This forum requires Javascript to be enabled for posting content
This article appears in the Malwarebytes September Issue 1 (2018) and sent to members who wish to receive informative articles. Read along, share and enjoy, Mindblower!
All about cryptojacking
Cryptojacking (also called malicious cryptomining) is an emerging online threat that hides on a computer or mobile device and uses the machine’s resources to “mine” forms of online money known as cryptocurrencies. It’s a burgeoning menace that can take over web browsers, as well as compromise all kinds of devices, from desktops and laptops, to smart phones and even network servers.
Like most other malicious attacks on the computing public, the motive is profit, but unlike many threats, it’s designed to stay completely hidden from the user. To understand the mechanics of the threat and how to protect yourself against it, let’s begin with a bit of background.
What are cryptocurrencies?
Cryptocurrencies are forms of digital money that exist only in the online world, with no actual physical form. They were created as an alternative to traditional money, and gained popularity for their forward-looking design, growth potential, and anonymity. One of the earliest, most successful forms of cryptocurrency, Bitcoin, came out in 2009. By December 2017, the value of a single bitcoin had reached an all-time high of nearly $20,000 USD, then dropped below $10,000. Bitcoin’s success inspired dozens of other cryptocurrencies that operate in more or less the same way. Less than a decade after its invention, people all over the world use cryptocurrencies to buy things, sell things, and make investments.
Two words—“cryptography” and “currency”—combine to form “cryptocurrency,” which is electronic money, based on the principles of complex mathematical encryption. All cryptocurrencies exist as encrypted decentralized monetary units, freely transferable between network participants. Or put more simply, cryptocurrency is electricity converted into lines of code, which have a real monetary value.
“Units of cryptocurrency (called “coins”) are nothing more than entries in a database.”
Units of cryptocurrency (called “coins”) are nothing more than entries in a database. In order to perform a transaction that alters the database, one must meet certain conditions. Think of how you track your own money in a bank account. Whenever you authorize transfers, withdrawals, or deposits, the bank’s database updates with your new transactions. Cryptocurrencies work in a similar way, but with a decentralized database.
Unlike traditional currencies, cryptocurrencies like bitcoin aren’t backed by a specific government or bank. There is no government oversight or central regulator of cryptocurrency. It is decentralized and managed in multiple duplicate databases simultaneously across a network of millions of computers that belong to no one person or organization. What’s more, the cryptocurrency database functions as a digital ledger. It uses encryption to control the creation of new coins and verify the transfer of funds. All the while, the cryptocurrency and its owners remain completely anonymous.
The decentralized, anonymous nature of cryptocurrencies means there is no regulating body that decides how much of the currency to release into circulation. Instead, the way most cryptocurrencies enter circulation is through a process called “mining.” Without going too in depth, the mining process essentially turns computing resources into cryptocurrency coins. At first, anyone with a computer could mine cryptocurrency, but it quickly turned into an arms race. Today, most miners use powerful, purpose-built computers that mine cryptocurrency around the clock. Before long, people started to look for new ways to mine cryptocurrency, and cryptojacking was born. Instead of paying for an expensive mining computer, hackers infect regular computers and use them as a network to do their bidding.
If cryptocurrencies are anonymous, how do people use them?
Cryptocurrency owners keep their money in virtual “wallets,” which are securely encrypted with private keys. In a transaction, the transfer of funds between the owners of two digital wallets requires that a record of this exchange be entered into the decentralized public digital ledger. Special computers collect data from the latest Bitcoin or other cryptocurrency transactions about every 10 minutes and turn them into a mathematical puzzle. There, the transaction-within-a-puzzle awaits confirmation.
Confirmation only happens when members of another category of participants, called miners, independently solve the complex mathematical puzzles that prove the transaction’s legitimacy, thereby completing the transaction from the owner of one wallet to another. Typically, an army of miners toils away on the puzzle simultaneously in a race to be the first with the puzzle proof that authenticates the transaction.
“Miners found that even high-end PCs with a powerful processor could not mine profitably enough to cover the costs involved.”
The miner who first solves the encrypted problem receives a reward, usually some amount of new cryptocoin. This approach was specially conceived as an incentive for those who sacrifice the time and computing power of their computers to maintain the network and create new coins. Because the complexity of the puzzle calculations has steadily increased over time (and particularly for Bitcoin), miners found that even high-end PCs with a powerful processor could not mine profitably enough to cover the costs involved.
Miners stepped up their game by adding sophisticated video cards, sometimes multiple cards, to handle the burdensome calculations. Eventually, miners who wanted to stay competitive ramped up to building huge farms of computers with dedicated hardware for mining cryptocurrencies on a commercial scale. That is where we are today: serious cryptocurrency players invest big money into a high-stakes battle against other miners in order to solve the puzzle first and claim their reward.
Scaling up to this massive effort is a hugely expensive arms race, requiring a lot of processing power and electricity to increase miners’ chances of being profitable. For instance, before China shut down cryptocurrency farms in that country, monthly electrical bills reportedly reached $80,000.
“If you’re a victim of cryptojacking, you may not notice.”
What is cryptojacking?
Cryptojacking is a scheme to use people’s devices (computers, smartphones, tablets, or even servers), without their consent or knowledge, to secretly mine cryptocurrency on the victim’s dime. Instead of building a dedicated cryptomining computer, hackers use cryptojacking to steal computing resources from their victims’ devices. When you add all these resources up, hackers are able to compete against sophisticated cryptomining operations without the costly overhead.
If you’re a victim of cryptojacking, you may not notice. Most cryptojacking software is designed to stay hidden from the user, but that doesn’t mean it’s not taking its toll. This theft of your computing resources slows down other processes, increases your electricity bills, and shortens the life of your device. Depending on how subtle the attack is, you may notice certain red flags. If your PC or Mac slows down or uses its cooling fan more than normal, you may have reason to suspect cryptojacking.
The motivation behind cryptojacking is simple: money. Mining cryptocurrencies can be very lucrative, but turning a profit is now next to impossible without the means to cover large costs. To someone with limited resources and questionable morals, cryptojacking is an effective, inexpensive way to mine valuable coins.
The latest cryptojacking (malicious cryptomining) news
Labs CTNT report shows shift in threat landscape to cryptomining
Malicious cryptomining and the blacklist conundrum
The state of malicious cryptomining
How does cryptojacking work?
Cryptojackers have more than one way to enslave your computer. One method works like classic malware. You click on a malicious link in an email and it loads cryptomining code directly onto your computer. Once your computer is infected, the cryptojacker starts working around the clock to mine cryptocurrency while staying hidden in the background. Because it resides on your PC, it’s local—a persistent threat that has infected the computer itself.
An alternative cryptojacking approach is sometimes called drive-by cryptomining. Similar to malicious advertising exploits, the scheme involves embedding a piece of JavaScript code into a Web page. After that, it performs cryptocurrency mining on user machines that visit the page.
“Drive-by cryptomining can even infect your Android mobile device.”
In early instances of drive-by cryptomining, web publishers caught up in the bitcoin craze sought to supplement their revenue and monetize their traffic by openly asking visitors’ permission to mine for cryptocurrencies while on their site. They posed it as a fair exchange: you get free content while they use your computer for mining. If you’re on, say, a gaming site, then you probably will stay on the page for some time while the JavaScript code mines for coin. Then when you quit the site, the cryptomining shuts down too and releases your computer. In theory, this isn’t so bad so long as the site is transparent and honest about what they’re doing, but it’s hard to be sure the sites are playing fair.
More malicious versions of drive-by cryptomining don’t bother asking for permission and keep running long after you leave the initial site. This is a common technique for owners of dubious sites, or hackers that have compromised legitimate sites. Users have no idea that a site they visited has been using their computer to mine cryptocurrency. The code uses just enough system resources to remain unnoticed. Although the user thinks the visible browser windows are closed, a hidden one stays open. Usually it’s a pop-under which is sized to fit under the task bar or behind the clock.
Drive-by cryptomining can even infect your Android mobile device. It works with the same methods that target desktops. Some attacks occur through a Trojan hidden in a downloaded app. Or users’ phones can be redirected to an infected site that leaves a persistent pop-under. There’s even a Trojan out there that invades Android phones with an installer so nefarious, that it can tax the processor to the point that the phone overheats, makes the battery bulge, and essentially leaves your Android for dead. So there’s that.
You might think, “Why use my phone and its relatively minor processing power?” But when these attacks happen en masse, the greater number of smartphones out there adds up to a collective strength worth the cryptojackers’ attention.
Some cybersecurity pros point out that, unlike most other types of malware, cryptojacking scripts do no damage to computers or victims’ data. But stealing CPU resources has consequences. Sure, slower computer performance might just be an annoyance for an individual user. But for larger organizations that might have suffered many cryptojacked systems, there are real costs. Electricity costs, IT labor costs, and missed opportunities are just some of the consequences of what happens when an organization is affected by drive-by cryptojacking.
How prevalent is cryptojacking?
Cryptojacking is relatively new, but it’s already one of the most common online threats. In a recent Malwarebytes blog, our intel team reports that since September 2017, malicious cryptomining (another term for cryptojacking) has been our most common malware detection. The following month, in an article published in October 2017, Fortune suggested that cryptojacking is the next major security threat in the online world. More recently, we saw a 4000 percent increase in detections of Android-based cryptojacking malware through the first quarter of 2018.
What’s more, the cryptojackers continue to up their game, invading increasingly powerful hardware. One example is an incident where criminals cryptojacked the operational technology network of a European water utility’s control system, degrading the operators’ ability to manage the utility plant. In another instance from the same report, a group of Russian scientists allegedly used the supercomputer at their research and nuclear warhead facility to mine Bitcoin.
“Criminals even seem to prefer cryptojacking to ransomware.”
As stunning as these intrusions are, cryptojacking of personal devices remains the more prevalent problem, since stealing little amounts from many devices can amount to large sums. In fact, criminals even seem to prefer cryptojacking to ransomware (which also relies on cryptocurrency for anonymous ransom payments), as it potentially pays hackers more money for less risk.
How do I protect myself from cryptojacking?
Whether you’ve been cryptojacked locally on your system, or through the browser, it can be difficult to manually detect the intrusion after the fact. Likewise, finding the origin of the high CPU usage can be difficult. Processes might be hiding themselves or masking as something legitimate in order to hinder you from stopping the abuse. As a bonus to the cryptojackers, when your computer is running at maximum capacity, it will run ultra slow, and therefore be harder to troubleshoot. As with all other malware precautions, it’s much better to install security before you become a victim.
One obvious option is to block JavaScript in the browser that you use to surf the web. Although that interrupts the drive-by cryptojacking, this could likewise block you from using functions that you like and need. There are also specialized programs, such as “No Coin” and “MinerBlock,” which block mining activities in popular browsers. Both have extensions for Chrome, Firefox, and Opera. Opera’s latest versions even have NoCoin built in.
“Whether attackers try to use malware, a browser-based drive-by download, or a Trojan, you’re protected against cryptojacking.”
However, our suggestion is to avoid a purpose-built solution and look for a more comprehensive cybersecurity program. Malwarebytes, for example, protects you from more than just cryptojacking. It also prevents malware, ransomware, and several other online threats. Whether attackers try to use malware, a browser-based drive-by download, or a Trojan, you’re protected against cryptojacking.
In a threat landscape that’s constantly morphing, staying safe from the latest menaces like cryptojacking is a full-time job. With Malwarebytes, you’ll have the means to detect and clean up any kind of intrusion and ensure your computer resources remain yours alone.
(For further reading, see “How to protect your computer from malicious cryptomining” by Pieter Arntz.)
"For the needy, not the greedy"
1 Guest(s)