Cybersecurity researchers have developed two groundbreaking methods that exploit inherent weaknesses in mining topologies and pool policies to disrupt cryptominer botnets. These approaches focus on undermining the mining proxies and wallets that serve as critical infrastructure for attackers’ operations.
By targeting these components, defenders can drastically reduce botnet effectiveness, forcing attackers to either overhaul their infrastructure or abandon their campaigns altogether.
Bad Shares Method Disables Mining Proxies
The first technique, the bad shares (or fraudulent shares) method, involves submitting invalid mining job results to a malicious mining proxy. The proxy acts as an intermediary that shields the attacker's mining pool and wallet addresses, but it is also a single point of failure.
By impersonating a miner and submitting consecutive invalid shares, defenders can trigger the mining pool to ban the proxy. This ban halts mining for every bot behind that proxy, causing victim CPU usage to drop from 100% to zero.
Did you know?
Stratum, the mining protocol used by Monero pools and widely adopted elsewhere, incorporates policies that can be leveraged defensively to disrupt malicious mining operations without affecting legitimate users.
XMRogue Tool Enables Proxy Banning
Central to the bad shares approach is XMRogue, an in-house developed tool that impersonates miners to connect to mining proxies. XMRogue automates the submission of invalid shares, accelerating the banning process and disrupting the attacker’s mining infrastructure.
This tool represents a significant advancement in active defense, enabling security teams to take the offensive against cryptomining botnets without impacting legitimate miners.
Exploiting Pool Policies to Ban Wallet Addresses
The second method targets scenarios where victim miners connect directly to public mining pools without proxies. Mining pools can ban wallet addresses temporarily if they detect more than 1,000 concurrent workers associated with a single wallet.
By initiating a flood of login requests using the attacker’s wallet, defenders can force the pool to ban that wallet for an hour. While this ban is temporary, it disrupts mining activities and imposes operational costs on attackers.
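The two pool policies described above (a source that submits consecutive bad shares is banned; a wallet with more than 1,000 concurrent workers is banned for an hour) are easier to reason about when modeled from the pool's side. The following Python is an added illustration written for this article, not code from the researchers, from XMRogue, or from any real mining pool: it keeps a toy in-memory ban state and walks through both scenarios. The 1,000-worker limit and one-hour ban come from the text; the number of consecutive bad shares a pool tolerates is not stated on the page, so `BAD_SHARE_LIMIT` is an assumed parameter, and the proxy address and wallet string are constructed placeholders.

```python
"""Toy model of the two mining-pool ban policies discussed in the article.
Added illustration only: not a real pool, not the researchers' tooling."""
from dataclasses import dataclass, field

# Values stated in the article
MAX_CONCURRENT_WORKERS = 1000    # more than this per wallet triggers a ban
WALLET_BAN_SECONDS = 3600        # the article's one-hour wallet ban
# Assumption: the article does not say how many consecutive bad shares a pool
# tolerates before banning the submitting address; a small value is used here.
BAD_SHARE_LIMIT = 5


@dataclass
class PoolPolicyModel:
    """In-memory model of a pool's ban logic (not a real pool implementation)."""
    now: float = 0.0
    consecutive_bad: dict = field(default_factory=dict)    # source addr -> count
    banned_sources: set = field(default_factory=set)
    workers_by_wallet: dict = field(default_factory=dict)  # wallet -> worker ids
    wallet_ban_until: dict = field(default_factory=dict)   # wallet -> timestamp

    def advance(self, seconds: float) -> None:
        """Move the model clock forward (used to show the ban expiring)."""
        self.now += seconds

    def submit_share(self, source: str, valid: bool) -> str:
        """Policy 1: consecutive invalid shares from one source get it banned.
        A proxy fronting a whole botnet is one source, so banning it stops
        every miner behind it."""
        if source in self.banned_sources:
            return "rejected: source banned"
        if valid:
            self.consecutive_bad[source] = 0      # a good share resets the streak
            return "accepted"
        self.consecutive_bad[source] = self.consecutive_bad.get(source, 0) + 1
        if self.consecutive_bad[source] >= BAD_SHARE_LIMIT:
            self.banned_sources.add(source)
            return "banned: too many consecutive bad shares"
        return "rejected: bad share"

    def login(self, wallet: str, worker_id: str) -> str:
        """Policy 2: more than MAX_CONCURRENT_WORKERS workers on one wallet bans
        the wallet for WALLET_BAN_SECONDS, rejecting every worker using it."""
        until = self.wallet_ban_until.get(wallet)
        if until is not None and self.now < until:
            return "rejected: wallet banned"
        workers = self.workers_by_wallet.setdefault(wallet, set())
        workers.add(worker_id)
        if len(workers) > MAX_CONCURRENT_WORKERS:
            self.wallet_ban_until[wallet] = self.now + WALLET_BAN_SECONDS
            workers.clear()                        # the pool drops the wallet's sessions
            return "banned: too many concurrent workers"
        return "accepted"


def proxy_ban_walkthrough() -> list:
    """Bad-share scenario: one good share, then BAD_SHARE_LIMIT bad ones, then
    a genuine share from the botnet's real miners that is now refused too."""
    pool = PoolPolicyModel()
    proxy = "proxy.constructed.example"            # constructed placeholder address
    results = [pool.submit_share(proxy, valid=True)]
    for _ in range(BAD_SHARE_LIMIT):
        results.append(pool.submit_share(proxy, valid=False))
    results.append(pool.submit_share(proxy, valid=True))
    return results


def wallet_ban_walkthrough() -> dict:
    """Worker-count scenario: fill the wallet to the limit, trip the ban with one
    more worker, then show the ban blocking a real victim until the hour is up."""
    pool = PoolPolicyModel()
    wallet = "CONSTRUCTED_WALLET_PLACEHOLDER"      # not a real address
    accepted = sum(pool.login(wallet, f"w{i}") == "accepted"
                   for i in range(MAX_CONCURRENT_WORKERS))
    trigger = pool.login(wallet, "w-overflow")
    during_ban = pool.login(wallet, "victim-1")
    pool.advance(WALLET_BAN_SECONDS - 1)
    still_banned = pool.login(wallet, "victim-1")
    pool.advance(1)
    after_ban = pool.login(wallet, "victim-1")
    return {"accepted_before": accepted, "trigger": trigger,
            "during_ban": during_ban, "still_banned": still_banned,
            "after_ban": after_ban}


if __name__ == "__main__":
    print(proxy_ban_walkthrough())
    print(wallet_ban_walkthrough())
```

The model makes the asymmetry in the article concrete: in the bad-share case the ban key is the proxy's address, so one banned source takes every bot behind it offline; in the wallet case the ban key is the wallet itself and it lifts automatically after the hour, which is why the text calls that disruption temporary.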
Broader Implications and Future Prospects
Although these techniques have primarily targeted Monero miners, researchers note their applicability to other cryptocurrencies. The methods leverage existing pool policies without disrupting legitimate mining operations, offering a scalable and precise defense mechanism.
Legitimate miners can quickly recover by modifying IP addresses or wallets, whereas malicious cryptominers face the daunting task of reconfiguring entire botnets. For less sophisticated attackers, these defenses may prove decisive in disabling their campaigns.