Professional Documents
Culture Documents
in the Wild
Amin Kharraz† Zane Ma† Paul Murley† Charles Lever⋄
Joshua Mason† Andrew Miller† Nikita Borisov† Manos Antonakakis⋄ Michael Bailey†
blockchain and assigns mining tasks to each miner that connects Monerominer
Coinhave
Monero
Monero
✓
-
✓
✓
28 (0.9%)
15 (0.5%)
to it. These tasks are a low threshold version of the actual proof- Monero.cc
Webmine
Monero
Monero
✓
-
✓
✓
10 (0.3%)
-
of-work puzzle, so that the mining pool can record and reward Inwemo Monero - ✓ -
incremental mining effort. Occasionally, when one of the completed Total - 10 families 14 families (100%) 3,006 (100%)
tasks constitutes a successful block, the mining pool adds the block Table 1: The training set of cryptojacking libraries we collected.
to the blockchain and claims the associated mining reward for Wappalyzer recognized all the libraries collected, but lacks market
itself. Then, periodically, the mining pool will distribute a portion share (MS%) data for most of the families at the time of writing. Our
of this reward among its mining accounts in proportion to the work labeled dataset of 3,006 websites covers 12 of 14 (85%) cryptojacking
accomplished; the rest is kept as a mining pool fee. These fees are
libraries.
typically around 10–30%, but can be as low as 1% or 2% [51].
The description provided thus far has focused on the components still achieves high detection coverage if adversaries utilize different
involved in the cryptojacking workflow. In reality, many of these levels of obfuscation techniques.
components are controlled by a shared operator. To elucidate the The prior work most relevant to ours is MineSweeper [30], which
common mappings between components and operators, we present introduces a static analysis technique to study the wasm code used
two scenarios: full-service cryptojacking and do-it-yourself (DIY) by cryptojacking code. While this approach is an improvement
cryptojacking. For full-service cryptojacking such as CoinHive, a over the status quo, it would be desirable to complement it with a
website owner or hijacker only needs to create a CoinHive account more generic approach that requires minimal human intervention.
and then insert a script inclusion tag her website. In this scenario, Outguard does not require manual analysis, and does not rely on
CoinHive operates the delivery server and the mining pool / proxy. cryptographic primitive identification. This was a conscious design
For a DIY use case, the publisher may host her own delivery server choice to avoid possible false positive cases, as acknowledged by
and have the cryptojacking code connect to a public mining pool. the authors [30]. MineSweeper also shows that CPU cache L1 event
monitoring can be quite useful in detecting cryptojacking websites
2.2 Related Work by analyzing two cryptojacking families with 100% CPU usage.
While WebAssembly provides significant freedom to manage the
Techniques seeking to gain financial profit through unauthorized
memory layout, an adversary may not be able to selectively load
access to a victim computer are numerous. There is a large body
mining operations in the L1 or L3 cache in order to bypass the pro-
of work studying adversarial attempts to profit from end-user ma-
posed detection. However, our analysis reveals that cryptojacking
chines. Ransomware [25, 27, 29, 45], malicious advertisements [7,
libraries impose different L1 cache event loads as a function of the
33, 35, 57], click fraud [19], web-based social engineering attacks [5,
CPU threshold, leaving threshold-based approaches still vulnerable
8, 9, 26, 34, 52, 54], online scams [28, 40], and Potentially Unwanted
to future evasion. Furthermore, measuring CPU cache events is
Programs (PUPs) [31, 43, 49] are only a few examples of these ac-
a very expensive operation, as the entire process of inferring the
tivities in the wild. In the following paragraphs, we explain more
state of the CPU cache is very sensitive to noise and to the global
closely related work on cryptojacking operations.
status of other active applications on the test machine. This makes
A subset of prior work on cryptojacking [16, 41, 47] mainly fo-
approaches similar to MineSweeper less likely to scale. Outguard
cuses on the impacts of unwanted mining on user machines (e.g.,
does not have this limitation, and the detection accuracy of Out-
CPU utilization), and provides an estimate of network size and rev-
guard is not impacted by the type of cryptographic function or
enue for CoinHive. In this paper, we mainly focus on less noisy fea-
CPU-related features (see Section 3). Thus, Outguard is a more
tures that can facilitate automatic detection. Very recently, Konoth
generic solution to the same problem space.
et al. [30] and Hong et al. [20] concurrently and independently
performed systematic analyses on cryptojacking incidents. Hong
et al. [20] proposed two techniques by statically searching for a 3 OUTGUARD
set of fixed signatures in cryptojacking code as well as identifying Because cryptojacking is still in its infancy, existing detection
patterns in the execution stack. The authors demonstrated the in- mechanisms are still sparse and relatively naive: NoCoin [46],
sufficiency of blacklists and provide insight on a set of techniques minerBlock [4], and CoinBlockerLists [1] rely on open-source, user-
(e.g., obfuscation) that are currently used by adversaries to bypass updated blacklists to match domains or filenames. Building of an
blacklists. While there are some similarities between their detection automated cryptojacking detection system in this nascent land-
approach and ours (e.g., identifying specific patterns), Outguard scape requires a full construction process: building a ground-truth
mainly relies on dynamic behaviors of cryptojacking libraries that dataset, creating features, selecting features, training a classification
are the core components of in-browser cryptojacking, and that are model, and finally evaluating the model under benign and adver-
quite unlikely to be used in the same way in benign programs. We sarial inputs. In this section, we describe Outguard’s architecture,
elaborate on the feature set in Section 3, and show that the system shown in Figure 2, and detail its implementation and performance.
3
Visiting via Feature Feature Model Searching &
Benign/Malicious Dynamic Trace Analyst
Instrumented Browser Construction Selection Evaluation
Dataset Collection
number of identical tasks as a numeric value for detection. Table 2: 10-fold cross-validation on Support Vector Ma-
WebAssembly WebAssembly, or wasm [55], is a new web stan- chines (SVM) and Random Forest (RF), using balanced (BD)
dard introduced in 2015 that allows web developers to specify and imbalanced (ID) datasets. We selected SVM as the clas-
assembly-like code that executes on modern browsers at near-native sifier for Outguard because of its superior 96.2–97.9% TPR
speeds. The performance of WebAssembly makes it an attractive and 0.2–1.1% FPR.
target for processing intensive cryptomining, and we found that
all cryptojacking libraries in our training set use WebAssembly. operations inside loops. These operations are pushed to the Mes-
Outguard detects the usage of WebAssembly by monitoring the sageLoop of the thread to be sequentially processed. While use of
exchange of wasm modules between the main execution thread and MessageLoop does not by itself necessarily mean that a website
web workers. This detection technique, which is oblivious to the is performing cryptojacking operations, a significantly large num-
communication obfuscation found in some variants of CoinHive, ber of MessageLoop events during a short site visit, along with
results in a boolean feature that indicates the presence or absence other features, can be an indication of cryptojacking. We report the
of WebAssembly. number of MessageLoop events as a numeric value.
WebSockets WebSockets are a low-overhead, full-duplex com-
munication channel over TCP that was standardized in 2011. Our 3.3 Prototype Implementation
analysis shows that most mining modules in a browser establish a Automatic recording of the dynamic behavior of client-side JavaScript
WebSocket connection to a remote mining pool/proxy. In addition code, such as resource usage, code provenance, and network com-
to overcoming some limitations of JavaScript APIs in accessing the munication, is a non-trivial challenge. In order to extract these
TCP socket, WebSocket provides a faster communication channel features from websites, we instrumented Chromium and leveraged
than standard TCP, as it eliminates the sending of additional HTTP the Chromium Debugging Protocol [17] to access nearly all the
headers for each client-side request. We also observed that cryp- functionality of DevTools [18]. More specifically, the crawler col-
tojacking libraries use WebSocket APIs to receive data from the lected browser request and response traces, JavaScript execution
mining pool which reduces bandwidth usage. Outguard searches traces, and the source code of both inline and dynamically loaded
for webSocketCreate events in its JS execution traces and outputs JavaScript code. This set of information was sufficient to attribute
a numeric feature value for the number of WebSocket connections. specific JavaScript code to the requested computational resources,
Hash Algorithms As shown in Table 1, Monero is the most com- the functions being executed, any external code referenced by the
mon cryptocurrency mined by cryptojacking libraries. Monero min- function, and the execution time spent per function. This trace
ing is a proof-of-work (PoW) task that requires the repeated calcula- data includes all features we discussed with respect to the feature
tion of the CryptoNight hashing algorithm, which can be calculated selection phase. We deployed the Outguard crawler on 40 vir-
efficiently on consumer CPUs. Outguard identifies CryptoNight tual machines. For each website, the crawler stayed on the visited
hashing by searching for specific function names and binary signa- website for 45 seconds and interacted with the page by programmat-
tures in JS execution call stacks. For instance, JSECoin and some ically scrolling to the bottom of the page to simulate user behavior.
CoinHive variants call functions named module._cryptonight_hash We empirically found that 45 seconds was sufficient time for a
and CryptonightWASMWrapper.hash, respectively. On the other cryptojacking website to load a cryptojacking library, communicate
hand, CoinHave embeds and executes binary wasm hashing func- with a mining pool, and run mining tasks. Our analysis on 1,000
tions inline for which we also developed detection signatures. This randomly selected websites shows that the run-time overhead of
detection mechanism outputs a boolean feature. the instrumentation layer is approximately 2%.
The second module of Outguard is a classifier that analyzes
PostMessage Event Load Web workers constantly have to send the collected data and detects cryptojacking websites by incor-
the results of mining operations to the main process by sending the porating the features described in Section 3.4. To construct the
job id, the nonce, and the result of each operation. This information detection model, we tested multiple classification algorithms and
is then sent to mining proxies over WebSocket connections in order found that an SVM classifier produced the best detection results
to manage mining tasks. The communication between the renderer on the training dataset. To construct the classification model, we
process and the web workers is handled via PostMessage. As the used the SVM implementation provided by scikit-learn [48]. We
number of web workers is significantly high in cryptojacking web- evaluate the classifier in Section 3.4.
sites, and PostMessages are the only form of communication with
web workers in most modern browsers, a large number of PostMes- 3.4 Evaluation
sage events in site visits can be an indication of cryptojacking. We
In this section, we examine Outguard’s detection accuracy on the
report the total number of PostMessage events as a numeric feature.
ground-truth training dataset and compare it with CPU utilization,
MessageLoop Event Load Chromium performs task manage- an existing cryptojacking detection heuristic. To identify the best
ment among threads by using MessageLoop. When a WebAssmebly machine learning algorithm for automatic classification of crypto-
module is loaded into a web worker thread, it starts cryptographic jacking libraries, we ran a 10-fold cross-validation on our BD and
5
Rank Feature Category Score Ratio New?
1 No. Web Workers E 100% ✓
2 Creating Identical Tasks E 93.7% ✓ 1.00
3 PostMessage Event Load L 91.2% ✓
4 Using WebAssembly E 85.8% [20, 30]
5 MessageLoop Event Load L 82.3% ✓ 0.95 1.00
6 Using Hash Functions M 76.4% [20]
of Support Vector Machines (SVM) and Random Forests (RF), based Exclude mining-based & network-based features
0.75
on prior work that showed these two classification algorithms work All features
Exclude mining-based feature
well on balanced and imbalanced datasets [28]. As shown in Ta- Exclude mining, network, and event-based features
0.70
ble 2, both models perform above 95% TPR and below 3% FPR. We 0.0 0.2 0.4 0.6 0.8 1.0
False Positive Rate
selected SVM as the default classifier for Outguard because it
slightly outperforms the RF model across both training sets.
The SVM model chosen for Outguard is highly selective, achiev- Figure 3: Detection results of Outguard on the labeled
ing TPR rates of 96.2% and 97.9% for our BD and ID datasets, respec- dataset when different evasive scenarios were used.
tively. Our analysis of the detected cases revealed that Outguard 3.4.2 Evaluating the Effectiveness of CPU Utilization. We com-
achieved a false positive rate (FP) of 1.1% (with 32 false detections) pared Outguard’s classification model against a CPU usage model
on an imbalanced dataset. Further manual analysis revealed that which is a detection heuristic utilized by several reports [14, 39].
all the false positive cases were a set of parked domains that in- We collected the traces of all websites in our BD training dataset
serted 29 JavaScript scripts, on average, including trackers and that consumed at least 50% of the total CPU capacity. One might
advertisements. These websites were falsely labeled as cryptojack- expect a 50% CPU usage threshold to be reasonable for detecting
ing because multiple trackers were using WebSocket connections cryptojacking given that we observed cryptojacking libraries from
for communications, and some of these scripts created multiple all 12 families establish CPU thresholds of at least 50% of the total
threads for client-side data processing. Our manual analysis of the CPU capacity. The CPU usage heuristic was applied to the BD. Out
false negative cases revealed that Outguard was unable to detect of the 2,000 non-cryptojacking websites in BD, CPU usage heuristic
some variants of CoinImp because they did not contain indicative misclassified 263 as cryptojacking websites (false positive rate =
function calls in their execution traces, and they used fewer than 13.1%). Manual inspection of a handful of these cases revealed non-
three web workers. cryptojacking websites that introduced high CPU overhead due to
3.4.1 Feature Analysis. We divided the features we selected in a large number of requests and responses, constant JavaScript com-
Section 3.2 into four categories in order to reason about subse- pilation, and frequent dynamic changes in the DOM during script
quent analysis, such as feature ranking and classification evasion, loads. For example, a visit to cnn.com, a high-profile news website,
from a feature function perspective. The categories are (1) runtime generated an execution trace with 151 unique domain names that
execution-based features such as WebAssembly usage; web worker were used to retrieve JavaScript resources and other content (e.g.,
quantity, and running of parallel tasks for mining activities; (2) a fonts, images, and styles).
network-based feature which describes the type of communication Our comparative analysis demonstrates that it is not uncommon
between the mining module and the mining pool; (3) event load- for non-cryptojacking websites to exhibit high CPU utilization,
based features such as MessageLoop and PostMessage Load, and (4) even for websites that typically do not require elevated CPU usage
a mining-based feature that looks for hash algorithm fingerprints. in order to function. CPU utilization can be a helpful feature for
To determine the significance of each incorporated feature, we analysis of cryptojacking at small scales, but it is a less effective
performed recursive feature elimination (RFE) using Outguard’s feature for automatic detection at scale. CPU usage is a noisy signal—
SVM model on the BD dataset. The ranking procedure begins with relying on this heuristic increases the likelihood of false positive
all seven features. At each subsequent step, a feature with the mini- cases when hundreds of thousands of websites are being analyzed.
mum weight is removed, and the FP and TP rates are re-calculated
to measure the contribution of the removed feature. Table 3 displays
3.5 Adversarial Considerations
the ranks of all features, in descending order of importance. For Cryptojacking operators, like malware authors, are likely to exercise
convenience, we derived a score ratio by dividing each feature score techniques to evade Outguard by changing their implementation
with the maximum score. We found that the five most predominant strategies. To address potential evasion scenarios, we evaluated the
detection features target the dynamic characteristics of cryptojack- efficacy of Outguard’s SVM model with specific feature categories
ing, making the system more resilient to common evasions such selectively removed. Figure 3 summaries the results of the experi-
as code obfuscation. This matches our intuition that such behav- ment. The solid green curve shows the ROC curve of Outguard
iors contribute to successful mining operation – avoiding these when it incorporates all the features into the detection model. The
techniques would likely impact revenue generation. dotted purple curve represents the ROC curve in the absence of
mining-based features. Evasion of this feature from the detection
6
model is a realistic possibility as our approach to detect hashing al- Results Experiment 1 Experiment 2 Total
gorithm usage is somewhat brittle because it is based on collecting Target crawl size Alexa 1 Million Alexa 600K -
in-line binaries that are statically included in cryptojacking libraries URLs visited
Unique cryptojacking domains
3,798,433
5,873
1,329,684
429
5,128,117
6,302
or on finding references to a specific hash function in execution New detections 3,171 429 3,600 (57%)
traces. Cryptojacking operators can re-generate cryptojacking bina- Overlap with MinerBlock
Overlap with AntiMiner
-
-
-
-
3,776 (60%)
3,684 (58.5%)
ries by adding dead code or by renaming functions, much as evasive
Table 4: Number of cryptojacking incidents detected by Out-
malware does, to bypass mining-based feature. In this scenario, the
guard. 3,600 (57%) of the detected cryptojacking websites
detection performance of Outguard degrades, but it still achieves
were new detections.
a relatively high detection accuracy, with 93% TPR and 1.2% FPR.
The mining-based feature is important, but as suggested by the data, we characterized the broader cryptojacking ecosystem by
RFE analysis, it is not precariously important, since Outguard still examining the websites on which cryptojacking occurs, and the
achieves high detection results without it. infrastructure supporting its mining and monetization. We later
In the next step, we excluded the network-based feature with performed a scan of the Alexa Top 600K websites to supplement
the assumption that a cryptojacking library may forgo a websocket the case study.
connection to the mining pool/proxy server and connect through For the real-world application of Outguard, we enabled Google
other means instead. For instance, the code may use standard TCP Safe Browsing in our instrumented browser to avoid falsely re-
connections or JSONP or other communication techniques. In this porting cryptojacking that might be prevented by default browser
case, Outguard will rely on event loads and runtime execution protection mechanisms. That allowed us to represent realistically
features to identify cryptojacking activity. The dashed blue ROC the cryptojacking exposure of an end-user browsing the web. We
curve illustrates Outguard’s performance with mining-based and also modified Outguard to access 3 random links on each Alexa
network-based features excluded. The system still achieves 92% Top webpage to simulate user interaction/navigation on the page.
TPR and 1.5% FPR. In the final experiment, we removed the event The measurements were conducted over two time ranges: the first
load features under the assumption that adversaries may try to limit scan took place from February 12 to April 15, 2018, on the Alexa
the number of threads, and thereby impact the generated events Top 1M websites, and the second scan took place from October
between the web workers and the host process. The red ROC curve 20 to October 30, 2018, on the Alexa Top 600K websites. In total,
illustrates Outguard’s performance. In this case, Outguard relies Outguard reported 6,302 cryptojacking websites across 5,128,117
solely on runtime execution features to identify cryptojacking ac- URLs, as shown in Table 4.
tivity. Use of runtime features (e.g., WebAssembly) in cryptojacking
libraries is vital from profitability perspective, as these libraries 4.1 Obtaining User Consent
have to incorporate such browser functionalities to use system
Mining cryptocurrency in a browser is not inherently malicious,
resources effectively. Failing to do so would make the in-browser
and in-browser cryptomining has been presented as a justifiable
cryptomining not practical or less attractive for generating revenue.
business model alternative to advertising and captcha services. The
So in this final scenario, the classification accuracy has decreased
lack of user consent is the distinguishing factor between legitimate
significantly with the loss of networking features, down to 87%
in-browser cryptomining from cryptojacking.
with 1.1% FPR.
We performed a manual analysis of 100 randomly selected web-
Note that while an adversary can evade network or event load
sites that contained the JSECoin library by visiting the websites
features, doing so will likely have a significant effect on the efficacy
and checking whether the opt-in system was enabled on them. 22%
of mining operations, as the mining module requires low-overhead
of the websites were not reachable during the manual check (e.g.,
connections in order to communicate with mining pools. Further-
mxqproject.com, masir.us). We found that in the remaining 78%
more, as discussed in Section 2, in-browser cryptojacking relies on
of websites, the JSECoin cryptojacking library was automatically ex-
multiple external parties to operate. Consequently, network-level
ecuted without user consent (e.g., media9.pk, seriesenlinea.net).
changes requires compatibility with the rest of the parties involved
Furthermore, on late 2017, CoinHive introduced a version of crypto-
in the ecosystem (e.g., pools and proxies). Moreover, minimizing
mining code called AuthedMine, which requires user permission to
of JS event loads to evade the corresponding feature set is not a
turn the browser into a Monero miner. We did not find any instance
trivial task, as the entire operation, including task management
of this library either in the training or in the large-scale deployment
and task execution, significantly depends on the communication
of Outguard, which mirrors other reports [24]. This experiment
between the host process and the mining threads. Overall, we argue
suggests that website operators are likely to be reluctant to use
that a tool similar to Outguard can provide robust detection of
libraries with explicit opt-in forms, and that most detected cases
cryptojacking websites and potentially increase the operational
do, in fact, constitute cryptojacking.
costs of cryptojacking or reduce the generated revenue of such
operations.
4.2 Detection Coverage Evaluation
In total, Outguard detected 6,302 cryptojacking websites. 3,600
4 REAL-WORLD DEPLOYMENT of the detected sites in our two experiments were newly detected
We demonstrated the feasibility of real-world deployment of Out- websites not observed in the training dataset. Since we do not have
guard by performing an analysis of the Alexa Top 1M websites. ground truth labeled data in the large-scale experiment, we cannot
Outguard detected 5,873 instances of cryptojacking. Using this provide precision-recall analysis of the detection results. However,
7
manual analysis shows that Outguard falsely reported 14 web- FQDN Lookups (%) e2LD+eTLD Lookups (%)
sites as cryptojacking because they were loading several frames coinhive.com*† 128.31M (21.5%) coinhive.com*† 308.09M (51.7%)
cnhv.co*† 34.83M (5.8%) cnhv.co*† 34.83M (5.8%)
and iframes to embed videos and pop-ups. In addition to creating moonbit.co.in† 15.53M (2.6%) adsptp.com† 19.10M (3.2%)
www.adsptp.com† 13.60M (2.3%) watchfree.to† 17.30M (2.9%)
multiple threads, we observed several WebSocket connections with 1480876790.rsc.cdn77.org† 12.87M (2.2%) moonbit.co.in† 15.61M (2.6%)
mining pool proxies (e.g., xmrpool.net). As shown in Table 4, Out- Total 595.67M (100%) Total 595.67M (100%)
guard had approximately 40% more coverage than MinerBlock and Table 5: Grouping the top passive DNS lookups by FQDN
41.5% more coverage than AntiMiner. and e2LD+eTLD highlights that the expanded passive DNS
While disrupting the communication between the cryptojacking dataset includes two types of domains: cryptojacking admin-
libraries and the mining pools is an effective mitigation technique, istration domains (*) and cryptojacking website domains(†).
this approach is less likely to be very successful in identifying dif-
ferent variants of cryptojacking families. For example, the naive relative popularity of the cryptojacking domains. Through the lens
versions of cryptojacking families make queries to a specific address of one of the largest U.S. ISPs, we collected the contents and daily
that can easily be detected and blocked. However, we observed lookup volume of DNS resource records (RRs) for all successful
several cases of Crypto-loot, JSECoin, and CoinImp, which use DNS resolutions. We extracted all passive DNS RRs that match the
legitimate cloud deployment services (e.g., now.sh) for this pur- seed list of 5,873 cryptojacking domains from the initial Alexa Top
pose. Unsurprisingly, it is impractical to block a domain name or 1M real-world deployment and also included RRs with subdomains
IP address that belongs to cloud services without affecting a large of the seed list. This dataset consisted of 595.6 million RRs collected
number of other legitimate applications. Consequently, these exten- from April 2016 to March 2018.
sions are limited to domains that do not map to cloud services, and
can therefore be evaded fairly easily. We posit that a solution such 1
11
Sophos_ZeroAccess_Botnet.pdf, 2012.
[57] Zarras, A., Kapravelos, A., Stringhini, G., Holz, T., Kruegel, C., and Vigna,
G. The dark alleys of madison avenue: Understanding malicious advertisements.
In Proceeding of 2014 ACM Internet Measurement Conference (IMC) (2014), pp. 373–
380.
12