Hello, everyone. I'm excited to introduce Pranshu Bajpai, who will be speaking about ransomware versus cryptojacking: latest trends in modern malware. Please give him a hearty round of applause. So, welcome.

All right, let's get started. Welcome, everybody. Thank you for being here. ToorCon 20. This is my first time attending and speaking at ToorCon, and it happened to be ToorCon 20, so I'm very excited about that. Twenty years of ToorCon. That's a lot of hard work, so let's give the organizers a round of applause for doing this for 20 years. It's awesome.

All right, so the topic of discussion today is two of the biggest malware threats in 2018: ransomware and cryptojacking. We've all heard of them, and we all know what ransomware does. We're very familiar with it, and now cryptojacking is rising. So these are the two biggest malware threats, and we want to look at the details of how they operate, what they're looking for, and what vulnerabilities in our systems they're exploiting. Keeping in tune with the theme of ToorCon this year, we'll look at the trends in terms of what is here to stay: trends we've noticed in ransomware that, from a ransomware developer's perspective, will continue because they give them certain advantages. Then we'll discuss cryptojacking. It's new. Where can we expect it to go, and how can we stop it?

So the agenda for the talk: we start with a little bit of an introduction, then we discuss ransomware, in particular a hybrid key management model in ransomware. Then we look at certain ransomware variants and the specific characteristics that make them different from traditional ransomware. Those characteristics made them trendy, and they continue because they're good for ransomware developers. From that point on, we move to cryptojacking. So the second half of the presentation will be focused on cryptojacking, and this is something new.
Then we'll discuss some of the research we did crawling the web looking for cryptojacking websites, and what we noticed in terms of cryptojacking on the internet. And then we'll conclude the presentation with a comparison between the two, because they're both contenders for the top malware threat, but which one is going to win? We'll take a look at that in the conclusion.

All right, so a little bit about us. My name is Pranshu Bajpai. I'm a PhD candidate at Michigan State University. I'm also a security researcher at the Security Research Group at MSU. Previously, I used to work as an independent penetration tester. That was a lot of fun. Breaking things is always a lot of fun; I'm sure everybody here agrees. And I like to speak at conferences: if I've done some work that I believe could be valuable to the community, then I like to share it. And sometimes when I'm in the middle of doing something, I like to think that I can get some input from the community to improve my approaches, and in that sense I also like to share with the community at conferences. All the work that I do, I do with my PhD advisor, Dr. Enbody. He has been a professor at Michigan State since 1987, I believe.

All right, so I felt like there's a little bit of a need to discuss why we're discussing ransomware in 2018. Because, believe it or not, it's a very 2017 thing, right? Or a 2016 thing. Well, the truth is that ransomware is currently overshadowed by cryptojacking but is not really gone. It is slowly developing, and they're improving ransomware constantly, so we have to watch out for that. But we don't see it in the news anymore. I mean, we do see it, but it's buried within other security news, and cryptojacking is all over the place because it's new.
These are just some of the news headlines from, let's say, last week. You'll see how ransomware is rising, specifically targeted ransomware, and how they're constantly adapting and improving their approaches. And you see new victims all the time; just a few days ago, a Canadian town was hit. So they're constantly going for newer targets. We know about SamSam, which is a targeted ransomware attack. So, yeah, they're definitely improving, and they're definitely still here, alive and kicking.

So I want to establish what the defining characteristics of a ransomware are, and these are very straightforward; we all understand them. Infiltrate the computer system, or any system, any way you can. There are a variety of attack vectors here. You can use the same old social engineering attacks that they've been using for many years; or, as with WannaCry, we saw it spread like a worm exploiting the EternalBlue vulnerability; and then we saw that SamSam recently is abusing weakly secured RDP sessions to get into the host. Once you're in, you go ahead and execute your malicious functionality.

So once you're in, you obtain the encryption secret. This is important, because the encryption secret, the symmetric key that they will use to encrypt the user's files or data, needs to be generated differently for every victim. If you use the same encryption key for every victim, once one victim gets the encryption key back they can share it with other people, and before you know it your ransomware campaign is neutralized. So they need a new encryption secret for every victim, and that's where key management in ransomware comes in, which we'll discuss on the next slide. They can generate this symmetric key, or set of symmetric keys, whatever their scheme is, in two ways. They can either generate it on the host using the host crypto API,
or they can do what they used to do, which was to invoke it from a remote site, something like a command and control server. So these are the two approaches that we've primarily seen. There are variations on these approaches, but that's basically how they acquire the encryption secret. Then they go ahead and encrypt the files using the encryption secret, the symmetric key, and then they demand the ransom. So there has to be some sort of channel, a route for the ransom payment to be made, and usually it's via Bitcoin or some other cryptocurrency.

But how does this work exactly? So we have the hybrid encryption model. We've studied the evolution of key management in ransomware and discussed it in detail in our paper listed on the slide. If you look at it over the years, since GPCode first came out in about 2005 or 2006, I believe, they have changed their key management model significantly. What it used to be was something really dumb: the attacker generated a public/private key pair, shipped the public key with the ransomware, and used the public key to encrypt the data. Now, that is very slow. Public keys were not meant for bulk data encryption; symmetric keys were made for that particular purpose. So that was a little stupid. Then they had some other stupid variations of that, and then it started to evolve. What we saw next was that they were trying to import the keys. So once the ransomware was in a host, it would call back home to a C&C server, let's say, get the set of keys that it needs, bring in the set of keys, and then use those keys to encrypt the files. But the problem there was that security people, network administrators, started sharing lists of bad domain names where they know the C&C servers lie.
So then you block them at the network firewall. Now the ransomware is in, let's say, but when it calls back home that call is blocked. So it never acquires the encryption key, and because it never acquires the encryption key it cannot go ahead and encrypt the files, and it lies dormant. So that wasn't a good model either. I believe it was Locky that implemented that model.

But what they're using now, and more importantly what we want to discuss, is the hybrid encryption scheme. It's called a hybrid scheme because it uses a combination of symmetric and asymmetric encryption, which is best for them. In this particular approach, as you can see, the attacker has a private/public key pair and keeps the private key safe with them; the public key is shipped with the ransomware. The ransomware comes in and uses the crypto API on the host to generate a symmetric key. The symmetric key is used for encrypting the user's files; then the symmetric key is encrypted using the attacker's public key and stored. Now you wipe the unencrypted symmetric key from the system, and then you go ahead and demand the ransom. If the ransom is paid and you're an honest criminal, you're going to ask for this encrypted symmetric key, use your private key to decrypt it, and send it back to the victim. So that's basically how the hybrid encryption model works. There are variations on this, but primarily that's what they do.

So with that, let's quickly start looking at the trends in modern ransomware. First things first: targeted ransomware attacks are here, and they're here to stay. It makes more sense to pick your victims carefully, because there could be several factors in why you're picking your victims. One of them: you want to make sure that they have deep enough pockets to meet a big ransom demand.
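The hybrid key-management model described a moment ago, as an added example that is not code from the talk or from any ransomware sample: the asymmetric half is an elliptic-curve key agreement on secp192k1 (the ECIES-style variant the talk later attributes to Petya) rather than RSA, but the flow is the one just outlined: a per-victim secret is derived on the host, wiped after use, and recoverable only with the secret the attacker never shipped. It assumes plain Python 3.8+, SHA-256 as the hash step, and a toy keystream standing in for the file cipher; host_key is exposed on its own so that a t left behind on disk can be replayed, which is the implementation mistake that public decryptor efforts rely on.

```python
"""Hybrid (ECIES-style) ransomware key management on secp192k1, pure Python.

Added illustration only: the attacker keeps a secret integer s and ships
P = s*G with the binary; on the host a fresh t is drawn, Q = t*G is kept,
h = H(t*P) encrypts the files, and t and h are wiped. After payment the
attacker recovers h as H(s*Q), since s*(t*G) == t*(s*G).
"""
import hashlib
import secrets

# secp192k1 domain parameters as published in SEC 2 (y^2 = x^3 + 3 over F_p).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37
A, B = 0, 3
G = (0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D,
     0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D
INF = None  # point at infinity


def is_on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P_MOD == 0


def point_add(p1, p2):
    """Affine short-Weierstrass addition, covering doubling and inverses."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add; adequate for a demo, not constant-time."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def derive_key(shared_point):
    """h = H(shared point): the hash step of the scheme, SHA-256 here."""
    x, _ = shared_point
    return hashlib.sha256(x.to_bytes(24, "big")).digest()


def stream_xor(key, data):
    """Toy counter-mode keystream (SHA-256) standing in for the file cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def attacker_keygen():
    """Done once, offline: s never leaves the attacker; P ships in the binary."""
    s = secrets.randbelow(N - 1) + 1
    return s, scalar_mult(s, G)


def host_key(t, attacker_pub):
    """h = H(t*P). Separate so a t that was never purged can be replayed."""
    return derive_key(scalar_mult(t, attacker_pub))


def infect(attacker_pub, plaintext):
    """What runs on the victim. Returns what survives on disk: Q and ciphertext."""
    t = secrets.randbelow(N - 1) + 1        # CryptGenRandom / urandom in the wild
    q = scalar_mult(t, G)                   # victim's ephemeral public value
    h = host_key(t, attacker_pub)
    ciphertext = stream_xor(h, plaintext)
    del t, h                                # the purge step; only Q is kept
    return q, ciphertext


def attacker_recover_key(s, q):
    """After payment: s*Q = s*(t*G) = t*(s*G) = t*P, so the same h falls out."""
    return derive_key(scalar_mult(s, q))


if __name__ == "__main__":
    s, pub = attacker_keygen()
    q, ct = infect(pub, b"constructed sample document contents")
    print(stream_xor(attacker_recover_key(s, q), ct))
```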
If you encrypt a bunch of computers belonging to a network in a large organization, they should have pockets deep enough to pay you, let's say, $50,000 or $100,000, or whatever your demand might be. So it makes sense that way. Second, the data should be important enough. Some organizations have really critical data, so they are more likely to meet your ransom demand no matter how big it is. So in that sense you want to choose your victims carefully. SamSam did this, and the way it worked was that the attack vector was weakly secured RDP sessions. It exploits that, and once they're in, they manually escalate privileges; when you become, let's say, an administrator, you kill the AV, then you spread and infect, and then you demand the ransom. Now, they have made about $6 million so far. If you make $6 million from your ransomware operation, you take out $1 million for sex, drugs and rock and roll, and you still have $5 million for your next ransomware campaign as a research budget. So this is a substantial amount of money. The address shown is one of the Bitcoin addresses that belong to the SamSam ransomware. So that's one of the things: targeted ransomware attacks are here to stay.

Now, adding a miner. Cryptocurrency is on the rise; the second half of the presentation is about that, and we'll discuss exactly what it entails. But we all know that it's on the rise, so why wouldn't they include another secondary infection in there? Add a crypto miner. So they are bundling mining routines with the ransomware. We saw it a little while ago with the Black Ruby ransomware, and we're seeing it lately with ransomware like the Blue Blackmail virus, or the Obama-themed virus as it is called. So we're seeing that they are bundling mining routines with the ransomware. There's a lot of motivation for why they would do this. First of all, it runs in the background while you're waiting for the ransom.
It will generate some small income for you even if the victim doesn't end up paying the ransom. You still end up generating a little bit of something, so if you're completely financially motivated, it makes sense. It's favorable to ransomware developers especially in the context of developing countries, because you ask for $300 as a ransom demand, and if it's a country like India, let's say, where the exchange rate is $1 to about 70 Indian rupees, then you convert that to rupees and $300 is a lot of money. So you're not really going to get a lot of people paying the ransom, even though they don't want to lose their files, unless it's business-critical files; in that case they might end up paying, but otherwise, if it's personal files, they'll be like, all right, I'll deal with the loss, I don't want to pay this kind of money. So in that case it makes more sense if you can detect the IP address of the host you've infected, resolve that to a country, and say: if this is in the list of developing countries, then just mine in the background and let the ransomware functionality lie dormant. So that could be a thing in the future. We've already seen them resolve IP addresses to countries, but they've usually done it so that if it's, say, a Russian malware and it detects that it has infected a Russian host, then it won't encrypt. There could be a bunch of reasons for why they do this; maybe it's some sort of patriotism, or maybe it's because the local authorities are more likely to get to you. We saw it with some ransomware in Iran as well, where it was detecting Iranian IPs and then not executing the malicious functionality. So it makes sense for them to do it in the case of cryptocurrency mining as well. Something is better than nothing; you at least generate some income.

Another thing we're noticing
with ransomware is that they started using elliptic curve cryptography. The Petya ransomware used it, the infamous Petya ransomware. As for the motivation, these are just speculations, because we don't exactly know why they need to use elliptic curve cryptography; RSA does the job just fine. RSA-2048 is strong enough; they don't really need to use this. But it could be better for marketing in the underground economy, because underground markets can be competitive just like any other business. So it's better for marketing: look at us, we're using the new and shiny elliptic curve cryptography, as opposed to our competitors who are using the same old RSA you've always heard of. And then, and this is another speculation, it's not as closely scrutinized as RSA is for security weaknesses, so if you make a mistake in terms of implementation, you're more likely to get away with it. So that could be another reason.

But basically I wanted to discuss the example of the Petya ransomware and see how they implemented the ECIES scheme, as it is called, the Elliptic Curve Integrated Encryption Scheme, in the ransomware. So secp192k1, I'm sure there's a better way of saying that, but what you see is the curve deployed in the Petya ransomware. The curve has certain parameters, the domain parameters of the curve, for example the base point, which is shown just as an example. The domain parameters and the public key ship with the ransomware, and then the secret integer s, just as in public key cryptography, will be kept safe with the attacker. I wanted to quickly discuss how ECIES works. This is the only slide with math in there; there's quite a risk I took right here. You generate a random integer t. This is a very simplified version of understanding how elliptic curve cryptography works in the context of ransomware.
So upon infection, you generate a random integer t on the host, and for doing that you can use the CryptGenRandom function that is part of the Windows crypto API, or /dev/urandom if you're on Linux. Anyway, you generate the random integer t, and then you get Q by combining t with G. G was the base point from the previous slide, if you don't remember; it's part of the domain parameters, it's public, it's part of the curve. So the ransomware combines them to get Q, and once you have Q, you take t and P, combine them, perform a hash of it, and you get h, which is the encryption key. P over here is the attacker's public key that was embedded in the ransomware, shipped with it. So now you have the encryption key, you encrypt using the encryption key, and then you go ahead and, it's important to execute this step; if they make a mistake there, that's where we come in to exploit it and make a decryptor available on a project like No More Ransom. So you purge t and h from the host. This is important for the ransomware developer to do. And then you demand the ransom, and upon receiving payment, what you can do is ask for Q. Because you have that secret integer s, and it has this important mathematical property that it can combine with Q to give the same result as combining t with the attacker's public key gave us, basically they can get the encryption key back using the secret integer that never left them. So now they're able to generate the symmetric key back on their system, and then they can just send that back to you as your decryption key, and you can decrypt your data. So that's a simplified version of how ECIES works in a ransomware like the Petya ransomware. So we may see more of elliptic curve cryptography as they begin to move away from
RSA, for whatever reason.

All right, so then we have purging backups. This is a trend that started a few years ago, and it makes sense for them to do it. The only leverage that ransomware developers have over their victims is denial of data; basically, they're disallowing you access to your data. So if you can get it back, then basically backups are the ultimate defense against ransomware. Backups can exist in many forms. You can have them on a mapped network drive, or on the host, in terms of Windows, as volume shadow copies, or if you trust cloud storage providers with your critical, sensitive data, then you can upload them to cloud providers as well. Now, ransomware are known to explicitly search for and encrypt network shares and purge VSS files on the host, and sometimes they're even known to abuse the clients of these cloud service providers to encrypt files stored on the cloud too. If there's an automatic sync happening, and the ransomware ends up encrypting your files, and you've set it up to automatically sync to the cloud, the cloud copies will also get encrypted. But of course, I believe OneDrive is providing a functionality where it lets you revert changes for up to a month, so you can get your files back from there. But yeah, if you perform a dynamic analysis of various ransomware, this exists in many ransomware and it's here to stay. If you perform a dynamic analysis of, let's say, SamSam, you'll see that it uses vssadmin.exe on Windows to quietly delete all shadow copies. That's why it's suggested that you rename vssadmin on Windows; there's a little bit of a workaround there so that your volume shadow copies keep on
producing and syncing. But basically you want to rename it, because ransomware love to use that to quietly purge all of your shadow copies. We've also seen that they like to explicitly map network shares, and once they're mapped on your host, they go and infect them there and encrypt that as well. What they use for that is a standard Windows function, WNetAddConnection, which is used to map the network share. So we've seen a lot of that during static analysis as well.

So the next trend I wanted to quickly talk about was dropping spyware. This is an example, an excerpt of code taken from the RAA ransomware, which was a one-of-a-kind ransomware because it was based entirely on JavaScript. So they can't really do much in terms of hiding their code, but they can definitely do code obfuscation. What they do is give the functions random strings as names, so it's really hard to follow; they try to jumble things up. Basically, every bad coding practice that they can do, they do in there, so that it makes it hard for you to read and analyze the code. So there's some code obfuscation as part of this JavaScript ransomware, but this particular function is important, because this is the one that drops the Pony spyware on a user's machine once it's done infecting the machine. It's self-decrypting code, so it decrypts a part of itself. This code in the beginning decrypts to here, and what you can see over there is that they're trying to put st.exe, which is the Pony spyware, in your My Documents folder and then execute it from there. So it's not just encrypting your files; it's also stealing your passwords and other kinds of information on the host. Now, there's not a lot of motivation for them
to do it except for the obvious benefit of stealing your personal info as well. But it makes the average victim distrust ransomware operators and developers, so they're not likely to pay; they know that these people can't be trusted to just give you a key back, that they'll leave some secondary infection in there. So they really like to make sure that their victims trust them, in a sense, and doing these kinds of practices is actually bad for business. But then there are all kinds of ransomware developers in the underground industry, and while some of them will avoid doing this, some of them will do these kinds of things: adding a miner, dropping spyware, and so on. If you perform the dynamic analysis, in the case of the RAA sample .js as shown over here, you'll see that it opens wordpad.exe and puts a document in front of you with random text in it, and while you're trying to figure out what's going on, in the background it executes and drops st.exe, st.exe being the Pony spyware, and then it executes it. So now you've got spyware on your system in addition to the ransomware.

So the attack vectors are constantly evolving. They like to get into the system any way that they can, but they used to go mostly for the social engineering attacks, where they're sending an email to an unsuspecting victim, trying to trick them into downloading and executing the threat. RAA was a JavaScript-based ransomware, and I believe a major motivation behind writing a ransomware in JavaScript, other than the fact that the ransomware developer was very familiar with JavaScript and wanted to use it, could be that they wanted to send an email attachment that says something-dot-js, and an average user is more like, it's the thing
that, you know, it's not an .exe, it's not a .dll, it looks like something I can download and execute. So it throws them off their sense. So they do try new social engineering tricks like that over the years, but that has been the predominant attack vector. Why WannaCry made big news when it came out, in 2015 I believe, was because of the way it spread. There was nothing very special about WannaCry except that it spread like a worm and exploited this vulnerability, and because of that it made major news. So they had shifted their attack vector in that case. And then in the case of SamSam recently, in 2018, it's been, like I mentioned before, exploiting RDP sessions, remote connections. So there's more to come, and as part of the security group, it's our responsibility to think a step ahead, think about what other attack vectors they might exploit, and try to close them down before they get attacked. So that's something to think about.

WannaCry: we've all seen this pcap of WannaCry. I wanted to quickly show it. As soon as you analyze it, you notice that after infection it starts scanning for port 445 on different hosts to see if it can exploit the SMB vulnerability, and that's it spreading like a worm.

All right, so with that we're done with the first part of the presentation, which discusses ransomware and the trends that are here to stay in ransomware, that we've noticed over the years. What we want to talk about now is, of course, a new thing: cryptojacking. We all know what it is, but I wanted to go into a little bit of detail about how they're executing this. So one evening, my advisor and I were having a conversation about malware threats, and basically cryptojacking
and ransomware, and he said, well, if you think about it, Bitcoin made ransomware possible. I believe the first ransomware that came out was in 1989, and it was called the AIDS Trojan. It did some kind of jumbling up of files; I'm not really sure what it did, because it was a while ago. What it did in terms of ransom payment was ask you to make a payment deposit to a P.O. box in Panama. Now, that doesn't take you far if you're looking to develop this as an underground industry. But the rise of cryptocurrency, especially Bitcoin, made it easy to set up an online anonymous mode of payment, and so ransomware took off after that. So it's kind of related. In the absolute sense, it's not like Bitcoin did make ransomware, but if you think about it, it did. And so I thought, okay, well, in that case, Monero made cryptojacking. You can't infect an average user's computer with a cryptojacking malware and try to mine Bitcoin on there, because Bitcoin requires specialized hardware, it requires mining rigs, so it's just not very feasible unless you're doing it in really, really large numbers. It's just not feasible to mine Bitcoin on an average user's computer, and an average user's computer doesn't have those graphics processing units, the hardware that is required for mining Bitcoin. Monero, on the other hand: the algorithms are designed for an average user's CPU, like an i5 or an i7 processor, that almost every computer these days has. So because of that, Monero took off, and with Monero, cryptojacking took off, especially web-based cryptojacking. There were some other factors in there, like Coinhive coming into existence and things like that, but yeah, cryptojacking took
off when Monero took off.

All right, so a little bit about cryptojacking. It's also known as drive-by mining. It's stealing someone's processing power to mine cryptocurrency, and it's an offshoot of the rise in valuation of cryptocurrencies. When Bitcoin took off, when it rose, it brought some of the other cryptocurrencies' values up with it, and now we've got cryptojacking. There's a general lack of awareness among average computer users about what cryptojacking is. So as part of some of our efforts we wrote some media articles to make people aware of the problem, and then we did a radio interview, where from the questions that were coming from average people it was very clear that it's not always easy for an average computer user to understand what cryptojacking is right away, because they started all the way from blockchain, asking me questions about blockchain, and that was not easy to answer. So they're preying on a general lack of awareness. And then it's easy to pull off. You don't even have to be really a hacker of any sort to do this, because all you need to do is have a website with a decent number of visitors, if you think about it, and then you can just include four lines of JavaScript code in your website's HTML, and you've got a cryptojacking platform ready. That's where Coinhive and Crypto-Loot and CoinImp and services like that come into the picture. So you don't need specialized hardware anymore; that's another thing. Like I said, with Monero there's no need for specialized hardware; an average CPU is fine.

So the problem with cryptojacking, again explaining it to the average user: what's the problem, why is it hurting me, other than slowing my computer down and making noise, that sort of
thing? So the immediate problem is, of course, that increased processing requires more electrical power, so it's more costly. Do this at an organizational level, and now the organization is losing a lot of money because a lot of the employees' stations are infected with cryptojacking malware. So the cost of electrical power is the immediate problem. The long-term concern is electromigration: if you use a CPU at high heat for a long period of time, theoretically electromigration is possible, and that damages the CPU. But the truth of the matter is that we change laptops, and the recycling time of laptops is so short these days that it's more likely that you'll change the laptop by the time your CPU burns out, except for some extreme cases. I just heard about one case recently, two days ago, where someone's processor caught fire. Basically, an employee in a corporate network had asked for this really, really powerful computer for work, apparently, but what they were doing was mining cryptocurrency on it 24/7, and it ended up catching fire. But that's not really what we're concerned about, because if you think about it, with the next wave of cryptojacking criminals coming into the picture, as I'll talk about in later slides, they will be smarter, and if you're a smart cybercriminal doing cryptojacking, you don't want to kill the cash cow. Killing the host is not something a virus intends to do, at least not right away, at least not in the case of cryptojacking, where long-term mining could give you substantial funds. So that's not really a concern right now.

So, types of cryptojacking. There are several types, and from what we have noticed on the internet we've condensed it to this. You can install a mining application on the host, and
in that case there are two ways of doing that. You either trick the user into installing one, so it's the same old social engineering tactics that I was talking about earlier, where you have a user download this and execute it; or you can exploit a vulnerability and spread, like one miner did that exploited the same EternalBlue vulnerability, but instead of a ransomware it was a mining malware. So you can do that as well. The other wave of attacks in terms of cryptojacking that we've been seeing is the JavaScript-based miners, and we all know about these ones. You just lure victims to a web page, and the web page runs an embedded JavaScript miner, so as long as the victim or the visitor stays on the web page it keeps on mining. We've also seen instances where if you try to close the page, it actually doesn't let you close it: it pops a window and hides it behind the time on the taskbar, in a way that you can barely see it. So the window is small and it's open, and you think it's not, but the point of keeping the window open is that it keeps mining. So we've seen them do this. Another way to do it is to inject mining scripts into ad networks, and we've seen several examples of this where legitimate websites, even government websites, are serving ads to their visitors, hundreds of thousands of visitors, and the ads are infected with the cryptojacking scripts, so they're all unwillingly participating in this cryptojacking campaign. We've seen a lot of examples of that as well. So those are, roughly, the two ways of doing cryptojacking attacks.

So with that we want to move forward and discuss cryptojacking on the web, some of the preliminary analysis that we've done to identify what's going on. An
example of a JavaScript-based mining script looks something like this. So both of them are examples of Coinhive scripts embedded in a web page that we visited, and they are not notifying. So cryptocurrency mining in itself, as we all know, is not inherently bad or illegal. It's fine if they ask for your permission, like in the case of Salon: if they ask for your permission and you say I don't want to see the ads, in fact what I want to do is I'll let you mine for a little bit but just don't show me the ads, and if you agree to that as a user then that's fine. But in these cases they were not doing that; there was no notification given to the user, so then it becomes cryptojacking. And so these were two examples where all they need to do is just import the Coinhive script, the JS script, and then the next set of commands are basically to initiate the mining activity. The long strings that you see in the boxes correspond to where to make the payment, so who the proceeds of the cryptojacking or the cryptocurrency mining should go to. Of course that's the attacker's address, and so your computer does the mining and they get the profit. So the idea is clear.
So that's another example of a JavaScript-based mining script, except in this case it's CryptoLoot, it's not Coinhive. I wanted to put that on there because Coinhive has become almost synonymous with JavaScript-based mining on the web, and it is the most predominant one used, but there are other options available like CryptoLoot and CoinImp and so on; there's a bunch of them available. The point is that when we're doing research we don't just want to be looking for Coinhive; there are other things as well, so that's why I wanted to show this example as well.
Now, impact on system resources. This is a small, simple study done by us. This is
the before-and-after shot of resources on a Kali Linux box. Before, the cores were barely doing anything and the temperature was down, and then after we opened this web page on Firefox, which was a cryptojacking web page, the resource consumption shot up to 100 percent right away. All four cores are being used to full capacity and the temperature is rising; this screenshot was taken immediately after it, and within a few seconds the temperature started rising right away. And if you look at the processes: the CPU is where you utilize all four cores, and then in the processes the Web Content process with PID 3719 is taking 97.5 percent of CPU, which, if you think about it, is not smart of them to do, because it's easier to notice something like this, as opposed to if they were only mining at 40 percent, which would go long term. So that's what our concern is right now: that they will get smarter, because they're doing trial and error right now; with time they'll get smarter, and then they will only load your CPU so that it doesn't make a lot of noise, it doesn't lag, so that there's more of a chance for them to keep mining for the long term. So that's a real concern.
So, cryptojacking on the internet: preliminary analysis. Now there are some complications in doing this study that I will discuss. Basically we want to crawl the web looking for unauthorized Coinhive miners; that was our goal. How do we do this? Mass crawling the web, with so many different kinds of websites and web domains, is not easy, and we're not just trying to look at the URL or something; we're looking at the source code of the web page to determine if there's a Coinhive or some other kind of cryptocurrency mining script on there. If we do recognize the presence of one, which
is not very easy to do, even if you do that, then we have to make sure that it's not a legitimate website which is asking for permission but one that is actually cryptojacking, so it's covertly mining. So that's another tricky part.
So for crawling the web, instead of writing our own tool, there are some services already available right now. PublicWWW is a service that is the search engine for the source code of websites, so that's exactly what we need: we want to look at the source code of websites to see if there are any embedded miners on there. So that's one way to do it, and then NerdyData and Censys.io provide similar functionality, so that's where we looked.
And so how do we determine the unauthorized part? That's very tricky, and that's what slows down the pace of this research, because once you identify that, let's say, so many web pages on the internet are deploying these cryptojacking cryptocurrency miners, how do you determine that they are not asking for permission without manually looking at the web page and seeing if somewhere there's a notice saying, oh, by the way, if you're here we're mining? So that makes it a manual process, which makes it slow. So how do we validate the results? That's another big question. Some websites are now unavailable: when they were cached by these services they gave us a list of which domains have employed these scripts, and now the websites are down and unavailable, because these tend to be shady websites in the first place. And then some websites have now cleaned the source code, so if you go there the source code doesn't really show any script; maybe they were unwillingly participating in this cryptojacking and so they have now removed the mining scripts. So another big question is how do we get around
code obfuscation? So an example of code obfuscation is this here. This is an excerpt from the HTML of the web page, and if you look at that part right there, that's an obfuscation in the form of the traditional JavaScript eval function. So they've packed the actual Coinhive mining script code into the eval part right there. So if you look at it, this was the obfuscation part in the first box, and this was what was part of the website. Now the problem is that if you're using a crawler looking for, let's say, "coinhive.min.js" in quotes, exactly like this, or something like that, then because that particular string would not be found in the source code because of the obfuscation done here, you're going to miss out on this particular kind of obfuscation in your analysis. And that second box is what it is if you de-obfuscate it: it's the same old thing that we've seen before, it's just a Coinhive miner. So that makes it more tricky.
All right, now I just wanted to put this up; that's a typical example of a website mining. I censored it, and then I censored it again for the sake of our sanity, so if you really look at the picture, the file on my box, it's like "poopy girl censored underscore censored again." So that's a typical example of a website that's doing this on the internet, and I'll discuss why streaming content is such a good platform for them to do this. But looking at this website, forgive me for questioning the no doubt pristine reputation of Poopy Girls, but I think they're cryptojacking their visitors, because I didn't see any notice about mining. And so we identified, because of this crawl, the results we got from these
crawling services: we wrote some queries to see where Coinhive and CoinImp and CryptoLoot and all of these JavaScript-based miners are hidden, and we identified 212 websites. That's not a lot of websites compared to how many there really are, but like I said the process is slow, and so if you've got any ideas on how we can make it faster then I would love to hear them. But right now we've identified 212 websites that are involved in cryptojacking, and we want to resolve these websites to categories, because you want to see what kind of websites are doing this; what's the trend here? So are these pornography websites that are basically involved in this, or are these malicious websites that are also serving other malicious content, are they involved in piracy, distributing pirated software and games? But how do we do this? We can't just look at each domain and try to understand what it's about. So we used the FortiGuard web categories for this. FortiGuard provides you a way to resolve a domain name to what kind of website it is; they do it so that as a network administrator you can block people from going to, let's say, pornographic websites on your network, and so that's the purpose of it. And so basically we used FortiGuard to resolve these to categories. We wrote a simple Python script. As with any kind of web scraping, you want to be nice if you're doing something like this, and so you make it sleep for an amount of time so that you don't overwhelm their server with a lot of requests. In our case we didn't make a lot of requests, but if you're making a lot of requests it just makes sense for you to buy the API. So just play nice if you're doing the web scraping. And then from FortiGuard we got it resolved to categories by writing a simple script, and we noticed that FortiGuard came up with these. So according to
the websites we identified that were involved in cryptojacking, these were the kinds of websites that were involved in there. The malicious websites were number one, so they're already involved in other kinds of drive-by attacks, and then streaming media and download is right up there, and pornography is right up there. So that's part of the analysis.
And then if you look at the geographic distribution, based on where the IP addresses lie, they're all over Europe and some in the US; we noticed some in Russia and so on. Again, we need more data, because the process is slow; we need more data to get more results about the statistics that we're interested in knowing about these cryptojacking websites, because then we can warn users about where not to go, what not to do, and so on.
So some of the things that we saw right away after this analysis: as we expected, cryptojacking websites are involved in other dubious practices. They're already distributing malware or illegal videos, like "come watch the latest Game of Thrones episode in HD quality" and that sort of thing, and then they're also distributing malware and these things. Now, streaming media websites make them ideal for cryptocurrency mining, and I don't mean things like Netflix or YouTube; I mean more like "where can I watch Game of Thrones online for free" or "where can I watch free pornographic content in HD quality." If someone is showing you free pornographic content in 4K quality, you need to get really suspicious about that website. And so streaming media websites provide a good opportunity, because when the visitors visit there, they stay there for a long period of time while they're watching the video, and all that time gives more money to the cryptojacking people, because you're cryptojacking for them in the background. So
and if your fans go off or something, you're going to think that, oh, it's because of the HD quality video maybe. So yeah, they provide a good opportunity, so users need to be really wary of going to these streaming media websites that serve illegal content.
So with that, moving on to IoT cryptojacking real quick. Why IoT cryptojacking? Well, the real question is not why, it's why not. Okay, so there are only two relevant factors here that they will consider as cyber criminals before IoT cryptojacking. One of them is gaining initial entry: is it difficult to get in? So IoT devices, and we just had another talk on IoT devices earlier today, IoT devices are more vulnerable; they don't have the same kind of protection that your average computer does in terms of antivirus solutions and intrusion detection systems and so on, so you could argue that they're more vulnerable, plus people leave the defaults on there. We've seen the case of the Mirai botnet and whatnot, so we know that they can be more vulnerable than computer systems. The second thing that they're concerned about is: will it make me money? And if it's worth it they will do it. So what's the profit potential? Do IoT devices today have enough computation power? Well, that's a very difficult question to answer just because of how different IoT devices can be from each other; there are all kinds of variations in what kind of processors they have, what we're talking about. So that's a difficult question to answer, but we'll attempt it. So to do this, as part of the preliminary analysis, we just took a look around the room at whatever IoT device was available. For reference purposes I put an average user's i7 processor up there; that gives you a hash rate of 150 on Coinhive.com, if you go and test what hash rate your computer can produce; that's what it gave us. So use that as a
reference point. Then on the Amazon Fire TV Stick that I had, it gave me a hash rate of five. On my phone, a Galaxy S9, I had a hash rate of 25, so that's not that bad. And then on my Galaxy Gear S3 smartwatch it's 0.4; that's what the snapshot is from. And then we're not even considering the routers that have good processors, we're not even considering the cameras that have good processors, and we're not considering a lot of other IoT devices. So I think the answer to this is that it definitely is worth it for them if they can get into the right kind of devices, and they'll find a way into those devices one way or the other. So what we need to do is proactively start protecting our IoT devices better, because cryptojacking is going to hit them pretty soon.
And then how much money can they make? Now this again is a very difficult question to answer, not only because of how much variation there is in the processing power of IoT devices, but also because the valuation of cryptocurrency changes violently over time. So this is what the valuation of Monero did: it stayed flat for many years, and then it shot up, of course, with Bitcoin, and then it started falling down again as Bitcoin kind of dove down, and right now it's about a hundred dollars or so, a little over a hundred dollars.
And so the real concern right now for us to think about for the future in terms of cryptojacking is clever cryptojacking attacks, not the ones that are using 100 percent of your CPU. You can train your user to see if their computer is lagging and the CPU fan is making a lot of noise; that's not the real concern. The clever ones are going to stay there for the long term, mining using only 40 or 30 percent of your CPU, and go undetected, and then
improve the attack vector, just like any other malware, like ransomware: improve the attack vectors, and then they'll do stealthy mining using only part of the CPU. And then we can expect to see Google Play and App Store apps that mine in the background, so doing cryptojacking over there, because the process of vetting these apps leaves a lot to be desired, and so they will make their way in. And when they make your CPU hot while you're playing a game on your phone, you're going to think that it's probably because of shitty programming in the game, but it could be mining in the background, and with the latest smartphones it makes sense for them to do that. So we're definitely concerned about that.
Now, protection against cryptojacking. These are the standard things that people can do, that we can tell people to do: update your computer systems; use antivirus solutions. Actually, while making this presentation, these PowerPoint slides were deleted twice by my antivirus solution because I put the JavaScript code in there, and so that's good, that the latest antivirus solutions are detecting those lines of code as malware; it said it's JS.Miner or some routine like that, so it deleted my files and I had to recover them, but antivirus solutions are recognizing them. And then we want to spread user awareness; it's not easy to explain cryptojacking to the average user. Monitor system resources: your average user wouldn't do this, but it's a good way to look at what's going on in your computer. And then install browser extensions that specifically block mining scripts. If you want to go to the next level then use NoScript; now nothing works on the internet anymore, but at least they can't execute JavaScript on your computer, right? So that's good. All right, so in
conclusion: ransomware versus cryptojacking. Well, they're both here to stay; ransomware is not going anywhere, right now at least. Ransomware is more intricate in terms of the crypto API functions and all the key management that I was talking about earlier, so that makes it a little harder to do, but cryptojacking on the other hand is relatively straightforward: once you make your way in, just start mining, right? No ransom guarantees after infection: the user could just format their computer and start from new if they don't care about losing their files, but with cryptojacking, the cryptocurrency that you've generated, some value that you've generated, is not going anywhere. Ransomware is known to the average user; it's been many years, it's a known threat, people are aware of it. Cryptojacking is still very new. Noisy ransom notes, as opposed to covert long-term mining. And then ransomware is OS dependent, so most of the ransomware that we see, mostly they work for Windows, but then some go for Apple; but cryptojacking, especially the one on the web, doesn't matter as long as you've got a browser; doesn't matter what kind of device you're coming from or if it's an Apple or Windows computer, you still get cryptojacked. So that's another big difference.
And with that, what I presented today is part of what I'm working on and part of what I'm doing, but if you've got an idea for how to improve upon some of these results or how to make the processes more efficient and faster, I would be glad to hear those ideas. And with that, thank you very much, and we conclude the presentation.
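The JavaScript miners, the eval-packed obfuscation that defeats a plain "coinhive.min.js" search, and the crawl for embedded miners described in the talk, as an added detection example in Python that is not the speaker's own crawler: it peels string-escape, atob() and eval-packer obfuscation from page source, matches miner signatures, and extracts the site key that says who gets paid. Signature names, vendor domains and the sample page fragments are constructed assumptions, not captured from any real site.

```python
import base64
import re

# Added example, not the speaker's crawler. Vendor domains are as Coinhive, CryptoLoot
# and CoinImp were served in 2018 (an assumption); CoinHive.Anonymous/User starts mining.
MINER_SIGNATURES = {
    "coinhive-loader": r"coinhive\.min\.js",
    "coinhive-start": r"CoinHive\.(?:Anonymous|User)\s*\(",
    "cryptoloot-loader": r"crypto-loot\.com",
    "coinimp-loader": r"coinimp\.com",
}
_SITE_KEY = re.compile(r"""CoinHive\.(?:Anonymous|User)\s*\(\s*["']([\w-]+)["']""")
_JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
_ATOB = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
# eval(function(p,a,c,k,e,d){...}('payload',radix,count,'w|o|r|d|s'.split('|'),0,{}))
_PACKER = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\).*?\}\('((?:[^'\\]|\\.)*)',"
                     r"(\d+),(\d+),'([^']*)'\.split\('\|'\)", re.S)
_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def decode_js_escapes(text):
    # "\x63\x6f\x69\x6e..." is how a literal "coinhive" hides from a string search
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)

def decode_atob(text):
    # Replace atob("...") with its decoded content so the signatures can see it
    def repl(m):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
            return m.group(0)
    return _ATOB.sub(repl, text)

def unpack_packer(text):
    # Each \w+ token of the payload is the base-`radix` index of a word in the list
    def unpack(m):
        payload, radix = m.group(1).replace("\\'", "'"), int(m.group(2))
        words = m.group(4).split("|")
        def enc(n):  # the packer's own encoding of index n in base `radix`
            return ("" if n < radix else enc(n // radix)) + _ALPHABET[n % radix]
        table = {enc(i): w for i, w in enumerate(words) if w}
        return re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)), payload)
    return _PACKER.sub(unpack, text)

def deobfuscate(html, passes=3):
    # Layers nest (a packed payload may itself use escapes), so peel repeatedly
    for _ in range(passes):
        html = unpack_packer(decode_atob(decode_js_escapes(html)))
    return html

def scan_html(html):
    text = deobfuscate(html)  # sorted indicator names present in the page
    return sorted(n for n, p in MINER_SIGNATURES.items() if re.search(p, text))

def site_keys(html):  # who gets paid: useful for blocklists and attribution
    return sorted(set(_SITE_KEY.findall(deobfuscate(html))))

# Constructed page fragments for the demo, not captured from any real site.
SAMPLE_PAGES = {
    "plain": '<script src="https://coinhive.com/lib/coinhive.min.js"></script><script>var m=new CoinHive.Anonymous("SITEKEY_PLAIN");m.start();</script>',
    "escaped": r'<script>var s="\x63\x6f\x69\x6e\x68\x69\x76\x65\x2e\x6d\x69\x6e\x2e\x6a\x73";</script>',
    "atob": '<script>eval(atob("%s"))</script>' % base64.b64encode(
        b'new CoinHive.Anonymous("SITEKEY_B64").start()').decode(),
    "packed": r"""<script>eval(function(p,a,c,k,e,d){while(c--)if(k[c])p=p.replace(new RegExp('\\b'+c+'\\b','g'),k[c]);return p}('var 3=new 0.1("SITEKEY_PACKED");3.2();',10,4,'CoinHive|Anonymous|start|m'.split('|'),0,{}))</script>""",
}
```

Run `scan_html` and `site_keys` over each entry of `SAMPLE_PAGES` to see that all four forms resolve to the same Coinhive indicators.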