[HN Gopher] Detecting Monero Miners with Bpftrace
___________________________________________________________________
Detecting Monero Miners with Bpftrace
Author : philkuz
Score : 115 points
Date : 2022-02-22 17:59 UTC (5 hours ago)
(HTM) web link (blog.px.dev)
(TXT) w3m dump (blog.px.dev)
| unnouinceput wrote:
| Title is somehow misleading. This is not about uncovering Monero
| users in the wild and exposing which of them are criminals, as I
| first believed when reading the title. This is about detecting an
| unwanted Monero miner on your system. But if you're already pwned
| such that an unwanted process is already running on your system, a
| Monero miner is the least of your worries.
| jakelazaroff wrote:
| That's not necessarily true. You could be a cloud provider
| offering compute resources within a container, for example.
| garaetjjte wrote:
| >If these cryptojackers were to mine Bitcoin or Ethereum, their
| transaction details would be open to the public, making it
| possible for law enforcement to track them down
|
| That doesn't actually matter at all. Monero is used for these
| purposes probably just because it's mineable only on CPU, thus
| viable to mine on ordinary hardware. (Bitcoin requires ASICs and
| Ethereum high-end GPUs.)
| anonporridge wrote:
| Yep. Monero is explicitly designed to remain CPU mineable, so
| that theoretically it remains more decentralized and mined by
| individuals rather than an industrial complex like bitcoin and
| ethereum have become.
|
| Counterintuitively, I think this also makes it more susceptible
| to nation state attacks, since you can easily deputize fleets
| of existing CPUs to 51% attack the network, whereas no nation
| state on the planet can easily get enough sha256 ASIC miners to
| attack bitcoin, not even accounting for the enormous
| electricity requirements to sustain a destructive attack.
|
| Then again, the consolidation of bitcoin mining as an industry
| is also a systemic risk compared to millions of individuals in
| the network mining. Tradeoffs.
| technofiend wrote:
| >Monero is explicitly designed to remain CPU mineable
|
| You're not wrong, but it can be and is mined on GPUs. Not
| sure about the payback period though because it is very CPU
| sensitive and the top benchmarks are for AMD's EPYC
| processors which don't come cheap. An i9-12k handily mines
| several times more than an Nvidia GPU so GPU mining payback
| is also potentially slow.
|
| At least according to the online guides it's also a losing
| proposition relative to the costs of electricity. So then
| allegedly the only way to profitably mine it is on someone
| else's energy and maybe their hardware too. For anyone truly
| seeking anonymity it seems like far less work to buy Monero
| from a localcoin vendor rather than mint your own, unless you
| have a lot of free time and hardware on your hands. Which may
| explain why antivirus software assumes if you're mining with
| xmrig, you've been pwned.
| rspeele wrote:
| > no nation state on the planet can easily get enough sha256
| ASIC miners to attack bitcoin
|
| What if you set up several sock puppet mining pools, all
| supposedly independent and in competition with each other,
| and beat the existing pools on fees by enough that miners
| join you en masse? That would take some investment on your
| end as you would have to run pool infrastructure at a loss.
| But if you are a nation state, it's not a huge investment.
| You don't need to have any mining hardware of your own if you
| offer miners better returns for the use of their hardware
| than the other pools do.
|
| Once your pools, taken together, have a dominant share of
| miners, I would think you could run a 51% attack without ever
| acquiring a single ASIC. The reputation of your pools will
| not survive but I think you could complete a 1 hour attack
| (reversing 6-conf transactions) before you lose the miners.
|
| Would this work?
| NavinF wrote:
| It would work until people notice what happened and
| everyone updates their software to fork the chain. Similar
| grifts have happened and led to forks.
| thebean11 wrote:
| If a pool were withholding blocks to attempt this the
| miners would notice super quickly, they would stop making
| money long before your attack was successful.
|
| Even if this was a realistic way to cause a 6 block re-org... it
| seems like tons of work for a relatively small attack.
| anonporridge wrote:
| Andreas Antonopoulos has a good monologue on the risk of a
| 51% attack, https://www.youtube.com/watch?v=ncPyMUfNyVM
| anonporridge wrote:
| No.
|
| You're still relying on this pool of independent miners to
| not defect after you initiate your attack.
|
| Also a 6 block re-org is not unheard of and does happen
| naturally with the standard consensus rules on rare
| occasion. That's not enough to cause massive destruction of
| confidence. Security and confidence in your transaction's
| immutability has always been a continuous function of how
| much work has been piled on top of it, and how much energy
| it would take to redo that work. If you are transacting a
| very large amount of money, it behooves you to give it even
| more than 6 blocks for real confidence.
| bduerst wrote:
| That's based on the pretty big assumption that there's a lot
| of under-utilized hardware being slaved to some central
| government authority, which by definition it probably isn't.
|
| I would bet more on cloud infrastructure providers being able
| to do better than nation-states in a CPU takeover of an
| ASIC-resistant network like Monero.
|
| Motivations aside, it still comes down to cost though, and
| without any handwaving, Monero just isn't that important to
| take over.
| anonporridge wrote:
| I agree. If anything, a nation state would likely have to
| deputize AWS to run the attack.
|
| But also, this would be a purely destructive attack. A 51%
| attack isn't something that would ever allow a single
| entity to actually take control of the network, because you
| either a) obliterate public confidence and crash the value
| of the token, making mining a pure cost and the network
| worthless, or b) you incentivize the honest network
| participants to fork the network away from your
| computational dominance, leaving you with a ton of wasted
| money and possibly a worthless fleet of miners.
| 22c wrote:
| Supposedly one of the "worst kept secrets" of Monero is that
| a lot of the network is being "secured" by, essentially,
| botnets. Miners who are unaware that they are participating
| in the network.
|
| I guess the controllers of these botnets seem to agree that
| there's no reason to kill the cash cow and (aside from the
| fact that they're running a botnet) don't tend to act
| maliciously towards the network.
| latchkey wrote:
| ETH doesn't require a high end gpu. It is typically more ROI
| efficient with something like a RX470 8gb, which is a 5 year
| old piece of tech.
|
| ethash, the algo ETH uses, is memory controller bound (aka:
| memory hardness), not compute bound.
|
| https://www.vijaypradeep.com/blog/2017-04-28-ethereums-memor...
| wanderer_ wrote:
| Now they just need to do it with the chip's EM signature like in
| that PoC a few weeks ago...
|
| https://hackaday.com/2022/01/19/identifying-malware-by-sniff...
| m00dy wrote:
| How can we detect it inside the browser?
| crecker wrote:
| I do not think it's possible to mine using RandomX and a
| browser.
|
| From the docs:
|
| > Web mining is infeasible due to the large memory requirement
| and the lack of directed rounding support for floating point
| operations in both Javascript and WebAssembly.
|
| So you can do whatever you want, but you will end with nothing.
| dmitrygr wrote:
| So? Implement soft float and round any way you please. Slow?
| Sure. But don't say "infeasible".
| blacksmith_tb wrote:
| Detect, or block? There are a few options for blocking, if you
| run uBlock Origin[1] the Resource Abuse list covers many.
|
| 1: https://github.com/gorhill/uBlock
| m00dy wrote:
| Detect. How can we detect a JS-implemented Monero miner inside
| a browser? E.g. are Chrome dev tools exposing VM internals
| like in the blog post?
| devops000 wrote:
| Monero is not anonymous anymore as soon as you want to convert to
| fiat.
| vmception wrote:
| It's been over half a decade since that stopped mattering, for
| me.
|
| I've bought goods and services directly with Monero plenty of
| times. I've paid invoices that the merchant put in Bitcoin,
| while using a third party to pay in Monero, which the third
| party then paid in Bitcoin.
|
| Now in the 2020s I can swap Monero directly to SECRET network,
| a Tendermint/Cosmos blockchain where all smart contract
| executions are private (such as the amount and quantity of your
| erc20-style wrapped Monero), allowing further bridging over to
| the EVM ecosystem for all the liquid DeFi trading activities,
| and Tornado cash if desired.
|
| And the times when I use KYC to convert it to fiat, I haven't
| cared either. I like that the OTC desk or exchange doesn't even
| receive the address I sent from, much more similar to wiring
| from another bank account, where the receiving bank can't look
| at all your prior records and balances at the source of money
| and just has to assume the other place is compliant. It should
| be obvious that someone with an illicit source of their Monero
| will need to reintegrate their value into the broader economy
| first, so that they can account for it properly. With access to
| the entire DeFi ecosystem now, that is extremely easy.
|
| All crypto users should restore that level of privacy.
| devops000 wrote:
| What are the advantages of doing all those steps using Monero
| instead of fiat? I understand that you can hide your traces, but
| if you buy legit things, who cares?
| vmception wrote:
| To the edited version of your question:
|
| > What are the advantages of doing all those steps using Monero
| instead of fiat? I understand that you can hide your traces,
| but if you buy legit things, who cares?
|
| I had a balance of Monero. It was convenient. Online
| payments are a lot easier when you don't have to fill in a
| bunch of information, what "steps" were you imagining? I
| didn't have to go get Monero, I had already accumulated it.
| Just like the Miners in the article have already
| accumulated it, just like anybody earning for Monero by
| providing a service had already accumulated it.
|
| In any case, compared to attempting to pay with fiat, a
| crypto payment form typically lacks:
|
| - First Name
| - Last Name
| - Company Name
| - Street Address
| - City
| - State
| - Postal Code
| - [ ] Is Billing Address the Same or Different
| - Card Number
| - Security Code
| - Expiration Date
|
| Similar to how convenient Apple Pay is this decade. Crypto
| users had that last decade, Monero users had that and less
| leaking of their finances.
|
| Aside from the pared-down user experience, I also like that
| the merchant isn't storing all that personal information
| just to process a transaction, but that's just icing on the
| cake, not really a motivating factor.
| vmception wrote:
| > what are legit things you bought with Monero
|
| It's been 8 years now, I guess off the top of my head:
|
| groceries, domain names, registered agent services, compute
| instances, graphic design, press releases
| djhn wrote:
| Any reading you could recommend on Monero? Beyond wiki,
| subreddit, etc. Looking for more of an economics angle
| than cryptography angle, without generic crypto hype.
| BbzzbB wrote:
| I have no insightful information to give you with regards
| to Monero, but to me what you're looking for is a good
| fit for Marginalia's text-centric search engine [0]. I
| get interesting results when I'm looking for authentic
| and elaborate opinions on given subjects outside the
| beaten path, which seems to be your goal. And especially
| useful when trying to flee the cesspool of results Google
| gives you when looking for topics with heavily financial
| undertones - good effing luck getting to a genuine
| article speaking of cryptocurrencies, stocks or any topic
| with financial incentives.
|
| 0: search.marginalia.nu
| vmception wrote:
| Not sure, one key aspect of the economics side in that
| community is "tail emission".
|
| So looking up
|
| Monero tail emission
|
| might help, but I don't think there is more formal
| literature that just focuses on that; maybe some
| enthusiasts in university have something on SSRN.
| rosndo wrote:
| So? Monero also makes it trivial to create a fake paper trail
| for the origins of your money.
| devops000 wrote:
| When you receive the bank wire from the exchange you need
| to provide the IRS with the source of income. What will you
| say to them?
| Jerrrry wrote:
| Nothing, because of the 5th amendment.
|
| You pay taxes on stolen gains. The IRS is explicitly
| forbidden from reporting the gains themselves.
| CheezeIt wrote:
| They have broken this rule.
| dpacmittal wrote:
| Just sell an NFT to yourself.
| wnevets wrote:
| relevant
|
| https://fortune.com/2022/02/16/melania-trump-nft-auction/
| rosndo wrote:
| You provide them accounting from your fake business which
| accepts only monero payments for digital goods and doesn't
| keep access logs?
|
| This is really basic stuff. You will never be caught unless
| other evidence leads them from the original crime to you.
|
| Unless you fuck up it's not possible to link incoming
| Moneroj to any specific source, this means that you can
| fairly easily hide your money laundering activities even
| from somebody with full visibility into your business.
| 323 wrote:
| You live in some fantasy land if you think you can just
| say "oh, I just received 100 dollars worth of Monero from
| 1 million unknown entities, my $100 million is totally
| legit, fuck off".
|
| Unlike criminal law where you are "innocent until proven
| guilty", in most AML/KYC situations you are "guilty until
| proven innocent".
| rosndo wrote:
| You're being ridiculous. Nobody is going to look at you
| twice for selling 1000x$5000 cryptocurrency trading
| courses a year, or even double that.
|
| I've dealt with AML/KYC for cryptocurrency businesses
| with much higher volumes, nobody ever asked for anything
| crazy. Just basic accounting, website URLs, LinkedIn
| profiles.
|
| > You live in some fantasy land if you think you can just
| say "oh, I just received 100 dollars worth of Monero from
| 1 million unknown entities, my $100 million is totally
| legit, fuck off"
|
| I think the only takeaway here is that "323" is too
| stupid and greedy to survive as a money launderer. Don't
| try to cash out $100M in monero at once, live a wonderful
| life with $5-10M a year.
| bduerst wrote:
| >I've dealt with AML/KYC for cryptocurrency businesses
| with much higher volumes, nobody ever asked for anything
| crazy.
|
| Were they legit businesses or illegal?
|
| It makes a difference because there's more than just you
| and the KYC exchanges reporting, and it's survivor bias
| to assume they appear the same.
| rosndo wrote:
| Legal businesses, receiving much larger individual
| payments from a limited number of clients.
|
| > It makes a difference because there's more than just
| you and the KYC exchanges reporting, and it's survivor
| bias to assume they appear the same.
|
| Exchanges are usually the least of your problems, it's
| the banks.
|
| Even very high risk businesses don't face scrutiny which
| isn't easily overcome when all of your incoming payments
| are anonymous and untraceable. It's really not hard to
| create a fake ecommerce business that would be entirely
| indistinguishable from a real one.
| Scoundreller wrote:
| My employer does a pretty good job of giving us terrible hardware
| so the thought of mining on it is self-discouraging.
|
| They have no problems giving us space heaters though.
|
| As largely a joke, I sometimes fire up monero mining on my laptop
| at home because the average proceeds exceed electricity cost,
| even though it'll take me about a decade to ever get a block. The
| heat is just cake icing.
___________________________________________________________________
(page generated 2022-02-22 23:00 UTC)