Akamai, a well-known name in cybersecurity and content delivery, has published a technique it calls "bad shares", implemented in a tool named XMRogue, to disrupt cryptomining botnets. The technique exploits how mining pools operate and how they use the Stratum protocol. Once the moving parts are understood, it is easy to see how they combine to undermine a bad-faith mining operation.
Cryptomining botnets are networks of compromised computers that mine cryptocurrency without their owners' knowledge or consent. The attacker earns a healthy return on very little investment, while the victims live with degraded performance and higher energy bills. Akamai's approach focuses on taking away the botnet's ability to profit: rather than hunting down every infected machine, bad shares and XMRogue go after the mining process itself, so that the botnet's work is wasted.
The central idea behind "bad shares" is to turn the pool's own abuse protections against the botnet. A pool pays miners for shares, that is, for submitted work whose hash falls below the pool's share target. The pool verifies every share it receives; a share with a wrong hash, a stale job, a duplicate nonce or a hash above the target is rejected and counted as invalid. Because a flood of invalid shares is a classic sign of a broken or malicious miner, pools throttle or ban sources whose invalid ratio climbs too high. Akamai's method deliberately sends a large number of invalid shares in the botnet's name, through the botnet's own proxy or under its wallet, so that the ban lands on the botnet's proxy or wallet. That cuts off the botnet's revenue stream without touching a single infected machine.
XMRogue is the tool Akamai built to automate this. It speaks Stratum, the line protocol between miners and mining pools, on the botnet's behalf: it exploits no bug in the pool software, but uses the ordinary login and submit messages a miner would send, connecting like one of the botnet's miners and submitting shares the pool must reject. Once the pool bans the proxy or wallet, the bots keep hashing but nothing they submit is credited. That does two things: it makes the botnet less profitable and therefore less attractive to run, and it makes the botnet's infrastructure, its proxies and wallets, easier to detect and track.
Understanding the Attack Vectors
To appreciate how effective Akamai's techniques are, it helps to know how cryptomining botnets usually operate. They consist of compromised machines running malware that mines quietly while the owner goes about their business. The malware connects to a mining pool, often through a proxy the attacker controls so that the pool sees one source rather than thousands of bots, and submits shares under the attacker's wallet address.
The botnets themselves rely on the Stratum V1 protocol, and that is where they are exposed. As Ruben Recabarren's research on hardening Stratum showed, Stratum V1 typically runs as plaintext JSON-RPC over TCP with no authentication of message content, so it is vulnerable to man-in-the-middle attacks: anyone on the path can observe and alter the traffic between a miner and its pool. That can be used to steal the miner's hashrate, by rewriting the wallet in the login so the pool credits the attacker's account, or to feed the miner altered jobs.
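To make the man-in-the-middle weakness concrete, here is an added simulation (my own code, not from Akamai, Recabarren or any pool). It models a miner, a pool and an on-path attacker exchanging the Monero-style Stratum `login` and `submit` messages that XMRig-type miners use: rewriting the wallet in the single `login` message steals credit for every share of the session, because `submit` carries only the session id. The third scenario tags each line with an HMAC under a key the attacker does not hold; that is a stand-in for the authenticated channel Stratum V2 provides (V2 actually uses a Noise handshake, not a pre-shared key), not V2 itself. The wallets, key, job and session ids are constructed placeholders.

```python
"""Stratum V1 hashrate hijacking by an on-path attacker, simulated.

Added example, not code from Akamai, Recabarren or any pool. Stratum V1 is
newline-delimited JSON-RPC with no authentication of message content, so an
attacker on the path can rewrite the 'login' that carries the payout wallet.
Every later 'submit' names only the session id, so one rewritten line diverts
the whole session's hashrate. The MAC scenario is a stand-in for an
authenticated transport (Stratum V2 uses a Noise handshake, not a shared key).
Wallets, key, job and session ids are constructed placeholders.
"""
import hashlib
import hmac
import json

MINER_WALLET = "44miner-wallet-placeholder"        # constructed
ATTACKER_WALLET = "48attacker-wallet-placeholder"  # constructed
POOL_KEY = b"constructed-miner-pool-shared-key"    # the attacker never learns this


def encode(msg: dict) -> bytes:
    """One Stratum line: compact JSON terminated by a newline."""
    return (json.dumps(msg, separators=(",", ":")) + "\n").encode()


class Pool:
    """Credits each accepted share to the wallet named at login for that session.
    Share validity is not modelled here; the point is who gets the credit."""

    def __init__(self, require_mac: bool = False):
        self.require_mac = require_mac
        self.sessions = {}   # session id -> wallet
        self.credited = {}   # wallet -> accepted shares
        self.rejected = 0    # lines that failed the integrity check

    def handle(self, line: bytes) -> bytes:
        msg = json.loads(line)
        if self.require_mac:
            tag = msg.pop("mac", "")
            expected = hmac.new(POOL_KEY, encode(msg), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(tag, expected):
                self.rejected += 1
                return encode({"id": msg.get("id"), "error": {"code": -1, "message": "bad mac"}})
        if msg["method"] == "login":
            sid = f"sess-{len(self.sessions) + 1}"
            self.sessions[sid] = msg["params"]["login"]
            return encode({"id": msg["id"], "result": {"id": sid, "status": "OK",
                           "job": {"job_id": "j1", "blob": "00" * 76, "target": "ffffff00"}}})
        if msg["method"] == "submit":
            wallet = self.sessions.get(msg["params"]["id"])
            if wallet is None:
                return encode({"id": msg["id"], "error": {"code": -1, "message": "unknown session"}})
            self.credited[wallet] = self.credited.get(wallet, 0) + 1
            return encode({"id": msg["id"], "result": {"status": "OK"}})
        return encode({"id": msg.get("id"), "error": {"code": -32601, "message": "unknown method"}})


def mitm(line: bytes, attacker_wallet: str) -> bytes:
    """On-path rewrite of miner->pool traffic: swap the wallet in 'login', pass the rest."""
    msg = json.loads(line)
    if msg.get("method") == "login":
        msg["params"]["login"] = attacker_wallet   # a stale 'mac', if present, stays attached
    return encode(msg)


def miner_session(pool: Pool, shares: int, on_path=None, sign: bool = False) -> int:
    """Log in as MINER_WALLET and submit `shares` shares, optionally through `on_path`.
    Returns the number of shares the pool acknowledged."""
    def send(msg: dict) -> dict:
        if sign:   # integrity-protected variant: tag the line under the shared key
            msg["mac"] = hmac.new(POOL_KEY, encode(msg), hashlib.sha256).hexdigest()
        line = encode(msg)
        return json.loads(pool.handle(on_path(line) if on_path else line))

    resp = send({"id": 1, "jsonrpc": "2.0", "method": "login",
                 "params": {"login": MINER_WALLET, "pass": "x", "agent": "xmrig-like/0"}})
    if "error" in resp:
        return 0
    sid, acked = resp["result"]["id"], 0
    for i in range(shares):
        resp = send({"id": 2 + i, "jsonrpc": "2.0", "method": "submit",
                     "params": {"id": sid, "job_id": "j1", "nonce": f"{i:08x}", "result": "00" * 32}})
        acked += "result" in resp
    return acked


def demo() -> dict:
    plain, hijacked, protected = Pool(), Pool(), Pool(require_mac=True)
    miner_session(plain, 10)                                                 # no attacker
    miner_session(hijacked, 10, on_path=lambda l: mitm(l, ATTACKER_WALLET))  # V1 as deployed
    miner_session(protected, 10, on_path=lambda l: mitm(l, ATTACKER_WALLET), sign=True)
    return {"plain": plain.credited, "hijacked": hijacked.credited,
            "protected": protected.credited, "protected_rejected": protected.rejected}
```

The hijacked miner never sees an error: the pool answers its login with a normal job and accepts every share, it is just paying someone else. Nothing in the V1 exchange echoes the wallet back, so the theft is only visible out of band, by comparing the hashrate the pool dashboard credits to your wallet with what your hardware reports.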
Akamai's "bad shares" technique targets the pool's policy for invalid shares directly. Pools typically detect and penalize miners that submit a high percentage of invalid shares. Akamai deliberately floods the pool with invalid shares attributed to the botnet, so the pool's own rules blacklist the botnet's proxies or wallets. XMRogue is the tool that does the submitting: it speaks Stratum to the pool just as a miner would, but every share it sends is one the pool has to reject. No code is injected anywhere; the technique works entirely with protocol messages the pool already expects.
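The procedure described above, as an added simulation (my own code, not Akamai's XMRogue and not any real pool's software): a pool that validates shares and bans an IP whose invalid ratio crosses a threshold, a botnet proxy that fronts the bots, an honest bot, and a bad-shares client that logs in through the proxy with the botnet's wallet and submits shares that cannot validate. The proof of work is a SHA-256 stand-in for RandomX; the IPs, wallet, difficulty and ban thresholds are constructed, and real pools apply their own policies.

```python
"""The "bad shares" technique end to end, simulated in memory.

Added example, not Akamai's XMRogue and not any real pool's code. It models
the policy the text describes: the pool counts invalid shares per connecting
IP and bans an IP whose invalid ratio crosses a threshold once enough shares
have been seen. The bots reach the pool through the botnet's own proxy, so the
pool attributes everything, including the invalid shares pushed through that
proxy, to the proxy's IP; banning it cuts every bot off at once. The proof of
work is a SHA-256 stand-in for RandomX; IPs, wallet, difficulty and thresholds
are constructed placeholders.
"""
import hashlib
import json
import secrets

DIFFICULTY = 2 ** 12        # toy share difficulty: valid shares are cheap to find
MIN_SHARES = 20             # judge an IP only after this many shares
MAX_INVALID_RATIO = 0.25    # ban once more than 25% of an IP's shares are invalid


def share_hash(blob_hex: str, nonce_hex: str) -> str:
    """Toy proof of work over the job blob and nonce (stands in for RandomX)."""
    return hashlib.sha256(bytes.fromhex(blob_hex) + bytes.fromhex(nonce_hex)).hexdigest()


def meets_target(hash_hex: str, difficulty: int) -> bool:
    return int(hash_hex, 16) < 2 ** 256 // difficulty


class Pool:
    """Minimal Stratum pool: login/submit as JSON-RPC, share validation, and
    per-IP invalid-share accounting with a ban list."""

    def __init__(self):
        self.sessions = {}      # session id -> {"ip", "wallet", "blob", "seen"}
        self.stats = {}         # ip -> [valid, invalid]
        self.banned_ips = set()

    def handle(self, src_ip: str, line: str) -> dict:
        msg = json.loads(line)
        if src_ip in self.banned_ips:
            return {"id": msg.get("id"), "error": {"code": -1, "message": "Unauthorized (banned)"}}
        if msg["method"] == "login":
            sid, blob = secrets.token_hex(8), secrets.token_hex(38)   # 76-byte blob like Monero's
            self.sessions[sid] = {"ip": src_ip, "wallet": msg["params"]["login"],
                                  "blob": blob, "seen": set()}
            return {"id": msg["id"], "result": {"id": sid, "status": "OK",
                    "job": {"job_id": sid, "blob": blob, "target": DIFFICULTY}}}  # target simplified
        if msg["method"] == "submit":
            p, sess = msg["params"], self.sessions.get(msg["params"].get("id"))
            ok = (sess is not None and sess["ip"] == src_ip
                  and p["nonce"] not in sess["seen"]                       # duplicate share
                  and p["result"] == share_hash(sess["blob"], p["nonce"])  # wrong hash
                  and meets_target(p["result"], DIFFICULTY))               # above target
            self._account(src_ip, ok)
            if ok:
                sess["seen"].add(p["nonce"])
                return {"id": msg["id"], "result": {"status": "OK"}}
            return {"id": msg["id"], "error": {"code": -1, "message": "Low difficulty share"}}
        return {"id": msg.get("id"), "error": {"code": -32601, "message": "Method not found"}}

    def _account(self, ip: str, ok: bool) -> None:
        """The abuse protection: ban the IP once its invalid ratio is too high."""
        s = self.stats.setdefault(ip, [0, 0])
        s[0 if ok else 1] += 1
        total = s[0] + s[1]
        if total >= MIN_SHARES and s[1] / total > MAX_INVALID_RATIO:
            self.banned_ips.add(ip)


class Proxy:
    """The botnet's mining proxy: bots connect here; the pool only ever sees proxy_ip."""

    def __init__(self, pool: Pool, proxy_ip: str):
        self.pool, self.ip = pool, proxy_ip

    def send(self, msg: dict) -> dict:
        return self.pool.handle(self.ip, json.dumps(msg))


def login(proxy: Proxy, wallet: str) -> dict:
    return proxy.send({"id": 1, "jsonrpc": "2.0", "method": "login",
                       "params": {"login": wallet, "pass": "x", "agent": "bot/1"}})


def honest_bot(proxy: Proxy, wallet: str, shares: int) -> int:
    """An infected machine mining through the proxy; returns accepted shares."""
    resp = login(proxy, wallet)
    if "error" in resp:
        return 0
    sid, blob, accepted, n = resp["result"]["id"], resp["result"]["job"]["blob"], 0, 0
    for _ in range(shares):
        while not meets_target(share_hash(blob, n.to_bytes(4, "little").hex()), DIFFICULTY):
            n += 1                                   # the actual mining: scan nonces
        nonce = n.to_bytes(4, "little").hex()
        resp = proxy.send({"id": 2, "jsonrpc": "2.0", "method": "submit", "params": {
            "id": sid, "job_id": sid, "nonce": nonce, "result": share_hash(blob, nonce)}})
        accepted += "result" in resp
        n += 1
    return accepted


def bad_shares(proxy: Proxy, wallet: str, count: int) -> int:
    """The disruption: log in through the botnet's proxy with its wallet and submit
    shares that cannot validate; returns how many the pool rejected."""
    resp = login(proxy, wallet)
    if "error" in resp:
        return 0
    sid, rejected = resp["result"]["id"], 0
    for _ in range(count):
        resp = proxy.send({"id": 2, "jsonrpc": "2.0", "method": "submit", "params": {
            "id": sid, "job_id": sid, "nonce": secrets.token_hex(4), "result": "00" * 32}})
        rejected += "error" in resp
    return rejected


def demo() -> dict:
    pool, wallet = Pool(), "44botnet-wallet-placeholder"      # constructed
    proxy = Proxy(pool, "203.0.113.10")                        # constructed proxy IP
    before = honest_bot(proxy, wallet, 5)     # 5: the botnet earns normally
    rejected = bad_shares(proxy, wallet, 40)  # the ban trips at the 15th invalid share
    after = honest_bot(proxy, wallet, 5)      # 0: the proxy's IP is banned, bots are locked out
    return {"before": before, "rejected": rejected, "after": after,
            "proxy_banned": proxy.ip in pool.banned_ips}
```

The check to keep in mind: the ban only hurts the botnet if the pool attributes the invalid shares to the botnet, which is why the client goes through the botnet's proxy (or logs in with its wallet) rather than submitting from its own address. Keying `_account` on the session's wallet instead of the IP turns the same flood into a wallet ban.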
Defense Advantages and Stratum V2
Akamai's "bad shares" technique and XMRogue offer several benefits in the fight against cryptomining botnets. First, they are straightforward to deploy: they need no cooperation from the pool and no change to its software or infrastructure. Second, they hit the botnet's business model directly: getting its proxies or wallets banned from the pool cuts its revenue. Third, the process yields intelligence. By tracking the invalid shares submitted in the botnet's name and the pool's responses, Akamai can identify the botnet's proxy IP addresses, wallet addresses and other details. One caveat: a ban is a setback, not a takedown. Pool bans are often temporary, and an operator can move to a new proxy address, wallet or pool, so the technique has to be repeated to keep the pressure on.
Stratum V1's security weaknesses are the main reason Stratum V2 was developed. Here's how Stratum V2 improves security and miner autonomy:
- Hashrate Hijacking Prevention: Stratum V2 authenticates the connection to the pool, which prevents hashrate hijacking, the attack in which an on-path attacker takes credit for a miner's computational power.
- Improved Security: Stratum V2 encrypts and authenticates miner-to-pool traffic (using the Noise protocol framework), so an attacker can no longer read or manipulate it in transit.
- Miner Autonomy: Stratum V2 lets miners construct their own block templates, increasing their control over mining activities and reducing reliance on pool operators.
Despite these clear advantages, adoption has been slow: most pools and miners still run Stratum V1 and remain susceptible to these attacks. As the blockchain ecosystem continues to change, BlockchainShock is dedicated to providing regular news and analysis on developments in the industry.
Akamai's approach is an innovative and practical tool against cryptomining botnets. It also illustrates the value of understanding protocol-level weaknesses when designing effective defenses.