Cybersecurity researchers have detailed two novel methods that can be used to disrupt cryptocurrency mining botnets.
The methods take advantage of the design of various common mining topologies in order to shut down the mining process, Akamai said in a new report published today.
"We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet's effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure or even abandon the entire campaign," security researcher Maor Dahan said.
The techniques, the web infrastructure company said, hinge on exploiting the Stratum mining protocol such that it causes an attacker's mining proxy or wallet to be banned, effectively disrupting the operation.
The first of the two approaches, dubbed bad shares, involves banning the mining proxy from the network, which, in turn, results in the shutdown of the entire operation and causes the victim's CPU usage to plummet from 100% to 0%.
While a mining proxy acts as an intermediary and shields an attacker's mining pool and, by extension, their wallet addresses, it is also a single point of failure: interfering with its normal function disrupts every miner that depends on it.
"The idea is simple: By connecting to a malicious proxy as a miner, we can submit invalid mining job results — bad shares — that will bypass the proxy validation and will be submitted to the pool," Dahan explained. "Consecutive bad shares will eventually get the proxy banned, effectively halting mining operations for the entire cryptomining botnet."
This, in turn, involves using an in-house developed tool called XMRogue to impersonate a miner, connect to a mining proxy, submit consecutive bad shares, and ultimately get the mining proxy banned from the pool.
The second method devised by Akamai exploits scenarios where a victim miner is connected directly to a public pool without a proxy, leveraging the fact that the pool can ban a wallet address for one hour if it has more than 1,000 workers.
In other words, initiating more than 1,000 concurrent login requests using the attacker's wallet will force the pool to ban that wallet. However, it's worth noting this isn't a permanent solution, as the account can recover as soon as the multiple login connections are stopped.
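The two pool policies the report relies on (a source IP whose shares keep failing validation gets banned, and a wallet with more than 1,000 logged-in workers gets banned for an hour) are easiest to understand from the pool's side of the Stratum connection. The following toy pool-side model is an added example, not Akamai's XMRogue tool or any real pool's code: the `login`/`submit` JSON-RPC shape follows the XMRig-style Monero Stratum dialect as I understand it, the proof-of-work check is a SHA-256 stand-in for RandomX, the bad-share threshold and its ban length are assumed constants, and every IP address, wallet name and job blob is constructed. It replays both scenarios from the article against that model and shows why the proxy-based one is fatal to everything behind the proxy, while the worker-cap one expires once the extra connections stop.

```python
import hashlib
import json
import time
from collections import defaultdict

BAD_SHARES_BEFORE_BAN = 3       # assumed: consecutive invalid shares per source IP before a ban
BAD_SHARE_BAN_SECONDS = 600     # assumed ban length for a bad-share streak
MAX_WORKERS_PER_WALLET = 1000   # from the report: more than 1,000 workers on one wallet
WALLET_BAN_SECONDS = 3600       # from the report: the wallet is banned for one hour


def share_is_valid(job_blob: str, nonce: str, difficulty: int) -> bool:
    """Stand-in proof-of-work check: sha256(blob||nonce) must be below 2**64 / difficulty.
    Real Monero pools verify RandomX instead, but the ban policy on top is the same."""
    digest = hashlib.sha256((job_blob + nonce).encode()).digest()
    return int.from_bytes(digest[:8], "little") * difficulty < 2 ** 64


def find_nonce(job_blob: str, difficulty: int, valid: bool = True) -> str:
    """Brute-force a nonce whose validity equals `valid` (a valid one is what a miner earns)."""
    n = 0
    while share_is_valid(job_blob, f"{n:08x}", difficulty) != valid:
        n += 1
    return f"{n:08x}"


class PoolPolicy:
    """Pool-side state: bad-share streak per source IP, worker set per wallet, active bans."""

    def __init__(self, job_blob: str, difficulty: int, now=time.time):
        self.job_blob, self.difficulty, self.now = job_blob, difficulty, now
        self.bad_streak = defaultdict(int)   # src_ip -> consecutive invalid shares
        self.ip_banned_until = {}            # src_ip -> unix time the ban expires
        self.workers = defaultdict(set)      # wallet -> connection ids currently logged in
        self.wallet_banned_until = {}        # wallet -> unix time the ban expires

    def handle(self, src_ip: str, conn_id: str, raw: str) -> dict:
        """Process one Stratum JSON-RPC line (login or submit) and return the pool's reply."""
        if self.ip_banned_until.get(src_ip, 0) > self.now():
            return {"error": "ip banned"}
        msg = json.loads(raw)
        method, params = msg.get("method"), msg.get("params", {})
        if method == "login":
            wallet = params["login"]
            if self.wallet_banned_until.get(wallet, 0) > self.now():
                return {"error": "wallet banned"}
            self.workers[wallet].add(conn_id)
            if len(self.workers[wallet]) > MAX_WORKERS_PER_WALLET:
                self.wallet_banned_until[wallet] = self.now() + WALLET_BAN_SECONDS
                self.workers[wallet].clear()     # the pool drops every connection on that wallet
                return {"error": "wallet banned"}
            return {"result": {"id": conn_id, "status": "OK"}}
        if method == "submit":
            if share_is_valid(self.job_blob, params["nonce"], self.difficulty):
                self.bad_streak[src_ip] = 0      # a good share resets the streak
                return {"result": {"status": "OK"}}
            self.bad_streak[src_ip] += 1
            if self.bad_streak[src_ip] >= BAD_SHARES_BEFORE_BAN:
                self.ip_banned_until[src_ip] = self.now() + BAD_SHARE_BAN_SECONDS
                return {"error": "ip banned"}
            return {"error": "low difficulty share"}
        return {"error": "unknown method"}


def login(pool, src_ip, conn_id, wallet):
    return pool.handle(src_ip, conn_id, json.dumps({"method": "login", "params": {"login": wallet}}))


def submit(pool, src_ip, conn_id, nonce):
    return pool.handle(src_ip, conn_id, json.dumps({"method": "submit", "params": {"nonce": nonce}}))


def demo() -> dict:
    """Replay both scenarios from the report against the toy pool and return what happened."""
    clock = [1_000_000.0]                    # controllable clock so the one-hour ban can be skipped over
    pool = PoolPolicy("constructed-job-blob", difficulty=64, now=lambda: clock[0])
    good = find_nonce(pool.job_blob, pool.difficulty, valid=True)
    bad = find_nonce(pool.job_blob, pool.difficulty, valid=False)
    out = {}

    # Scenario 1: every bot behind one proxy shares the proxy IP's fate. A streak of invalid
    # shares forwarded from that IP bans it, and the victims' good shares are rejected with it.
    proxy_ip = "203.0.113.10"                # constructed (RFC 5737 documentation range)
    login(pool, proxy_ip, "proxy-conn", "WALLET_A")
    out["good_share_before"] = submit(pool, proxy_ip, "proxy-conn", good)
    for _ in range(BAD_SHARES_BEFORE_BAN):
        last = submit(pool, proxy_ip, "proxy-conn", bad)
    out["proxy_banned"] = last == {"error": "ip banned"}
    out["good_share_after"] = submit(pool, proxy_ip, "proxy-conn", good)

    # Scenario 2: bots talk to the pool directly, so the per-wallet worker cap is the lever.
    # Each login arrives on its own connection; the 1,001st trips the cap and bans the wallet.
    for i in range(MAX_WORKERS_PER_WALLET + 1):
        last = login(pool, f"198.51.100.{i % 254}", f"flood-{i}", "WALLET_B")
    out["wallet_banned"] = last == {"error": "wallet banned"}
    out["bot_login_during_ban"] = login(pool, "192.0.2.7", "bot-1", "WALLET_B")
    clock[0] += WALLET_BAN_SECONDS + 1       # once the extra connections are gone, the ban just expires
    out["bot_login_after_ban"] = login(pool, "192.0.2.7", "bot-1", "WALLET_B")
    return out
```

Note how the two outcomes differ in the model exactly as the article describes: the IP ban in scenario 1 rejects the victims' otherwise valid shares because they all arrive from the proxy's address, whereas the wallet ban in scenario 2 is time-boxed and lifts on its own once the worker count drops back under the cap.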
Akamai noted that while the aforementioned methods have been used to target Monero cryptocurrency miners, they can be extended to other cryptocurrencies as well.
"The techniques presented above show how defenders can effectively shut down malicious cryptominer campaigns without disrupting the legitimate pool operation by taking advantage of pool policies," Dahan said.
"A legitimate miner will be able to quickly recover from this type of attack, as they can easily modify their IP or wallet locally. This task would be much more difficult for a malicious cryptominer as it would require modifying the entire botnet. For less sophisticated miners, however, this defense could completely disable the botnet."