Crypto Mining
Christos Hadjistyllis
EPL682 - Advanced Security Topics, Spring 2018/2019
University of Cyprus
Introduction
• Cryptocurrency: virtual currency, usually not controlled by any government or physical entity
• Examples: Bitcoin, Litecoin, Ethereum and many more
• Crypto mining: earning cryptocurrency by offering computing resources to process transactions
• Security issue: cybercriminals use malware to gain access to our hardware and use it to mine cryptocurrency
  • Degrades the system's performance and increases power consumption
2 CRYPTOCURRENCY MINING
Botcoin: Monetizing Stolen Cycles (executable-based mining)
Huang, D.Y. et al., February 2014.
Executable-based mining
• Takes advantage of compromised computers (bots) to join or establish Bitcoin mining pools
• Native executable botnet malware is installed
  • Via drive-by downloads, pirated software, etc.
• Research goal: identify the malware, infrastructure, earnings and infected population of such operations
• Paper importance:
  • First to focus exclusively on crypto mining via compromised hosts (bots)
  • Other work focused on manipulating the mining process for more revenue by colluding
  • Some work deals with general monetary uses of malware
Bitcoin Mining – Bitcoin basics
• Bitcoin is a peer-to-peer decentralized currency proposed in a 2008 paper by "Satoshi Nakamoto"
• Bitcoin is a global public ledger of balances per wallet address
  • Wallet address: a hash tied to one public key / private key pair; the private key is used to sign transactions
• All transactions are written to the Blockchain
  • Peer-to-peer append-only ledger of valid transactions (signed and with sufficient balance)
  • Supports only transfers out of one wallet to another
Bitcoin Mining
• Dual role
  • Maintain blockchain integrity: confirms transactions and protects them from future modification
  • Control the Bitcoin issuing rate: miners execute a (computationally challenging) proof-of-work algorithm
• Miners are rewarded for discovering new "blocks"
• A block is identified by a SHA-256 hash computed over:
  • Transactions: group of new valid transactions
  • Nonce: (random/arbitrary) value
  • Coinbase: transaction for the miner's reward, plus a comment (e.g. "1234")
  • Previous block hash
• If the SHA-256 (binary) hash has a minimum number of leading zeros:
  • Miner sends the new block to the P2P network for validation by peers
  • Else, repeat using a new nonce value
[Figure: previous block hash, coinbase (+ comment, e.g. 1234), transactions and nonce are fed into SHA-256 to produce the new block hash, e.g. 0000110001010101100011100101...]
Bitcoin Mining (cont.)
• The difficulty in earning Bitcoins is achieving the minimum number of leading zeros in the SHA-256 hash quickly
• An average desktop PC can do 2 - 10 MH/s; a dedicated mining system (ASIC) can do > 500 GH/s
• November 30, 2013:
  • Bitcoin network's rate: approximately 6,000 TH/s
  • Which means a 10-MH/s PC would make less than 0.0000002% of all Bitcoins during the mining period
• MH/s, GH/s, TH/s = millions, billions, trillions of hashes per second
Pooled Mining
• Mining pools (e.g. Eligius, 50 BTC) allow miners to join together and receive a small portion of the money made by the whole pool, based on relative contribution
• Pool servers manage all pending transactions and assign hash computations to workers (miners)
• Most popular pools use cleartext TCP/IP communication protocols
  • getwork - HTTP RPC based
  • Stratum - JSON RPC based
• Most pools require a username, password and wallet address for payout
[Figure: PC 1, PC 2 ... PC N each submit SHA-256 hashes to the mining pool, which in turn talks to the Bitcoin network]
Pooled Botnet Mining
• Direct (a)
  • Attacker maliciously installs a regular mining executable on the bot machine
  • Executable connects directly to a public pool using the attacker's credentials
  • Easily detected: many low-powered clients with the same credentials
• Proxied (b, c) – e.g. DLoad.asia, ZeroAccess
  • Uses a proxy server for requests between bots and pool
  • Hides the bots' IPs; allows flexibility to change pools and credentials upon detection
  • Smart: more sophisticated work allocation to bots, so they appear as a single machine
• Dark (private) (d) – e.g. Fareit
  • Self-created and operated by the attacker
  • Less income (smaller pool), more costs (infrastructure)
Identifying Mining Malware
• Collected 2000 malware samples from various sources
• Identification via binary execution to detect getwork protocol messages (cleartext HTTP)
• Identification from sandbox data from virus databases such as:
  • ThreatExpert (http://www.threatexpert.com)
  • Emerging Threats (http://www.emergingthreats.net)
Extracting Mining Credentials
• Malware usually embeds generic, off-the-shelf mining clients
  • Needs a way to store/retrieve credentials -> we can extract them
• 1. Extraction from the malware's command-line arguments:
  • Sometimes part of the packaged binary
  • Sometimes we can extract them from the execution environment (e.g. memory dump: BMControl's)
• 2. Extraction from HTTP basic authentication:
  • getwork uses basic HTTP authentication
  • In basic HTTP authentication the username and password are included in the HTTP header, Base64 encoded
  • Can easily extract them via a network trace
  • Example header: Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l, i.e. Base64(Username:Password)
Extracting Mining Credentials (cont.)
• 3. Extraction from the command-and-control channel:
  • Some malware use a C&C channel (e.g. ZeroAccess) to distribute credentials and configuration to bots
  • Sometimes via Dropbox and Pastebin web services
  • The data are usually obfuscated (scrambled) via algorithms (e.g. Base64 encoding)
  • Try to reverse-engineer and extract credentials via de-obfuscation or memory snapshots
• 4. Info from pool operators: usernames and wallets of suspected botnet accounts
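As an added example (not code from the paper or the slides) of source 2 above and of the "many low-powered clients with the same credentials" detection point from the pooled botnet mining slide: a Python script that scans constructed HTTP request records for getwork JSON-RPC calls, decodes the Basic Authorization header, and reports pool credentials shared by several source hosts. Hostnames, addresses and worker names are made up.

```python
import base64
import json
from collections import defaultdict

# Constructed sample of observed HTTP requests: (source host, destination, Authorization header, body).
# The first three hosts share one worker login, which is the pattern a direct botnet pool shows.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "pool.example:8332", "Basic " + base64.b64encode(b"botfarm.1:x").decode(), '{"method":"getwork","params":[],"id":1}'),
    ("10.0.0.9", "pool.example:8332", "Basic " + base64.b64encode(b"botfarm.1:x").decode(), '{"method":"getwork","params":[],"id":1}'),
    ("10.0.1.20", "pool.example:8332", "Basic " + base64.b64encode(b"botfarm.1:x").decode(), '{"method":"getwork","params":[],"id":1}'),
    ("10.0.2.2", "pool.example:8332", "Basic " + base64.b64encode(b"alice.rig:x").decode(), '{"method":"getwork","params":[],"id":7}'),
    ("10.0.3.3", "web.example:80", "Basic QWxhZGRpbjpPcGVuU2VzYW1l", '{"method":"getbalance","params":[],"id":2}'),
]


def decode_basic_auth(header):
    """Return (username, password) from an HTTP Basic Authorization header, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, pwd = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return user, pwd


def is_getwork(body):
    """True if the HTTP body is a JSON-RPC call to the getwork method."""
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") == "getwork"


def shared_mining_credentials(requests, min_hosts=2):
    """Map (pool, username) -> sorted source hosts for logins used by >= min_hosts hosts."""
    hosts_by_credential = defaultdict(set)
    for src, dst, auth, body in requests:
        if not is_getwork(body):
            continue
        cred = decode_basic_auth(auth)
        if cred is None:
            continue
        hosts_by_credential[(dst, cred[0])].add(src)
    return {key: sorted(hosts) for key, hosts in hosts_by_credential.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (pool, user), hosts in shared_mining_credentials(SAMPLE_REQUESTS).items():
        print(f"{pool} worker {user!r} used from {len(hosts)} hosts: {', '.join(hosts)}")
```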
Calculating Attacker Earnings
• Mapping attackers to wallet addresses
  • This could only be done by contacting pool operators, who provided lists of suspected botnets
• Earnings calculation sources:
  • Publicly visible pool statistics
    • Public leader board with total user earnings and contribution (e.g. Bitclockers)
    • Named/pseudonymous statistics (e.g. Eligius, Fareit dark pool)
  • Blockchain transaction analysis
    • By knowing the miners' wallet addresses, study transactions to identify payouts by pools
    • Assumption: wallet addresses are used only for illegal activity, i.e. no income from legal activity
    • Clustered wallet addresses based on blockchain transaction activity
Estimating Infected Population
• Used the following formula for estimating the bot population, with:
  • Ii = number of infections in country i (data from a top anti-virus software vendor)
  • Mi = number of machines with anti-virus in country i
  • Ti = number of Internet users in country i (data from CIA Factbook 2009)
  • CIA Factbook: total Internet users = 1.8 billion
Identifying Pool Proxies / Dark Pools
• Need to find attackers not using direct pool mining, or using a dark pool
  • Hardest to identify and monitor
• 1. Cross-login test technique
  • Simple case: transparent HTTP proxy – HTTP headers remain unchanged
  • Researchers set up accounts with mining pools and tried to pass requests via the suspected proxy
  • One success: domain-crawlers.com
• 2. Passive DNS technique
  • Detect dark pools by using historical DNS A records
  • Domains used by old malware uncovered IPs of current operations
[Figure: legitimate user -> suspected proxy -> mining pool]
Identifying Pool Proxies (cont.)
• 3. Block reversal technique
  • Capture outward getwork block-publishing requests sent by the malware
  • Identify blocks published by mining pools in the same period
  • Brute-force compare the hashes in the malware's captured requests against the identified blocks
  • If a match is found: the destination address of the malware's requests is a proxy between the malware and the pool(s)
• 4. Leaked data: leaks about botnet operations have helped researchers uncover botnets (e.g. FeodalCash)
Operations Costs & Profitability
• Costs
  • Cost of acquiring bots (Asia: $5 to $10 per 1000)
  • Cost of the scheme: infrastructure (e.g. proxies), development (e.g. malware), and day-to-day operations (no info found)
• Profitability
  • In general it seems to be marginally profitable to do crypto mining *
  • A botnet of 10,000 low-end PCs could generate about $31 per day *
  • Not as high as spamming and click fraud (millions of US dollars)
  • But a low-cost operation: bots can also be used for other tasks (spam, DDoS attacks, click fraud)
Identified Bitcoin Mining Operations
[Table: one row per identified operation with its estimated infected population; only the population column survived extraction: 124700, 17517, 204400, 181600, 36800, and five operations with no estimate (-)]
MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense
Konoth, R.K. et al., October 2018.