Cryptojacking malware is designed to provide an attacker with a profit and increased control over the blockchain’s distributed ledger at another party’s expense. The popularity of this type of malware tends to wax and wane as the price of cryptocurrency changes. The more valuable that cryptocurrency mining is, the more cryptojackers that will be active.
Proof of Work Consensus and Computational Power
The goal of blockchain consensus is to allow the nodes within a blockchain network to agree on the state of the blockchain’s distributed ledger in a completely decentralized fashion. Balancing the need for consistency and complete decentralization is difficult, which is why blockchain consensus algorithms are needed.
Proof of Work (PoW) is the original blockchain consensus algorithm. PoW pioneered the use of a scarce resource to represent control over the distributed ledger. The more of the scarce resource that a node controls, the higher their probability of being selected as the creator of the next block in the blockchain. Since the block creator chooses which transactions are included in their block, this equates to control over the contents of the distributed ledger.
The Proof of Work consensus algorithm uses computational power as its scarce resource. Miners within a Proof of Work network create a block candidate, then search for a nonce value that makes the block header “valid”. A valid block header is one that hashes to a value less than a set threshold.
The attributes of hash functions make it so that the best way to find a valid block in Proof of Work is by a brute force search. Miners keep trying nonce values until they find one that meets the desired criteria.
The more computational power that a node controls, the more potential nonce values it can try within a given time period and the higher its probability of finding the next block in the blockchain. Since creating blocks comes with a reward, miners are incentivized to control as much computational power as possible.
Introducing Cryptojacking
Blockchain miners can gain access to computational power in a few different ways. They could buy additional hardware or rent it from other providers. Or they could steal it from other people.
Cryptojacking is an example of this last option. Cryptojacking malware is designed to run Proof of Work calculations on an infected computer for the attacker’s benefit. The attacker designs a block candidate and distributes it to their malware. The infected computers try various nonce values and, if they find one that works, they send it back for submission on the blockchain network. Since the block is associated with the attacker’s account, they get the credit and the reward.
Cryptojacking Malware
Cryptojacking malware comes in a variety of different forms. Some common examples include:
- Browser Scripts: In the past, Coinhive maintained a script designed to mine cryptocurrency within a browser. This script could be embedded within the source code of a website, and it would perform mining within a visitor’s browser. Some sites used this script as a replacement for ad revenue (with or without the consent of their users), and cybercriminals would infect legitimate sites with the script to mine cryptocurrency for them.
- IoT Devices: Internet of Things (IoT) devices are notoriously insecure, making them a common target of cybercriminals building botnets for Distributed Denial of Service (DDoS), credential stuffing, and other attacks. A large enough botnet can also be used for cryptojacking by distributing the mining process over many different devices.
- Enterprise Servers: Company servers are often high-end computers, and the company is paying for their power, network connections, etc. A number of cases have emerged where cybercriminals have infected these servers with cryptojacking malware or where a company employee has used them to mine cryptocurrency.
Cryptojacking malware is designed to perform a legitimate function within a Proof of Work blockchain: searching for nonces that create valid blocks. The problem is that the resources that cryptojackers use for this are used without the consent of their owners. Additionally, by providing cybercriminals with access to additional computational resources, cryptojacking increases the probability of a 51% attack.
Protecting Against Cryptojacking Attacks
There is little that blockchain designers and developers can do to protect against cryptojacking attacks. The blockchain has no visibility into the block creation process, only the result. Any attempt to make cryptojacking impossible or unprofitable for an attacker will also increase the centralization of the blockchain by pushing out smaller miners. Some cryptojacking malware can be detected using features of the blocks that it creates, but these could easily be changed by a sophisticated attacker.
A better way to protect against cryptojacking is to cut attackers off from the systems that they need to perform their attacks. Using antivirus, patching commonly-exploited vulnerabilities, and monitoring for unusual usage of server resources can all help with preventing, detecting, and remediating infections of cryptojacking malware.
For help on how to protect your blockchain project from cryptojacking attacks, get in touch with Halborn’s cybersecurity for blockchain experts at halborn@protonmail.com.