Crypto Mining CHRISTOS HADJISTYLLIS EPL682 - ADVANCED SECURITY TOPICS, SPRING 2018/2019 UNIVERSITY OF CYPRUS


Page 1: Crypto Mining - UCY...Bitcoin Mining (cont.) •Difficulty of earning Bitcoins is to achieve the minimum number of leading zeros in SHA-256 hash fast •Average desktop PC can do 2

Crypto Mining

Christos Hadjistyllis

EPL682 - Advanced Security Topics, Spring 2018/2019

University of Cyprus


Introduction
• Cryptocurrency: virtual currency usually not controlled by any government or physical entity
  • Examples: Bitcoin, Litecoin, Ethereum and many more
• Crypto mining: earning cryptocurrency by offering computing resources to process transactions
• Security issue: cybercriminals use malware to gain access to our hardware and use it to mine cryptocurrency
  • Degrades the system's performance and increases power consumption

CRYPTOCURRENCY MINING 2


Botcoin: Monetizing Stolen Cycles
(Executable-based mining)

Huang, D.Y. et al., February 2014.


Executable-based mining
• Take advantage of compromised computers (bots) to join or establish Bitcoin mining pools
• Native executable botnet malware is installed
  • Via: drive-by downloads, pirated software, etc.
• Research goal: identify the malware, infrastructure, earnings and infected population of such operations
• Paper importance:
  • First to focus exclusively on crypto mining via compromised hosts (bots)
  • Other work focused on manipulating the mining process for more revenue by colluding
  • Some deal with general monetary uses of malware


Bitcoin Mining – Bitcoin basics
• Bitcoin is a peer-to-peer decentralized currency proposed in a paper in 2008 by "Satoshi Nakamoto"
• Bitcoin is a global public ledger of balances per wallet address
  • Wallet address: hash derived from a public/private key pair; the private key is used to sign transactions
• All transactions are written to the blockchain
  • Peer-to-peer append-only ledger of valid transactions (signed & sufficient balance)
  • Supports only transfers out of one wallet to another


Bitcoin Mining
• Dual role
  • Maintain blockchain integrity: confirms transactions and protects them from future modification
  • Control the Bitcoin issuing rate: miners execute a (computationally challenging) proof-of-work algorithm
• Miners are rewarded for discovering new "blocks"
  • A block is a SHA-256 hash consisting of
    • Group of new valid transactions
    • Nonce: (random/arbitrary) value
    • Coinbase: transaction for the miner reward + comment
    • Previous block hash
  • If the SHA-256 (binary) hash has a minimum number of leading zeros:
    • Miner sends the new block to the P2P network for validation by peers
  • Else, repeat using a new nonce value

[Figure: New transactions + Coinbase/comments + Nonce (e.g. 1234) + Previous block hash -> SHA-256 -> 0000110001010101100011100101]
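The search loop the slide describes, as an added example that is not part of the slides or of either paper: a toy block built from the four ingredients listed above (transactions, coinbase, previous hash, nonce), hashed with SHA-256 until the digest has the required number of leading zero bits. The block layout, the sample transactions and the single-SHA-256 "hash the whole block" model are simplifications assumed here (real Bitcoin hashes an 80-byte header with double SHA-256); the point is that mining is a brute-force nonce search while verification is a single hash.

```python
import hashlib
import struct

# Constructed sample inputs (not from the slides): a toy block with the
# four ingredients the slide lists. Real Bitcoin headers use Merkle roots,
# little-endian fields and double SHA-256; this keeps the slide's simplified
# "hash the whole block" model.
SAMPLE_TRANSACTIONS = ["alice->bob:0.5", "bob->carol:0.2"]
SAMPLE_COINBASE = "coinbase:miner1:25.0 # hello from miner1"
SAMPLE_PREV_HASH = "00" * 32  # genesis-style previous hash, constructed


def block_bytes(transactions, coinbase, prev_hash, nonce):
    """Serialise the block fields in a fixed order so the hash is reproducible."""
    body = "\n".join(transactions) + "\n" + coinbase + "\n" + prev_hash
    return body.encode() + struct.pack("<I", nonce)


def leading_zero_bits(digest):
    """Count leading zero bits of a digest (the slide's 'leading zeros' in binary)."""
    bits = int.from_bytes(digest, "big")
    return len(digest) * 8 - bits.bit_length()


def meets_target(digest, difficulty_bits):
    """The difficulty test: at least difficulty_bits leading zero bits."""
    return leading_zero_bits(digest) >= difficulty_bits


def mine(transactions, coinbase, prev_hash, difficulty_bits, max_nonce=2**32):
    """Try nonces until SHA-256(block) has at least difficulty_bits leading zeros.

    Returns (nonce, hex_digest, attempts) or None if max_nonce is exhausted.
    """
    for nonce in range(max_nonce):
        digest = hashlib.sha256(
            block_bytes(transactions, coinbase, prev_hash, nonce)).digest()
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex(), nonce + 1
    return None


def verify(transactions, coinbase, prev_hash, nonce, difficulty_bits):
    """What a peer does on receipt of a block: one hash, no search."""
    digest = hashlib.sha256(
        block_bytes(transactions, coinbase, prev_hash, nonce)).digest()
    return meets_target(digest, difficulty_bits)


if __name__ == "__main__":
    # Each extra 4 bits of difficulty multiplies the expected work by 16.
    for bits in (8, 12, 16):
        nonce, h, tries = mine(SAMPLE_TRANSACTIONS, SAMPLE_COINBASE,
                               SAMPLE_PREV_HASH, bits)
        print(f"{bits:2d} leading zero bits: nonce={nonce} attempts={tries} hash={h}")
```

Running the block shows the expected number of attempts roughly doubling with every extra zero bit, which is the asymmetry the next slide's hash-rate numbers build on: a 10 MH/s PC and a 500 GH/s ASIC run exactly this loop, just at different speeds.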


Bitcoin Mining (cont.)
• The difficulty of earning Bitcoins lies in achieving the minimum number of leading zeros in the SHA-256 hash fast
• An average desktop PC can do 2 - 10 MH/s; a dedicated mining system (ASIC) can do > 500 GH/s
• November 30, 2013
  • Bitcoin network's rate: approximately 6,000 TH/s
  • Which means that a 10-MH/s PC would make less than 0.0000002% of all Bitcoins mined during that period

MH/s, GH/s, TH/s = millions, billions, trillions of hashes per second


Pooled Mining
• Mining pools (e.g. Eligius, 50 BTC) allow miners to join together and get a small portion of the money made by the whole pool, based on relative contribution
• Pool servers manage all pending transactions and assign hash computations to workers (miners)
• Most popular pools use cleartext TCP/IP communication protocols
  • getwork - HTTP RPC based
  • Stratum - JSON RPC based
• Most pools require username, password and wallet address for payout

[Figure: PC 1, PC 2 ... PC N each submit SHA-256 hashes to the mining pool, which submits to the Bitcoin network]


Pooled Botnet Mining
• Direct (a)
  • Attacker maliciously installs a regular mining executable on the bot machine
  • Executable connects directly to a public pool using the attacker's credentials
  • Easily detected: many low-powered clients with the same credentials
• Proxied (b, c) – (e.g. DLoad.asia, ZeroAccess)
  • Use a proxy server for requests between bots and pool
  • Hides the bots' IPs; allows flexibility to change pools and credentials upon detection
  • Smart: more sophisticated work allocation to bots, appears as a single machine
• Dark (private) (d) – (e.g. Fareit)
  • Self-created and operated by the attacker
  • Less income (smaller pool), more costs (infrastructure)


Identifying Mining Malware
• Collected 2000 malware samples from various sources
• Identification via binary execution to detect getwork protocol messages (cleartext HTTP)
• Identification from sandbox data from virus databases such as
  • ThreatExpert (http://www.threatexpert.com)
  • Emerging Threats (http://www.emergingthreats.net)


Extracting Mining Credentials
• Malware usually embeds generic, off-the-shelf mining clients
  • Needs a way to store/retrieve credentials -> we can extract them
• 1. Extraction from the malware's command-line arguments:
  • Sometimes part of the packaged binary
  • Sometimes we can extract them from the execution environment (e.g. memory dump: BMControl's)
• 2. Extraction from HTTP basic authentication:
  • getwork uses HTTP basic authentication
  • In HTTP basic authentication, username:password is included in the HTTP header (Base64 encoded)
  • Can easily extract them via a network trace

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
(= Base64(Username:Password))
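The two identification steps from slides 10 and 11 combined, as an added example that is not the paper's code: given raw HTTP requests recorded from a sandbox run, recognise a cleartext getwork JSON-RPC call and decode the Basic credential from its Authorization header. The sample requests, host names and the JSON body shape are constructed for the example; the Base64 value is the slide's own and decodes to Aladdin:OpenSesame.

```python
import base64
import binascii
import json
import re

# Constructed sample traffic (not from the paper): one getwork request as a
# compromised host would send it to a pool over cleartext HTTP, and one
# unrelated request for contrast. The Basic credential is the slide's example.
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\n"
    "Host: pool.example.invalid:8332\r\n"
    "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"method": "getwork", "params": [], "id": 1}',

    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "\r\n",
]

_BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
_HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)


def decode_basic_auth(header_value):
    """Base64-decode a Basic credential into (username, password).

    Returns None when the value is not valid Base64 or has no ':' separator.
    """
    try:
        raw = base64.b64decode(header_value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def parse_http_request(raw):
    """Split a raw HTTP request into (request_line, headers_text, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, headers = head.partition("\r\n")
    return request_line, headers, body


def is_getwork(body):
    """True if the body is a JSON-RPC call to the getwork method."""
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") == "getwork"


def extract_mining_credentials(raw_request):
    """Return {'host', 'username', 'password'} for a getwork request, else None."""
    _, headers, body = parse_http_request(raw_request)
    if not is_getwork(body):
        return None
    m = _BASIC_RE.search(headers)
    if not m:
        return None
    creds = decode_basic_auth(m.group(1))
    if creds is None:
        return None
    host_m = _HOST_RE.search(headers)
    return {"host": host_m.group(1) if host_m else None,
            "username": creds[0], "password": creds[1]}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(extract_mining_credentials(req))
```

The same pattern (match the protocol first, then pull the credential) is what makes the credential usable as a pool-side identifier: the host and username together are the key that the later slides use to ask pool operators about suspected botnet accounts.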


Extracting Mining Credentials (cont.)
• 3. Extraction from the command-and-control channel:
  • Some malware use a C&C channel (e.g. ZeroAccess) to distribute credentials and configuration to bots
    • Sometimes Dropbox and Pastebin web services
  • The data are usually obfuscated (scrambled) via algorithms (e.g. Base64 encoding)
  • Try to reverse-engineer and extract credentials via de-obfuscation or memory snapshots
• 4. Info from pool operators: usernames and wallets of suspected botnet accounts


Calculating Attacker Earnings
• Mapping attackers to wallet addresses
  • This could only be done by contacting pool operators, who provided lists of suspected botnets
• Earnings calculation sources:
  • Publicly visible pool statistics
    • Public leader board with total user earnings and contribution (e.g. Bitclockers)
    • Named/pseudonymous statistics (e.g. Eligius, Fareit dark pool)
  • Blockchain transaction analysis
    • Knowing the miners' wallet addresses, study transactions to identify payouts by pools
    • Assumption: wallet addresses are only used for illegal activity, i.e. no income from legal activity
• Clustered wallet addresses based on blockchain transaction activity


Estimating Infected Population
• Used the following formula for estimation of the bot population
  • I_i = number of infections in country i (data from a top anti-virus software vendor)
  • M_i = number of machines with anti-virus in country i
  • T_i = number of Internet users in country i (data from CIA Factbook 2009)
  • CIA Factbook: total Internet users = 1.8 billion


Identifying Pool Proxies / Dark Pools
• Need to find attackers not using direct pool mining, or using a dark pool
• Hardest to identify and monitor
• 1. Cross-login test technique
  • Simple case: transparent HTTP proxy – HTTP headers remain unchanged
  • Researchers set up accounts with mining pools and tried to pass requests via the suspected proxy
  • One success: domain-crawlers.com
• 2. Passive DNS technique
  • Detect dark pools by using historical DNS A records
  • Domains used by old malware uncovered the IPs of current operations

[Figure: Legit user -> Suspected proxy -> Mining pool]


Identifying Pool Proxies (cont.)
• 3. Block reversal technique
  • Capture the outbound getwork block-publishing requests made by the malware
  • Identify blocks published by mining pools in the same period
  • Brute-force compare hashes of the captured malware requests vs. the identified blocks
  • If a match is found: the destination address of the malware requests is a proxy between the malware and the pool(s)
• 4. Leaked data: leaks about botnet operations have helped researchers uncover botnets (e.g. FeodalCash)
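The block reversal comparison in code, as an added example and not the paper's implementation: each captured submission is hashed the way Bitcoin hashes a block header (double SHA-256, displayed byte-reversed) and looked up in the set of blocks the public pools published. The example assumes the submitted work has already been normalised to a standard 80-byte header (getwork carries it padded and word-swapped, which is not handled here). The destination addresses and the second, altered header are constructed; the genesis block header and its hash are real public values used so the match can be checked.

```python
import hashlib

# Real public values: the Bitcoin genesis block header (80 bytes, hex) and its hash.
GENESIS_HEADER = ("01000000" + "00" * 32
                  + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
                  + "29ab5f49" + "ffff001d" + "1dac2b7c")
GENESIS_HASH = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"

# Constructed captured traffic: (destination address, submitted header hex).
# The second header is a constructed variant (nonce zeroed) that no pool published.
CAPTURED_SUBMISSIONS = [
    ("198.51.100.7:8332", GENESIS_HEADER),
    ("203.0.113.9:8332", GENESIS_HEADER[:-8] + "00000000"),
]
# Constructed "published blocks" list, as one would scrape from pool statistics.
PUBLISHED_BLOCKS = {GENESIS_HASH}


def block_hash(header_hex):
    """Bitcoin block hash: double SHA-256 of the 80-byte header, shown byte-reversed."""
    header = bytes.fromhex(header_hex)
    if len(header) != 80:
        raise ValueError("block header must be 80 bytes")
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return digest[::-1].hex()


def find_proxies(captured_submissions, published_blocks):
    """Map each destination whose submitted work became a published block to those hashes.

    A destination that appears here relayed real pool work, i.e. it sits between
    the malware and a public pool.
    """
    known = {h.lower() for h in published_blocks}
    hits = {}
    for dest, header_hex in captured_submissions:
        h = block_hash(header_hex)
        if h in known:
            hits.setdefault(dest, []).append(h)
    return hits


if __name__ == "__main__":
    print(find_proxies(CAPTURED_SUBMISSIONS, PUBLISHED_BLOCKS))
```

Because the comparison is on hashes, the check is cheap: one double SHA-256 per captured submission and a set lookup against however many blocks the pools published in the same window, which is why the slide can afford to call it "brute-force".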


Operations Costs & Profitability
• Costs
  • Cost of acquiring bots (Asia: $5 to $10 per 1000)
  • Cost of the scheme: infrastructure (e.g. proxies), development (e.g. malware), and day-to-day operations (no info found)
• Profitability
  • In general it seems to be only marginally profitable to do crypto mining
    • A botnet of 10,000 low-end PCs could generate about $31 per day *
  • Not as high as spamming and click fraud (millions of US dollars)
  • But a low-cost operation: bots can also be used for other tasks (spam, DDoS attacks, click fraud)

*


Identified Bitcoin Mining Operations

[Table: identified Bitcoin mining operations; only the Population column survives in the transcript: 124,700; 17,517; 204,400; -; -; 181,600; -; 36,800; -; -]


MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense

Konoth, R.K. et al., October 2018.


Drive-by Mining (Cryptojacking)
• Mining using the website visitor's web browser (without consent)
• Rise of new cryptocurrencies minable by ordinary PCs (e.g. Litecoin)
  • Coinhive: popular mining pool for in-browser mining (not necessarily malicious)
• Improvement in the performance of browser client-side scripting
  • Wasm (WebAssembly) – precompiled VM code with almost native speed
  • asm.js – JavaScript annotations compiled to native code at runtime
• Paper importance:
  • Focuses on drive-by mining as opposed to older papers that focus on executable malware (first such paper)
  • Similar drive-by papers focused only on the Coinhive pool; this paper tried to detect all


Mining Code Injection Methods & Campaigns
• Compromised web servers / websites
• Compromised third-party libraries used in websites
• Miner code embedded in advertisements
• Rogue WiFi hotspots and compromised routers - large-scale distribution
• Organized in campaigns: group of infected sites belonging to one attacker (site key)


Identified Campaigns and Profit
• Drive-by mining can provide a steady income stream for attackers


Drive-by Mining (Cryptojacking) Components
• Orchestrator script (usually JavaScript):
  • Loads with the page and reports the CPU core count to the server
  • Downloads the highly optimized cryptomining payload (as either Wasm or asm.js) from the website or an external server
  • Sets up a number of web workers based on the CPU core count
  • Sets up the connection with the mining pool server via a WebSocket proxy server
• Mining payload (usually Wasm)
  • The actual mining code implementing the CryptoNight algorithm, run in the victim's browser


Detecting Drive-by Mining in a Web Page
• Researchers crawled and visited Alexa's Top 1 Million websites
• Detect the orchestrator script using related keywords (e.g. "CoinHive.Anonymous" or "coinhive.min.js") in the page source code (index & internal pages)
• Detect the mining payload
  • Related keywords in JS code (e.g. "hash_cn", "cryptonight"): module is in text format and compiled at runtime
  • Log and analyse network requests/responses from/to the browser: compiled/precompiled module downloaded from an external location
• Monitor CPU usage to catch usage above a certain threshold (e.g. above 25%)
• Monitor HTTP requests to detect Stratum protocol commands
• Filter out possibly legal mining by detecting a consent notification to the user
  • Search for mining-related keywords (such as CPU, XMR, Coinhive, Crypto and Monero) in the HTML content


Detection Evasion Techniques
• Code obfuscation (JavaScript)
  • Packed code, CharCode, name obfuscation, dead code injection, filename and URL randomization
• Obfuscation in Stratum communication
  • Encode the request as hex or salted Base64 before transmitting it through the WebSocket
  • Evasion by automated obfuscation tools
• Anti-debugging tricks
  • The mining client checks if the user has developer tools open in the browser and stops executing if so


Extracting Attacker Credentials
• Look for keywords in each request/response in the communication between a cryptominer and the proxy server to detect
  • Proxy server address (request receiver)
  • Mining client identifier
  • Public mining pool name & wallet address (sometimes)
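The Stratum-command check from slide 24 and the indicator extraction on this slide, as one added example that is not MineSweeper's code: WebSocket text frames logged from the browser are decoded (undoing the plain hex encoding slide 25 lists as an evasion), classified by Stratum method, and the proxy address, mining client identifier and login (wallet) are pulled from a login message. The frames, proxy host name and wallet string are constructed; the message shapes follow the common JSON-RPC Stratum dialect used by CryptoNight miners (login / submit / job), which is an assumption about the traffic, not a statement from the paper.

```python
import json
import re
from urllib.parse import urlparse

# Constructed WebSocket payloads (not captured from any real site): a plain
# Stratum login, the same login hex-encoded, a share submission, a job
# notification from the proxy, and an unrelated chat message for contrast.
PLAIN_LOGIN = ('{"id":1,"jsonrpc":"2.0","method":"login","params":'
               '{"login":"4CONSTRUCTEDWALLET","pass":"x","agent":"wasm-worker/1.0"}}')
PROXY = "wss://proxy.example.invalid:8443/ws"
SAMPLE_FRAMES = [
    (PROXY, PLAIN_LOGIN),
    (PROXY, PLAIN_LOGIN.encode().hex()),
    (PROXY, '{"id":2,"jsonrpc":"2.0","method":"submit","params":'
            '{"id":"sess1","job_id":"j1","nonce":"deadbeef","result":"00ab"}}'),
    (PROXY, '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"sess1",'
            '"job":{"blob":"0707","job_id":"j1","target":"ffff"},"status":"OK"}}'),
    ("wss://chat.example.invalid/ws", '{"type":"chat","text":"hello"}'),
]

STRATUM_METHODS = {"login", "submit", "getjob", "keepalived", "job"}


def _try_unhex(text):
    """Undo a plain hex encoding of a text frame; None if it is not hex/UTF-8."""
    s = text.strip()
    if len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    try:
        return bytes.fromhex(s).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_payload(text):
    """Return the JSON object a frame carries, plain or hex-encoded; else None."""
    for candidate in (text, _try_unhex(text)):
        if candidate is None:
            continue
        try:
            obj = json.loads(candidate)
        except ValueError:
            continue
        if isinstance(obj, dict):
            return obj
    return None


def stratum_method(obj):
    """Name of the Stratum method a message carries, or None for non-Stratum JSON."""
    if obj.get("method") in STRATUM_METHODS:
        return obj["method"]
    # Server-side job notifications carry the job in 'result' or 'params'.
    for key in ("result", "params"):
        v = obj.get(key)
        if isinstance(v, dict) and ("job" in v or "job_id" in v):
            return "job"
    return None


def extract_indicators(proxy_url, text):
    """Proxy address, Stratum method and (for logins) wallet + client id; None if not Stratum."""
    obj = decode_payload(text)
    if obj is None:
        return None
    method = stratum_method(obj)
    if method is None:
        return None
    params = obj.get("params") if isinstance(obj.get("params"), dict) else {}
    return {
        "proxy": urlparse(proxy_url).netloc,
        "method": method,
        "wallet": params.get("login") if method == "login" else None,
        "client_id": params.get("agent") if method == "login" else None,
    }


def scan_frames(frames):
    """Run extract_indicators over (url, payload) pairs, keeping only Stratum hits."""
    return [i for i in (extract_indicators(u, t) for u, t in frames) if i]


if __name__ == "__main__":
    for hit in scan_frames(SAMPLE_FRAMES):
        print(hit)
```

The proxy address comes from the WebSocket URL rather than from the message body, which is why URL randomization (slide 25) defeats blacklists but not this kind of protocol-level check: the login and submit messages still have to reach a proxy that speaks Stratum.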


Drive-By Mining Detection and Defense
• Current techniques
  • Block sites using a blacklist of mining pools and proxy servers
  • Detect potential mining code from CPU utilization (e.g. > 25%)
  • Both fail: URL randomization & obfuscation, CPU throttling (e.g. to 25%)
• Paper proposal: MineSweeper - a technique for drive-by mining detection which doesn't rely on blacklists and/or CPU usage heuristics
  • Targets properties of the mining code that are impossible or very painful for the miners to remove
  • Identifies measurable properties of mining algorithms which effectively detect them even if they are obfuscated


Common Drive-by Mining Characteristics
• CryptoNight-based cryptomining implementations
  • Memory-hard hashing-based algorithm introduced in 2013
  • Designed for mining by ordinary CPUs; inefficient on special-purpose devices (mining hardware, ASICs)
• Highly optimized Wasm implementation of the CryptoNight algorithm
• Name obfuscation is used in Wasm modules
• They communicate with the mining pool through a WebSocket proxy server


CryptoNight Algorithm
• Series of cryptographic operations in 3 steps
  • XOR
  • Shifts (left, right)
  • Encryption algorithms (AES)
  • Hashing algorithms (Keccak, BLAKE-256, Groestl-256, Skein-256)
• High repetition (loops) of operations


CryptoNight Detection Based on Primitive Identification
• Idea: detect 5 basic primitives via fingerprinting
  1. Keccak (Keccak 1600-512 and Keccak-f 1600)
  2. AES
  3. BLAKE-256
  4. Groestl-256
  5. Skein-256
• Fingerprints consist of the count of cryptographic operations enclosed in loops inside functions
• Compare functions with fingerprints and calculate "similarity" and "difference" scores
  • Identify the function with the highest similarity score, or the lowest difference (in ties)

Example:
  BLAKE-256 fingerprint: 80 XOR, 85 left shift, 32 right shift
  foo():                 86 XOR, 85 left shift, 33 right shift
  Similarity = 3 (all operations present); Difference = 2 (XOR and right shift have different counts)


CryptoNight Generic Cryptographic Function Detection
• Count the number of cryptographic operations (XOR, shift, and rotate operations) inside loops of each function of the Wasm module
  • Flag a function as cryptographic if this number exceeds a certain threshold
• Useful for detecting new CryptoNight variants and/or other hashing algorithms
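Both scoring rules from the primitive-identification slide and the generic threshold rule from this slide, as one added example that is not MineSweeper's implementation: a function's in-loop operation counts are built from an instruction listing, compared against fingerprints for similarity (how many fingerprinted operations the function contains at all) and difference (how many have a different count), and separately tested against a plain count threshold. The BLAKE-256 fingerprint and foo() counts are the slide's worked example; the second fingerprint, the instruction listing, the opcode-to-class mapping and the threshold value are constructed for illustration and are not the paper's real numbers.

```python
from collections import Counter

# Slide 30's worked example: the BLAKE-256 fingerprint and the function foo().
# "toy-A" is a constructed second fingerprint so that ranking has something to rank.
FINGERPRINTS = {
    "BLAKE-256": {"xor": 80, "shl": 85, "shr": 32},
    "toy-A": {"xor": 40, "shl": 10, "rotl": 64},  # constructed, not a real primitive
}
FOO = {"xor": 86, "shl": 85, "shr": 33}

# Wasm opcode names mapped to the operation classes the paper counts
# (XOR, shifts, rotates). The mapping itself is an assumption of this example.
OPCODE_CLASS = {
    "i32.xor": "xor", "i64.xor": "xor",
    "i32.shl": "shl", "i64.shl": "shl",
    "i32.shr_u": "shr", "i32.shr_s": "shr", "i64.shr_u": "shr", "i64.shr_s": "shr",
    "i32.rotl": "rotl", "i64.rotl": "rotl", "i32.rotr": "rotr", "i64.rotr": "rotr",
}

# Constructed instruction listing for one function: (opcode, inside_a_loop).
SAMPLE_INSTRUCTIONS = [
    ("i32.xor", True), ("i32.xor", True), ("i32.shl", True),
    ("i32.shr_u", False),   # outside any loop: not counted
    ("i32.add", True),      # not a cryptographic operation: not counted
]


def count_loop_ops(instructions):
    """Count cryptographic operations that sit inside loops (the fingerprint input)."""
    counts = Counter(OPCODE_CLASS[op] for op, in_loop in instructions
                     if in_loop and op in OPCODE_CLASS)
    return dict(counts)


def similarity(func_ops, fingerprint):
    """Number of fingerprint operations that also appear (count > 0) in the function."""
    return sum(1 for op in fingerprint if func_ops.get(op, 0) > 0)


def difference(func_ops, fingerprint):
    """Number of fingerprint operations whose count in the function differs."""
    return sum(1 for op, n in fingerprint.items() if func_ops.get(op, 0) != n)


def best_match(func_ops, fingerprints):
    """Highest similarity wins; ties broken by lowest difference.

    Returns (name, similarity, difference) or None when nothing matches at all.
    """
    ranked = sorted(
        ((name, similarity(func_ops, fp), difference(func_ops, fp))
         for name, fp in fingerprints.items()),
        key=lambda t: (-t[1], t[2]))
    if not ranked or ranked[0][1] == 0:
        return None
    return ranked[0]


def is_generic_crypto(func_ops, threshold):
    """Slide 31's rule: flag a function if its in-loop crypto op count exceeds the threshold."""
    return sum(func_ops.values()) > threshold


if __name__ == "__main__":
    print("foo():", best_match(FOO, FINGERPRINTS))          # ('BLAKE-256', 3, 2)
    print("generic flag:", is_generic_crypto(FOO, 100))
    print("listing counts:", count_loop_ops(SAMPLE_INSTRUCTIONS))
```

Name obfuscation does not disturb either score because neither looks at function or variable names, only at which instructions occur inside loops; that is the property the slides describe as painful for a miner author to remove without slowing the hash down.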


CryptoNight Detection Based on CPU Cache Events
• The previously mentioned techniques do not work well for obfuscated code
• Detection technique based on these facts:
  • For efficient mining, the algorithm requires about 2MB of fast memory per instance
  • 2MB fits only in the L3 (also L2, L1) cache usually present in ordinary CPUs
  • ASICs (special mining systems) and GPUs do not offer more than 1MB of fast memory access
• Idea: identify CryptoNight based on its CPU cache usage (used the Linux perf tool)
  • Attackers could try to evade detection, but this would cripple the performance of the algorithm


MineSweeper Deployment Considerations
• Profiling of websites at large scale (input: website URL)
• Notify users about a potential drive-by mining attack while browsing
• Integration with browsers is easy for Primitive Identification and Generic Detection
  • CPU cache monitoring requires root privileges, currently available to the OS but not to browsers


Evaluation of Cryptographic Primitive Identification
• 40 unique Wasm modules discovered by the researchers' crawl
• 36 detected successfully with Primitive Identification (at least 1 primitive identified)


Evaluation of CPU Cache Event Monitoring
• L1 and L3 data cache events for miners and other web applications on two different machines (# of operations per 10 seconds, M = million)


Papers
[1] Huang, D.Y., Dharmdasani, H., Meiklejohn, S., Dave, V., Grier, C., McCoy, D., Savage, S., Weaver, N., Snoeren, A.C. and Levchenko, K., "Botcoin: Monetizing Stolen Cycles", NDSS, February 2014.
[2] Konoth, R.K., Vineti, E., Moonsamy, V., Lindorfer, M., Kruegel, C., Bos, H. and Vigna, G., "MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense", Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1714-1730, October 2018.