Bitcoin: Monetizing Stolen Cycles
Presented by: Natalie Pollard and Derek Roetzel
UC San Diego, George Mason University, International Computer Institute
Paper by: Danny Yuxing Huang, Hitesh Dharmdasani, Vacha Dave, Chris Grier, Damon McCoy, Alex C. Snoeren and Kirill Levchenko, Sarah Meiklejohn, Stefan Savage, Nicholas Weaver
There are several established ways to make money with a Botnet.
Stealing Bank Accounts
Denial of Service Attack
Sending Spam Messages
Stealing Intangible Goods
Mining bitcoin is a new way that botmasters are attempting to profit.
Mining Cryptocurrency
As infected computers become more valuable, more malware is created and distributed.
Your Computer =
Agenda
● Background on Bitcoin
● Related Work
● Contributions
● Methods
● Findings
● Summary
Some background on bitcoin is helpful in understanding this research.
Currency
Pools
Miners
Block Chain
Currency
● Currency
● Conduct transactions
Miners
● Group together recent transactions into a block
● Add header containing nonce value and perform cryptographic hash algorithm
● If result contains the correct number of leading zeros they receive a payout
● Otherwise they guess a different nonce
● Effectively a state-space search
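The nonce search described on the Miners slide, as an added Python example (not code from the slides or the paper). The block contents are constructed sample values, and the target is expressed as a count of leading zero bits, which is the slide's simplification of Bitcoin's numeric target.

```python
import hashlib
import struct

def block_hash(header: bytes) -> bytes:
    """Double SHA-256 of the 80-byte header, byte-reversed as block hashes are displayed."""
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()[::-1]

def build_header(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int) -> bytes:
    # Layout: version | previous block hash | Merkle root of the block's
    # transactions | time | bits | nonce. The bits field is carried only to
    # keep the real 80-byte layout; this toy sets its target via zero_bits.
    return struct.pack("<I32s32sIII", 1, prev_hash, merkle_root,
                       timestamp, 0x1D00FFFF, nonce)

def meets_target(digest: bytes, zero_bits: int) -> bool:
    """True when the hash, read as a 256-bit number, has zero_bits leading zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - zero_bits))

def mine(prev_hash, merkle_root, timestamp, zero_bits, max_nonce=2**32):
    """Try nonces in order; return (nonce, hex hash, tries) or None if exhausted."""
    for nonce in range(max_nonce):
        digest = block_hash(build_header(prev_hash, merkle_root, timestamp, nonce))
        if meets_target(digest, zero_bits):
            return nonce, digest.hex(), nonce + 1
    return None  # a real miner would change the block contents and search again

# Constructed sample block: all-zero parent hash, placeholder transaction digest.
PREV_HASH = bytes(32)
MERKLE_ROOT = hashlib.sha256(b"constructed sample transactions").digest()
TIMESTAMP = 1_350_000_000

if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, digest, tries = mine(PREV_HASH, MERKLE_ROOT, TIMESTAMP, bits)
        # Each extra zero bit doubles the expected number of guesses (2**bits).
        print(f"{bits:2d} zero bits: nonce={nonce:6d} tries={tries:6d} hash={digest[:20]}...")
```

Every additional required zero bit doubles the expected number of guesses, which is why a single low-powered bot contributes so little and why miners pool their work.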
Block Chain
● Public record made of successfully hashed blocks containing all bitcoin transactions from the beginning of time
● Since the block chain is public, all transactions are public
Pools
● Guessing right nonce is like winning a lottery
● Miners group together to hash blocks and share their profits
Related Work
There are three papers concerning the anonymity of bitcoin as a currency.
● How the Bitcoin Economy Can be Manipulated by a Powerful Adversary
● Majority is Not Enough: Bitcoin Mining is Vulnerable
● Bitcoin in the Presence of Adversaries
There are four papers concerning monetization of botnets.
● What’s Clicking What? Techniques and Innovations of Today’s Click Bots
● Measuring Pay-per-install: The Commoditization of Malware Distribution
● The Underground Economy of Fake Antivirus Software
● Show Me the Money: Characterizing Spam-advertised Revenue
This is the first research released on the use of botnets to mine bitcoin.
There are four major questions addressed by this research.
“Understanding the balance of added cost and risk versus potential revenue from Bitcoin mining is the motivation for our work.”
What malware is being used?
How much profit is being made?
What is the infrastructure and scope?
How much bitcoin are they mining?
Researchers identified malware that has been used to mine bitcoins.
Goals:
● Examine mining malware to learn about the botnet’s infrastructure and the botmaster’s credentials
Sources of Information:
● Malware in repositories that utilize the getwork protocol (a clear sign that the malware is mining)
Researchers found botmaster’s mining credentials and learned about infrastructure.
Goals:
● Find botmasters’ wallet addresses
● Learn about the infrastructure botmasters use to mine
Sources of Information:
● Malware binaries
● Network communications
○ Messages sent by bot to the pool or proxy servers
● Command and control channel
○ Messages sent by the botmaster to bots
● Pool operators
○ Credentials of suspicious miners
● Anti-virus vendors
○ Information on proliferation of mining malware that researchers identified
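Because getwork traffic is treated above as a clear sign of mining, and bot-to-pool messages as a source of mining credentials, a network monitor can flag it directly. The following is an added Python example (not code from the slides or the paper); it assumes getwork is carried as a JSON-RPC call in an HTTP POST with the pool worker name in the HTTP Basic authentication header, and the captured requests, host names and worker name are constructed placeholders.

```python
import base64
import json

def parse_http_request(raw: bytes):
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def getwork_indicator(raw: bytes):
    """Return a finding dict if the request is a getwork JSON-RPC call, else None."""
    try:
        method, _path, headers, body = parse_http_request(raw)
        rpc = json.loads(body)
    except ValueError:  # malformed request line, empty body or invalid JSON
        return None
    if method != "POST" or not isinstance(rpc, dict) or rpc.get("method") != "getwork":
        return None
    worker = None
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token).decode("utf-8", "replace")
            worker = decoded.split(":", 1)[0]  # user part of user:password
        except ValueError:
            worker = None
    # getwork with parameters returns solved work; without, it requests new work.
    return {"host": headers.get("host"), "worker": worker,
            "submits_share": bool(rpc.get("params"))}

# Constructed sample captures (placeholder hosts and worker name).
SAMPLES = [
    b"POST / HTTP/1.1\r\nHost: pool.example.invalid:8332\r\nAuthorization: Basic "
    + base64.b64encode(b"worker01@example.invalid:x")
    + b"\r\nContent-Type: application/json\r\n\r\n"
    + b'{"method": "getwork", "params": [], "id": 1}',
    b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
    b"POST /api HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n"
    + b'{"method": "getinfo", "params": [], "id": 7}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(getwork_indicator(sample))
```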
We have to understand botnet infrastructure to find which pools are being used.
Level of Effort
Once we understand which pools are being used, we can learn more about how much money the botmaster earned.
For bots using a proxy, researchers determined where the work was being sent.
Researchers used two techniques:
● HTTP Cross Login Test
○ Create accounts at major pools and attempt to log in by sending messages to an HTTP proxy
● Block reversal
○ Pools often use specific range of nonce values - determined by sending getwork requests to the pool server
○ If bots only receive nonce values in a specific range we can predict which pool the bot is working for
Using wallet addresses, researchers determined the revenue of specific botmasters
Goal:
● Understand the revenue collected by botmasters
Sources of Information:
● Since all transactions are public, researchers identified the cash inflows for each botmaster's wallet
● Researchers can find the exchange rate at the time the botmaster “cashed out” (converted the bitcoins to USD)
● Other sources include publicly available pool leaderboards and data voluntarily provided by pool operators
All of the pieces come together in a simple equation for total earnings per day.
USD/Day = Seconds/Day x MH/Second x BTC/MH x USD/BTC
● Power (MH/Second): Millions of Hashes performed each second
● Difficulty (BTC/MH): Expected Revenue per million SHA-256 computations
● Exchange Rate (USD/BTC): In US Dollars
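The earnings equation carried through in Python, as an added example (not code from the slides or the paper). It goes one step beyond the slide by deriving the BTC/MH term from network difficulty and block reward, using the approximation that a block at difficulty 1 takes 2^32 hashes on average. The difficulty, reward, exchange rate and botnet size are constructed inputs; the bot cost defaults are the figures the slides give under Costs.

```python
SECONDS_PER_DAY = 86_400
HASHES_AT_DIFFICULTY_1 = 2 ** 32  # approximate expected hashes per block at difficulty 1

def btc_per_mh(difficulty: float, block_reward_btc: float) -> float:
    """The 'Difficulty' term: expected BTC per million SHA-256 computations."""
    expected_mh_per_block = difficulty * HASHES_AT_DIFFICULTY_1 / 1e6
    return block_reward_btc / expected_mh_per_block

def usd_per_day(mh_per_second, difficulty, block_reward_btc, usd_per_btc):
    """USD/Day = Seconds/Day x MH/Second x BTC/MH x USD/BTC."""
    return (SECONDS_PER_DAY * mh_per_second
            * btc_per_mh(difficulty, block_reward_btc) * usd_per_btc)

def bot_cost_per_day(usd_per_1000_bots=5.0, infection_days=7):
    """Purchase price of one bot spread over the days it stays infected."""
    return usd_per_1000_bots / 1000 / infection_days

def botnet_summary(bots, mh_per_second, difficulty, block_reward_btc, usd_per_btc):
    """Per-bot revenue and cost, and the whole botnet's daily profit."""
    revenue = usd_per_day(mh_per_second, difficulty, block_reward_btc, usd_per_btc)
    cost = bot_cost_per_day()
    return {"revenue_per_bot_day": revenue,
            "cost_per_bot_day": cost,
            "botnet_profit_per_day": bots * (revenue - cost),
            "revenue_to_cost": revenue / cost}

# Constructed inputs, chosen so per-bot revenue lands near the slides' $.01 per day.
SAMPLE = dict(bots=10_000, mh_per_second=10, difficulty=3_000_000,
              block_reward_btc=25, usd_per_btc=6.0)

if __name__ == "__main__":
    for key, value in botnet_summary(**SAMPLE).items():
        print(f"{key:24s} {value:.6f}")
```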
Botnets mining bitcoin have varying degrees of success.
In 2012, botmasters could earn high profit margins on mining activities
Costs
● Bots purchased on the black market cost only $5 per 1000
● An average bot was infected for one week
● Therefore: One bot cost on average $.25 per year
● Mining infrastructure is very easy to establish
● Mining does not interfere with other activities, but could make the malware more noticeable
Profits
● An average bot could complete 10 million hashes per second and earned $.01 per day
Since 2014, margins have decreased quickly, and mining has become far less promising.
Since the publication of this research, bitcoin mining has become much less profitable. Many botnets, including one of the world’s largest, have stopped mining altogether. Others have switched to Litecoin mining.
Appendix I: Revenue per MH/s per day over time
Appendix II: Minimum earnings of various mining botnets.
Appendix III: What’s in the block chain?
See all transactions: blockchain.info