# Final project : Cryptojacking ###### tags: `資安` [Intro](https://www.kaspersky.com/resource-center/definitions/what-is-cryptojacking) --- 簡述:劫持其他人的電腦幫自己挖礦(殭屍礦工) 裝置會消耗CPU 記憶體 硬碟 電力來挖礦，替其他人賺錢 ### in-browser cryptojacking 瀏覽器上的劫持 用 javaScript 在web page 去挖加密貨幣，不需要安裝任何東西 >You load the page, and the in-browser mining code just runs. No need to install, and no need to opt-in. * **Question:** [**怎麼用javaScript 實作挖礦?**](https://blog.gtwang.org/web-development/coinhive-website-crypto-miner-tutorial/) * [**javaScript參考2**](https://hackerbits.com/programming/cryptojacking-javascript/) * [**星巴克WiFi挖礦事件**](https://www.ithome.com.tw/news/119518) (**coinhive** //已關閉服務) Motivation & background 動機跟背景? --- 動機:賺取挖礦的利潤 背景:隨者加密貨幣的盛行， 挖礦事業已經從teams of miners running dedicated mining hadware(硬體的CPU/GPU) ->這種做法會消耗大量電力和硬體資源 可在受害者網頁上進行挖礦(mobile device也可以) cryptojacking開始盛行 而且不管你是不是加密貨幣的用戶，你都會被捲入cryptojacking Attack 攻擊模式 --- :::success **兩種主要攻擊方式** 1. By getting the victim to click on a malicious link in an email that loads cryptomining code on the computer 2. By infecting a website or online ad with JavaScript code that auto-executes once loaded in the victim's browser ::: same way with ransomware does phishing and malware 如果駭客可以讓受害主點擊惡意連結(malicious link/email/infected ad /website) 靠script 在 backgroud 跑 >ex: Monero 門羅幣 [**Attack method 簡述**](https://www.csoonline.com/article/3253572/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html) * Endpoint attacks : 傳統攻擊方式，把惡意軟件script等等在端點運作 * Scan for vulnerable servers and network devices : 把目標延伸到server等網路設備，server 效能比端點用戶更強大(**新**主要攻擊方式) * Software supply chain attacks * Leveraging cloud infrastructure **與其他malware不同之處:do not damage computers or victims' data** Defense 防禦模式 --- ### <font color="1F3484">detect cryptojacking(機器學習偵測)</font> 通常cryptojacking不好檢測，因為他是躲藏在背後運作 檢測有沒有cryptojacking可以從三個角度去看 >1. Decreased performance 效能降低(電力掉的速度變快等等) >2. overheating 過熱( laptop or computer's fan is running faster than usual) >3. Central Processing Unit (CPU) usage CPU的使用率 >用 Activity Monitor / Task Manager 監測 (可能會藏在合法的程式裏面變得難以排除) <font color="dark">**一些論文的做法**</font> 1. [Website Cryptojacking Detection Using Machine Learning](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9162342) (不停在讀取區塊鏈上的歷史交易紀錄，也同時在做記憶體的左移與右移) * monitored the **cache activity** * CryptoNight algorithm /Ethash 一些加密貨幣演算法  **作法:** 蒐集 60secs內 每 100 毫秒 的cache hits 和 cache misses 次數 `The reason behind this is that when attacker set higher throttle, which means that the attacker is utilizing the CPU’s maximum capacity for computing hashes and because of which the attacker could compute maximum number of hashes possible` 2. [MINOS*: A Lightweight Real-Time Cryptojacking Detection System](https://www.ndss-symposium.org/wp-content/uploads/ndss2021_4C-4_24444_paper.pdf) 偵測的是wasm-based mining activity(二進位格式) MINOS uses an image-based classification technique 用圖像去區分有無被劫持 早期用黑名單排除惡意網頁很容易被繞過 而大部分是基於特徵分析 Most of these techniques are based on the analysis of dynamic features **缺點**:有很高的運行時間開銷(high runtime overheads)，還會受其他外部程式干擾，而且需要權限才能監測(require administrator privileges to monitor CPU and memory events)，並且這樣在背景下的動態分析也會影響使用者瀏覽網頁的效能 ``` attackers can throttle the resource consumption of their malware, change function names and strings, use proxies, dynamically generated domain names, and encrypted communications that make their detection increasingly challenging. ``` **MINOS 創新做法:** :::success **特徵 :** use of gray-scale image representations of Wasm-binaries in web browsers. **把網頁的wasm 二進制文件轉成灰階的圖 圖會相似是因為即便他們可以踩取各種手段 利用基於卷積神經網絡 (CNN) 的 Wasm 分類器將圖像分類為惡意（即加密劫持）或良性** // utilizes a Convolutional Neural Network (CNN)-based Wasm classifier to classify the image as either malicious(惡意) (i.e., cryptojacking) or benign(良性). MINOS does not require continuous monitoring of CPU, memory, and network events or counting running instructions. **不像上面需要持續監控CPU memory network event也不用在背景持續running** ::: **Malicious Cryptocurreny Mining Detection Systems** 1. Browser-based Mining (Cryptojacking) Detection `tries to find out how similar the analyzed module is to cryptojacking malware Wasms. In addition, it monitors cache events during runtime` 2. Host-based Stand-alone Mining Detection 針對主機的攻擊:用opcode sequences 和 system calls of windows portable executable files 3. Network-based Detection ### <font color="1F3484">**against cryptojacking**</font> >1. Use a good cybersecurity program: >2. Use browser extensions designed to block cryptojacking: minerBlock, No Coin, and Anti Miner 不好用因為(malicious entities that use cryptojacking malware change their domains’ names frequently) >3. Disable JavaScript:但這樣有些網頁功能就沒辦法使用 >* JavaScript的工作 * 嵌入動態文字 * 對瀏覽器事件做出回應 * 讀寫HTML元素 * 在資料被提交到伺服器之前驗證資料 * 檢測訪客的瀏覽器資訊 * 控制cookie建立、修改…等 >4. 討論 --- **公平交易?** >網頁提供你免費服務 Vs 使用者幫忙挖礦? :::info **大綱** 1. 動機/背景/cryptojacking intro 2. 攻擊模式 3. 具體例子 4. 防禦模式 5. 未來發展 :::