All About In-Browser Mining: Coinhive and WebAssembly 2023: What Is Browser Mining?

This article discusses in-browser mining, with a focus on Coinhive and WebAssembly.

Following a few evolutionary leaps via Application Specific Integrated Circuits (ASICs), mining algorithms appear to have reverted to their origins: the ‘humble’ personal computer.

The appropriateness of algorithms such as CryptoNight (which underpins the Monero currency) led to the conversion of the source code to JavaScript and a break from the more traditional practice of using standalone executables for mining in favor of executing code within browser processes. This blog examines the history and current state of in-browser mining.

The Beginning of In-Browser Mining

This new method allowed any browser that supported JavaScript to be used for currency mining, and services quickly appeared to monetize webpages using the method. It was no longer necessary for hackers to distribute and maintain persistent binaries; all that was required was a simple code injection on a web page.

JavaScript is platform-independent, but it operates in a browser sandbox, far from the bare metal and, thus, from optimal performance. In contrast to older PC- and IoT-based solutions, which could run indefinitely (or at least until someone discovered and terminated the related process), the browser-based technique can only operate as long as the page containing the miner remains open.

On the other hand, the web-based method allows further freedom for malicious actors: there is no need to store anything on the same page. Functionality and components can be divided among numerous domains, and previously rented or compromised servers can be repurposed.

Coinhive et al.

Midway through 2017, Coinhive emerged as a credible Monero (XMR) miner based on JavaScript. Once installed on a website, it uses the visitor’s CPU power for mining, giving site owners an alternative revenue stream to traditional adverts. By the end of 2017, more than a thousand websites included its code, which can be at least partially attributed to The Pirate Bay’s early support.

Soon, fingers began to point at the designers, partly because sites were not always prepared to provide an opt-out from executing scripts on visitors’ computers. Many did not even attempt to inform their visitors about this use of their computers.

In response, Coinhive developed a new version that would only become active if explicit permission was granted. Unfortunately, this did not guarantee that Coinhive users would adopt the updated release, particularly those with malevolent intent.

Coinhive’s popularity led to the development of competing services in late 2017 and early 2018, as well as a number of simple mining plugins for major web platforms like WordPress.

WebAssembly

WebAssembly (abbreviated Wasm) is central to the majority of in-browser currency miners. It is a new binary instruction format for a stack-based virtual machine, designed as a portable target for high-level programming languages such as C/C++.

Its primary design objectives include load-time efficiency and near-native execution performance in a memory-safe sandboxed environment – i.e. the in-browser JavaScript sandbox. The WebAssembly Community Group is responsible for the open standard.

The first “Minimum Viable Product” (MVP) release of WebAssembly occurred in March 2017, and the standard is currently supported by all major browsers, including Mozilla Firefox, Google Chrome, Apple Safari, and Microsoft Edge.

The WebAssembly design documents describe multiple use-cases of the technology, and it’s easy to see why coin miner developers would be interested in it: WebAssembly’s emphasis on speed helps close the performance gap between in-browser mining and native mining.
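Because a Wasm module is a binary format with a fixed header, a gateway or analyst can recognise one in a response body whatever its URL or file name, and list what it exports. The sketch below is an added example, not code from the original article; the sample module and its export name `hash_block` are constructed for illustration.

```python
WASM_HEADER = b"\x00asm\x01\x00\x00\x00"   # magic bytes followed by version 1
KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}

def read_leb128(buf, pos):
    """Decode an unsigned LEB128 integer; return (value, next_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated LEB128 value")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def wasm_exports(data):
    """Return [(name, kind)] for a version 1 Wasm module, or None if data is not one."""
    if not data.startswith(WASM_HEADER):
        return None
    exports, pos = [], 8
    while pos < len(data):
        section_id = data[pos]
        size, pos = read_leb128(data, pos + 1)
        end = pos + size
        if end > len(data):
            raise ValueError("section overruns module")
        if section_id == 7:                          # export section
            body = data[pos:end]                     # reads stay inside the section
            count, p = read_leb128(body, 0)
            for _ in range(count):
                n, p = read_leb128(body, p)
                name = body[p:p + n].decode("utf-8", "replace")
                kind, p = read_leb128(body, p + n)   # export kind, a single byte
                _, p = read_leb128(body, p)          # index within that kind
                exports.append((name, KINDS.get(kind, "unknown")))
        pos = end
    return exports

# Constructed sample: a valid module exporting one function and its memory.
SAMPLE_MODULE = (WASM_HEADER
    + bytes.fromhex("010401600000" "03020100" "0503010001")    # type, function, memory
    + b"\x07\x17\x02\x0ahash_block\x00\x00\x06memory\x02\x00"  # export section
    + bytes.fromhex("0a040102000b"))                           # code: one empty body

if __name__ == "__main__":
    print(wasm_exports(SAMPLE_MODULE))
```

Export names are chosen by whoever built the module, so treat them as a triage hint rather than proof of what the code does.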

Is It Malware?

Even the security industry has conflicting opinions over whether or not in-browser mining is fundamentally malicious.

Running a hashing algorithm on someone else’s computer without their knowledge is harmful conduct, as it ultimately constitutes the unauthorized use of their resources.

Even though it shouldn’t cause any damage to the data or the machine’s integrity, it will result in a slower-responding PC and a higher electricity bill, especially if it remains undetected for an extended length of time.

On the other hand, hashing with a user’s permission is not malicious; at least some people may be eager to execute these scripts if it means no advertisements on a website. The Salon website experimented with this method at the start of 2018.

Please note that from this point forward, when we refer to Coinhive, we are strictly referring to the unauthorized use of the Coinhive code and service for mining purposes.

When good dogs do bad things

Malicious users immediately devised multiple ways to insert miners inside users’ browsers. As the miner ran whenever the browser was open, Chrome extensions containing Coinhive code were rapidly developed and provided a vastly superior return compared with simple web pages. Concurrently, a variety of Coinhive blocker extensions were built in an effort to prevent unauthorized website mining.

Initially, Google’s Web Store policy on mining extensions was permissive: an extension could mine as long as mining was its only purpose and the user was fully informed. Yet many extensions did not comply with these standards, so Google recently prohibited mining extensions from the Chrome Web Store.

This left the bad guys with the tried-and-true technique of injecting code into websites.

How does all this work in the wild?

Miners are injected into the code of unknowing websites by exploiting their vulnerabilities. As has been the case for years, this is often accomplished by automated software that scans for known vulnerabilities; once a vulnerable website is identified, it is exploited and malicious JavaScript code is inserted.

Due to the prevalence of browser-based miners among cybercriminals, a vulnerable website may be infiltrated by multiple actors: for example, the website depicted below was compromised by three distinct hackers, each employing a unique browser miner. Note the absence of apparent signs of the miners on the actual site.

Active Infection #1: ‘Basic’ Miner

The first active miner is a widely accessible browser miner tool (referred to in the schematics as “Basic Miner”).

It is less sophisticated than the second active miner and easier to block with a web security gateway, because it relays mining traffic to mining pools through WebSocket-based proxy servers on static domains and uses minimal obfuscation.

Upon loading, it first loads the CryptoNight WASM binary and then starts mining through coinhive.com WebSocket proxies that are publicly known.

Active Infection #2: ‘Advanced’ Miner

Many publicly accessible ‘grey/black’ miners also have private versions for subscribers that are typically designed to be significantly more difficult to discover.

The ‘advanced miner’ retrieves the mining script from a URL shortening service and employs some more advanced obfuscation techniques; however, it should be noted that this is still very basic obfuscation when compared to exploit kits, for example.

An interesting feature of this miner is that it employs a dynamic DNS proxy server to transport mining data via WebSocket connections, making detection and blocking significantly more difficult.

Mitigation

1. Web Sockets

In-browser miners are distinguished by their dependency on WebSockets for communication. As processes operating in a browser sandbox are not permitted to access system sockets, WebSockets were created to enable full-duplex, asynchronous interactions between code running on a webpage and servers – for instance, chat services such as Slack heavily utilize WebSockets.

As the standard for WebSockets requires sessions to be established as HTTP and then “Upgraded” to a WebSocket (see the example below), this precludes direct connection with the vast majority of currency mining “pools” that employ the Stratum protocol.

The operators of in-browser mining operations must therefore set up WebSocket servers to listen for connections from their miners and either process the information internally or externally, depending on whether they manage their own mining pool.

While a coin mining script may appear on dozens or even hundreds of websites, there are likely to be significantly fewer WebSocket servers involved in any deployment, which greatly simplifies blocking using web proxies: the inability to communicate with the mining pool typically results in the elimination of mining activity.
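The handshake and the proxy-side decision described in this section can be sketched as follows. This is an added example, not code from the original article: it recognises the HTTP request that opens a WebSocket and checks its Host against a relay blocklist. The hostnames are constructed (only the coinhive.com domain comes from the article), and the "review" verdict for sockets opened from a different origin is an added heuristic for relays that are not yet listed, such as ones behind dynamic DNS.

```python
BLOCKED_RELAYS = {"coinhive.com", "miner-relay.example"}  # suffix rules; second is constructed

def parse_request(raw):
    """Split a raw HTTP request head into (request_line, lowercase-keyed headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def _tokens(value):
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def is_websocket_upgrade(request_line, headers):
    """Opening handshake: a GET carrying Upgrade: websocket and Connection: Upgrade."""
    return (request_line.upper().startswith("GET ")
            and "websocket" in _tokens(headers.get("upgrade", ""))
            and "upgrade" in _tokens(headers.get("connection", "")))

def hostname(value):
    """Reduce a Host header or Origin URL to a bare lowercase hostname."""
    host = value.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("["):                      # IPv6 literal such as [::1]:8080
        return host[1:host.find("]")].lower()
    return host.split(":", 1)[0].rstrip(".").lower()

def verdict(raw, rules=BLOCKED_RELAYS):
    """Return 'block', 'review' or 'allow' for one proxied request."""
    request_line, headers = parse_request(raw)
    if not is_websocket_upgrade(request_line, headers):
        return "allow"
    host = hostname(headers.get("host", ""))
    if any(host == r or host.endswith("." + r) for r in rules):
        return "block"                            # known relay or a subdomain of one
    origin = hostname(headers.get("origin", ""))
    return "review" if origin and origin != host else "allow"  # added heuristic

def handshake(host, origin):
    """Constructed sample of the HTTP request that opens a WebSocket."""
    return (f"GET /proxy HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: keep-alive, Upgrade\r\nOrigin: {origin}\r\n"
            "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n")

if __name__ == "__main__":
    for host in ("ws1.coinhive.com:443", "a7.ddns.example", "news.example"):
        print(host, "->", verdict(handshake(host, "https://news.example")))
```

For wss:// traffic a proxy sees these headers only when it terminates TLS; otherwise only the hostname in the CONNECT request is available to match against the blocklist.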

2. Disabling WebAssembly and/or JavaScript

As of April 2018, only Firefox and Chrome support the nuclear option of disabling Wasm. To accomplish this, follow the steps below. Before proceeding, consider that this technique is likely to impede the normal operation of an increasing number of websites as the technology becomes more widespread.

In Firefox, navigate to about:config and change javascript.options.wasm to false.

In Chrome, change the value of chrome://flags/#enable-webassembly to disabled.

If deactivating Wasm is the nuclear option, then completely disabling JavaScript is the thermonuclear alternative. To this end, security advice typically includes recommendations for plugins such as NoScript. Again, this will have an impact on the functionality of websites, so you should assess whether it is suitable for your organization and browsing practices.

Conclusions: All About In-Browser Mining: Coinhive and WebAssembly 2023

The continued interest in coin mining is unsurprising, given the rising popularity of cryptocurrencies (despite Bitcoin’s volatile value in 2018). The security sector must answer the question posed above: is it malware?

The mining process is, at its core, nothing more than mathematical instructions run in order to solve a predefined puzzle. This is not necessarily malevolent on its own.

The essential question is whether this activity occurs with the user’s knowledge and consent. Therefore, disabling all mining scripts without understanding their context may not be the ideal strategy.

Forcepoint employs a combinatorial approach to the discovery and blockage of currency miners associated with compromised websites, blocking not just the instances of the scripts that we uncover, but also the WebSocket command/relay servers on which entire campaigns rely.

Jenny Corte