MANiC: Multi-step Assessment for Crypto-miners

Modern browsers have become sophisticated applications, providing a portal to the web. Browsers host a complex mix of interpreters such as HTML and JavaScript, allowing not only useful functionality but also malicious activities, known as browser-hijacking. These attacks can be particularly difficult to detect, as they usually operate within the scope of normal browser behaviour. CryptoJacking is a form of browser-hijacking that has emerged as a result of the increased popularity and profitability of cryptocurrencies, and the introduction of new cryptocurrencies that promote CPU-based mining. This paper proposes MANiC (Multi-step AssessmeNt for Crypto-miners), a system to detect CryptoJacking websites. It uses regular expressions that are compiled in accordance with the API structure of different miner families. This allows the detection of crypto-mining scripts and the extraction of parameters that could be used to detect suspicious behaviour associated with CryptoJacking. When MANiC was used to analyse the Alexa top 1m websites, it detected 887 malicious URLs containing miners from 11 different families and demonstrated favourable results when compared to related CryptoJacking research. We demonstrate that MANiC can be used to provide insights into this new threat, to identify new potential features of interest and to establish a ground-truth dataset, assisting future research.
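The following is an added example, not code or patterns from the MANiC paper: a sketch of matching a miner family's API structure with a regular expression and extracting its parameters from page source. It assumes the publicly documented Coinhive-style constructor (`new CoinHive.Anonymous(siteKey, {throttle: ...})`); the `assess` function, the throttle floor and the "suspicious" heuristic are hypothetical, and the sample pages are constructed.

```python
import re

# Constructor shape of a Coinhive-style API, e.g.
#   new CoinHive.Anonymous('SITE_KEY', {throttle: 0.3})
# Illustrative pattern written for this example; not one of MANiC's regexes.
CONSTRUCTOR = re.compile(
    r"""new\s+CoinHive\.(?P<kind>Anonymous|User)\s*\(\s*
        (?P<q>['"])(?P<site_key>[^'"]+)(?P=q)   # first argument: site key
        (?P<rest>[^)]*)\)                       # remaining arguments
    """,
    re.VERBOSE,
)
THROTTLE = re.compile(r"throttle\s*:\s*(?P<value>\d*\.?\d+)")
START = re.compile(r"\.start\s*\(")

# Constructed page sources (not taken from any real site).
SAMPLE_PAGES = {
    "http://a.example/": '<script>var miner = new CoinHive.Anonymous('
                         '"CONSTRUCTED_KEY_1"); miner.start();</script>',
    "http://b.example/": "<script>var m = new CoinHive.User('CONSTRUCTED_KEY_2',"
                         " 'visitor-7', {throttle: 0.8});"
                         " if (optedIn) { m.start(); }</script>",
    "http://c.example/": "<p>A blog post that mentions CoinHive in prose.</p>",
}


def assess(html, throttle_floor=0.3):
    """Step 1: find miner constructors. Step 2: extract their parameters.
    Step 3: flag findings whose parameters suggest unthrottled mining."""
    calls_start = START.search(html) is not None
    findings = []
    for m in CONSTRUCTOR.finditer(html):
        t = THROTTLE.search(m.group("rest"))
        # Assumption: an absent throttle option means no idle time (0.0).
        throttle = float(t.group("value")) if t else 0.0
        findings.append({
            "kind": m.group("kind"),
            "site_key": m.group("site_key"),
            "throttle": throttle,
            "calls_start": calls_start,
            # Assumed heuristic: miner is started and throttled below the floor.
            "suspicious": calls_start and throttle < throttle_floor,
        })
    return findings


if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(url, assess(html))
```

A plain-text mention of the family name (the third sample) produces no finding, because the pattern keys on the API call structure rather than on a keyword.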
