    A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth

    Illicit crypto-mining leverages resources stolen from victims to mine cryptocurrencies on behalf of criminals. While recent works have analyzed one side of this threat, i.e., web-browser cryptojacking, only commercial reports have partially covered binary-based crypto-mining malware. In this paper, we conduct the largest measurement of crypto-mining malware to date, analyzing approximately 4.5 million malware samples (1.2 million malicious miners) over a period of twelve years, from 2007 to 2019. Our analysis pipeline applies both static and dynamic analysis to extract information from the samples, such as wallet identifiers and mining pools. Together with OSINT data, this information is used to group samples into campaigns. We then analyze publicly available payments sent to the wallets by mining pools as a reward for mining, and estimate profits for the different campaigns. All of this is done in a fully automated fashion, which enables us to leverage measurement-based findings of illicit crypto-mining at scale. Our profit analysis reveals campaigns with multi-million earnings, associating over 4.4% of Monero with illicit mining. We analyze the infrastructure related to the different campaigns, showing that a high proportion of this ecosystem is supported by underground economies such as Pay-Per-Install services. We also uncover novel techniques that allow criminals to run successful campaigns. Comment: A shorter version of this paper appears in the Proceedings of the 19th ACM Internet Measurement Conference (IMC 2019). This is the full versio

    A Retrospective Analysis of User Exposure to (Illicit) Cryptocurrency Mining on the Web

    In late 2017, a sudden proliferation of malicious JavaScript was reported on the Web: browser-based mining exploited the CPU time of website visitors to mine the cryptocurrency Monero. Several studies measured the deployment of such code and developed defenses. However, previous work did not establish how many users were really exposed to the identified mining sites and whether there was a real risk given common user browsing behavior. In this paper, we present a retroactive analysis to close this research gap. We pool large-scale, longitudinal data from several vantage points, gathered during the prime time of illicit cryptomining, to measure the impact on web users. We leverage data from passive traffic monitoring of university networks and a large European ISP, with suspected mining sites identified in previous active scans. We corroborate our results with data from a browser extension with a large user base that tracks site visits. We also monitor open HTTP proxies and the Tor network for malicious injection of code. We find that the risk for most Web users was always very low, much lower than what deployment scans suggested. Any exposure period was also very brief. However, we also identify a previously unknown and exploited attack vector on mobile devices

    Crypto-Conspicuousness: A Scale Proposal for Consumers' Cryptocurrency Buying Behavior within the Scope of Conspicuous Consumption

    Cryptocurrencies have met with a great deal of interest since they first appeared. This is not just because they are a new technology. At the same time, the fact that these instruments provide very high returns in specific periods has made them attractive as an investment tool. This research questioned whether individuals who buy cryptocurrencies want to send a different message to their social environment through this behavior. In other words, this study aims to develop a scale to measure the tendency of individuals to buy cryptocurrencies for conspicuous reasons. To reach this goal, a quantitative method was preferred, and data were collected from 400 people. As a result, a valid and reliable scale consisting of fourteen items and three dimensions was obtained. This scale will likely be used by researchers who want to investigate cryptocurrency purchasing behavior in more detail in different studies in the future

    Web-based volunteer distributed computing for handling time-critical urgent workloads

    Urgent computing workloads are time critical, unpredictable, and highly dynamic. Whilst efforts are on-going to run these on traditional HPC machines, another option is to leverage the computing power donated by volunteers. Volunteer computing, where members of the public donate some of their CPU time to large-scale projects, has been popular for many years because it is a powerful way of delivering compute for specific problems, with the public often eager to contribute to a good cause with societal benefits. However, traditional volunteer computing has required user installation of specialist software, which is a barrier to entry, and the development of the software itself by the projects, even on top of existing frameworks, is non-trivial. As such, the number of users donating CPU time to these volunteer computing projects has decreased in recent years, and this comes at a time when the frequency of disasters, often driven by climate change, is rising fast. We believe that an alternative approach, where visitors to websites donate some of their CPU time whilst they are browsing, has the potential to address these issues. However, web-based distributed computing is an immature field and there are numerous questions that must be answered to fully understand the viability of leveraging the large-scale parallelism that website visitors represent. In this paper we describe our web-based distributed computing framework, Panther, and perform in-depth performance experiments for two benchmarks using real-world hardware and real-world browsing habits for the first time. By exploring the performance characteristics of our approach we demonstrate that it is viable for urgent workloads, but there are numerous caveats, not least the most appropriate visitor patterns to a website, that must be considered. Comment: Accepted version of paper presented at 2022 First Combined International Workshop on Interactive Urgent Supercomputing (CIW-IUS

    Cryptojacking and Defending Against It

    The goal of this master's thesis was to establish how the different variants of cryptojacking operate and how to protect against them. The work was carried out as a literature review. Information was mainly retrieved using the Andor search service provided by Tampere University. Scientific articles and studies were selected as sources. A few sources were retrieved from the websites of various information security companies; these were, for example, annual malware reports compiled by security companies. The pearl-growing method was used as the information retrieval method. Cryptojacking refers to a situation in which an attacker takes unauthorized control of a victim's device and starts mining a cryptocurrency of the attacker's choice on that platform without the device owner's permission. Cryptojacking usually favors the cryptocurrency Monero because of the strong anonymity it provides. Alongside cryptojacking, the attacker can also install other malware on the hijacked platform, install a backdoor for later use, and steal data. Especially in corporate targets, data falling into the wrong hands is dangerous. Cryptojacking can be divided into two categories: file-based and browser-based. In file-based cryptojacking, the victim is tricked into installing a file that contains a cryptominer, or the file is planted on the victim's device by exploiting some security vulnerability. Browser-based cryptojacking, as the name suggests, takes place in the web browser: it occurs when the victim visits a website that contains a cryptominer. The harms caused by cryptojacking are processor consumption, possible hardware damage, other malware that arrives with the hijacking, and data theft. Processor consumption manifests as the device running slowly or, in the worst case, the device's performance collapsing and rendering the device unusable. Hardware damage mainly concerns smartphones, which are vulnerable to browser-based cryptojacking.
In file-based cryptojacking it is easy to plant other malware in addition to the cryptominer. There are several ways to protect against cryptojacking. The most important is security awareness, which prevents the attack from happening in the first place. Even the most effective protection mechanism does not prevent cryptojacking and other malware if the device user's security awareness is not up to date. Once cryptojacking has occurred, other protection measures are needed, such as blacklist-based detection, which can also be used in web browser extensions. The device's network traffic and performance can also be analyzed and examined to detect cryptojacking. For cloud services, which are attractive targets for cryptojacking because of their nearly unlimited resources, there are protection mechanisms and tools designed specifically for cloud services; examples of such tools are RADS and MineGuard. The devices of private individuals can be protected to some extent with traditional antivirus software, but this has its own limitations because of the obfuscation used by cryptominers and other malware. As a result of the work, it was found that cryptojacking is a constantly evolving threat and that it causes considerable costs by stealing the computing power of the platform it hijacks. The costs become large especially on cloud service platforms. In corporate targets, data theft alongside cryptojacking is also a major risk