Coin Mining Malware and What Akamai Can do About It

It has been a busy few months for crypto-mining! The advent of cryptocurrency[1] has resulted in a rollercoaster ride of interest over the last 18 months, with millions of people making and losing millions in physical currency. Through all of this, cryptocurrency has been a heavy target for cybercriminals because there is a great deal of money to be made, and it’s not that difficult to exploit the many exchanges that have recently popped up. Hidden within all the excitement, though, are some unwanted side effects of crypto-mining that you and your business should be aware of. I’ll start with simple definitions, move on to how crypto-mining works, and finish with what these unwanted side effects are, how they may affect you, and what Akamai can do to help.

Stage 1 – Definitions

For those unfamiliar, the baseline definition of cryptocurrency is digital or virtual currency that uses cryptography to secure and verify transactions as well as to control the creation of new units. The most popular type today is Bitcoin, which was created in 2009.

Some benefits of cryptocurrencies are the ease of fund transfer between parties (as it’s all online), and the very low processing fees. For security purposes, the transfers are accomplished through the use of public and private keys.

When you hear about “mining” cryptocurrency, you may envision coins being dug out of the ground. But it isn’t physical, so why is it called mining? The nomenclature comes from gold mining, where one digs the precious element out of the ground to bring it into the human world. Coin mining is similar in principle: the bitcoins exist in the protocol’s design and the miner brings them out – virtually. The Bitcoin protocol stipulates that 21 million bitcoins will exist at some point. What “miners” do is bring them out into the light, a few at a time. They get to do this as a reward for creating blocks of validated transactions and including them in the blockchain.

A node is a powerful computer that runs the Bitcoin software and helps to keep Bitcoin running by participating in the relay of information – spreading transactions around the network. Anyone can run a node by downloading the Bitcoin software (free) and leaving a certain port open (the drawback is that it consumes energy and storage space – at the time of writing, the network takes up about 145GB). One node will send information to a few nodes that it knows, which will relay the information to nodes that they know, and so on. As a result, the message is spread across the whole network fairly quickly.

Some nodes are mining nodes (usually referred to as “miners”). They work by grouping outstanding transactions into blocks and adding them to the blockchain. How do they do this? By solving a complex mathematical puzzle that is part of the Bitcoin program, and including the answer in the block. The puzzle is finding the number that, when combined with the data in the block and passed through a hash function, produces a result that is within a certain range. This is much harder than it sounds.

(For trivia lovers, this number is called a “nonce”, which is a concatenation of “number used once.” In the case of Bitcoin, the nonce is an integer between 0 and 4,294,967,296.)

Stage 2 – Mining Explained

How do the miners find the nonce? By guessing at random. The hash function makes it impossible to predict what the output will be. So, they guess the mystery number and apply the hash function to the combination of that guessed number and the data in the block. The resulting hash has to start with a pre-established number of zeroes. There’s no way of knowing which number will work, because two consecutive integers will give wildly varying results. What’s more, there may be several nonces that produce the desired result, or there may be none (in which case the miners keep trying, but with a different block configuration).

The first miner to get a resulting hash within the desired range announces its victory to the rest of the network. All the other miners immediately stop work on that block and start trying to figure out the mystery number for the next one. As a reward for its work, the victorious miner receives new Bitcoin.

The difficulty of the calculation (the required number of zeros at the beginning of the hash string) is adjusted frequently, so that it takes an average of 10 minutes to process a block.
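The nonce search, the leading-zero target and the cheap verification described above, as an added example (my own illustration, not Akamai’s code and not the real Bitcoin client). The block data and the difficulty are constructed toy inputs; the “leading zero hex digits” target is the simplified form the text describes, not Bitcoin’s exact numeric target encoding.

```python
import hashlib
import struct

# Constructed stand-in for a block header; a real one carries the previous block hash,
# the Merkle root of the transactions, a timestamp and the difficulty bits.
BLOCK_DATA = b"prev:0000abcd|merkle:1234beef|time:1520000000"
MAX_NONCE = 2**32  # the nonce is a 32-bit field, so a miner can try at most 2**32 values


def block_hash(data: bytes, nonce: int) -> str:
    """Double SHA-256 over the block data followed by the nonce (hex digest)."""
    payload = data + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(payload).digest()).hexdigest()


def meets_target(digest_hex: str, difficulty: int) -> bool:
    """A hash is 'in range' when it starts with `difficulty` zero hex digits."""
    return digest_hex.startswith("0" * difficulty)


def expected_attempts(difficulty: int) -> int:
    """Each extra zero hex digit makes the puzzle 16x harder, on average."""
    return 16 ** difficulty


def mine(data: bytes, difficulty: int, max_nonce: int = MAX_NONCE):
    """Guess nonces in order until the hash falls in range.

    Returns (nonce, hash, attempts), or None if no nonce in the allowed range
    works, in which case a real miner changes the block configuration and retries.
    """
    for nonce in range(max_nonce):
        digest = block_hash(data, nonce)
        if meets_target(digest, difficulty):
            return nonce, digest, nonce + 1
    return None


def verify(data: bytes, nonce: int, difficulty: int) -> bool:
    """Anyone can check a claimed solution with a single hash: finding it is the hard part."""
    return meets_target(block_hash(data, nonce), difficulty)


if __name__ == "__main__":
    found = mine(BLOCK_DATA, 3)
    nonce, digest, attempts = found
    print(f"nonce={nonce} hash={digest} attempts={attempts} (expected ~{expected_attempts(3)})")
    print("verifies:", verify(BLOCK_DATA, nonce, 3))
```

Raising the difficulty by one hex digit multiplies the expected number of guesses by 16 while verification stays a single hash, which is exactly the asymmetry the network relies on when it retunes difficulty to hold the 10-minute block time.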

Why 10 minutes? That is the amount of time that the Bitcoin developers think is necessary for a steady and diminishing flow of new coins until the maximum number of 21 million is reached (expected some time in 2140).

At the time of writing, the reward is 12.5 Bitcoins, which (again at time of writing) is worth almost $200,000.

It’s not nearly as cushy a deal as it sounds, though. There are a lot of mining nodes competing for that reward, and it is a question of luck and computing power (the more guessing calculations you can perform, the luckier you are).

Also, the costs of being a miner are considerable, not only because of the powerful hardware needed (if you have a faster processor than your competitors, you have a better chance of finding the correct number before they do), but also because of the large amounts of electricity that running these processors consumes.

And the number of Bitcoins awarded as a reward for solving the puzzle will decrease. Again, it’s 12.5 now, but it halves every four years or so (the next halving is expected in 2020-21). The value of Bitcoin relative to the cost of electricity and hardware could go up over the next few years to partially compensate for this reduction, but that’s not certain.

Stage 3 – Side Effects and Your Business

The term “coin-mining malware” refers to malware that malicious actors use to install coin miners onto users’ systems, which enables them to use the compromised systems’ computing resources for their own financial gain. Coin-mining malware has had a lot of media coverage in recent months, but it has roots dating back to 2011.

It works by infecting computers and using their processing power to mine cryptocurrency tokens. This means that the infected device or computer slows down, often to the point where it is unusable. There are various malware variants that target end users, such as SearchGo Miner[2], Monero Coin Miner[3], and Brocoiner[4], among many others. Most typically, these malware variants are distributed via fake installers, fraudulent processes, malicious sites and e-mail attachments. The common thread here is that most, if not all, use DNS as a means to communicate back to a command and control server outside of your network, elsewhere across the Internet.

The point being: the rise in cryptocurrency value has resulted in malicious actors doing whatever it takes to achieve capital gain. Spreading coin-mining malware is one of the ways cybercriminals are trying to game the system – and your data could be at risk.

At Akamai, we have been developing various forms of threat mitigation over the last several years, and have built out an entire threat research team to study the behavior of these hazards, in addition to taking an algorithmic approach to identifying anomalies in the behavior of various DNS lookups. We have added known coin-mining malware drop-site domains to Akamai’s threat list and will continue to track new domains as they are uncovered. The intent here is to provide an additional layer of protection against malware such as coin miners.

However, as with any threat, coin-mining malware is constantly evolving, as seen in the recent BrowseAloud[5] incident. As such, our Threat Research team is continuously working to assess and track threats like coin mining and to add protections to our Enterprise Threat Protector offering. I recommend you drop by our product page to see how Akamai can help you keep your data and networks safe – proactively.

This is a Security Bloggers Network syndicated blog post authored by Randy D'Souza. Read the original post at: The Akamai Blog