Cybersecurity researchers at Akamai have detailed two novel methods that can be used to successfully disrupt cryptocurrency botnets. The new methods take advantage of the design of various common mining topologies in order to shut down the mining process. Researchers developed two techniques by leveraging the mining topologies and pool policies that enable them to disrupt operations. The techniques hinge on exploiting the Stratum mining protocol so that it causes an attacker’s mining proxy to be banned.
The first of the two new approaches, which has been dubbed bad shares, entails banning the mining proxy.
This results in the complete shutdown of the entire operation and causes the victim’s CPU usage to plummet. While a mining proxy acts as an intermediary, it also becomes a convenient single point of failure. The idea is simple, by connecting to a malicious proxy, defenders can submit many invalid mining job results. Consecutive bad shares will eventually get the mining proxy banned, effectively halting all mining operations for the botnet.
To demonstrate this new technique, Akamai researchers developed XMRogue, which is a specialized tool for this purpose. XMRogue impersonates a miner, connects to a mining proxy, and submits consecutive bad shares to ban the proxy. The second method devised by Akamai exploits scenarios where a victim miner is connected directly to a public pool. It leverages the fact that the pool can ban a wallet’s address for one hour for excessive workers.
Initiating more than one thousand login requests using the attacker’s wallet will force the pool to ban it.
The researchers at Akamai noted that while these methods have been used to target Monero, they can be extended. The techniques show how defenders can effectively shut down malicious cryptominer campaigns without disrupting legitimate pool operations. A legitimate miner will be able to quickly recover from this new type of defensive attack by modifying their IP. This task would be much more difficult for a malicious cryptominer as it would require modifying the botnet.
Reference:
