Slashdot Mirror


First Ever Malvertising Campaign Uses JavaScript To Mine Cryptocurrencies In Your Browser (bleepingcomputer.com)

An anonymous reader writes from a report via Bleeping Computer: Malware authors are using JavaScript code delivered via malvertising campaigns to mine different cryptocurrencies inside people's browsers (mostly Monero), without their knowledge. The way crooks pulled this off was by using an online advertising company that allows them to deploy ads with custom JavaScript code. The JavaScript code is a modified version of MineCrunch (also known as Web Miner), a script released in 2014 that can mine cryptocurrencies using JavaScript code executed inside the browser. Cryptocurrency mining operations are notoriously resource-intensive and tend to slow down a user's computer. To avoid raising suspicion, crooks delivered malicious ads mainly on video streaming and browser-based gaming sites (currently mostly Ukrainian and Russian sites). Both types of sites use lots of resources, and users wouldn't get suspicious when their computer slowed down while accessing the site. Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks.

46 of 70 comments

  1. I block all advertising on the web by Anonymous Coward · · Score: 2, Informative

    So this doesn't affect me.

  2. Got to say by Anonymous Coward · · Score: 5, Informative

    Genius.

    Despite being one of the causes of adblocker proliferation it's a nice change from the usual destructive malware in ads.

    Must admit I've never really understood why advertising companies allow advertisers to run potentially unsafe code via their network. Surely it reflects badly on them and I'm too ignorant to understand the need for custom code with an advert.

    1. Re:Got to say by AmiMoJo · · Score: 3, Insightful

      But how much currency can it mine?

      How long are ads displayed for? Probably not long in most cases. Many browsers, especially Chrome, throttle Javascript or even stop it running entirely to save energy when the user isn't interacting with the page. And Javascript isn't exactly known for its high performance when it comes to maths.

      A lot of processing will be wasted. Anything that ends before the minimum work unit that can be saved is complete is lost.

      If they are mining a popular currency the chances are Javascript running on a CPU will be too slow to earn anything significant. If they are mining a less popular currency it is now tainted by malware and unlikely to ever be worth much.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Got to say by Nutria · · Score: 5, Insightful

      And Javascript isn't exactly known for its high performance when it comes to maths.

      That was my first thought. People spend so much on top-tier GPUs for mining, and these guys go for JS.

      I bet the malware guys are using this as a proof-of-concept for something else.

      --
      "I don't know, therefore Aliens" Wafflebox1
    3. Re:Got to say by Anonymous Coward · · Score: 1

      Because the advertising companies don't need to care. It's the sites that show the ads that get the blame - and rightfully so.

      It used to be that a magazine that wanted advertising had an editor responsible for looking through the ads and rejecting any that didn't follow their standards. Nowadays they just use an ad network, and the ad network doesn't care.

    4. Re:Got to say by Cederic · · Score: 2

      But how much currency can it mine?

      Does it matter? Fuck all multiplied a couple of million times can become a chunky number. As long as it's more than the cost of the advertising (which may be near zero if it's charged by click-through) then they profit.

      How long are ads displayed for? Probably not long in most cases. Many browsers, especially Chrome, throttle Javascript or even stop it running entirely to save energy when the user isn't interacting with the page. And Javascript isn't exactly known for its high performance when it comes to maths.

      That'll be why they targeted pages that users interact with for tens of minutes (up to hours).

    5. Re:Got to say by TheRaven64 · · Score: 3, Interesting

      I've noticed that a lot of web sites now cause my browser to ask me if I trust them to run WebGL code for no obvious reason (I don't, because I've worked on GPU drivers, and there's no way I'd trust them with potentially malicious code, even if it has had some token WebGL verification). JavaScript is fairly slow, but WebGL and WebCL let JavaScript run shader code on your GPU.

      Most cryptocurrency mining is probabilistic: you only win on average by having the most compute, each step involves trying a possible solution and hopefully getting lucky. If you try enough solutions in parallel, you'll probably find the correct one before anyone else. Even if each person only gives you 30 seconds of GPU time, that's still a lot if you can infect a few million people.

      I seem to recall a browser-based game a few years ago that used this exact business model: as you play the game, it mined bitcoin in the background on your GPU, which paid for the game.

      --
      I am TheRaven on Soylent News
    6. Re:Got to say by AmiMoJo · · Score: 2

      WebGL is mostly used for tracking. The sites render some text and graphics and slight variations in your system make the result semi-unique, and combined with other factors can be used to identify your browser as you move from site to site.

      As such, I disable WebGL entirely. I also use CanvasFingerprintBlock for the same reason.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Got to say by Anonymous Coward · · Score: 1

      Things might improve when publishers decide on providing static advertising linked to content instead of networks that send the ad with the highest bid for the set of eyes they think are looking at it.
      And they won't because it would require hiring people to vet the ads and be responsible for making sure they fit the publisher's branding.

      Advertisers never cared about the content, because their most lucrative revenue stream was buying ad space from the publishers in bulk and reselling to their clients.
      Toss in

    8. Re:Got to say by geekmux · · Score: 3, Insightful

      And Javascript isn't exactly known for its high performance when it comes to maths.

      That was my first thought. People spend so much on top-tier GPUs for mining, and these guys go for JS.

      I bet the malware guys are using this as a proof-of-concept for something else.

      How many people have a JS enabled-browser installed vs. how many people have top-tier GPUs installed?

      The performance all comes down to volume. And with Bitcoin valued at over $3000, I doubt that something else needs be a motivator.

    9. Re:Got to say by geekmux · · Score: 1

      ...it's a nice change from the usual destructive malware in ads.

      Guess that all depends on where the Bitcoin profits go.

      Funding physical destruction wouldn't be a hard stretch in a warmongering environment.

    10. Re:Got to say by sirber · · Score: 1

      And Javascript isn't exactly known for its high performance when it comes to maths.

      the project uses asm.js for optimal speed.

      --
      Be or ben't
    11. Re:Got to say by nehumanuscrede · · Score: 2

      What they lack in quality, they make up for in quantity.

      "Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks."

      Stick this code on any porn site or any high-traffic video site and consider how many folks stop by.

    12. Re:Got to say by Nutria · · Score: 2

      The performance all comes down to volume.

      And ratios: how many JS miners do you need to equal a current (affordable) GPU card, combined with -- as AmiMoJo first mentioned -- the fact that when you stop browsing, any partial work disappears. That's really a killer.

      --
      "I don't know, therefore Aliens" Wafflebox1
    13. Re:Got to say by CastrTroy · · Score: 1

      Better be careful, or someone will figure out how to mine BitCoins using WebGL in the background while you're playing a browser based game.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    14. Re:Got to say by geekmux · · Score: 2

      The performance all comes down to volume.

      And ratios: how many JS miners do you need to equal a current (affordable) GPU card, combined with -- as AmiMoJo first mentioned -- the fact that when you stop browsing, any partial work disappears. That's really a killer.

      And yet can you imagine the performance if legitimate companies that offer streaming services (Netflix,YouTube, etc.) embedded JS mining as a "feature" on their sites?

      The world never stops browsing, which is why volume matters.

    15. Re:Got to say by angel'o'sphere · · Score: 3, Interesting

      Could have answered to you plus + answer ;D
      But here it fits better.

      First of all: JavaScript has not been as slow as people think for a decade now. Nearly all browsers optimize it and JIT compile it to assembly.

      Secondly: http://gpu.rocks/

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    16. Re:Got to say by AmiMoJo · · Score: 1

      Thanks, that's an interesting link.

      I'm really glad I block WebGL.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    17. Re:Got to say by angel'o'sphere · · Score: 2

      Asm.js is a library that implements a simple virtual cpu and the opcodes to execute on that CPU.
      The idea is that the jit compiler can compile simple real asm instructions from that. The other idea is that language designers can compile to asm.js instructions.
      That is in no way faster than writing the code you want in standard JavaScript.

      You are confused by the word "asm" in asm.js :D

      Anyway, in the long run the developers of asm.js hope that JavaScript engines will be "asm.js aware" and realize that they can treat it special and compile to a more optimized native asm, than they would compile "ordinary JavaScript"

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    18. Re:Got to say by cdreimer · · Score: 1

      Because the advertising companies don't need to care.

      Unless advertisers start pulling their dollars. When advertisers noticed that their ads were being shown with extremist videos on YouTube, they pulled their dollars and content creators saw their YouTube earnings drop between 50% and 90%. That situation is still ongoing as YouTube tries to keep the advertisers happy.

    19. Re:Got to say by Nutria · · Score: 1

      I'll repeat again: when you stop browsing, any partial work disappears.

      The world never stops browsing, but people do.

      --
      "I don't know, therefore Aliens" Wafflebox1
    20. Re:Got to say by peragrin · · Score: 1

      Did you read the summary? They picked websites like web based games and video which people will interact with the page for 20-30-60 minutes at a time and are already a heavy CPU draw. To hide it.

      --
      i thought once I was found, but it was only a dream.
    21. Re:Got to say by geekmux · · Score: 3, Insightful

      I'll repeat again: when you stop browsing, any partial work disappears.

      The world never stops browsing, but people do.

      This is exactly why I mentioned streaming services. You can probably get some considerable crunching done when the word "binge" is often used to describe browser session times. Wouldn't be surprised one bit if the next YouTube/Netflix app upgrade comes with a few extra lines of JS.

      On top of that, I'll give it about another HFT micro-second before someone realizes the value of breaking up JS cryptomining assignments into 60-second chunks to try and counteract that "partial" work problem, and take advantage of this distributed mining model. Or perhaps they'll wrap this around something that is always running in the background; you've only got about 1,000 opportunities to do this with Win10 telemetry services...

    22. Re:Got to say by s_p_oneil · · Score: 1

      Anyone have a JavaScript OpenCL/CUDA/Vulkan plugin handy to use for this? ;-)

      TBH, I imagine they would want to use the asm.js subset for this. I'm not sure what the status is for browsers compiling it, but basic math operations would definitely be covered in the asm.js subset. Sure it wouldn't be GPU-powered, but these days most visitors would be using cell phones, tablets, or cheap netbooks/laptops with cheap integrated graphics.

      IMO, the worst thing about this wouldn't be when it happened on a laptop or desktop. It would be when it drained the battery on my cell phone (especially if it could keep chugging along when I put my phone to sleep while a web page was up).

    23. Re:Got to say by tlhIngan · · Score: 1

      And ratios: how many JS miners do you need to equal a current (affordable) GPU card, combined with -- as AmiMoJo first mentioned -- the fact that when you stop browsing, any partial work disappears. That's really a killer.

      Well, when the CPU comes "for free" (they're using your CPU to make them money - the only cost is the ad campaign, and those are generally cheap because those are running on the second tier advertisers - the ad networks that do ads for "non mainstream" websites like torrents, porn, etc.)

      And if you do it right, you can save your state when the user navigates away from the page - there are javascript hooks that can be called when you navigate away that can upload the current state to a server. It's how those "are you sure you want to leave this page?" alerts are issued.

  3. Re:Don't run javascript. by JaredOfEuropa · · Score: 2

    It has its uses. But it has absolutely no business being used in ads, just like other Javascript over which the site owner has no control. I wish blocking 3rd party Javascript by default was an option, but that pretty much breaks all of the Internet.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
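
Added example, not part of the thread or of any project mentioned in it: the site-owner counterpart to blocking third-party JavaScript is a Content-Security-Policy `script-src` allowlist, and this simplified checker reports which script URLs a given policy would let load. The policies and host names (games.example, adnetwork.example) are constructed, and nonces, hashes, paths, ports and 'strict-dynamic' are not modelled.

```javascript
// Added example: simplified CSP script-src evaluation (not a full CSP3 matcher).
// Not modelled: nonces, hashes, 'strict-dynamic', paths, ports.

// Parse a policy string into Map(directive name -> list of source expressions).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src; with neither, scripts are unrestricted.
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Does one source expression allow this URL? (url and page are URL objects)
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === page.origin;
  if (e === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme source, e.g. https:
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces: no URL match
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(e); // [scheme://]host
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== page.protocol && url.protocol !== 'https:') {
    return false; // a scheme-less host source follows the page's scheme (or https)
  }
  const h = url.hostname.toLowerCase();
  // "*.example" matches subdomains only, never the bare domain.
  if (host.startsWith('*.')) return h.endsWith(host.slice(1));
  return h === host;
}

// True if the policy lets the page load a script from scriptUrl.
function scriptAllowed(policy, scriptUrl, pageUrl) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const url = new URL(scriptUrl, page);
  return sources.some((expr) => sourceMatches(expr, url, page));
}

// List the cross-origin script URLs that the policy would still allow.
function thirdPartyAllowed(policy, pageUrl, scriptUrls) {
  const page = new URL(pageUrl);
  return scriptUrls.filter(
    (s) => new URL(s, page).origin !== page.origin && scriptAllowed(policy, s, pageUrl)
  );
}

// Constructed sample data: a game page, its own scripts, and an ad creative.
const PAGE = 'https://games.example/play';
const SCRIPTS = [
  '/js/game.js',
  'https://static.games.example/engine.js',
  'https://cdn.adnetwork.example/creative/123.js',
];
// Weak: "https:" admits a script from any HTTPS host, including the ad creative.
const WEAK = "default-src 'self'; script-src 'self' https: 'unsafe-inline'";
// Strict: only the page's own origin and one named static host may serve scripts.
const STRICT = "default-src 'self'; script-src 'self' https://static.games.example";

console.log('weak  :', thirdPartyAllowed(WEAK, PAGE, SCRIPTS));
console.log('strict:', thirdPartyAllowed(STRICT, PAGE, SCRIPTS));
```

The strict policy shows the trade-off the comment describes: every third-party script the site does rely on has to be listed explicitly, or it stops loading too.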
  4. Getting my own back by Anonymous Coward · · Score: 1

    My laptop is so pathetic I'm wasting their time.

  5. Let's replace adverts with this. by Anonymous Coward · · Score: 3, Interesting

    Why can't websites replace adverts with this, working for them?

    That seems like a perfect way to get micro-transactions in a website without any micro-transaction having to occur, and it scales with time spent on the website.

    1. Re:Let's replace adverts with this. by thereitis · · Score: 2

      For one thing, it will kill the user's mobile/laptop battery.

  6. Could we find a legitimate use for this idea? by 91degrees · · Score: 4, Interesting

    Micropayments have never caught on because they're a pain to deal with. People might be willing to spend some of their CPU time though. They don't object too much to doing the millions of operations required for a few seconds of video (the objection is more the annoyance of the video itself)

    I suspect CPU time is not valuable enough to make this sort of thing viable but maybe I'm wrong.

    1. Re:Could we find a legitimate use for this idea? by Opportunist · · Score: 1

      Well, if you could get people to install an app...

      Oh no, I said the word!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Could we find a legitimate use for this idea? by hord · · Score: 4, Interesting

      There are tons of distributed projects where people donate CPU time. It has value for communities of people that like to work on common computational goals. Examples are SETI, distributed.net, and folding@home. Here is Wikipedia's list:

      https://en.wikipedia.org/wiki/...

      I ran a Pentium 200MHz overclocked to 250MHz for several years straight (along with many other machines) trying to crack RC5-64 years ago. Lots of fun.

    3. Re:Could we find a legitimate use for this idea? by Rockoon · · Score: 1

      I suspect CPU time is not valuable enough to make this sort of thing viable but maybe I'm wrong.

      You are wrong because you are attributing the wrong metric.

      What this strategy cares about is cycles/watt. They might have a 300 watt server set up somewhere, but beyond that the cycles are all free. A million people all mining with javascript at the cost of that 300 watts.

      --
      "His name was James Damore."
    4. Re:Could we find a legitimate use for this idea? by 91degrees · · Score: 4, Interesting

      Yup, and those are great. I approve of the aspirational ideals.

      But I'm thinking of the more commercial aspects. For example, while I have no complaints about CGI movies, I'm not going to donate my CPU time to help make one. A company might be willing to pay me a fraction of a cent for rendering a few pixels though. I don't want that fraction of a cent. I do, however, want to be able to read websites without annoying popup ads. The website owner, with thousands of impressions per page per day would like that fraction of a cent for each page.

      So the computer animation company pays the website some money to run a few seconds rendering time on my PC. I get the web-page for a negligible increase in power costs, and the computer animation company gets some pixels. Multiply that by a few hundred thousand users. They all get the information they want, the computer animation company gets several frames rendered, and the website owner gets money.

    5. Re:Could we find a legitimate use for this idea? by 91degrees · · Score: 1

      This strategy only cares about dollars per cycle. If I want some computing done, I don't care how many watts it takes if those watts are being paid for by someone else.

    6. Re:Could we find a legitimate use for this idea? by Solandri · · Score: 1

      That doesn't really make much sense. Technically you're not donating CPU time. You're donating the price of the electricity to run the CPU to perform those calculations. Unless the project is transient (e.g. crack RC5-64, then it's over), the acquisition cost of the CPUs is tiny compared to the operational cost (electricity) to perform the actual calculations. A computer animation company is presumably going to continue to remain in the business of computer animation for decades, so it makes more sense for them to buy their own CPUs/GPUs and pay for their own electricity to run them, rather than use the money on advertising to run the calculations in Javascript much less efficiently.

      It's like that stupid idea which comes up every now and then to harvest energy from cars driving over roads. Yes it'll work, but you're not tapping some cheap form of energy. You're stealing energy from all the cars which drive on the road, and you're doing it very inefficiently because of all the mechanical losses involved in transferring energy from the car, to the road, to your energy capture device. The cumulative cost to all the cars (slight decrease in MPG) plus the cost of re-engineering the road to incorporate the energy capture device is several times higher than what it would've cost you to just build a power plant and generate the energy directly.

      That's really what the economic viability of this sort of thing hinges on: How energy-efficient is it to perform this sort of activity distributed over millions of people's computers, vs. doing the activity on your own dedicated equipment? In nearly all cases, it's more efficient to do it on dedicated equipment, and this idea is a non-starter.
      • The malware cryptocurrency mining works because the miners aren't paying for the costs. So even though it's less efficient, by externalizing the electricity cost it becomes a net benefit for the malware authors.
      • Likewise, Folding@home is less energy- and cost-efficient than if people just sent donations to the project to buy their own equipment and run their own protein folding simulations. The project is successful because people tend to lump their electricity bill into an "I gotta pay it" category, whereas a separate charitable contribution could end up axed when they think "I really don't have the extra money to be donating to this."
      • Donating CPU time to crack RC5-64 worked because it was a temporary project. Once it was completed, there was no need to do further computations. So if the team had acquired their own computers, they would've had to sell them at the end of the project at a substantial loss (depreciation). Doing it as a distributed project neatly avoided that expense by shifting that cost from the project onto the computer purchase and amortization schedules of computer owners around the world (which is near zero because people buy those computers anyway). But on a commercial scale (not taking charitable donations) this sort of activity is more cheaply performed by temporarily renting servers via a hosting service like Amazon EC2.

      Because of the relative inefficiency of Javascript, I can't really think of any activities where distributing it to browsers via ads is really cost- or energy-efficient. Maybe Amazon EC2 might find it useful if there were a sudden temporary spike in CPU demand which exceeded their servers' capability to deliver, and they needed to temporarily find some extra CPU cycles to take the additional load. But in every other case I can think of, it's cheaper to just buy your own computers or to rent time on them directly. The only way selling CPU time via browser ads is competitive is if you're actually stealing CPU time - selling the CPU time for cheaper than the extra electricity cost to the person running the browser. And at that point you've crossed the line from being a legitimate ad to being malware.

    7. Re:Could we find a legitimate use for this idea? by 91degrees · · Score: 1

      Technically you're not donating CPU time. You're donating the price of the electricity to run the CPU to perform those calculations. Unless the project is transient (e.g. crack RC5-64, then it's over), the acquisition cost of the CPUs is tiny compared to the operational cost (electricity) to perform the actual calculations.

      I don't see why it matters what we're donating. As far as the customer is concerned, they send data to a third party, and they get rendered frames.

      A computer animation company is presumably going to continue to remain in the business of computer animation for decades, so it makes more sense for them to buy their own CPUs/GPUs and pay for their own electricity to run them, rather than use the money on advertising to run the calculations in Javascript much less efficiently.

      Pixar or Dreamworks, sure. A lot of these companies are a lot smaller. They don't want to have large server farms sitting idle most of the time. They lease a server farm. Plenty of companies provide this service already. My suggestion is to enter this market using distributed processing.

      They wouldn't be using Javascript. WebAssembly exists. That can be compiled and optimised pretty easily. Maybe not as well as targeted optimisation but we're only after competitive efficiency here; not peak efficiency.

      Likewise, Folding@home is less energy- and cost-efficient than if people just sent donations to the project to buy their own equipment and run their own protein folding simulations. The project is successful because people tend to lump their electricity bill into an "I gotta pay it" category, whereas a separate charitable contribution could end up axed when they think "I really don't have the extra money to be donating to this."

      And this is the principle this works on. Except the psychology is wrong. People don't mind donating to the project. But the time cost is too great for people to feel it's worth the effort. Microtransactions are even worse, because people need to make the effort to pay a fraction of a cent. But this just uses their cycles when they're not using them. Yes, if they were willing to pay the microtransaction directly it would be cheaper, but they aren't. So charge them in something they are willing to pay. Reward them with something that costs a lot less than what they're paying.

    8. Re:Could we find a legitimate use for this idea? by Rockoon · · Score: 1

      This strategy only cares about dollars per cycle.

      Do you really think a valid retort is to restate what I said?

      You are part of the problem. You were pretending to have a reasoned argument, got caught out, and now rephrased "cycles per watt" as "cycles per dollar" (it's the same thing, fucknut)

      --
      "His name was James Damore."
    9. Re:Could we find a legitimate use for this idea? by 91degrees · · Score: 1

      I don't understand your objection.

      People pay money for processing time. They don't care whether their processing happens on an ARM or a bunch of decade old Pentium 4s. They care how much it costs them. Not how much it costs the person they're buying CPU time from.

      People would be willing to sell their processing power at a nominal loss, because they gain the convenience of not having intrusive ads, so the number of watts it costs them or the number of dollars it costs them are an irrelevance.

  7. Re:Crooks? by Opportunist · · Score: 1

    But those were cycles I wanted to waste on cat videos!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re: Crooks? by Boutzev · · Score: 5, Insightful

    If an ad runs on your computer without authorization - it uses your computer's resources too. Is that somehow different just because ads waste less resources than mining? What about a mining script that uses less resources than the standard video ad - would they still be crooks?

    While I don't agree with anyone running code on a user's station without authorization, there isn't much difference between this and a common ad. Both should be illegal if you ask me. But if those guys are crooks - then what would Google Adwords be?

  9. Why the indirection? by Mal-2 · · Score: 1

    Why not write the mining and phone-home routines directly into the games that people are playing? It would probably improve efficiency considerably, and somewhere in the EULA it can be noted that the game is working on a distributed computing project in the background as the 'fee' for using their otherwise free game.

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  10. Shame on the ad network by cdwiegand · · Score: 3, Insightful

    What advertising network? They should be known, publicly shamed, and every website operator should know not to do business with them.

    Honestly, I wish there was a way for me to report an ad that's violating browser rules. I hate when I go to a real newspaper site that uses ads, and I get served an ad that takes over the whole window, hiding stuff behind, but there's no way for me, on my phone / tablet, to know who served the ad or report the ad placement. Makes me want to block all ads everywhere on my personal devices and networks, but THAT comes with issues because many sites and even many mobile apps refuse to function if they can't talk to the ad networks and/or Google/Adobe/etc.

    --
    . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
  11. The importance of editing by argStyopa · · Score: 1

    I read "...mine different cryptocurrencies inside people's browsers (mostly Monero),..." and was like what's this new browser Monero that so many people are using that it's worth focusing malware on?

    Maybe it could have been written better as: "...mine different cryptocurrencies (mostly Monero) inside people's browsers,..."

    --
    -Styopa
  12. WebSockets are the next threat by CrashNBrn · · Score: 1

    The other thing to keep an eye on these days are WebSockets, I would be surprised if this JS BS incorporates that now or the near future. There don't appear to be memory limitations to WebSockets either.

  13. Re: Crooks? by K.+S.+Kyosuke · · Score: 1

    What about a mining script that uses less resources than the standard video ad - would they still be crooks?

    I vaguely recall that The Cuckoo's Egg mentions a case of someone convicted of stealing electricity in Canada since they couldn't prosecute computer intrusion at that time. So the amount of electricity is perhaps secondary. Also, CFAA in the US? I don't know how (if) that applies.

    --
    Ezekiel 23:20