Chasing Down Drive-by Mining - Large-scale analysis and advanced detection methods

From Master Projects

Title: Chasing Down Drive-by Mining - Large-scale analysis and advanced detection methods
Status: ongoing
Master: Computer Systems and Security
Student name: Emanuele Vineti
Start: 01 January 2018
End: 31 June 2018
Supervisor: Herbert Bos
Second supervisor: Cristiano Giuffrida
Second reader: Radhesh Krishnan K
Poster: Media:Poster.jpg

In the second half of 2017, cryptocurrency prices skyrocketed, reaching a global market volume of $550 billion in January 2018. Among the 1500 cryptocurrencies available, many now employ new CPU-friendly algorithms that do not require any specialized hardware to be mined. In this landscape, cryptocurrency mining services such as Coinhive allow a website to monetize itself using the computational power of its visitors. In the shadows, a service whose initial purpose was legitimate is now also used by cybercriminals to secretly profit from oblivious webmasters and their pages' visitors. Drive-by mining (also known as cryptojacking) is a new web-based attack in which an attacker injects JavaScript code with a WebAssembly module into a website to mine cryptocurrencies in users' browsers without their consent. To understand the impact and the profitability of this phenomenon, we have performed a complete analysis of Alexa's Top 1 Million websites. From our results, we also studied which evasion techniques are used, which technologies are used to maximize the mining earnings, and which factors indicate the presence of a webminer. We have found 20 active drive-by mining campaigns and 15 Coinhive-like services not present in our initial set of providers. We discuss how the current detection approaches based on blacklisting and high CPU usage are not reliable enough, and present MineSweeper, a detection tool which employs two novel obfuscation-resilient techniques to accurately expose the presence of a cryptominer on a website. This approach could be integrated into browsers to warn users about a silent cryptominer and enable them to block this activity.