Bitcoin: Monetizing Stolen Cycles

Presented by: Natalie Pollard and Derek Roetzel

UC San Diego, George Mason University, International Computer Institute

Paper by: Danny Yuxing Huang, Hitesh Dharmdasani, Vacha Dave, Chris Grier, Damon McCoy, Alex C. Snoeren and Kirill Levchenko, Sarah Meiklejohn, Stefan Savage, Nicholas Weaver

Post on 05-Jun-2020

There are several established ways to make money with a botnet.

Stealing Bank Accounts

Denial of Service Attack

Sending Spam Messages

Stealing Intangible Goods

Mining bitcoin is a new way that botmasters are attempting to profit.

Mining Cryptocurrency

As infected computers become more valuable, more malware is created and distributed.

Your Computer =

Agenda
● Background on Bitcoin
● Related Work
● Contributions
● Methods
● Findings
● Summary

Some background on bitcoin is helpful in understanding this research.

Currency

Pools

Miners

Block Chain

Some background on bitcoin is helpful in understanding this research.

Currency
● Currency
● Conduct transactions

Miners
● Group together recent transactions into a block
● Add header containing nonce value and perform cryptographic hash algorithm
● If result contains the correct number of leading zeros they receive a payout
● Otherwise they guess a different nonce
● Effectively a state-space search

Some background on bitcoin is helpful in understanding this research.

Block Chain
● Public record made of successfully hashed blocks containing all bitcoin transactions from the beginning of time
● Since the block chain is public, all transactions are public

Pools
● Guessing right nonce is like winning a lottery
● Miners group together to hash blocks and share their profits

Related Work

There are three papers concerning the anonymity of bitcoin as a currency.
● How the Bitcoin Economy Can be Manipulated by a Powerful Adversary
● Majority is Not Enough: Bitcoin Mining is Vulnerable
● Bitcoin in the Presence of Adversaries

There are four papers concerning monetization of botnets.
● What’s Clicking What? Techniques and Innovations of Today’s Click Bots
● Measuring Pay-per-install: The Commoditization of Malware Distribution
● The Underground Economy of Fake Antivirus Software
● Show Me the Money: Characterizing Spam-advertised Revenue

This is the first research released on the use of botnets to mine bitcoin.

There are four major questions addressed by this research.

“Understanding the balance of added cost and risk versus potential revenue from Bitcoin mining is the motivation for our work.”

What malware is being used?

How much profit is being made?

What is the infrastructure and scope?

How much bitcoin are they mining?

Researchers identified malware that has been used to mine bitcoins.

Goals:
● Examine mining malware to learn about the botnet’s infrastructure and the botmaster’s credentials

Sources of Information:
● Malware in repositories that utilize the getwork protocol (a clear sign that the malware is mining)

Researchers found botmaster’s mining credentials and learned about infrastructure.

Goals:
● Find botmasters’ wallet addresses
● Learn about the infrastructure botmasters use to mine

Sources of Information:
● Malware binaries
● Network communications
  ○ Messages sent by bot to the pool or proxy servers
● Command and control channel
  ○ Messages sent by the botmaster to bots
● Pool operators
  ○ Credentials of suspicious miners
● Anti-virus vendors
  ○ Information on proliferation of mining malware that researchers identified

We have to understand botnet infrastructure to find which pools are being used.

Level of Effort

Once we understand which pools are being used, we can learn more about how much money the botmaster earned.

For bots using a proxy, researchers determined where the work was being sent.

Researchers used two techniques:
● HTTP Cross Login Test
  ○ Create accounts at major pools and attempt to log in by sending messages to an HTTP proxy
● Block reversal
  ○ Pools often use specific range of nonce values - determined by sending getwork requests to the pool server
  ○ If bots only receive nonce values in a specific range we can predict which pool the bot is working for

Using wallet addresses, researchers determined the revenue of specific botmasters

Goal:
● Understand the revenue collected by botmasters

Sources of Information:
● Since all transactions are public, researchers identified the cash inflows for each botmaster's wallet
● Researchers can find the exchange rate at the time the botmaster “cashed out” (converted the bitcoins to USD)
● Other sources include publicly available pool leaderboards and data voluntarily provided by pool operators

All of the pieces come together in a simple equation for total earnings per day.

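$$\frac{\text{USD}}{\text{Day}} = \frac{\text{Seconds}}{\text{Day}} \times \frac{\text{MH}}{\text{Second}} \times \frac{\text{BTC}}{\text{MH}} \times \frac{\text{USD}}{\text{BTC}}$$

● Power (MH/Second): Millions of hashes performed each second
● Difficulty (BTC/MH): Expected revenue per million SHA-256 computations
● Exchange Rate (USD/BTC): In US dollars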
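
The earnings equation above, carried through as an added example (not code from the paper or the presenters). It goes one step beyond the slide by deriving the BTC/MH term from network difficulty, using the standard relation that a block takes difficulty × 2^32 hashes on average, and by inverting the equation to size a botnet from an observed wallet inflow. The difficulty, block reward and exchange rate are assumed illustrative inputs; the 10 MH/s per bot is the figure the slides give for an average bot.

```python
SECONDS_PER_DAY = 86_400
HASHES_AT_DIFFICULTY_1 = 2 ** 32  # expected hashes to find a block at difficulty 1

def btc_per_mh(difficulty, block_reward_btc):
    """Expected BTC earned per million hashes (the BTC/MH term)."""
    expected_hashes_per_block = difficulty * HASHES_AT_DIFFICULTY_1
    return block_reward_btc * 1e6 / expected_hashes_per_block

def usd_per_day(mh_per_second, difficulty, block_reward_btc, usd_per_btc):
    """USD/Day = Seconds/Day x MH/Second x BTC/MH x USD/BTC."""
    return (SECONDS_PER_DAY * mh_per_second
            * btc_per_mh(difficulty, block_reward_btc) * usd_per_btc)

def estimate_hash_power(btc_inflow_per_day, difficulty, block_reward_btc):
    """Invert the equation: MH/s implied by an observed daily wallet inflow."""
    return btc_inflow_per_day / (SECONDS_PER_DAY
                                 * btc_per_mh(difficulty, block_reward_btc))

def estimate_bot_count(btc_inflow_per_day, difficulty, block_reward_btc,
                       mh_per_bot=10.0):
    """Always-on bot equivalents behind an inflow (pool fees and idle time ignored)."""
    return estimate_hash_power(btc_inflow_per_day, difficulty,
                               block_reward_btc) / mh_per_bot

# Assumed illustrative inputs, not values taken from the slides.
ASSUMED_DIFFICULTY = 3_000_000
ASSUMED_REWARD_BTC = 50.0
ASSUMED_USD_PER_BTC = 5.0

if __name__ == "__main__":
    per_bot = usd_per_day(10.0, ASSUMED_DIFFICULTY, ASSUMED_REWARD_BTC,
                          ASSUMED_USD_PER_BTC)
    print("USD/day for one 10 MH/s bot: %.4f" % per_bot)
    bots = estimate_bot_count(10.0, ASSUMED_DIFFICULTY, ASSUMED_REWARD_BTC)
    print("bots implied by a 10 BTC/day inflow: %.0f" % bots)
```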

Botnets mining bitcoin have varying degrees of success.

In 2012, botmasters could earn high profit margins on mining activities

Costs
● Bots purchased on the black market cost only $5 per 1000
● An average bot was infected for one week
● Therefore: One bot cost on average $.25 per year
● Mining infrastructure is very easy to establish
● Mining does not interfere with other activities, but could make the malware more noticeable

Profits
● An average bot could complete 10 million hashes per second and earned $.01 per day

Since 2014, margins have decreased quickly, and mining has become far less promising.

Since the publication of this research, bitcoin mining has become much less profitable. Many botnets, including one of the world’s largest, have stopped mining altogether. Others have switched to Litecoin mining.

Appendix I: Revenue per MH/s per day over time

Appendix II: Minimum earnings of various mining botnets.

Appendix III: What’s in the block chain?

See all transactions: blockchain.info