Evaluating the Effectiveness of Miner Blocker Browser Extensions

Monero XMR

JavaScript crypto miners have been around for quite a while. Monero (XMR), the crypto currency mined by these scripts was released in April 2014. As shown in the following figure, the increase in price of Bitcoin was coupled with increase in price of Ethereum and Monero. This jump led to these in browser miners being over emphasized in the media.

Monero price vs Bitcoin and EtheriumAdvertisements being replaced by miners

Website administrators started including miner scripts in their websites. The more the user stays on the website, the more Monero mined. Coinhive review: Embeddable JavaScript Crypto Miner – 3 days in [1] shows that using JavaScript crypto miners in place of advertisements provides a marginally smaller revenue. The takeaway is that miners can’t replace ads, but using both of them or using miners specifically on websites where users spend more time like video sharing or gaming websites can increase the income.

Replacing annoying advertisements with annoying miners

Many of us use ad blockers to prevent advertisements being shown on websites when we are surfing the web. Use of these blockers brings up many arguments and ethical concerns, since ads are usually the source of income for websites, by blocking them the income for these websites is being limited. On the other hand we see Malwaretisement campaigns abusing ad networks to distribute their malware and compromise users’ machines. As websites started including miners in their pages, users started using miner blocker extensions to stop the miners from running. In this study we analysed top miner blocker extensions for Firefox and Google Chrome and report on their effectiveness. List of analysed extensions is available in the following table:

 

Firefox Chrome
No Coin (84,524 Users) No Coin (570,185 Users)
No Miner (28,413 Users) Miner Block (157,807 Users)
Miner Block (15,557 Users) CryptoMiner Blocker (5,811 Users)
Mining Blocker (12,187 Users)

 

 “No Coin” has more than half a million installation on Chrome store. In the next step we analyse the source code of these extensions. Turns out the same method of blocking is used in nearly all of them. A set of regex statements that match URLs that the main javascript for known miners are hosted on, one example of this would be:

https://coinhive.com/lib/coinhive.min.js

and the regex matching this script for different miner blocker extensions is:

*://*.coinhive.com/*

*://*/*coinhive*.js*

*://coinhive.com/lib*

*://*.coinhive.com/lib/*

*://*/*coinhive.min.js*

Existing method in extensions to block miners is by detecting and blocking the main JavaScript library that has to be included in web pages. As you already noticed, by self hosting these scripts one can trivially bypass these blockers. Now let’s use PublicWWW to find out how many miners on the web actually include these JavaScript libraries from the provided URLs.

Number of websites using miners

Based on signatures derived from browser extensions, we found only 12 websites in top 10k Alexa websites, this number grows linearly and reaches 36053 for Top 212M Alexa websites. This would either mean that top Alexa websites do not use miners, or it could mean that they actively try to hide their miners which makes miner blocker extensions useless.

Now let’s look at the websites which use miners from another view, for this part of the report, https://fortiguard.com/webfilter, is used to categorize the URLs, since most of these samples are not well known websites, the category won’t be present for most of them, but out of those which we could find a category for, this is the top ones:

  1. Malicious  Websites
  2. Business
  3. Information Technology
  4. Pornography
  5. Personal Websites and Blogs

Next, we analyze which miners are more popular:

Miners rated by popularityThis plot has a couple of interesting findings, first, coinhive and its other domains (coinhive.com, coin-hive.com, cnhv.co) together make up the most popular miners used by websites on the web. Next we have authedmine.com, which also belongs to coinhive, but this service explicitly asks the user for permission to mine on his computer, this is due to the fact that mining without users’ concent was deemed as a malicious act and browser extensions started blocking them. To prevent it, coinhive proposed authedmine as a fully “ethical” counterpart of their original service.

On this list we also see crypto-loot, which is a new player in this game, they provide 80% of the mining income to website administrators compared to 70% revenue share for admins using coinhive.

“rest” category is the sum of samples with presence on less than 200 websites on Alexa top 212M websites.

On this list, we see greenindex.dynamic-dns.net which looks to be a non-miner website. Our first guess was that someone hosted a miner script on their website. After doing some research, we get to their website which looks benign. They host https://greenindex.dynamic-dns.net/jqueryeasyui.js which is a version of deepMiner, which is a self hosted cryptominer. Various blogs point out that this miner is used in a malicious way, as in being injected into compromised websites. deepMiner has a feature to limit the amount of its CPU utilizations, and in some of the compromised websites with this specific miner URL in them, this value was set to 0.5, preventing full cpu utilization by the script [2].

Another benign looking domain is cookiescript.info. They advertise themselves as:

The most popular free solution to US and European Cookie Laws

European and American laws require that digital publishers give visitors to their sites and apps information about their use of cookies and other forms of local storage. These laws also require that consent be obtained. A breach of these regulations can result in a fine of up to $500,000.

As it turns out, these guys have been abusing their script that users would include in their website to mine cryptocurrencies. The two following URLs are examples of mining scripts present on this domain:

http://cdn.cookiescript.info/libs/cookieconsent.5.min.js

https://cdn.cookiescript.info/libs/cookiescript.min.js

The author of “CookieScript.info mining Monero on your website?! It’s true” [3], claims that cookiescript moderators have been contacted and no response was received as of the writing.

Analyzing the miner scripts

We extracted the list of URLs that host JavaScript miner scripts. They can be used in a future research but for now, we tested their reachability. Following are some samples of URLs with invalid SSL certificates:

  • https://staticsfs.host/js/EQHAwxADAgAUxAGS
  • https://gtg02.bestsecurepractice.com/meri.js

Invalid SSL Certificate on miner script

These samples were using let’s encrypt, they might have forgotten to setup auto renew script to renew certificates, but the outcome of this is that websites that include these JavaScript files won’t be able to mine because browsers will not fetch scripts hosted in websites with invalid SSL certificates. This was also reported recently on twitter by @bad_packets, a malicious actor managed to break into a government website, but due to invalid SSL certificate of the website hosting his miner, he failed to mine crypto currency.

Malicious Miners

Now the question arises, are these the true number of websites using crypto miners? Or are there many other self hosted and malicious miners that obfuscate themselves and their URLs to stay hidden? To answer this question we can refer to Unauthorized Coin Mining in the Browser [4], where the author from Palo Alto Networks uses their own dataset of passive DNS and logs from their devices, shows that they observe roughly the same number of malicious infected websites by miner campaigns as we observed by using signatures used in miner blocked browser extensions.

Conclusion

To study the effectiveness of available miner blocker browser extensions, we extracted the signatures used by these extensions, all observed extensions try to statically find URLs that are known to host JavaScript libraries used by these miners. Their database of signatures contain a high amount of false positive and dead links, as we were able to reduce aggregated list of 1000 signatures to ~100 valid and live URLs actively hosting miner scripts.

We also show that at best, these extensions are able to detect half of known miners and website moderators can trivially bypass these extensions by self hosting and obfuscating their mining scripts. Hence, a more concrete and dynamic approach is required to detect and block JavaScript crypto miners on the web.

 

References

[1] https://medium.com/@MaxenceCornet/coinhive-review-embeddable-javascript-crypto-miner-806f7024cde8

[2] https://www.fortinet.com/blog/threat-research/the-growing-trend-of-coin-miner-javascript-infection.html

[3] https://www.caveconsulting.com/2018/03/23/cookiescript-info-mining-monero-on-your-website-its-true/

[4] https://www.paloaltonetworks.com/resources/blogs/unit42-unauthorized-coin-mining-browser.html