ABSTRACT
Direct access to the system's resources such as the GPU, persistent storage and networking has enabled in-browser crypto-mining. Thus, there has been a massive response by rogue actors who abuse browsers for mining without the user's consent. This trend has grown steadily over the last months until this practice, i.e., CryptoJacking, has been acknowledged as the number one security threat by several antivirus companies.
Considering this, and the fact that these attacks do not behave like JavaScript malware or other Web attacks, we propose and evaluate several approaches to detect in-browser mining. To this end, we collect information from the top 330,500 Alexa sites. Mainly, we used real-life browsers to visit sites while monitoring resource-related API calls and the browser's resource consumption, e.g., CPU.
Our detection mechanisms are based on dynamic monitoring, so they are resistant to JavaScript obfuscation. Furthermore, our detection techniques generalize well and classify previously unseen samples with up to 99.99% precision and recall for the benign class and up to 96% precision and recall for the mining class. These results demonstrate the applicability of the detection mechanisms as a server-side approach, e.g., to support the enhancement of existing blacklists.
Last but not least, we evaluated the feasibility of deploying prototypical implementations of some detection mechanisms directly in the browser. Specifically, we measured the impact of in-browser API monitoring on page-loading time and performed micro-benchmarks for the execution of some classifiers directly within the browser. In this regard, we ascertain that, even though there are engineering challenges to overcome, it is feasible and beneficial for users to bring mining detection to the browser.
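The resource-related API monitoring described in the abstract, as an added example that is not the paper's code: a Proxy-based wrapper tallies calls to Worker, WebSocket and WebAssembly APIs into a per-API feature vector of the kind a classifier would consume. The Worker/WebSocket stand-ins, the sample page script and the module bytes are constructed so that it runs under Node.js.

```javascript
// Wrap each listed function/constructor on `host` so every call or `new` is tallied.
// Tallies come from run-time behaviour, so obfuscated callers still hit the wrapped API.
function instrumentApis(host, apiNames) {
  const counts = Object.fromEntries(apiNames.map((n) => [n, 0]));
  for (const name of apiNames) {
    const original = host[name];
    if (typeof original !== 'function') continue;
    host[name] = new Proxy(original, {
      apply(target, self, args) { counts[name] += 1; return Reflect.apply(target, self, args); },
      construct(target, args) { counts[name] += 1; return Reflect.construct(target, args); },
    });
  }
  return () => ({ ...counts }); // snapshot of the per-API feature vector
}

// Constructed window stand-in: Worker/WebSocket do not exist in Node, and a copy of
// the WebAssembly namespace keeps the real global untouched between visits.
function makeWindow() {
  return {
    Worker: function Worker(url) { this.url = url; },
    WebSocket: function WebSocket(url) { this.url = url; },
    WebAssembly: { validate: WebAssembly.validate, Module: WebAssembly.Module },
  };
}

// Smallest valid WebAssembly binary (constructed): magic "\0asm", version 1, no sections.
const EMPTY_WASM = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Runs one page script against an instrumented window and returns the feature vector
// a classifier would consume, keyed "<object>.<api>".
function observePageScript(pageScript) {
  const win = makeWindow();
  const winCounts = instrumentApis(win, ['Worker', 'WebSocket']);
  const wasmCounts = instrumentApis(win.WebAssembly, ['validate', 'Module']);
  pageScript(win);
  const features = {};
  for (const [k, v] of Object.entries(winCounts())) features[`window.${k}`] = v;
  for (const [k, v] of Object.entries(wasmCounts())) features[`WebAssembly.${k}`] = v;
  return features;
}

// Constructed page script with a worker-pool pattern: compile one module, spawn four
// workers, open one socket. Expected vector: Worker 4, WebSocket 1, validate 1, Module 1.
function sampleWorkload(win) {
  if (!win.WebAssembly.validate(EMPTY_WASM)) throw new Error('invalid module');
  const mod = new win.WebAssembly.Module(EMPTY_WASM);
  for (let i = 0; i < 4; i++) new win.Worker('worker.js');
  new win.WebSocket('wss://pool.example/ws');
  return mod;
}
```

In a real deployment the snapshot would be polled alongside CPU readings and fed to the classifier, rather than taken once after the script returns.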
RAPID: Resource and API-Based Detection Against In-Browser Miners