MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis:...
Transcript of MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis:...
![Page 1: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/1.jpg)
MineSweeper: An In-depth Look into Drive-byMining and its Defense
Veelasha MoonsamyUtrecht University, The Netherlands
28 August 2018University of Adelaide, Australia
![Page 2: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/2.jpg)
Utrecht University, The Netherlands
2
![Page 4: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/4.jpg)
Cryptocurrency: the rise of decentralized money
I A cryptocurrency:- is a digital asset designed to work as a medium of exchange
I In 2009, the first cryptocurrency, ‘Bitcoin’, was introducedI Fast forward to 2018, about 1600 cryptocurrencies are in existence,
out of which more than 600 still see an active tradeI An overall surge in market value across cryptocurrencies has renewed
interest in cryptominersI ... which in turn led to the proliferation of cryptomining services,
such as Coinhive - introduced in September 2017
4
![Page 5: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/5.jpg)
Cryptocurrency: the rise of decentralized money
I A cryptocurrency:- is a digital asset designed to work as a medium of exchange- uses cryptography to secure financial transactions, control thecreation of additional units, and verify the transfer of assets
I In 2009, the first cryptocurrency, ‘Bitcoin’, was introducedI Fast forward to 2018, about 1600 cryptocurrencies are in existence,
out of which more than 600 still see an active tradeI An overall surge in market value across cryptocurrencies has renewed
interest in cryptominersI ... which in turn led to the proliferation of cryptomining services,
such as Coinhive - introduced in September 2017
4
![Page 6: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/6.jpg)
Cryptocurrency: the rise of decentralized money
I A cryptocurrency:- is a digital asset designed to work as a medium of exchange- uses cryptography to secure financial transactions, control thecreation of additional units, and verify the transfer of assets
I In 2009, the first cryptocurrency, ‘Bitcoin’, was introduced
I Fast forward to 2018, about 1600 cryptocurrencies are in existence,out of which more than 600 still see an active trade
I An overall surge in market value across cryptocurrencies has renewedinterest in cryptominers
I ... which in turn led to the proliferation of cryptomining services,such as Coinhive - introduced in September 2017
4
![Page 7: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/7.jpg)
Cryptocurrency: the rise of decentralized money
I A cryptocurrency:- is a digital asset designed to work as a medium of exchange- uses cryptography to secure financial transactions, control thecreation of additional units, and verify the transfer of assets
I In 2009, the first cryptocurrency, ‘Bitcoin’, was introducedI Fast forward to 2018, about 1600 cryptocurrencies are in existence,
out of which more than 600 still see an active trade
I An overall surge in market value across cryptocurrencies has renewedinterest in cryptominers
I ... which in turn led to the proliferation of cryptomining services,such as Coinhive - introduced in September 2017
4
![Page 8: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/8.jpg)
Cryptocurrency: the rise of decentralized money
I A cryptocurrency:- is a digital asset designed to work as a medium of exchange- uses cryptography to secure financial transactions, control thecreation of additional units, and verify the transfer of assets
I In 2009, the first cryptocurrency, ‘Bitcoin’, was introducedI Fast forward to 2018, about 1600 cryptocurrencies are in existence,
out of which more than 600 still see an active tradeI An overall surge in market value across cryptocurrencies has renewed
interest in cryptominers
I ... which in turn led to the proliferation of cryptomining services,such as Coinhive - introduced in September 2017
4
![Page 9: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/9.jpg)
Cryptocurrency: the rise of decentralized money
I A cryptocurrency:- is a digital asset designed to work as a medium of exchange- uses cryptography to secure financial transactions, control thecreation of additional units, and verify the transfer of assets
I In 2009, the first cryptocurrency, ‘Bitcoin’, was introducedI Fast forward to 2018, about 1600 cryptocurrencies are in existence,
out of which more than 600 still see an active tradeI An overall surge in market value across cryptocurrencies has renewed
interest in cryptominersI ... which in turn led to the proliferation of cryptomining services,
such as Coinhive - introduced in September 2017
4
![Page 10: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/10.jpg)
From September 2017 onwards ...
It started with:
5
![Page 11: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/11.jpg)
From September 2017 onwards ...
And things went downhill very quickly:
6
![Page 12: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/12.jpg)
Drive-by mining aka Cryptojacking
I Is a web-based attackI An infected website secretly executes a mining script (Javascript
code and/or WebAssembly module) in user’s browser to minecryptocurrencies
I Is considered malicious only when user does not explicitly give theirconsent
I In this work: we study the prevalence of drive-by mining attacks onAlexa’s Top 1 million websites
7
![Page 13: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/13.jpg)
Drive-by mining aka Cryptojacking
I Is a web-based attackI An infected website secretly executes a mining script (Javascript
code and/or WebAssembly module) in user’s browser to minecryptocurrencies
I Is considered malicious only when user does not explicitly give theirconsent
I In this work: we study the prevalence of drive-by mining attacks onAlexa’s Top 1 million websites
7
![Page 14: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/14.jpg)
Threat Model
User Webserver
Webserver/ External Server
WebSocket Proxy
Mining Pool
HTTP Request
HTTP Response(Orchestrator Code)
Fetch Mining Payload
Relay Communication
Mining Pool Communication
1
2
3
4
5
8
![Page 15: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/15.jpg)
Current detection methods
Two main approaches have been used:1. Blacklist-based approach
I Not scalableI Prone to high false negativesI Easily defeated by URL randomization and domain generation
algorithms
2. High CPU-based approach
I False positives, as there might exist other CPU-intensive use casesI False negatives, as cryptominers have started to throttle their CPU
usage to evade detection
9
![Page 16: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/16.jpg)
Current detection methods
Two main approaches have been used:1. Blacklist-based approach
I Not scalable
I Prone to high false negativesI Easily defeated by URL randomization and domain generation
algorithms
2. High CPU-based approach
I False positives, as there might exist other CPU-intensive use casesI False negatives, as cryptominers have started to throttle their CPU
usage to evade detection
9
![Page 17: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/17.jpg)
Current detection methods
Two main approaches have been used:1. Blacklist-based approach
I Not scalableI Prone to high false negatives
I Easily defeated by URL randomization and domain generationalgorithms
2. High CPU-based approach
I False positives, as there might exist other CPU-intensive use casesI False negatives, as cryptominers have started to throttle their CPU
usage to evade detection
9
![Page 18: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/18.jpg)
Current detection methods
Two main approaches have been used:1. Blacklist-based approach
I Not scalableI Prone to high false negativesI Easily defeated by URL randomization and domain generation
algorithms
2. High CPU-based approach
I False positives, as there might exist other CPU-intensive use casesI False negatives, as cryptominers have started to throttle their CPU
usage to evade detection
9
![Page 19: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/19.jpg)
Current detection methods
Two main approaches have been used:1. Blacklist-based approach
I Not scalableI Prone to high false negativesI Easily defeated by URL randomization and domain generation
algorithms
2. High CPU-based approach
I False positives, as there might exist other CPU-intensive use casesI False negatives, as cryptominers have started to throttle their CPU
usage to evade detection
9
![Page 20: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/20.jpg)
Current detection methods
Two main approaches have been used:1. Blacklist-based approach
I Not scalableI Prone to high false negativesI Easily defeated by URL randomization and domain generation
algorithms
2. High CPU-based approachI False positives, as there might exist other CPU-intensive use cases
I False negatives, as cryptominers have started to throttle their CPUusage to evade detection
9
![Page 21: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/21.jpg)
Current detection methods
Two main approaches have been used:1. Blacklist-based approach
I Not scalableI Prone to high false negativesI Easily defeated by URL randomization and domain generation
algorithms
2. High CPU-based approachI False positives, as there might exist other CPU-intensive use casesI False negatives, as cryptominers have started to throttle their CPU
usage to evade detection
9
![Page 22: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/22.jpg)
Contributions
I Perform first in-depth assessment of drive-by mining
I Discuss why current defenses based on blacklisting and CPU usageare ineffective
I Propose MineSweeper, a novel detection approach based on theidentification of the cryptographic functions (static analysis) andcache events (during run-time)
10
![Page 23: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/23.jpg)
Contributions
I Perform first in-depth assessment of drive-by miningI Discuss why current defenses based on blacklisting and CPU usage
are ineffective
I Propose MineSweeper, a novel detection approach based on theidentification of the cryptographic functions (static analysis) andcache events (during run-time)
10
![Page 24: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/24.jpg)
Contributions
I Perform first in-depth assessment of drive-by miningI Discuss why current defenses based on blacklisting and CPU usage
are ineffectiveI Propose MineSweeper, a novel detection approach based on the
identification of the cryptographic functions (static analysis) andcache events (during run-time)
10
![Page 25: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/25.jpg)
Drive-by mining in the wild
I Conducted a large-scale analysis with the aim to answer thefollowing questions:1. How prevalent is drive-by mining in the wild?2. How many different drive-by mining services exist currently?3. Which evasion tactics do drive-by mining services employ?4. What is the modus operandi of different types of campaign?5. How much profit do these campaigns make?6. What are the common characteristics across different drive-by mining
services that can be used for their detection?
11
![Page 26: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/26.jpg)
Large-scale Analysis: experiment set-up
12
![Page 27: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/27.jpg)
Data collection
I Over a period of one week in mid-March 2018
I CrawlerI Crawled landing page and 3 internal pagesI Stayed on each visited page for 4 secondsI No simulated interacted, i.e. the crawler did not give any consent for
cryptominingI Crawled 991,513 websites; 4.6 TB raw data and 550 MB data
profiles
13
![Page 28: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/28.jpg)
Data collection
I Over a period of one week in mid-March 2018I Crawler
I Crawled landing page and 3 internal pagesI Stayed on each visited page for 4 secondsI No simulated interacted, i.e. the crawler did not give any consent for
cryptomining
I Crawled 991,513 websites; 4.6 TB raw data and 550 MB dataprofiles
13
![Page 29: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/29.jpg)
Data collection
I Over a period of one week in mid-March 2018I Crawler
I Crawled landing page and 3 internal pagesI Stayed on each visited page for 4 secondsI No simulated interacted, i.e. the crawler did not give any consent for
cryptominingI Crawled 991,513 websites; 4.6 TB raw data and 550 MB data
profiles
13
![Page 30: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/30.jpg)
Preliminary results: Cryptomining code (1/2)
I Recall: cryptomining code consists of orchestrator code and miningpayload
I Identification of orchestrator code
I Websites embed the orchestrator script in the main pageI Can be detected by looking for specific string patternsI Keywords: CoinHive.Anonymous or coinhive.min.js
14
![Page 31: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/31.jpg)
Preliminary results: Cryptomining code (1/2)
I Recall: cryptomining code consists of orchestrator code and miningpayload
I Identification of orchestrator code
I Websites embed the orchestrator script in the main pageI Can be detected by looking for specific string patternsI Keywords: CoinHive.Anonymous or coinhive.min.js
14
![Page 32: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/32.jpg)
Preliminary results: Cryptomining code (1/2)
I Recall: cryptomining code consists of orchestrator code and miningpayload
I Identification of orchestrator codeI Websites embed the orchestrator script in the main page
I Can be detected by looking for specific string patternsI Keywords: CoinHive.Anonymous or coinhive.min.js
14
![Page 33: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/33.jpg)
Preliminary results: Cryptomining code (1/2)
I Recall: cryptomining code consists of orchestrator code and miningpayload
I Identification of orchestrator codeI Websites embed the orchestrator script in the main pageI Can be detected by looking for specific string patterns
I Keywords: CoinHive.Anonymous or coinhive.min.js
14
![Page 34: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/34.jpg)
Preliminary results: Cryptomining code (1/2)
I Recall: cryptomining code consists of orchestrator code and miningpayload
I Identification of orchestrator codeI Websites embed the orchestrator script in the main pageI Can be detected by looking for specific string patterns
I Keywords: CoinHive.Anonymous or coinhive.min.js
14
![Page 35: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/35.jpg)
Preliminary results: Cryptomining code (1/2)
I Recall: cryptomining code consists of orchestrator code and miningpayload
I Identification of orchestrator codeI Websites embed the orchestrator script in the main pageI Can be detected by looking for specific string patterns
I Keywords: CoinHive.Anonymous or coinhive.min.js
14
![Page 36: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/36.jpg)
Preliminary results: Cryptomining code (2/2)
I Identification of mining payloadI Dump the Wasm (WebAssembly) payloadI –dump-wasm- module flag in Chrome dumps the loaded Wasm
modulesI Keyword-based search: cryptonight_hash and
CryptonightWasmWrapper
15
![Page 37: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/37.jpg)
Effectiveness of fingerprint-based detection
I Detected 866 websites; 59.35% used Coinhive cryptomining servicesI Issues: code obfuscation and manual effort of updating signatures
16
![Page 38: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/38.jpg)
Effectiveness of fingerprint-based detection
I Detected 866 websites; 59.35% used Coinhive cryptomining services
I Issues: code obfuscation and manual effort of updating signatures
16
![Page 39: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/39.jpg)
Effectiveness of fingerprint-based detection
I Detected 866 websites; 59.35% used Coinhive cryptomining servicesI Issues: code obfuscation and manual effort of updating signatures
16
![Page 40: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/40.jpg)
Preliminary results: Mining pool communication (1/2)
I Miners use the Stratum protocol to communicate with the miningpool
I Use of WebSockets to allow full-duplex, asynchronouscommunication between code running on a webpage and servers
I Search in WebSocket frames for keywords related to Stratumprotocol
I
17
![Page 41: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/41.jpg)
Preliminary results: Mining pool communication (2/2)
I 59,319 (5.39%) websites use WebSocketsI 1,008 websites use Stratum protocol for communicationI 2,377 websites encode the data (Hex code or salted Base64)
18
![Page 42: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/42.jpg)
Summary of key findings
I Identified 1,735 websites as mining cryptocurrency, out of which1,627 (93.78%) could be identified based on keywords in thecryptomining code
I 1,008 (58.10%) use the Stratum protocol in plaintext, 174 (10.03%)obfuscate the communication protocol
I All the websites (100.00%) use Wasm for the cryptomining payloadand open a WebSocket
I At least 197 (11.36%) websites throttle their CPU usage to less than50%, while for only 12 (0.69%) mining websites we observed a CPUload of less than 25%.
19
![Page 43: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/43.jpg)
In-depth analysis: evasion techniques (1/2)
We identified three evasion techniques, which are widely used by thedrive-by mining services in our dataset
I Code obfuscationI Packed code: The compressed and encoded orchestrator script is
decoded using a chain of decoding functions at run time.I PCharCode: The orchestrator script is converted to charCode and
embedded in the webpage. At run time, it is converted back to astring and executed using JavaScript’s eval() function.
I Name obfuscation: Variable names and functions names are replacedwith random strings.
I Dead code injection: Random blocks of code, which are neverexecuted, are added to the script to make reverse engineering moredifficult.
I Filename and URL randomization: The name of the JavaScript file israndomized or the URL it is loaded from is shortened to avoiddetection based on pattern matching.
I Mainly applied to orchestrator code, only obfuscation on miningpayload is name obfuscation
20
![Page 44: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/44.jpg)
In-depth analysis: evasion techniques (1/2)
We identified three evasion techniques, which are widely used by thedrive-by mining services in our dataset
I Code obfuscationI Packed code: The compressed and encoded orchestrator script is
decoded using a chain of decoding functions at run time.I PCharCode: The orchestrator script is converted to charCode and
embedded in the webpage. At run time, it is converted back to astring and executed using JavaScript’s eval() function.
I Name obfuscation: Variable names and functions names are replacedwith random strings.
I Dead code injection: Random blocks of code, which are neverexecuted, are added to the script to make reverse engineering moredifficult.
I Filename and URL randomization: The name of the JavaScript file israndomized or the URL it is loaded from is shortened to avoiddetection based on pattern matching.
I Mainly applied to orchestrator code, only obfuscation on miningpayload is name obfuscation
20
![Page 45: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/45.jpg)
In-depth analysis: evasion techniques (2/2)
I Identified the Stratum protocol in plaintext for 1,008 websitesI Manually analyzed the WebSocket communication for the remaining
727 websites and found the following:I Obfuscate by encoding the request, either as Hex code, or with
salted Base64 encoding before transmitting it through theWebSocket
I Could not identify any pool communication for the remaining 553websites, either due to other encodings, or due to slow serverconnections
Finally, anti-debugging tricks (139 websites): code periodically checkswhether the user is analyzing the code served by the webpage usingdeveloper tools. If the developer tools are open in the browser, it stopsexecuting any further code
21
![Page 46: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/46.jpg)
MineSweeper
I MineSweeper employs multiples stages in order to detect awebminer:
22
![Page 47: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/47.jpg)
CryptoNight algorithm (1/2)
I CryptoNight was proposed in 2013 and popularly used by Monero(XMR)
I We exploit two fundamental characteristics:I It makes use of several cryptographic primitivesI A memory hard algorithm
I High-performances on ordinary CPUsI Inefficient on today’s special purpose devices (ASICs)I Internal memory-hard loop: alternate reads and writes to the Last
Level Cache (LLC)
23
![Page 48: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/48.jpg)
CryptoNight algorithm (1/2)
I CryptoNight was proposed in 2013 and popularly used by Monero(XMR)
I We exploit two fundamental characteristics:
I It makes use of several cryptographic primitivesI A memory hard algorithm
I High-performances on ordinary CPUsI Inefficient on today’s special purpose devices (ASICs)I Internal memory-hard loop: alternate reads and writes to the Last
Level Cache (LLC)
23
![Page 49: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/49.jpg)
CryptoNight algorithm (1/2)
I CryptoNight was proposed in 2013 and popularly used by Monero(XMR)
I We exploit two fundamental characteristics:I It makes use of several cryptographic primitives
- Keccak 1600-516, Keccak-f 1600, AES, BLAKE-256, Groestl-256,and Skein-256
I A memory hard algorithmI High-performances on ordinary CPUsI Inefficient on today’s special purpose devices (ASICs)I Internal memory-hard loop: alternate reads and writes to the Last
Level Cache (LLC)
23
![Page 50: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/50.jpg)
CryptoNight algorithm (1/2)
I CryptoNight was proposed in 2013 and popularly used by Monero(XMR)
I We exploit two fundamental characteristics:I It makes use of several cryptographic primitives
- Keccak 1600-516, Keccak-f 1600, AES, BLAKE-256, Groestl-256,and Skein-256
I A memory hard algorithmI High-performances on ordinary CPUsI Inefficient on today’s special purpose devices (ASICs)I Internal memory-hard loop: alternate reads and writes to the Last
Level Cache (LLC)
23
![Page 51: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/51.jpg)
CryptoNight algorithm (2/2)
Scratchpad Initialization
Memory-hardloop
Final result calculation
Keccak 1600-512
Key expansion + 10 AES rounds
Keccak-f 1600
Loop preparation
524.288 Iterations
AES
XOR
8bt_ADD
8bt_MUL
XOR
S c r a t c h p a d
BLAKE-Groestl-Skein hash-select
S c r a t c h p a d
8 rounds
AES Write
Key expansion + 10 AES rounds
8 roundsAES
XORRead
Write
Write
Read
I CryptoNight allocates a scratchpad of 2MB in memoryI On modern processors ends up in the LLC
24
![Page 52: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/52.jpg)
Wasm analysis
I Linear assembly bytecode translation using the WebAssembly BinaryToolkit (WABT) debugger
I Functions identification - to create an internal representation of thecode for each function
I Cryptographic operation count - track the control flow and cryptooperands
I Static call graph construction, including identification of loops
25
![Page 53: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/53.jpg)
CryptoNight detection
I MineSweeper is given as input a CryptoNight fingerprintI We created a fingerprint for each of CryptoNight’s cryptographic
primitives based on operands counts and flow structureI If 3 out of the 5 cryptographic primitives are good matches, then the
miner is identified
26
![Page 54: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/54.jpg)
CryptoNight detection - example
I Assume the fingerprint for BLAKE-256 has 80 XOR, 85 left shift,and 32 right shift instructions
I Function foo(), which is an implementation of BLAKE-256, thatwe want to match against this fingerprint, contains 86 XOR, 85 leftshift, and 33 right shift instructions
I In this case, the similarity score is 3 and difference score is 2I all three types of instructions are present in foo(); foo() contains
extra XOR and an extra shift instruction
27
![Page 55: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/55.jpg)
CPU cache events monitoring
I What if an attack would sacrifice part of the profits for obfuscatedWasm?
I Solution: CPU cache events monitoringI MineSweeper monitors the L1 and L3 for load and store events
caused by the CryptoNight algorithmI Also detects a fundamental characteristic of the CryptoNight
algorithm: the memory-hard loop!
28
![Page 56: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/56.jpg)
Evaluation of blacklisting approaches
I For comparison, we evaluate MineSweeper against Dr. MineI Dr. Mine uses CoinBlockerLists as the basis to detect mining
websitesI Visited the 1,735 websites that were mining during our first crawl for
the large-scale analysis with both toolsI Dr. Mine could only find 272 websites, while MineSweeper found
785 websites that were still actively mining cryptocurrency
29
![Page 57: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/57.jpg)
Evaluation of cryptofunction detection
I Identified 38 unique samples among the 748 collected Wasm samplesI Applied the cryptofunction detection routine of MineSweeper on
them
30
![Page 58: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/58.jpg)
Evaluation of CPU cache events monitoring (1/2)
I We visited 7 pages for the following categories of applications:I CryptominersI VideoplayersI Wasm-based gamesI JavaScript (JS) games
31
![Page 59: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/59.jpg)
Evaluation of CPU cache events monitoring (2/2)
Our tests confirm us the effectiveness of this detection method onCryptoNight-based algorithms
Performance counter statistics forthe L1 cache for different types of
web applications (logscale)
Performance counter statistics forthe L3 cache for different types of
web applications (logscale)
32
![Page 60: MineSweeper: AnIn-depthLookintoDrive-by MininganditsDefense · In-depthanalysis: evasiontechniques(1/2) Weidentifiedthreeevasiontechniques,whicharewidelyusedbythe drive-byminingservicesinourdataset](https://reader034.fdocuments.net/reader034/viewer/2022050109/5f46f4009075754c27540962/html5/thumbnails/60.jpg)
Conclusion
I Drive-by mining is real and can be very profitable for high trafficwebsites
I Current defenses are not sufficient to stop malicious miningI To severely impact their profitability, we need to aim at the core
properties of the miners code: cryptographic functions andmemory behaviors
33