia: $5 to $10 per 1000)
    • Cost of the scheme: infrastructure (e.g. proxies), development (e.g. malware), and day-to-day operations (no info found)
  • Profitability
    • In general it seems to be marginally profitable to do crypto mining
    • A botnet of 10,000 low-end PCs could generate about $31 per day *
    • Not as high as spamming and click fraud (millions of US dollars)
    • But, a low-cost operation: bots can also be used for other tasks (spam, DDoS attacks, click fraud) *

SLIDE 18

Identified Bitcoin Mining Operations

[Table: identified Bitcoin mining operations; only the Population column survived extraction: 124700, 17517, 204400, 181600, 36800]
SLIDE 19

MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense


Konoth, R.K et al, October 2018.

SLIDE 20

Drive-by Mining (Cryptojacking)

  • Mining using the website visitor’s web browser (without consent)
  • Rise of new cryptocurrencies minable by ordinary PCs (e.g. Litecoin)
  • Coinhive: popular mining pool for in-browser mining (not necessarily malicious)
  • Improvement in performance of browser client-side scripting
    • Wasm (WebAssembly) – precompiled VM code with almost native speeds
    • asm.js – JavaScript annotations compiled to native code at runtime
  • Paper importance:
    • First paper to focus on drive-by mining, as opposed to older papers that focus on executable malware
    • Similar drive-by papers focused only on the Coinhive pool; this paper tried to detect all
SLIDE 21

Mining Code Injection Methods & Campaigns

  • Compromised webservers / websites
  • Compromised third-party libraries used in websites
  • Embedded miner code in advertisements
  • Rogue WiFi hotspots and compromised routers - large scale distribution
  • Organized in campaigns: group of infected sites belonging to one attacker (site key)
SLIDE 22

Identified Campaigns and Profit


  • Drive-by mining can provide a steady income stream for attackers
SLIDE 23

Drive-by Mining (Cryptojacking) Components


  • Orchestrator script (usually JavaScript):
    • Loads with the page and reports the CPU core count to the server
    • Downloads the highly optimized cryptomining payload (as either Wasm or asm.js) from the website or an external server
    • Sets up a number of web workers based on the CPU cores
    • Sets up the connection with the mining pool server via a WebSocket proxy server
  • Mining payload (usually Wasm)
    • The actual mining code implementing the CryptoNight algorithm that is run in the victim’s browser

SLIDE 24

Detecting Drive-by Mining in a Web Page

  • Researchers crawled and visited Alexa’s Top 1 Million websites
  • Detect the orchestrator script using related keywords (e.g. “CoinHive.Anonymous” or “coinhive.min.js”) in the page source code (index & internal pages)
  • Detect the mining payload
    • Related keywords in JS code (e.g. “hash_cn”, “cryptonight”): module is in text format and compiled at runtime
    • Log and analyse network requests/responses from/to the browser: compiled/precompiled module downloaded from an external location
  • Monitor CPU usage to catch usage above a certain threshold (e.g. above 25%)
  • Monitor HTTP requests to detect Stratum protocol commands
  • Filter out possibly legal mining by detecting a consent notification to the user
    • Search for mining-related keywords (such as CPU, XMR, Coinhive, Crypto and Monero) in the HTML content
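An added example, not MineSweeper's own code, that applies the signals listed above to one page. The HTML, script bodies, WebSocket messages and request metadata are constructed inputs with placeholder site keys and wallets; the orchestrator, payload and consent keyword lists are the slide's, while the Stratum method names, the 25% threshold as a strict comparison and the two-signal verdict rule are this example's assumptions.

```python
import json
import re

# Added example, not MineSweeper's code. Applies the slide's detection
# signals to constructed inputs. Keyword lists come from the slide; the
# Stratum method names and the two-signal verdict rule are assumptions.

ORCHESTRATOR_KEYWORDS = ["CoinHive.Anonymous", "coinhive.min.js"]
PAYLOAD_KEYWORDS = ["hash_cn", "cryptonight"]
CONSENT_KEYWORDS = ["CPU", "XMR", "Coinhive", "Crypto", "Monero"]
# Assumed JSON-RPC method names of Stratum-style pool protocols (Bitcoin
# stratum and the Monero/CryptoNight variant); not a list from the paper.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "login", "getjob", "submit", "job"}
CPU_THRESHOLD = 25.0  # percent; the slide's example threshold


def find_keywords(text, keywords):
    """Case-insensitive substring search; returns the keywords found."""
    lowered = text.lower()
    return [k for k in keywords if k.lower() in lowered]


def stratum_methods_in(messages):
    """Stratum method names found in captured WebSocket / HTTP bodies."""
    found = []
    for msg in messages:
        try:
            obj = json.loads(msg)
        except ValueError:
            continue
        if isinstance(obj, dict) and obj.get("method") in STRATUM_METHODS:
            found.append(obj["method"])
    return found


def external_module_downloads(requests):
    """URLs of compiled Wasm modules fetched from an origin other than the page's."""
    return [r["url"] for r in requests
            if r.get("content_type", "").startswith("application/wasm")
            and r.get("origin") != r.get("page_origin")]


def visible_text(html):
    """Drop script blocks and tags so only user-visible text is searched for consent."""
    without_scripts = re.sub(r"<script\b.*?</script>", " ", html, flags=re.S | re.I)
    return re.sub(r"<[^>]+>", " ", without_scripts)


def assess_page(html, scripts, messages, requests, cpu_percent):
    """Combine the signals into a verdict plus the reasons behind it."""
    reasons = []
    all_code = html + "\n" + "\n".join(scripts)
    if find_keywords(all_code, ORCHESTRATOR_KEYWORDS):
        reasons.append("orchestrator keywords")
    if find_keywords("\n".join(scripts), PAYLOAD_KEYWORDS):
        reasons.append("payload keywords")
    if external_module_downloads(requests):
        reasons.append("external module download")
    if stratum_methods_in(messages):
        reasons.append("stratum commands")
    if cpu_percent > CPU_THRESHOLD:
        reasons.append("high cpu")
    consent = bool(find_keywords(visible_text(html), CONSENT_KEYWORDS))
    # Constructed rule: two independent signals before calling it mining,
    # so a single keyword hit or a busy page does not trigger on its own.
    return {"mining": len(reasons) >= 2, "reasons": reasons, "consent_notice": consent}


# Constructed sample inputs (placeholders, not captured from a real site).
SAMPLE_HTML = """<html><body><h1>Free wallpapers</h1>
<script src="https://cdn.example.invalid/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER'); m.start();</script>
</body></html>"""
SAMPLE_SCRIPTS = [
    "var m = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER'); m.start();",
    "var hash_cn = Module.cwrap('hash_cn', 'number', ['number', 'number']);",
]
SAMPLE_MESSAGES = [
    '{"method":"login","params":{"login":"WALLET-PLACEHOLDER","pass":"x"},"id":1}',
    '{"method":"submit","params":{"job_id":"1","nonce":"00000000"},"id":2}',
]
SAMPLE_REQUESTS = [{"url": "https://cdn.example.invalid/cn.wasm",
                    "content_type": "application/wasm",
                    "origin": "cdn.example.invalid",
                    "page_origin": "site.example.invalid"}]

if __name__ == "__main__":
    print(assess_page(SAMPLE_HTML, SAMPLE_SCRIPTS, SAMPLE_MESSAGES, SAMPLE_REQUESTS, 90.0))
```

The consent check deliberately searches only user-visible text, so keywords inside scripts cannot make a silent miner look consensual; the next slide explains why the keyword and CPU signals alone are easy to evade, which is why the verdict combines several.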
SLIDE 25

Detection Evasion Techniques

  • Code obfuscation (JavaScript)
    • Packed code, CharCode, name obfuscation, dead code injection, filename and URL randomization
  • Obfuscation in Stratum communication
    • Encode the request as hex code or salted Base64 encoding before transmitting it through the WebSocket
  • Evasion by automated obfuscation tools
  • Anti-debugging tricks
    • The mining client checks if the user has the browser’s developer tools open and stops executing if so
SLIDE 26

Extracting Attacker Credentials

  • Look for keywords in each request / response in the communication between a cryptominer and the proxy server to detect
    • Proxy server address (request receiver)
    • Mining client identifier
    • Public mining pool name & wallet address (sometimes)

SLIDE 27

Drive-By Mining Detection and Defense

  • Current techniques
    • Block sites using a blacklist of mining pools and proxy servers
    • Detect potential mining code from CPU utilization (e.g. > 25%)
    • Both fail: URL randomization & obfuscation, CPU throttling (e.g. to 25%)
  • Paper proposal: MineSweeper - a technique for drive-by mining detection which doesn’t rely on blacklists and/or CPU usage heuristics
    • Targets properties of the mining code that are impossible or very painful for the miners to remove
    • Identifies measurable properties of mining algorithms which effectively detect them even if they are obfuscated
SLIDE 28

Common Drive-by Mining Characteristics

  • CryptoNight-based cryptomining implementations
    • Memory-hard hashing-based algorithm introduced in 2013
    • Designed for mining by ordinary CPUs; inefficient on special-purpose devices (mining hardware, ASIC)
  • Highly optimized Wasm implementation of the CryptoNight algorithm
  • Name obfuscation is used in Wasm modules
  • They communicate with the mining pool through a WebSocket proxy server
SLIDE 29

CryptoNight Algorithm

  • Series of cryptographic operations in 3 steps
    • XOR
    • Shifts (left, right)
    • Encryption algorithms (AES)
    • Hashing algorithms (Keccak, BLAKE-256, Groestl-256, Skein-256)
  • High repetition (loops) of operations
SLIDE 30

CryptoNight Detection Based on Primitive Identification

  • Idea: detect 5 basic primitives via fingerprinting
    • 1. Keccak (Keccak 1600-512 and Keccak-f 1600)
    • 2. AES
    • 3. BLAKE-256
    • 4. Groestl-256
    • 5. Skein-256
  • Fingerprints consist of the count of cryptographic operations enclosed in loops inside functions
  • Compare functions with fingerprints and calculate “similarity” and “difference” scores
  • Identify the function with the highest similarity score or lowest difference (in ties)
Example from the slide:

  BLAKE-256 fingerprint: 80 XOR, 85 left shift, 32 right shift
  foo():                 86 XOR, 85 left shift, 33 right shift

  Similarity = 3 (all operations present); Difference = 2 (XOR and right shift have different counts)

SLIDE 31

CryptoNight Generic Cryptographic Function Detection

  • Count the number of cryptographic operations (XOR, shift, and rotate operations) inside loops of each function of the Wasm module
  • Flag a function as cryptographic if this number exceeds a certain threshold
  • Useful for detecting new CryptoNight variants and/or other hashing algorithms
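An added example (not the paper's implementation) covering both the fingerprint matching of the previous slide and the generic threshold detector of this one. Only the BLAKE-256 fingerprint and the foo() operation counts come from the slides; the other four fingerprints, the threshold value, and the rule that a function is reported as a primitive only when every operation of the best fingerprint is present are constructed placeholders. The input is the per-function operation counts that a static pass over the Wasm module would produce, so function names play no role and name obfuscation does not affect the result.

```python
# Added example, not MineSweeper's code: fingerprint matching on counts of
# cryptographic operations inside loops, plus the generic threshold check.

FINGERPRINTS = {
    "BLAKE-256":   {"xor": 80, "shl": 85, "shr": 32},   # from the slide
    "Keccak":      {"xor": 76, "rotl": 24, "and": 25},  # constructed placeholder
    "AES":         {"xor": 16, "shl": 4, "shr": 12},    # constructed placeholder
    "Groestl-256": {"xor": 64, "shl": 8, "shr": 16},    # constructed placeholder
    "Skein-256":   {"xor": 72, "rotl": 72, "add": 72},  # constructed placeholder
}
GENERIC_THRESHOLD = 50  # constructed threshold for the generic detector
GENERIC_OPS = ("xor", "shl", "shr", "rotl", "rotr")


def similarity(counts, fingerprint):
    """Number of the fingerprint's operation types that the function also uses."""
    return sum(1 for op in fingerprint if counts.get(op, 0) > 0)


def difference(counts, fingerprint):
    """Number of the fingerprint's operation types whose counts do not match."""
    return sum(1 for op, n in fingerprint.items() if counts.get(op, 0) != n)


def identify_primitive(counts):
    """Best fingerprint: highest similarity, lowest difference on ties.
    Returns (name, similarity, difference)."""
    best_score, best_name = None, None
    for name, fp in FINGERPRINTS.items():
        score = (similarity(counts, fp), -difference(counts, fp))
        if best_score is None or score > best_score:
            best_score, best_name = score, name
    return best_name, best_score[0], -best_score[1]


def is_generic_crypto(counts):
    """Slide 31's generic detector: xor/shift/rotate ops in loops above a threshold."""
    return sum(counts.get(op, 0) for op in GENERIC_OPS) > GENERIC_THRESHOLD


def scan_module(functions):
    """functions: {name: {op: count inside loops}} for each function of a module."""
    report = {}
    for fname, counts in functions.items():
        name, sim, diff = identify_primitive(counts)
        # Constructed rule: only a full-coverage match is reported as a primitive.
        full_match = sim == len(FINGERPRINTS[name])
        report[fname] = {"primitive": name if full_match else None,
                         "similarity": sim, "difference": diff,
                         "generic_crypto": is_generic_crypto(counts)}
    return report


# Constructed sample: foo() uses the slide's counts; bar() is an ordinary loop.
SAMPLE_MODULE = {
    "foo": {"xor": 86, "shl": 85, "shr": 33},
    "bar": {"add": 3, "shl": 1},
}

if __name__ == "__main__":
    for fname, result in scan_module(SAMPLE_MODULE).items():
        print(fname, result)
```

For foo() the scores reproduce the slide's worked example (similarity 3, difference 2 against BLAKE-256), and the generic detector also flags it because its 204 loop operations exceed the threshold, which is the path that would still catch a renamed or lightly modified variant without a matching fingerprint.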
SLIDE 32

CryptoNight Detection Based on CPU Cache Events

  • The previously mentioned techniques do not work well for obfuscated code
  • Detection technique based on these facts:
    • For efficient mining, the algorithm requires about 2MB of fast memory per instance
    • 2MB only fits in the L3 (also L2, L1) cache usually present in ordinary CPUs
    • ASICs (special mining systems) and GPUs do not offer more than 1MB of fast memory access
  • Idea: identify CryptoNight based on its CPU cache usage (used the linux perf tool)
  • Attackers could try to evade detection, but this would cripple the performance of the algorithm
SLIDE 33

MineSweeper Deployment Considerations

  • Profiling of websites at large scale (input: website URL)
  • Notify users about a potential drive-by mining attack while browsing
    • Integration with browsers is easy for primitive identification and generic detection
    • CPU cache monitoring requires root privileges, currently available to the OS, not to browsers
SLIDE 34

Evaluation of Cryptographic Primitive Identification

  • 40 unique Wasm modules discovered by the researchers’ crawl
  • 36 detected successfully with primitive identification (identified at least 1 primitive)

SLIDE 35

Evaluation of CPU Cache Event Monitoring

  • L1 and L3 data cache events for miners and other web applications on two different machines (# of operations per 10 seconds, M=million)

SLIDE 36

Papers

[1] Huang, D.Y., Dharmdasani, H., Meiklejohn, S., Dave, V., Grier, C., McCoy, D., Savage, S., Weaver, N., Snoeren, A.C. and Levchenko, K., “Botcoin: Monetizing Stolen Cycles”, NDSS, February 2014.

[2] Konoth, R.K., Vineti, E., Moonsamy, V., Lindorfer, M., Kruegel, C., Bos, H. and Vigna, G., “MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense”, Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1714-1730, October 2018.
