
  • I wanted to talk about crypto-jacking, right, which is, I mean the name itself it starts off in a good way

  • Sometimes called drive-by mining also a great name.

  • This is the idea that

  • we can trick someone instead of maybe putting a virus on their machine

  • I mean it might still be a virus, but we can trick them into mining some cryptocurrency for us.

  • And that way we make a profit

  • Think of it like an alternative, in a crime sense, to ransomware, where you're trying to get money off someone by taking control of their files.

  • We're now just trying to use some of their CPU power to earn us some money

  • Right, so theoretically they mine some coins for us. They send them to us and then we

  • We profit from those

  • So this all came about because a company called Coinhive decided that maybe instead of showing people adverts online

  • They could just use a little bit of their CPU to mine you cryptocurrency while they're browsing and that way they don't have to look

  • at adverts and you still get paid for your your website. Right now that

  • Actually is not a bad idea or in some sense

  • The idea would be but you go to let's say a newspaper and instead of seeing a load of banner ads

  • You see a little ticker that says you're mining some cryptocurrency while you're on this website

  • and you know

  • We're gonna make a small amount of money off this in exchange for you not having any ads and reading the news for free, right?

  • Okay, and I mean the amount of money you're gonna spend a couple of minutes reading an article

  • It's not very much, right, even if your CPU's on a hundred percent. This is JavaScript

  • So you you go to a website. It serves you a script which instructs your computer to start mining these coins

  • The problem is that it wasn't long before people thought well, we don't maybe we should just not ask permission, right? We should we should

  • Have them mine all the coins all the time. Right? And the other thing was that coin hive has a

  • Feature, which lets you only use let's say 60% of a CPU

  • So there's some overhead for Mouse

  • Events and things that are kind of important to keep the operating system running and of course

  • The malware programmers thought, well you know, 100%, right? So I've just got this web server set up on my machine

  • I've extended my classic blog. This is the world's best blog, of course, right?

  • It looks good and it's got good content on it [...] with a nice banner ad which also happens to mine me some Monero cryptocurrency.

  • Right so let's have a look, so you can see here

  • I've got my blog before it's got my comments and my cat pictures I had before and it's also got this lovely banner ad which

  • I made for my shop which is not a real shop. Don't send me any money.

  • You will also notice now if you look at my CPU monitor

  • Which I've also got running

  • It's sitting on 100% and if we leave it for a minute

  • We're going to start hearing my fan get louder and louder and louder because basically the entirety of my CPU is mining Monero cryptocurrency now.

  • I mean I didn't notice the mouse is still responding. I mean, you know it's a modern PC

  • But you know, you wouldn't necessarily know apart from the fact that your fan has spun up. Now, it's also not plugged in

  • So the battery is going to be draining pretty fast.

  • The good news is that this is already less common than it was just a few months ago because Chrome, Firefox

  • You know

  • Antivirus vendors and things like this are all cracking down on these kind of scripts. Now Coinhive as I pointed out,

  • Is actually a legitimate company. They weren't intending on people abusing this service

  • So they've now got an opt-in version where a little pop-up turns up and you can say I do opt-in for this time instead of

  • Ads or something like this, right that isn't blocked by browsers because that's a legitimate commercial

  • Alternative to ads but of course Coinhive aren't the only people that are making these, right?

  • So you're going to have clones you're going to have malware that does this and you can just imagine that instead of getting ransomware

  • You'll just get something like this and runs on your PC instead

  • And the same is true also for phones. So you might download an app, which seems too good to be true

  • Oh there's not even any adverts on this free game and maybe it's because it's using up extra of your CPU to mine

  • Crypto currency if you were doing this in Bitcoin, you wouldn't you wouldn't get a look-in. Essentially. I could mine with my CPU

  • Bitcoins, you know for hundreds of years and never get any, right? Because compared to the size of the Bitcoin network

  • With all their dedicated hardware, my CPU is a nonentity essentially

  • Monero is slightly different. Monero has a

  • Hashing function that it uses in the mining process

  • which is quite hard to do on a GPU and

  • So you get some but not a lot of benefit from having a dedicated rig, right? Two times, maybe.

  • Given the cost of a graphics card not very good

  • so actually you could have a lot of Android phones competing with big graphics cards in Monero specifically and

  • and

  • So in some sense there is a point to do it.

  • Now, that's one of the reasons it was designed this way to allow people on phones and things to mine.

  • But it has this benefit that or benefit depending on who you are that it's a good target for this kind of

  • malware, right? Because if you have a website where everyone is mining

  • Monero for you. It's not gonna make you a huge amount of money

  • but it'll make you some and Monero is one of these currencies that's a little bit hard to keep a track of and

  • So maybe you can get away with it

  • That's that's the idea.

  • My browser and my extensions block it, my antivirus on my machine blocks it, the university firewall blocks it.

  • So, I'm currently I have all of those disabled and I'm routing through my 4G phone connection. It works fine at home

  • I know good or bad

  • So, you know, like I say, vendors of things like antivirus are taking a lot of steps to

  • To fix this. I'm gonna close this now because it's it's not that loud actually

  • Sean: It's basically the thing that says: "Many things for sale, buy now." That's got some JavaScript [...]

  • Mike: Well, yeah, I mean, this is just an image, but yeah ...

  • Just next to it is some script that does it. You could imagine that if I was running a like a newspaper

  • Website I'm being served ads by some ad company

  • All I have to do to get in there

  • Is pay some money to have an advert deployed which also happens to have this script. No one's going to go to my blog, right?

  • It's not online but also because no it's rubbish.

  • So what I if I was an attacker

  • It would be much smarter for me to try and take over a site

  • Where lots of people are going. This came into the news because in February 2018 an

  • Accessibility website that are just like screen reading and things like this was hacked and their JavaScript file had some

  • Monero mining code

  • Inserted into it and this website was serving JavaScript to about 4000 UK and US government websites among others

  • including the Information Commissioner's Office and various high-level government websites.

  • This meant that when you went on those web sites to let's say find out about something important

  • You were actually mining Monero for the attackers not ideal

  • Sean: Could you work out who did it?

  • Mike: Absolutely, well no all you can all you know is I mean assuming ...

  • Sean: the wallet

  • Mike: All you know is the address that the Monero is being mined to right and as usual

  • You've got the traceability issues of that. If they use that address to buy like pizza to their house

  • It might be slightly easier to find them. But if they try and hide it, it's gonna be harder

  • This is the code that was inserted into all these government websites. This is not my code.

  • My code is much simpler than this and it's also not obfuscated

  • So this has been encoded to try and make it harder for anti-viruses to find and then this is the deobfuscated version

  • Which is essentially looking up the Coinhive JavaScript and then pointing it towards this address

  • Which you shouldn't mine Monero for because they're malware writers.

  • Sean: They weren't even writing their own JavaScript, they were using Coinhive's actual -- Mike: Yeah

  • Yeah, I mean, it's pretty lazy, really.

  • Yes, so I think now some are writing their own JavaScript or embedding it into Java apps or for Android phones and things like this

  • But yes, when Coinhive first came out. This wasn't I would say an unexpected side effect of their new idea.

  • Like I say they've kind of come up with a more legitimate way of doing this now and they have interesting things like

  • CAPTCHAs which do a little bit of hashing

  • as an alternative to pick these

  • Images that have road signs in, right? Just just do a little bit of CPU, which is interesting enough

  • But yeah

  • So I think going forward we're going to see fewer of these deployed in a browser

  • Unless they can find a way of getting around these new browser restrictions

  • But they might start to find their way into more actual malware, right? Maybe instead of encrypting everyone's files

  • you just take over their CPU for a while and

  • Make some money that way or do both at the same time. Both: Or do both at the same time?

  • Mike: Yeah, why not?

  • Sean: The free games thing is quite classic because I mean we're all used to just getting games for free and expecting you that purchases

  • Mike: Yeah, when you download an app, it's got free access to your CPU. It could do this

  • You'll know because your phone will get hot and your battery will go [... noise of draining battery ...] like this

  • But that happens with some games that are poorly written anyway, so how do we know that? You've got to hope,

  • I suppose that there's some vetting process on the apps, which might hopefully detect this kind of stuff

  • But it's not always going to be easy to find

  • And so you can expect a few of these to pop up from time to time

  • We're going to say "document.write('')"

  • Okay, now that's it's going to write nothing to the screen, right?

  • So my comment on my blog, it's just going to be a script that does nothing. Okay, that's not very interesting

  • So let's do something a bit more interesting. Our PHP file takes the cookie, gives an image back

  • So let's just show it on the screen, right? So image tag in HTML. is the image tag ...


Crypto-jacking - Computerphile

    林宜悉 posted on 2020/03/27