Date: 2017-09-15
First Ever Malvertising Campaign Uses JavaScript To Mine Cryptocurrencies In Your Browser (bleepingcomputer.com) 48
An anonymous reader writes from a report via Bleeping Computer: Malware authors are using JavaScript code delivered via malvertising campaigns to mine different cryptocurrencies inside people's browsers (mostly Monero), without their knowledge. The way crooks pulled this off was by using an online advertising company that allows them to deploy ads with custom JavaScript code. The JavaScript code is a modified version of MineCrunch (also known as Web Miner), a script released in 2014 that can mine cryptocurrencies using JavaScript code executed inside the browser. Cryptocurrency mining operations are notoriously resource-intensive and tend to slow down a user's computer. To avoid raising suspicion, crooks delivered malicious ads mainly on video streaming and browser-based gaming sites (currently mostly Ukrainian and Russian sites). Both types of sites use lots of resources, and users wouldn't get suspicious when their computer slowed down while accessing the site. Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks.
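The summary describes ad creatives that carry custom JavaScript. As an added example (not code from the article, the report, or any ad network), here is a static pre-screen an ad network or publisher could run over submitted creative code before serving it. The signal list, weights, threshold and both sample creatives are assumptions constructed for illustration.

```javascript
// Static pre-screen for ad-creative JavaScript (added example).
// Signals, weights and threshold are illustrative assumptions, not a vetted ruleset.
const SIGNALS = [
  // asm.js modules are unusual in a banner and common in compute-heavy code.
  { name: "asm.js module", weight: 2, re: /["']use asm["']/ },
  // Background threads keep the page responsive while the CPU is saturated.
  { name: "spawns Web Worker", weight: 2, re: /\bnew\s+Worker\s*\(/ },
  // A persistent socket is how work could be fetched and results reported.
  { name: "opens WebSocket", weight: 1, re: /\bnew\s+WebSocket\s*\(/ },
  // Reading the core count suggests the script sizes its workload to the CPU.
  { name: "reads core count", weight: 2, re: /\bnavigator\s*\.\s*hardwareConcurrency\b/ },
  // Names taken from the summary above, plus Monero's proof-of-work algorithm.
  { name: "mining vocabulary", weight: 3, re: /\b(cryptonight|monero|minecrunch)\b/i },
];
const HOLD_THRESHOLD = 4; // assumed cut-off for manual review

function screenCreative(source) {
  const hits = SIGNALS.filter((s) => s.re.test(source));
  const score = hits.reduce((sum, s) => sum + s.weight, 0);
  return {
    score,
    signals: hits.map((s) => s.name),
    verdict: score >= HOLD_THRESHOLD ? "hold-for-review" : "pass",
  };
}

// Constructed sample: an ordinary click-through banner.
const SAMPLE_BANNER = `
  document.getElementById("ad").addEventListener("click", function () {
    window.open("https://advertiser.example/landing");
  });
`;

// Constructed sample: a stub with the structural traits of a compute-heavy
// creative. It contains no hashing code and does nothing if executed.
const SAMPLE_HEAVY = `
  var n = navigator.hardwareConcurrency || 2;
  for (var i = 0; i < n; i++) { new Worker("w.js"); }
  var ws = new WebSocket("wss://pool.example.invalid");
  function core(stdlib, foreign, heap) { "use asm"; return {}; }
`;

console.log(screenCreative(SAMPLE_BANNER));
console.log(screenCreative(SAMPLE_HEAVY));
```

A "pass" only means nothing matched: code fetched at runtime or obfuscated is invisible to static matching, so a check like this complements runtime CPU monitoring of served ads rather than replacing it.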
If an ad runs on your computer without authorization - it uses your computer's resources too. Is that somehow different just because ads waste less resources than mining? What about a mining script that uses less resources than the standard video ad - would they still be crooks?
While I don't agree with anyone running code on a user's station without authorization, there isn't much difference between this and a common ad. Both should be illegal if you ask me. But if those guys are crooks - then what would
Is that somehow different just because ads waste less resources than mining?
Yes. Not just because ads use less resources, but yes it's somehow different.
What about a mining script that uses less resources than the standard video ad - would they still be crooks?
Yes. I object to the misrepresentation as much as I do the wasted resources. That doesn't excuse wasting my resources for an unrequested video.
Both should be illegal if you ask me. But if those guys are crooks - then what would Google Adwords be?
This I like. I think we need better guidelines on acceptable behavior. As resources have become less precious, the advertisers have gotten pretty brazen.
But those were cycles I wanted to waste on cat videos!
I block all advertising on the web (Score:1)
So this doesn't affect me.
Got to say (Score:5, Informative)
Genius.
Despite being one of the causes of adblocker proliferation it's a nice change from the usual destructive malware in ads.
Must admit I've never really understood why advertising companies allow advertisers to run potentially unsafe code via their network. Surely it reflects badly on them and I'm too ignorant to understand the need for custom code with an advert.
But how much currency can it mine?
How long are ads displayed for? Probably not long in most cases. Many browsers, especially Chrome, throttle Javascript or even stop it running entirely to save energy when the user isn't interacting with the page. And Javascript isn't exactly known for its high performance when it comes to maths.
A lot of processing will be wasted. Anything that ends before the minimum work unit that can be saved is complete is lost.
If they are mining a popular currency the chances are Javas
Re:Got to say (Score:5, Insightful)
And Javascript isn't exactly known for its high performance when it comes to maths.
That was my first thought. People spend so much on top-tier GPUs for mining, and these guys go for JS.
I bet the malware guys are using this as a proof-of-concept for something else.
Re:Got to say (Score:4, Insightful)
And Javascript isn't exactly known for its high performance when it comes to maths.
That was my first thought. People spend so much on top-tier GPUs for mining, and these guys go for JS.
I bet the malware guys are using this as a proof-of-concept for something else.
How many people have a JS enabled-browser installed vs. how many people have top-tier GPUs installed?
The performance all comes down to volume. And with Bitcoin valued at over $3000, I doubt that something else needs be a motivator.
The performance all comes down to volume.
And ratios: how many JS miners do you need to equal a current (affordable) GPU card, combined with -- as AniMoJo first mentioned -- the fact that when you stop browsing, any partial work disappears. That's really a killer.
The performance all comes down to volume.
And ratios: how many JS miners do you need to equal a current (affordable) GPU card, combined with -- as AniMoJo first mentioned -- the fact that when you stop browsing, any partial work disappears. That's really a killer.
And yet can you imagine the performance if legitimate companies that offer streaming services (Netflix, YouTube, etc.) embedded JS mining as a "feature" on their sites?
The world never stops browsing, which is why volume matters.
I'll repeat again: when you stop browsing, any partial work disappears.
The world never stops browsing, but people do.
What they lack in quality, they make up for in quantity.
"Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks."
Stick this code on any porn site or any high-traffic video site and consider how many folks stop by.
Better be careful, or someone will figure out how to mine BitCoins using WebGL in the background while you're playing a browser based game.
But how much currency can it mine?
Does it matter? Fuck all multiplied a couple of million times can become a chunky number. As long as it's more than the cost of the advertising (which may be near zero if it's charged by click-through) then they profit.
How long are ads displayed for? Probably not long in most cases. Many browsers, especially Chrome, throttle Javascript or even stop it running entirely to save energy when the user isn't interacting with the page. And Javascript isn't exactly known for its high performance when it comes to maths.
That'll be why they targeted pages that users interact with for tens of minutes (up to hours).
I've noticed that a lot of web sites now cause my browser to ask me if I trust them to run WebGL code for no obvious reason (I don't, because I've worked on GPU drivers, and there's no way I'd trust them with potentially malicious code, even if it has had some token WebGL verification). JavaScript is fairly slow, but WebGL and WebCL let JavaScript run shader code on your GPU.
Most cryptocurrency mining is probabilistic: you only win on average by having the most compute, each step involves trying a possi
WebGL is mostly used for tracking. The sites render some text and graphics and slight variations in your system make the result semi-unique, and combined with other factors can be used to identify your browser as you move from site to site.
As such, I disable WebGL entirely. I also use CanvasFingerprintBlock for the same reason.
And Javascript isn't exactly known for its high performance when it comes to maths.
the project uses asm.js for optimal speed.
Asm.js is a library that implements a simple virtual cpu and the opcodes to execute on that CPU.
The idea is that the jit compiler can compile simple real asm instructions from that. The other idea is that language designers can compile to asm.js instructions.
That is in no way faster than writing the code you want in standard JavaScript.
You are confused by the word "asm" in asm.js
:D
Anyway, in the long run the developers of asm.js hope that JavaScript engines will be "asm.js aware" and realize that they can trea
Could have answered to you plus + answer
;D
But here it fits better.
First of all: JavaScript has, for a decade now, no longer been as slow as people think. Nearly all browsers optimize it and JIT compile it to assembly.
Secondly: http://gpu.rocks/ [gpu.rocks]
Thanks, that's an interesting link.
I'm really glad I block WebGL.
Did you read the summary? They picked websites like web based games and video which people will interact with the page for 20-30-60 minutes at a time and are already a heavy CPU draw. To hide it.
Because the advertising companies don't need to care. It's the sites that show the ads that get the blame - and rightfully so.
It used to be that a magazine that wanted advertising had an editor responsible for looking through the ads and rejecting any that didn't follow their standards. Nowadays they just use an ad network, and the ad network doesn't care.
Because the advertising companies don't need to care.
Unless advertisers start pulling their dollars. When advertisers noticed that their ads were being shown with extremist videos on YouTube, they pulled their dollars and content creators saw their YouTube earnings drop between 50% and 90%. That situation is still ongoing as YouTube tries to keep the advertisers happy.
...it's a nice change from the usual destructive malware in ads.
Guess that all depends on where the Bitcoin profits go.
Funding physical destruction wouldn't be a hard stretch in a warmongering environment.
Getting my own back (Score:1)
My laptop is so pathetic I'm wasting their time.
Let's replace adverts with this. (Score:2, Interesting)
Why can't websites replace adverts with this, working for them?
That seems like a perfect way to get micro-transactions in a website without any micro-transaction having to occur, and it scales with time spent on the website.
Could we find a legitimate use for this idea? (Score:3, Interesting)
I suspect CPU time is not valuable enough to make this sort of thing viable but maybe I'm wrong.
Well, if you could get people to install an app...
Oh no, I said the word!
Re:Could we find a legitimate use for this idea? (Score:5, Interesting)
There are tons of distributed projects where people donate CPU time. It has value for communities of people that like to work on common computational goals. Examples are SETI, distributed.net, and folding@home. Here is Wikipedia's list:
https://en.wikipedia.org/wiki/... [wikipedia.org]
I ran a Pentium 200MHz overclocked to 250MHz for several years straight (along with many other machines) trying to crack RC5-64 years ago. Lots of fun.
Re: (Score:3, Interesting)
But I'm thinking of the more commercial aspects. For example, while I have no complaints about CGI movies, I'm not going to donate my CPU time to help make one. A company might be willing to pay me a fraction of a cent for rendering a few pixels though. I don't want that fraction of a cent. I do, however, want to be able to read websites without annoying popup ads. The website owner, with thousands of impressions per page per day would like th
I suspect CPU time is not valuable enough to make this sort of thing viable but maybe I'm wrong.
You are wrong because you are attributing the wrong metric.
What this strategy cares about is cycles/watt. They might have a 300 watt server set up somewhere, but beyond that the cycles are all free. A million people all mining with javascript at the cost of that 300 watts.
Why the indirection? (Score:2)
Why not write the mining and phone-home routines directly into the games that people are playing? It would probably improve efficiency considerably, and somewhere in the EULA it can be noted that the game is working on a distributed computing project in the background as the 'fee' for using their otherwise free game.