How To Detect Cryptocurrency Miners

A sudden spike in cryptocurrency prices recently drew public attention to crypto exchanges and trading, and many people have turned to mining to earn some easy cash. Cybercriminals also saw an opportunity: mine cryptocurrencies using other people's resources, where the person whose machine is mining is unaware of it and cannot stop it. This is known as cryptojacking. Network administrators and researchers have therefore looked for ways to find these cryptocurrency miners.

Some standard methods of detecting cryptocurrency miners

Port Blocking

Access to the ports on which blockchain and mining services operate is blocked. Only the ports that are actually needed are permitted on the network.

DNS Traffic / Deep Packet Inspection

Every data packet is inspected and recorded, and its source and destination are identified. This is long and tedious work and can take many hours to finish.

However, these methods can only be used when the mining servers are known; they cannot be used if the mining servers are unknown. On top of that, inspecting the traffic is labour-intensive and expensive.

An alternative is therefore to apply machine learning to NetFlow / IPFIX network measurements.

Netflow / IPFIX

This does not require inspecting the packets' payload, which makes it a cost-effective method. Most mining servers use the Stratum protocol, which runs over TCP. Since no fixed, well-known port is used for these connections, the destination port is of no use as an indicator.

The connections over Stratum need to be inspected. Only a limited set of messages is exchanged between the server and the clients, and most of them are JSON-RPC methods whose names carry the prefix "mining." (for example mining.subscribe or mining.notify). This information is helpful when dealing with the NetFlow traffic.

NetFlow has the following fields:

  • Source / destination IP
  • Source / destination ports
  • Next hop
  • Input / output SNMP interface
  • Number of packets and bytes in the flow
  • Timestamp of the start and end of the flow
  • TCP flags
  • Protocol
  • Type of service
  • Source and destination autonomous system (AS)
  • Source / destination address mask

Since the mining server is not known, the IP addresses, ports and SNMP interfaces are of little help, and all flows that do not use TCP can be ignored. What we are left with are the TCP flows together with their start and end times and their packet and byte counts. This narrows the scope of the analysis considerably, and machine learning can be applied to the remaining flow features.
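The flow-based filtering just described (TCP only, ignore addresses and ports, look at duration and packet/byte counts) together with the "mining." prefix check from the Stratum paragraph above, as an added Python example that is not code from the original post. The flow records, the CSV column names and the thresholds are all constructed assumptions for illustration, not real captures or nfdump defaults.

```python
import csv
import io
import json
from datetime import datetime

# Constructed sample flows, using a subset of the columns nfdump can export as CSV
# (ts/te start and end, pr protocol, sa/da addresses, sp/dp ports, ipkt/ibyt counts, flg TCP flags).
SAMPLE_FLOWS = """ts,te,pr,sa,da,sp,dp,ipkt,ibyt,flg
2024-03-01 08:00:00,2024-03-01 11:59:58,TCP,10.0.0.17,203.0.113.9,51234,3333,4120,512300,.AP...
2024-03-01 08:00:05,2024-03-01 08:00:06,TCP,10.0.0.17,198.51.100.4,51235,443,12,9800,.AP.SF
2024-03-01 08:01:00,2024-03-01 08:31:00,UDP,10.0.0.17,192.0.2.53,51236,53,40,5200,......
2024-03-01 09:00:00,2024-03-01 09:20:00,TCP,10.0.0.22,198.51.100.8,40000,80,30000,41000000,.AP.SF
"""

# Assumed thresholds: a Stratum session stays open for hours and exchanges small
# JSON messages at a low rate (job notifications in, share submissions out).
MIN_DURATION_S = 3600
MAX_AVG_PKT_BYTES = 300
MAX_BYTES_PER_S = 2000

def parse_flows(text):
    """Parse CSV flow records into dicts with numeric counts and a duration in seconds."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S")
        end = datetime.strptime(row["te"], "%Y-%m-%d %H:%M:%S")
        row["duration"] = (end - start).total_seconds()
        row["ipkt"], row["ibyt"] = int(row["ipkt"]), int(row["ibyt"])
        flows.append(row)
    return flows

def suspicious_flows(flows):
    """Keep TCP flows only (Stratum runs over TCP), then apply the shape heuristics.
    Addresses and ports are deliberately not used: the pool is assumed to be unknown."""
    hits = []
    for f in flows:
        if f["pr"] != "TCP" or f["ipkt"] == 0 or f["duration"] <= 0:
            continue
        avg_pkt = f["ibyt"] / f["ipkt"]   # small packets: JSON-RPC messages, not bulk data
        rate = f["ibyt"] / f["duration"]  # low throughput sustained for a long time
        if (f["duration"] >= MIN_DURATION_S and avg_pkt <= MAX_AVG_PKT_BYTES
                and rate <= MAX_BYTES_PER_S):
            hits.append((f["sa"], f["da"], f["dp"], round(f["duration"]), round(avg_pkt), round(rate)))
    return hits

def is_stratum_message(line):
    """Payload-side check for one captured line: Stratum is JSON-RPC whose method
    names carry the 'mining.' prefix (mining.subscribe, mining.authorize, mining.notify, ...)."""
    try:
        msg = json.loads(line)
    except ValueError:
        return False
    return isinstance(msg, dict) and str(msg.get("method", "")).startswith("mining.")

if __name__ == "__main__":
    for hit in suspicious_flows(parse_flows(SAMPLE_FLOWS)):
        print("suspect flow (src, dst, dport, seconds, avg bytes/pkt, bytes/s):", hit)
    print(is_stratum_message('{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}'))
```

Only the four-hour, low-rate, small-packet TCP flow to port 3333 is reported; the short HTTPS session, the UDP flow and the 20-minute bulk download are discarded, which is the narrowing the text describes.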

Monero is the cryptocurrency most commonly mined by malware, but it does not work over Stratum. Monero and Ethereum each use a similar custom protocol carried over JSON, and its functionality is analogous to Stratum.

Software used:

  1. PCAP – to collect the traffic
  2. softflowd – flow exporter
  3. nfcapd – collector that writes nfcapd files
  4. nfdump – to extract the data

Other methods to find out whether unauthorized mining is taking place on a PC:

  • Code analysis – a detailed study of the application code is carried out to identify the algorithms used by popular mining applications and to check whether they have been incorporated into other programs or applications that run in the background.
  • CPU performance monitoring – temperature, background activity and similar metrics are monitored to spot suspicious mining activity running in the background.

Along with these, a long-lived flow of data to an unknown destination should always be treated as a possible sign of malware using your resources to mine cryptocurrency.