A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth
Illicit crypto-mining leverages resources stolen from victims to mine
cryptocurrencies on behalf of criminals. While recent works have analyzed one
side of this threat, i.e., web-browser cryptojacking, only commercial reports
have partially covered binary-based crypto-mining malware. In this paper, we
conduct the largest measurement of crypto-mining malware to date, analyzing
approximately 4.5 million malware samples (1.2 million malicious miners), over
a period of twelve years from 2007 to 2019. Our analysis pipeline applies both
static and dynamic analysis to extract information from the samples, such as
wallet identifiers and mining pools. Together with OSINT data, this information
is used to group samples into campaigns. We then analyze publicly-available
payments sent to the wallets from mining-pools as a reward for mining, and
estimate profits for the different campaigns. All this together is done in a
fully automated fashion, which enables us to produce measurement-based
findings on illicit crypto-mining at scale. Our profit analysis reveals
campaigns with multi-million earnings, associating over 4.4% of Monero with
illicit mining. We analyze the infrastructure related to the different
campaigns, showing that a high proportion of this ecosystem is supported by
underground economies such as Pay-Per-Install services. We also uncover novel
techniques that allow criminals to run successful campaigns.
Comment: A shorter version of this paper appears in the Proceedings of the 19th
ACM Internet Measurement Conference (IMC 2019). This is the full version.
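The abstract describes a pipeline that pulls wallet identifiers and pool endpoints out of samples, links samples into campaigns through those identifiers, and sums the pool's public payouts per campaign. The script below is an added example written for this page, not the paper's tooling: it runs the static half of that pipeline over the printable strings of a few samples. It assumes XMRig-style command-line arguments (`-o`/`--url` for the pool, `-u`/`--user` for the wallet) and the public Monero address format (95-character standard and subaddresses, 106-character integrated addresses, base58 alphabet without 0, O, I, l). The wallets, sample strings, `.invalid` pool hostnames and payout records are constructed for the example and correspond to no real campaign.

```python
import re
from collections import defaultdict

# Assumptions (not from the paper): miners embed XMRig-style command lines, and
# Monero addresses follow the public format (95-char standard/subaddress,
# 106-char integrated address, base58 alphabet without 0, O, I, l).
B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDR = re.compile(rf"\b(?:4{B58}{{94}}|8{B58}{{94}}|4{B58}{{105}})\b")
POOL_ARG = re.compile(r"(?:-o|--url)[\s=]+(?:stratum\+tcp://)?([A-Za-z0-9.\-]+):(\d{2,5})")

# Constructed wallets and samples for the example: not real addresses or malware.
WALLET_A = "4" + "Ab" * 47          # 95 chars, shared by sample-1 and sample-2
WALLET_B = "4" + "Cd" * 47          # 95 chars, used only by sample-3
SAMPLES = {
    "sample-1": ["xmrig.exe -o pool.minexmr.invalid:4444 -u " + WALLET_A + " -p x --donate-level 1"],
    "sample-2": ["--url=stratum+tcp://xmr.pool.invalid:3333 --user=" + WALLET_A + ".rig01 --pass=x"],
    "sample-3": ["xmrig --url pool.minexmr.invalid:4444 -u " + WALLET_B + "+20000 --coin monero"],
    "sample-4": ["UPX!", "This program cannot be run in DOS mode"],   # packed: nothing visible statically
}
# Constructed pool payout records (wallet, XMR), as scraped from a pool's public payment page.
PAYOUTS = [(WALLET_A, 12.5), (WALLET_A, 3.0), (WALLET_B, 0.7)]


def extract_indicators(strings):
    """Return (pools, wallets) found in one sample's printable strings."""
    pools, wallets = set(), set()
    for s in strings:
        pools.update(f"{host}:{port}" for host, port in POOL_ARG.findall(s))
        # A worker suffix ("addr.rig01") or difficulty suffix ("addr+20000") is
        # separated by a non-base58 character, so \b isolates the bare address.
        wallets.update(MONERO_ADDR.findall(s))
    return pools, wallets


def group_campaigns(samples):
    """Cluster samples that share a payout wallet (transitively) into campaigns.

    Pools are deliberately not a linking key: a public pool is shared by
    unrelated actors, while a wallet is where the money lands.
    """
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    indicators = {sid: extract_indicators(strs) for sid, strs in samples.items()}
    for sid, (_, wallets) in indicators.items():
        for w in wallets:
            parent[find(sid)] = find("wallet:" + w)

    groups = defaultdict(lambda: {"samples": set(), "wallets": set(), "pools": set()})
    for sid, (pools, wallets) in indicators.items():
        if not wallets:
            continue   # no payout identifier: cannot be attributed to a campaign
        g = groups[find(sid)]
        g["samples"].add(sid)
        g["wallets"] |= wallets
        g["pools"] |= pools
    return sorted(groups.values(), key=lambda g: min(g["samples"]))


def estimate_profits(campaigns, payouts):
    """Sum pool payouts per campaign by the wallet each payout went to."""
    by_wallet = defaultdict(float)
    for wallet, xmr in payouts:
        by_wallet[wallet] += xmr
    return [sum(by_wallet[w] for w in c["wallets"]) for c in campaigns]


if __name__ == "__main__":
    campaigns = group_campaigns(SAMPLES)
    for c, xmr in zip(campaigns, estimate_profits(campaigns, PAYOUTS)):
        print(sorted(c["samples"]), sorted(c["pools"]), f"{xmr} XMR")
```

Sample-4 has no extractable indicators and stays unattributed; that is the case the paper's dynamic analysis exists for, since a packed miner only reveals its pool and wallet once it runs. Sample-1 and sample-3 share a pool but land in different campaigns, which is why the grouping keys on wallets rather than infrastructure.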
A Deep-Learning Based Robust Framework Against Adversarial P.E. and Cryptojacking Malware
This graduate thesis introduces novel, deep-learning based frameworks that are resilient to adversarial P.E. and cryptojacking malware. We propose a method that uses a convolutional neural network (CNN) to classify image representations of malware, which provides robustness against numerous adversarial attacks. Our evaluation concludes that the image-based malware classifier is significantly more robust to adversarial attacks than a state-of-the-art ML-based malware classifier, and drops the evasion rate of adversarial samples to 0% for certain attacks. Further, we develop MINOS, a novel, lightweight cryptojacking detection system that accurately detects the presence of unwarranted mining activity in real time. MINOS detects mining activity with low false-negative and false-positive rates, in an average of 25.9 milliseconds, while using at most 4% of CPU and 6.5% of RAM. Therefore, the frameworks presented in this thesis attain high accuracy, are computationally inexpensive, and are resistant to adversarial perturbations.
WebAssembly Diversification for Malware Evasion
WebAssembly has become a crucial part of the modern web, offering a faster
alternative to JavaScript in browsers. While it powers rich applications in the
browser, the technology is also an efficient vehicle for cryptojacking
malware. This has triggered the development of several methods to detect
cryptojacking malware. However, these defenses have not considered the
possibility of attackers using evasion techniques. This paper explores how
automatic binary diversification can support the evasion of WebAssembly
cryptojacking detectors. We experiment with a dataset of 33 WebAssembly
cryptojacking binaries and evaluate our evasion technique against two malware
detectors: VirusTotal, a general-purpose detector, and MINOS, a
WebAssembly-specific detector. Our results demonstrate that our technique can
automatically generate variants of WebAssembly cryptojacking that evade the
detectors in 90% of cases for VirusTotal and 100% for MINOS. Our results
emphasize the importance of meta-antiviruses and diverse detection techniques,
and provide new insights into which WebAssembly code transformations are best
suited for malware evasion. We also show that the variants introduce limited
performance overhead, making binary diversification an effective technique for
evasion.
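Both abstracts above turn on the same mechanism: a detector that keys on the bytes of a WebAssembly file (a hash or signature, or the byte-image a CNN such as MINOS classifies) can be defeated by a variant that behaves identically but looks different. The following is an added example, not code from either paper: it builds a tiny spec-conformant wasm module as a stand-in for a miner, applies the simplest semantics-preserving transform (inserting an inert custom section, which the specification allows anywhere and ignores at execution), and shows that the file hash and byte-image change while a hash of the code section alone does not. The paper's diversification rewrites the code itself, which this section-level trick does not model; the module contents, section name `pad`, and image width are assumptions chosen for the example.

```python
import hashlib
import struct

# Minimal WebAssembly binary plumbing following the spec: magic, LEB128 sizes, sections.
WASM_MAGIC = b"\x00asm" + struct.pack("<I", 1)
CODE_SECTION_ID, CUSTOM_SECTION_ID = 10, 0


def leb128(n):
    """Unsigned LEB128, the encoding wasm uses for every section size."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def read_leb128(buf, pos):
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def section(sec_id, payload):
    return bytes([sec_id]) + leb128(len(payload)) + payload


def parse_sections(wasm):
    """Split a module into (id, payload) pairs; raises if the size chain is broken."""
    if wasm[:8] != WASM_MAGIC:
        raise ValueError("not a wasm v1 module")
    pos, secs = 8, []
    while pos < len(wasm):
        sec_id = wasm[pos]
        size, pos = read_leb128(wasm, pos + 1)
        if pos + size > len(wasm):
            raise ValueError("truncated section")
        secs.append((sec_id, wasm[pos:pos + size]))
        pos += size
    return secs


def build_module():
    """Constructed stand-in for a miner: one exported function `f` returning i32 42."""
    type_sec = section(1, b"\x01\x60\x00\x01\x7f")          # 1 functype: () -> i32
    func_sec = section(3, b"\x01\x00")                      # 1 function, type index 0
    export_sec = section(7, b"\x01\x01f\x00\x00")           # export "f" as func 0
    body = b"\x00\x41\x2a\x0b"                              # no locals; i32.const 42; end
    code_sec = section(CODE_SECTION_ID, b"\x01" + leb128(len(body)) + body)
    return WASM_MAGIC + type_sec + func_sec + export_sec + code_sec


def diversify(wasm, filler):
    """Semantics-preserving variant: insert an inert custom section ahead of the code.

    Custom sections carry no semantics and may appear anywhere, so behaviour is
    unchanged while the file's bytes, hash and byte-image all differ.
    """
    out = bytearray(WASM_MAGIC)
    for sec_id, payload in parse_sections(wasm):
        if sec_id == CODE_SECTION_ID:
            out += section(CUSTOM_SECTION_ID, leb128(3) + b"pad" + filler)  # name "pad" is an assumption
        out += section(sec_id, payload)
    return bytes(out)


def file_hash(wasm):
    return hashlib.sha256(wasm).hexdigest()


def code_section_hash(wasm):
    """Hash only the code section: a detector keyed on this ignores inert padding."""
    code = b"".join(p for i, p in parse_sections(wasm) if i == CODE_SECTION_ID)
    return hashlib.sha256(code).hexdigest()


def byte_image(wasm, width=16):
    """Grayscale rows of raw bytes, the kind of representation an image classifier consumes."""
    rows = [list(wasm[i:i + width]) for i in range(0, len(wasm), width)]
    rows[-1] += [0] * (width - len(rows[-1]))
    return rows


if __name__ == "__main__":
    original = build_module()
    variant = diversify(original, b"\x00" * 200)
    print("same file hash:", file_hash(original) == file_hash(variant))
    print("same code hash:", code_section_hash(original) == code_section_hash(variant))
```

The check a practitioner should take from this is the last one: a detector that normalises away inert structure (custom sections, section order, padding) before hashing or imaging is immune to this class of variant, whereas a whole-file hash or a raw byte-image is not. It does nothing against the instruction-level rewrites the paper applies, which change the code section itself; that is the argument for the paper's call for diverse detection techniques rather than a single byte-level view.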