Moderator: Good. We will start our talk about web-based cryptojacking in the wild: when your browser is mining coins for other people. It will be by Marius Musch, who is doing a PhD at TU Braunschweig on web application security with a focus on client-side attacks and large-scale analysis. Please welcome Marius.

Marius: Hi, everyone. I'm Marius. Thanks for having me. Today I will talk about web-based cryptojacking. I worked on that project as part of my PhD, together with my colleagues Christian Wressnegger, Martin Johns, and Konrad Rieck.

So unless you have been living under a rock in the past two years, you might have heard about Bitcoin and all the cryptocurrency stuff. In January 2017, we had Bitcoin at an exchange rate of about $1,000, and it went up all the way to $20,000 in December. Today we are somewhere between $3,000 and $4,000 again. Just for context: when we worked on this, it was around February when we started on this project, and the final data collection was around May. So it was after the real hype died down, but cryptocurrencies were still somewhat more popular and higher priced than today.

To get you quickly on the same page, I have prepared two slides about mining in general. Mining is the process of creating new coins in a cryptocurrency. What you need is the state of the current network, which is also called the blockchain, and also a random number, or nonce. You take both of these things, put them together and calculate a hash over them. The resulting hash sum is compared to a target. In the end you basically want a resulting hash that is a very low number, so it has a lot of leading zeros. In the case of Bitcoin, you actually want to find a hash that has 19 leading zeros. This is usually not the case, so you repeat this process very, very often: you brute-force a lot of hashes, and in the end you hopefully some day find such a hash, and then you have basically mined a block.
This is what mining is about. In this process you are trading your computational power and electricity for shiny new coins. You have the initial investment in hardware, and you have the constant cost of the electricity. For you, mining only really makes sense if the coin is worth more than the electricity you pay for.

We also need to know about mining pools. The problem is, if you now decide to start mining with your desktop computer and a normal CPU and say, yeah, I want to mine Bitcoin now because I've heard that's the next new thing, then this is very inconsistent, because you could mine for centuries and not mine a single block. So you never get any reward at all, but you still have to pay for all the electricity. What you could do instead is join forces with other miners, and then you get a more consistent reward, because if anyone in this pool finds a block, it is shared amongst all the peers in the pool according to their contribution. The pool has to track who calculated how many hashes, and later you get the payout based on that amount. So this reward is a lot less random.

So that you better understand how this could work, I have here a simplified protocol of me speaking to the pool. In the beginning I say, oh yeah, I understand version seven of this protocol, and here is the site key, which will become relevant later in this talk. This thing basically ties the hashes you calculate to your account. It's just some ID that later says: okay, when you pay me, remember that the hashes I calculate now belong to the account specified here. And the pool will then say, oh yeah, okay, I know you calculated zero hashes so far. Here, this blob is basically the state of the current network that we need; you've seen that in the previous slide with the nonce. It contains stuff like the Merkle root hash and the current block header and transactions and so on. We don't really care what this is.
It's just a blob for us, right? The pool also says, here is this target: I want every hash that's lower than this number. So we need two leading zeros in this case. Now we try it for a bit and then report to the pool: oh yeah, for this job you gave me, I found this nonce, and that resulted in this hash. So the pool can verify that. And why do we do this? You see only two leading zeros; this will not result in a newly mined block. The thing is, the pool doesn't want to be cheated, right? If you just say to the pool, oh, we tried a million hashes and we didn't find anything, and the pool says, oh yeah, great, that would be a dumb protocol. So in this case we report a subset of the hashes, namely all that have two leading zeros, because the pool requested it this way. And because the hashes are basically random, right, we can't predict the output. And we know this is hexadecimal, so each position in this hash has 16 possible cases, so 16 times 16 gives 256. Basically, because we found this hash, the pool can now say, okay, we probably needed around this amount of tries. This continues and continues and so on.

So far for the basic introduction to mining and mining pools, just so you know what we are talking about. But now, what's this cryptojacking, which is actually what the talk is about? Imagine the story kind of like this. Somebody came up with the idea: okay, we have this cost of electricity. Why should we pay for this? Maybe somebody else can mine for us, right? This is basically what externalizing costs is about; that's the technical term. Imagine you're an energy company producing fusion energy or something like that, and you create a lot of radioactive waste that you don't care about, and you just say, oh yeah, society will deal with it. Then you have externalized your costs.
And this kind of success model got adopted into the cryptocurrency world, in the sense that some people decided: well, I could just mine on other people's computers, so I neither need the hardware nor pay for the electricity, right? This is rather old news from 2017 actually. The Register wrote in May that some cryptocurrency miners were found, and they were armed with exploits that were already seen in another malware campaign. And I'm the guy on the right, who is rather like: okay, this is actually rather boring, because if you can infect a computer with malware, you have achieved arbitrary code execution, and obviously you can start a miner, right? You could encrypt the hard disk, but then you have to deal with all this payment; maybe this guy has a backup and just wipes his machine and loads the backup. So maybe you just start a miner and you have less hassle, but it's not really interesting in any way. But then we saw this article from October in Wired, and they said your browser could be mining cryptocurrency for a stranger, and I'm like: oh, this is rather interesting actually, because now there are no exploits involved, right? We have just normal people visiting a website, and they are part of your cryptocurrency mining scheme, so you can roll this out much more easily. You don't need to infect a lot of computers; you just need a website that's rather popular. That's basically what web-based cryptojacking is about. You have a popular page and you just insert a small mining script into the HTML, a small JavaScript file, no exploit involved. People visit your website, they mine for you; people leave the website, they stop mining. That's rather the drawback of this case: if they close the website again, then the whole thing stops. But on the other hand you can far more easily start the mining, because you don't need to really infect somebody; you just need somebody visiting your web page.
Okay, so we want to do mining in the browser, but I'm sure you're kind of skeptical now, because there are a lot of problems that we would see, right? The first thing is fast execution. A miner in JavaScript doesn't really sound great, but luckily the solution is WebAssembly. It's a new language supported by the browser, a low-level bytecode language that's executed in a stack-based virtual machine inside the browser. So you can write code in C++, translate that to WebAssembly and then call it from a JavaScript API. Basically we can execute the hashing function in WebAssembly, so that will be really fast and efficient. That's great for us, one problem less.

But then we also want to be multi-threaded, right? If somebody visits with four cores, then we want to use all four cores. Luckily there's also an API for that, which we can call from JavaScript: you can ask the browser how many cores this visitor has, and the browser will happily return to us the correct number. Then we can instantiate so-called Web Workers, and these basically spawn multiple threads, and they will even stay active if the user switches the tab, as long as he does not close it. So we have very efficient and fast execution, and we can use all the cores of the machine.

What would also be very useful is efficient communication, right? We don't want to talk to the pool over HTTP, because we have to send a lot of very small messages, and we don't want to deal with all the HTTP headers and that stuff. So we can use WebSockets, and these allow for full-duplex communication without the overhead, because imagine if you have like tens of thousands of concurrent visitors to your website, you don't want them to DDoS your own mining backend infrastructure, right? That would be bad.
So we can use these WebSockets, and combining all these things we actually have a rather good miner now. But I'm sure some in the audience are still skeptical, right? Because we're in the browser, so this proof of work, this hashing function that we have to call very, very often, we execute it on the CPU, and you might say: oh wait, mining on the CPU, that's like 2011 or something. That's true, right, but for Bitcoin at least, not only there. In Bitcoin the proof of work, this hashing function, is a normal SHA hash. The thing is, this is much more efficient if executed on a GPU, or even on specialized hardware like an ASIC, which is an application-specific integrated circuit. So it's hardware that was specifically designed only to do this hashing function, right? It's not a general-purpose thing like the CPU, which can execute arbitrary stuff; it only does this hashing function. But it does it really, really well. If you combine these numbers, and these are just rough estimates, you actually see that such an ASIC could perform as much computation as 12,000 CPUs. So our web-based mining can't really compete with these huge mining farms for Bitcoin which employ these ASICs.

So what is the solution here? Well, the solution is just to not mine Bitcoin, because there are a lot of other cryptocurrencies out there, and in this case we take Monero, which is of the CryptoNight family. They use this CryptoNight hashing function, which was specifically designed for cryptocurrency. They invented a new hashing function which is resistant to all this other hardware: it executes really well on a CPU, but if you use a GPU or something else, it is not really much faster. And people try to design ASICs, but it's really hard, because they implemented this algorithm with a special 2 megabyte scratchpad which exactly fits into the cache of the CPU and stuff. So ASICs have real problems there, and also, when one was announced, they just changed the algorithm.
Somebody said, and it was just last month, that they actually changed it again. So when somebody announces, here we are selling our special Monero mining ASIC, you can buy that for $5,000, they just say: oh yeah, we do a hard fork. So they changed the algorithm, and now the money you invested to build these things, and it is really expensive to build such an ASIC, is basically worthless, and everybody who bought such a thing is also now broke.

Okay, so with all these things together, mining this Monero and using WebAssembly and Web Workers and WebSockets, somebody combined all that, had this brilliant idea, and this was the birth of CoinHive. CoinHive is a service, or infrastructure. They were the first big one and are still the largest of them all. They provide you with a JavaScript file, you embed that into your web page, and then you also add a small configuration script, which I've shown here. Here you see the site key again, so you basically have to identify your visitors. Each calculated hash will be attributed to the account that you write in there in the site key. And if you're nice, you can also say, I don't want to mine at 100% of the CPU, because I don't want to annoy my visitors that much, so you can say I only mine at about 70%, which is this throttle here. What you also could do is say, if we detect a mobile device then we don't start the mining, because it will not help very much, but you can also skip that step. And they claim that this miner they've implemented actually performs at about 65% of the native miner performance. So it would still be more efficient if you did this not in the browser but natively on the machine, but it's not too bad; you get two thirds of the possible computation in the browser. And CoinHive hosts this infrastructure with the WebSocket backend and the pool communication and all that for you, but they take a 30% cut, so you don't get all the money. They actually do.
It was kind of to be expected that people then started to clone this script. They basically just copied the script and modified it a bit and booted up their own backend infrastructure. So there are slight modifications of the script, but from what we've seen, it's actually all the same script that was initially implemented by CoinHive. There's also an interesting story behind that, which I can't go into in detail here, but if you're interested, look up the blog by Brian Krebs, where he found out that CoinHive actually originated from the German image board pr0gramm, which surely somebody here knows. So if you're interested in that and the story behind it, look that up.

So we have this great service CoinHive, and we have headlines which claim that cryptojacking is now the next new thing and, oh my god, the world is going down and everything. But we were wondering, is this really the case? Like, how often does this cryptojacking happen, and do they actually make profits this way? So what we need is a way to detect this in the wild. What I wanted to do was visit a lot of websites and check if I can find indications that they're using a cryptocurrency miner, and I didn't just want to look at CoinHive but actually find them in general, so also modified versions of it.

Before we go into that, I want to add a small disclaimer: not all mining is evil, right? We see here screenshots of two services which actually ask you before they perform their cryptocurrency mining in your browser. This would be okay for us; we ignore these. When we talk about cryptojacking, what I mean is mining that starts automatically and without your explicit consent. All others are basically fine for us, so we don't detect them. And this AuthedMine is even run by the same guys as CoinHive: they noticed that a lot of ad blockers wanted to block them, so they started the second service, AuthedMine, where they ask you first. But from what we've seen it's not
used very often, and also a lot of ad blockers still block that as well. Another thing is, I don't want to say all mining is evil, because it could be interesting as an alternative for ads or trackers, or even for captchas: imagine you have to provide a proof of work instead of a captcha for an API that's for profit or something. So there's potential there, but sadly what we've seen is mostly people trying to profit from it directly by starting a miner, in the form of cryptojacking.

So how could we detect this? We could do some blacklist, right? We start with the CoinHive script, and if we see that, we know it's pretty surely a crypto miner. But then we see that people are starting to host these as jquery.js or player.js or something like that, so this doesn't really help us. So we don't do a URL-based blacklist. We could look for known strings, but you know, people are just obfuscating their miner, so this doesn't really help us either. So, as kind of expected, the static detection of miners is not really that interesting and also not working perfectly well.

What we've done instead is execution traces. This is from Chrome's profiler; it's a built-in tool in the dev tools of your browser, or maybe of another browser. You don't really have to understand what's going on here: I've visited Google, and they execute a lot of JavaScript. You basically see the functions which call another function, which calls another function, and so on, and after a while the page has loaded and nothing much is happening; after a while it just stops. You don't have to understand this, but rather look at the difference. This is a cryptocurrency mining page, and what we see here is eight threads. I couldn't expand them all because it wouldn't fit the screen, but these bars here are basically the same as these expanded bars here. So we see eight different threads which are concurrently executing the same function, which is conveniently called hash, which calls into a
WebAssembly function. Yeah, that's really suspicious, I would say, because this function is called over and over again, and as long as you stay on the page it will be called more often. So this, in eight cores or eight threads in parallel, is really a strong indicator for cryptocurrency mining. We used this and some other indicators to get our results.

We did this back in May this year, when we did the data collection, but I also have two slides about updated results from this month, or rather today. We looked at the Alexa top one million; this is just a list of a million websites which are rather popular, and we found about 2,500 websites which had an active miner. We just visited the front page, which is probably the reason why we missed a lot of them, and there might be various other reasons, but it's just so you get an estimate. We found that about one in 500 websites had such a cryptojacking script active. Then we made a small plot about whether this is more on the popular pages or on the less popular pages. You have to know that Alexa rank one is Google, so a low number is popular. These are the most popular pages, and they also had the most mining scripts, but we still see that there are also miners in the lower, or less popular, ranks of the Alexa list. So there's a slight trend towards here, but there's still a lot going on here.

Then we wanted to know, what are these websites? We don't want to visit 2,500 websites, so we used a service by Symantec; they have website categories for you. Not every page actually had a category attributed to it, and some had multiple, but just as a rough estimate, we found that entertainment and pornography are, kind of unsurprisingly, most popular for cryptojacking. This makes sense intuitively, because if you're on a website which shows you videos or a whole movie, then it's really worthwhile for the website owner, because
you stay for a very long time, right? Remember, the miner is only active during the time the tab is open in your browser. And what this means is you're kind of distracted, like I just said, because you're watching a movie and it plays sound, and you don't really notice what your computer is doing. The fans might spin up, and this is what happens with cryptocurrency miners, because they use a lot of your CPU, but if you're watching a movie you might not care, because you have explosions all around your ears.

So now the question is, do they earn a significant amount of money? If you take the top 10 most popular pages which had a miner, they had on average about 400,000 visitors which stayed for roughly six minutes. These are again very rough estimates, because it's very hard to get these numbers; there are some services like SimilarWeb which can give you some insight, but it's unclear how accurate this is. And we found that they could earn at that time about 180 dollars, I did it in euros actually, but this is really the top end. An average website in the Alexa top one million, which is still not your new personal homepage but is kind of popular, but not really popular, had about 25,000 visitors, and they could only earn about five euros a day. And this is still very generous, because we assumed that nobody has an ad blocker, and we didn't really calculate how many users are on mobile devices, because they also have a much lower hash rate. So there are a lot of things that could go wrong; also people could just boycott your site if they notice that there's a cryptocurrency miner going on, maybe somebody posted it on Reddit or something, and they stop visiting your website. So there are a lot of reasons why you probably earn less money than that.

But in case you're wondering, is this game over for the smaller websites? Not exactly. We were wondering, maybe a lot of small websites belong to the
same guy or are working together, and then it could be interesting again: if you have hundreds of these small websites, maybe there's some money to make. So we tried to track this money, but if you know a bit about Monero, or if you look into it, you notice that this is infeasible, because unlike Bitcoin, Monero has a lot more privacy stuff involved. The payments are untraceable, you can't really link transactions, you don't even know how much money is in a particular wallet from the outside without having a special access key. They use a lot of fancy cryptography which I don't know anything about, but they have these ring signatures and one-time keys derived from another key and blinding factors, and it's crazy. So you can't do anything, right? You can't track money in Monero, basically.

And the next problem is we don't even know the wallet addresses, right? We would need the wallet address, and then we still couldn't do anything, but we can't even do that. With CoinHive, for example, remember there was the site key, and the site key was just an ID that CoinHive then later maps to a wallet where they pay out the money. But we are not running CoinHive, so we don't know which site key gets paid out to which wallet address. And also the site key, as the name implies, is intended to be unique for each site, so if people are running multiple sites, then they could just use multiple site keys, and we from the outside wouldn't know that they actually mine for the same account. But people make mistakes, so we only found 570 site keys on 830 sites. So obviously some site keys were used multiple times; in fact one of them was used 55 times on different websites. In this picture you can see a cluster of 21 pages which had the same site key, and then one of these pages actually had a second miner with another site key, which linked it to these five other pages. So this page maybe was infected twice; we don't really know. That's the problem, right? Because even for these 21 sites
with the same site key, we don't know if they have the same owner or if they were hacked with the same exploit, or by the same guy or the same campaign. So we know these belong together and that the same person gets all the money from these 21 sites, but we don't know if that's intentional or not. And this case with this one site which had two miners on it, which doesn't really make sense, kind of indicates that there was some hack involved, but again we don't really know from the outside, which is kind of sad.

There was a last thing we could do, which is probably the easiest of them all, and this is using web artifacts, which means we look at the mining script. We look at the URL of the script, and if you see the same script over and over again, or the same WebSocket backend, then it could be that they belong together. But the problem is, there are these pools, right? If you see CoinHive, for example, multiple times, we don't know anything. But on the other hand there are private pools which don't have a public website, so there's nothing to register, and then we kind of can conclude that they have to be run by the same people. So for example we used the scripts, or rather the hashes of the JavaScript miners, and we clustered them in this picture here. The biggest is obviously CoinHive, as expected: this huge block here basically means there were about 700 or so scripts which were exactly the same. And then there's another block; we called it advisors, because that was the URL of that miner. We were wondering, there were 311 sites which had this miner, but when I visited the web page it just said 403 Forbidden, so there's nothing really there. So why are there so many web pages which use that miner if there's nothing there? It kind of has to be run by those guys, right? Nobody in their right mind would come up with the exact URL of the script and then just include it if you can't register on that page. So we looked into a few of those pages, and
then we saw that all of them had such a banner. We noticed that they were all run by a free Ukrainian hosting service, and they included this banner on all the web pages at the top, and it even got translated into German when I visited it. So this banner went over a certain number of hops of other domains, which were all registered through Privacy Protect and WhoisGuard and such stuff, so you can't really find out who registered these domains. But over this chain they finally included the mining script from advisors, and the script itself and the socket communication were also obfuscated, like I've shown before. And the miner was only active on the very first visit; after that it set a cookie and never mined again, or never mined again on the same day. So they were really stealthy about that, but on the other hand this kind of dampened their profits, because if you visit the front page and click a link and the miner stops, then okay, you have maybe a few seconds of mining, I don't know. But they had 300 sites, so if you put all this together they made a bit more money, but it can't be much, right?

So these were results from May. But now you might be wondering; this is actually a different chart, this is now the Monero exchange rate. When we did our study, we were around here, where Monero was worth about 225 dollars for one XMR, and today they're at about 50 dollars. This means the numbers you've seen before, you have to divide them by four or by five, somewhere in between, and this means, if you round it down, that basically you make one euro a day with an average website. And, kind of as expected, that means people stopped mining, right? Because I actually made this graph today, and I found that only 300 miners were currently active. And interestingly we also see that in the most popular bin we now see a rather larger percentage: the first bar here is actually 25 percent of the total, and in May it was 14
percent. So the more popular pages still do that, while a lot of the smaller ones stopped, because if you're here you're really not going to make any money at all. Okay, so this already concludes my talk. Thank you all for listening, and I'm free for questions.

Moderator: Those of you that have questions, please stand up behind the microphones, and those of you leaving, please do so quietly so we can have the Q&A. There is a question from microphone number two.

Question: Hi. Did you look into open source CMSs and their plugins? For example, there could be the approach to put some mining script into a popular WordPress plugin, and although it would only be, for each page, maybe 10 visitors per day, it might be in hundreds of websites and maybe be valuable.

Marius: It's true, I've heard about a story, but we didn't really look into the spreading factors, because for us, from the outside, it's very hard. We can't really tell, was that website hacked, or was the miner there intentionally? We could try all possible known exploits currently, but that's kind of a slippery slope if I have to attempt the hack, or if I have to check if the website is actually vulnerable. So we didn't conclude anything there. We just ask, is there a miner active, and we don't look further into that. So we can't tell if this is the website owner or if it was a hacker; there's nothing to conclude there, sadly, from the outside at least.

Moderator: We have a couple more questions. Please, if you're leaving, leave quietly. We have a question from microphone number one.

Question: Yes, there are libraries like WebGL which let you run code through your graphics card. Would it be possible, through something like that, to mine directly on the graphics card?

Marius: I've seen a prototype implementation of that, but it was no longer maintained, and I didn't really try if it actually works. For Monero there's an interesting angle, but if you're mining Monero anyway, you don't really gain that much by that. And also you
have to remember most of your visitors probably don't really have a gaming PC. So you could put a lot of effort into creating a GPU miner, but then you kind of lose out on all the people who are running laptops and don't really have a dedicated graphics card, but still a very decent CPU. So I guess it's just not worth it for the amount of visitors who are running good, modern graphics cards.

Moderator: I've spotted a question at microphone number five. There's one from the internet as well. Please don't be shy, we have plenty of time for questions, so stand up behind the microphones. Signal angel, what does the internet want to know?

Signal angel: Thank you. How could a user prevent cryptojacking in the browser, besides blocking JavaScript completely?

Marius: There are certain countermeasures; actually I had prepared that beforehand, and then I removed it from the talk when I noticed that there are only about 300 miners left. The problem with this detection I've shown you, with the execution traces, is that it involves a lot of runtime overhead, right? If you have this profiler on all the time, you slow down all the websites which don't have a miner, so that doesn't really make sense for me. But there are some extensions; we tried three of them: minerBlock and No Coin, which are two extensions, and the third is basically just a special list for ad blockers which you can subscribe to, which is specialized for mining scripts. These are the numbers of miners that they detected from the set of the 2,500 we found, so they still miss a lot. But it's kind of expected, because they use these static lists, which, as I've shown, kind of work, but the problem is that they miss some. On the other hand the overhead is lower, so if you're really concerned about that, then the most practical thing to do is install such an extension.

Moderator: Yeah, we have a question from microphone number five. Did the person move away? We have a question from microphone number four.

Question: Would there be a way that you could put a crypto miner in a browser
extension, so that it runs on every web page as long as the browser is open?

Marius: Totally, yeah. With extensions you can inject arbitrary code into the page, at least if you have this permission, so it would totally make sense to create such an extension. But you also kind of have the problem that if someone reports it, then it can be easily removed from the extension store. So yeah, it's an interesting approach, but you kind of don't have as much control as if you host it on your own site, right? And you also need this permission to inject the scripts, and that means basically you already have control over all the sites that your user is visiting, so that would be a problem anyway. That's the thing again: you kind of need to trick the user, not to install malware, but to install a malicious extension. And the real cryptojacking, which I've shown you, is basically the easier variant, where you just need somebody to visit your web page, so the bar is much, much lower. That's the advantage here.

Moderator: We have a question from microphone number one.

Question: Have you seen anything like a popover or an iframe or something that would allow it to live beyond when you close the tab?

Marius: No, no, we haven't seen that. A pop-under would work, yes. A normal iframe, no, because if you close the page, that is gone. But yeah, a pop-under would really make sense; maybe someone is using that. But like I said, we did this automatic detection, which means we could visit a lot of websites, but on the other hand, sadly, we might have missed out on those special techniques or something, which you would only find if you really look manually into all the pages. But the pop-under totally makes sense here, because it stays active in the background behind all the tabs.

Moderator: We still have time for questions, so if you are sitting in your seat thinking, do we have time for my question, please get up and move over to one of the microphones. We have five of them: two in the back, one on the way
on the side, and two up front. And the signal angel tells me the internet has a question.

Signal angel: Yes, could LibreJS work against this?

Marius: Sorry, come again?

Signal angel: LibreJS, could it work against this?

Marius: I actually don't know what it's doing, so sadly I can't tell you if it would work against it.

Moderator: Okay, perhaps the internet can rephrase the question while we take a question from microphone number two.

Question: Yes, you said that one way of detecting it was that it was using eight cores simultaneously for a long period of time, but wouldn't web pages like Netflix, or sites with online games, look the same way?

Marius: Yeah, especially with games you have a point. But you have to remember that we didn't really look into whether the CPU is used a lot, but rather whether a single function, in all the code of the website, was executed over and over again. So we really checked if it is the same function here and the same function here and the same function here. Obviously there are also kind of workarounds: if you know that I detect it this way, then you can write your code to do it another way. But currently we just did this, and for a game you could imagine that there's a central update loop which basically draws all the sprites and such, but do you really need to execute this update loop in eight threads in parallel? I would say it's unlikely, but surely we can have some false positives, that's true.

Moderator: Good. If there are no further questions, and Marius does not have anything more to add, then please thank Marius for an excellent talk.
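The execution-trace indicator described in the talk (one function, typically `hash` calling into WebAssembly, invoked over and over in as many Web Workers as the visitor has cores) can be turned into a small defender-side check. The Python below is an added example written for this transcript; it is not the authors' tooling from the talk or the paper. It re-creates the heuristic over constructed profiler-style trace events (worker id, function name, timestamp), with thresholds that are assumptions rather than values from the talk, and it also shows why the single-threaded game update loop raised in the last question does not trigger it while a function hot in several workers at once does.

```python
"""Heuristic detection of in-browser mining from execution traces.

Added example (not from the talk or the paper). The event format, the
threshold values and the sample traces are all constructed for this demo.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class TraceEvent(NamedTuple):
    """One function invocation as a browser profiler would report it (constructed format)."""
    worker: str      # executing thread: "main" or a Web Worker id
    function: str    # JavaScript function name as seen by the profiler
    t_ms: float      # time since page load, in milliseconds


def find_mining_candidates(
    events: Iterable[TraceEvent],
    min_workers: int = 2,             # assumption: parallel hashing needs >= 2 threads
    min_calls_per_worker: int = 50,   # assumption: "called over and over again"
    min_span_ms: float = 5000.0,      # assumption: sustained for at least 5 seconds
) -> Dict[str, Set[str]]:
    """Return {function_name: hot_workers} for every function that is invoked
    repeatedly, for a sustained period, in several workers concurrently.

    This is the talk's indicator: the same function hot in N threads in
    parallel. Raw CPU load is deliberately not used, so a busy page that
    does its work on one thread (a game loop, video playback) is not enough.
    """
    # function -> worker -> timestamps of its invocations
    calls: Dict[str, Dict[str, List[float]]] = defaultdict(lambda: defaultdict(list))
    for ev in events:
        calls[ev.function][ev.worker].append(ev.t_ms)

    flagged: Dict[str, Set[str]] = {}
    for fn, per_worker in calls.items():
        hot_workers = {
            w for w, ts in per_worker.items()
            if len(ts) >= min_calls_per_worker and max(ts) - min(ts) >= min_span_ms
        }
        if len(hot_workers) >= min_workers:
            flagged[fn] = hot_workers
    return flagged


def is_probably_mining(events: Iterable[TraceEvent]) -> bool:
    """True if at least one function matches the parallel-hot-loop pattern."""
    return bool(find_mining_candidates(list(events)))


# --- constructed sample traces -------------------------------------------

def constructed_miner_trace(workers: int = 8, calls: int = 200,
                            span_ms: float = 20000.0) -> List[TraceEvent]:
    """Eight Web Workers each calling `hash` 200 times over 20 s, plus a little
    ordinary page-load work on the main thread."""
    events = [TraceEvent("main", "onload", 0.0), TraceEvent("main", "render", 120.0)]
    for w in range(workers):
        for i in range(calls):
            events.append(TraceEvent(f"worker-{w}", "hash", i * span_ms / calls))
    return events


def constructed_game_trace(frames: int = 600) -> List[TraceEvent]:
    """A browser game's update loop at about 60 fps for 10 s, main thread only:
    heavy CPU use, but a single thread, so the heuristic stays quiet."""
    return [TraceEvent("main", "update", i * 1000.0 / 60) for i in range(frames)]


def constructed_static_page_trace() -> List[TraceEvent]:
    """A normal page: a handful of functions run once at load, then nothing."""
    return [TraceEvent("main", fn, t) for fn, t in
            [("init", 0.0), ("fetchConfig", 30.0), ("render", 80.0), ("bindEvents", 95.0)]]


if __name__ == "__main__":
    for name, trace in [("miner", constructed_miner_trace()),
                        ("game", constructed_game_trace()),
                        ("static", constructed_static_page_trace())]:
        print(f"{name:7s} -> {find_mining_candidates(trace)}")
```

The game trace still executes `update` hundreds of times over ten seconds, but only on the main thread, so it falls below `min_workers`; this is exactly the distinction Marius draws in his last answer. The false positive he concedes remains: a page that legitimately fans the same function out to several workers for a long time would be flagged, so in practice this check is a trigger for closer inspection rather than a verdict on its own.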