Article Details

Researchers Find Way to Shut Down Cryptominer Campaigns Using Bad Shares and XMRogue. Cybersecurity researchers have detailed two novel methods that can be used to disrupt cryptocurrency mining botnets. The methods take advantage of the design of various common mining topologies in order to shut down the mining process, Akamai said in a new report published today. "We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet's effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure or even abandon the entire campaign," security researcher Maor Dahan said. The techniques, the web infrastructure company said, hinge on exploiting the Stratum mining protocol such that it causes an attacker's mining proxy or wallet to be banned, effectively disrupting the operation. The first of the two approaches, dubbed bad shares, entails banning the mining proxy from the network, which, in turn, results in the shutdown of the entire operation and causes the victim's CPU usage to plummet from 100% to 0%. While a mining proxy acts as an intermediary and shields an attacker's mining pool and, by extension, their wallet addresses, it also becomes a single point of failure by interfering with its regular function. "The idea is simple: By connecting to a malicious proxy as a miner, we can submit invalid mining job results — bad shares — that will bypass the proxy validation and will be submitted to the pool," Dahan explained. "Consecutive bad shares will eventually get the proxy banned, effectively halting mining operations for the entire cryptomining botnet." This, in turn, entails using an in-house developed tool called XMRogue to impersonate a miner, connect to a mining proxy, submit consecutive bad shares, and ultimately ban the mining proxy from the pool. The second method devised by Akamai exploits scenarios where a victim miner is connected directly to a public pool sans a proxy, leveraging the fact that the pool can ban a wallet's address for one hour if it has more than 1,000 workers. In other words, initiating more than 1,000 login requests using the attacker's wallet concurrently will force the pool to ban the attacker's wallet. However, it's worth noting this isn't a permanent solution as the account can stage a recovery as soon as the multiple login connections are stopped. Akamai noted that while the aforementioned methods have been used to target Monero cryptocurrency miners, they can be extended to other cryptocurrencies as well. "The techniques presented above show how defenders can effectively shut down malicious cryptominer campaigns without disrupting the legitimate pool operation by taking advantage of pool policies," Dahan said. "A legitimate miner will be able to quickly recover from this type of attack, as they can easily modify their IP or wallet locally. This task would be much more difficult for a malicious cryptominer as it would require modifying the entire botnet. For less sophisticated miners, however, this defense could completely disable the botnet."