Crypto-jacking – Computerphile


I wanted to talk about crypto-jacking, right, which is, I mean the name itself it starts off in a good way
Sometimes called drive-by mining also a great name.
This is the idea that
we can trick someone instead of maybe putting a virus on their machine
I mean it might still be a virus, but we can trick them into mining some cryptocurrency for us.
And that way we make a profit
Think of it like an alternative in crime sensitive ransomware where you trying to get money off someone by taking control of their files.
We’re now just trying to use some of their CPU power to earn us some money
Right, so theoretically they mine some coins for us. They send them to us and then we
We profit from those
So this all came about because a company called Coinhive decided that maybe instead of showing people adverts online
They could just use a little bit of their CPU to mine you cryptocurrency while they’re browsing and that way they don’t have to look
at adverts and you still get paid for your your website. Right now that
Actually is not a bad idea or in some sense
The idea would be but you go to let’s say a newspaper and instead of seeing a load of banner ads
You see a little ticker that says you’re mining some cryptocurrency while you’re on this website
and you know
We’re gonna make a small amount of money off this in exchange for you not having any ads and reading the news for free, right?
Okay, and I mean the amount of money you’re gonna spend a couple of minutes reading an article
It’s not very much right if you even if your CPUs on a hundred percent, this is JavaScript
So you you go to a website. It serves you a script which instructs your computer to start mining these coins
The problem is that it wasn’t long before people thought well, we don’t maybe we should just not ask permission, right? We should we should
Have them mine all the coins all the time. Right? And the other thing was that coin hive has a
Feature, which lets you only use let’s say 60% of a CPU
So there’s some overhead for Mouse
Events and things that are kind of important to keep the operating system running and of course
The malware programmers thought, well you know, 100%, right? So I’ve just got this web server set up on my machine
I’ve extended my classic blog. This is the world’s best blog, of course, right?
It looks good and it’s got good content on it […] with a nice banner ad which also happens to mine me some Manero cryptocurrency.
Right so let’s have a look, so you can see here
I’ve got my blog before it’s got my comments and my cat pictures I had before and it’s also got this lovely banner ad which
I made for my shop which is not a real shop. Don’t send me any money.
You will also notice now if you look at my CPU monitor
Which I’ve also got running
It’s sitting on 100% and if we leave it for a minute
We’re going to start hearing my fan get louder and louder and louder because basically the entirety of my CPU is mining Monero cryptocurrency now.
I mean I didn’t notice the mouse is still responding. I mean, you know it’s a modern PC
But you know, you wouldn’t necessarily know apart from the fact that your fan has spun up. Now, it’s also not plugged in
So the battery is going to be draining pretty fast.
The good news is that this is already less common than it was just a few months ago because Chrome, Firefox
You know
Antivirus vendors and things like this are all cracking down on these kind of scripts. Now Coinhive as I pointed out,
Is actually a legitimate company. They weren’t intending on people abusing this service
So they’ve now got an opt-in version where a little pop-up turns up and you can say I do opt-in for this time instead of
Ads or something like this, right that isn’t blocked by browsers because that’s a legitimate commercial
Alternative to ads but of course Coinhive aren’t the only people that are making these, right?
So you’re going to have clones you’re going to have malware that does this and you can just imagine that instead of getting ransomware
You’ll just get something like this and runs on your PC instead
And the same is true also for phones. So you might download an app, which seems too good to be true
Oh there’s not even any adverts on this free game and maybe it’s because it’s using up extra of your CPU to mine
Crypto currency if you were doing this in Bitcoin, you wouldn’t you wouldn’t get a look-in. Essentially. I could mine with my CPU
Bitcoins, you know for hundreds of years and never get any, right? Because compared to the size of the Bitcoin network
We’ve all their dedicated hardware. My CPU is a nonentity essentially
Manero is slightly different Monero has a a
Hashing function, but it uses in the mining process
which is quite hard to do on a GPU and
So you get some but not a lot of benefit from having a dedicated rig, right? Two times, maybe.
Given the cost of a graphics card not very good
so actually you could have a lot of Android phones competing with big graphics cards in Monero specifically and
and
So in some sense there is a point to do it.
Now, that’s one of the reasons it was designed this way to allow people on phones and things to mine.
But it has this benefit that or benefit depending on who you are that it’s a good target for this kind of
malware, right? Because if you have a website where everyone is mining
Monero for you. It’s not gonna make you a huge amount of money
but it’ll make you some and Monero is one of these currencies that’s a little bit hard to keep a track of and
So maybe you can get away of it
That’s that’s the idea.
My browser and my extensions block it, my antivirus on my machine blocks it, the university firewall blocks it.
So, I’m currently I have all of those disabled and I’m rooting through my 4G phone connection. It works fine at home
I know good or bad
So, you know, like I say, vendors of things like antivirus are taking a lot of steps to
To fix this. I’m gonna close this now because it’s it’s not that loud actually
Sean: It’s basically the thing that says: “Many things for sale, buy now.” That’s got some JavaScript […]
Mike: Well, yeah, I mean, this is just an image, but yeah …
Just next to it is some script that does it. You could imagine that if I was running a like a newspaper
Website I’m being served ads by some ad company
All I have to do to get in there
Is pay some money to have an advert deployed which also happens to have this script. No one’s going to go to my blog, right?
It’s not online but also because no it’s rubbish.
So what I if I was an attacker
It would be much smarter for me to try and take over a site
Where lots of people are going. This came into a news because in February 2018 an
Accessibility website that are just like screen reading and things like this was hacked and their JavaScript file had some
Monero mining code
Inserted into it and this website was serving JavaScript to about 4000 UK and US government websites among others
including the Information Commissioner’s Office and various high-level government websites.
This meant that when you went on those web sites to let’s say find out about something important
You were actually mining Monero for the attackers not ideal
Sean: Could you work out who did it?
Mike: Absolutely, well no all you can all you know is I mean assuming …
Sean: the wallet
Mike: All you know is the address that the Monero is being mined to right and as usual
You’ve got the traceability issues of that. If they use that address to buy like pizza to their house
It might be slightly easier to find them. But if they try and hide it, it’s gonna be harder
This is the code that was inserted into all these government websites. This is not my code.
My code is much simpler than this and it’s also not obfuscated
So this has been encoded to try and make it harder for anti-viruses to find and then this is deobfuscated version
Which is essentially looking up the Coinhive JavaScript and then pointing it towards this address
Which you shouldn’t mine Monero for because they’re malware writers.
Sean: They weren’t even writing their own JavaScript, they were using Coinhive’s actual — Mike: Yeah
Yeah, I mean, it’s pretty lazy, really.
Yes, so I think now some are writing their own JavaScript or embedding it into Java apps or for Android phones and things like this
But yes, when Coinhive first came out. This wasn’t I would say an unexpected side effect of their new idea.
Like I say they’ve kind of come up with a more legitimate way of doing this now and they have interesting things like
CAPTCHAs which do a little bit of hashing
as an alternative to pick these
Images that have road signs in, right? Just just do a little bit of CPU, which is interesting enough
But yeah
So I think going forward we’re going to see fewer of these deployed in a browser
Unless they can find a way of getting around these new browser restrictions
But they might start to find their way into more actual malware, right? Maybe instead of encrypting everyone’s files
you just take over their CPU for a while and
Make some money that way or do both at the same time. Both: Or do you buy for the same time?
Mike: Yeah, why not?
Sean: The free games thing is quite classic because I mean we’re all used to just getting games for free and expecting you that purchases
Mike: Yeah, when you download an app, it’s got free access to your CPU. It could do this
You’ll know because your phone will get hot and your battery will go [… noise of draining battery …] like this
But that happens with some games that are poorly written anyway, so how do we know that? You’ve got a hope?
I suppose that there’s some vetting process on the apps, which might hopefully detect this kind of stuff
But it’s not always going to be easy to find
And so you can expect a few of these to pop up from time to time
We’re going to say “document.write(”)”
Okay, now that’s it’s going to write nothing to the screen, right?
So my comment on my blog, it’s just going to be a script that does nothing. Okay, that’s not very interesting
So let’s do something a bit more interesting our PHP file takes the cooking gives an image back
So let’s just show it on the screen, right? So image tag in HTML.is the image tag …

100 Comments

Add a Comment

Your email address will not be published. Required fields are marked *