All Posts

12 posts

Qualys BrowserCheck CoinBlocker Protects Users From Active Cryptojacking Campaigns

Qualys Malware Research Labs recently released the Qualys BrowserCheck CoinBlocker Chrome Extension. We have seen enthusiastic adoption from users across the globe in the first week since its release, which has given us enough telemetry data to indicate success in protecting users from popular cryptojacking attacks. This blog post details these detection statistics and analyzes a few interesting cryptojacking campaigns uncovered by Qualys BrowserCheck CoinBlocker.

About Qualys BrowserCheck CoinBlocker

Qualys BrowserCheck CoinBlocker protects users from browser-based coin-mining attacks. Along with blacklisting & whitelisting of domains, it also supports advanced JavaScript scanning to identify & block malicious JavaScript functions. The extension can also identify & block malicious coin-mining advertisements loaded inside iframes by third-party ads.

Download Qualys BrowserCheck CoinBlocker for free!

Qualys BrowserCheck CoinBlocker Detection Statistics

The world heat map below shows the geographical distribution of mining threats as a percentage of detections blocked by Qualys BrowserCheck CoinBlocker. Among the Top 5 countries where mining threats are detected and blocked, Bulgaria (33%) topped the list, followed by India (18%), the United States (16%), Argentina (10%) and Thailand (9%).

Continue reading …

Staying Safe in the Era of Browser-based Cryptocurrency Mining

Qualys Malware Research Labs is announcing the release of Qualys BrowserCheck CoinBlocker Chrome extension to detect and block browser-based cryptocurrency mining, aka cryptojacking.


Cryptojacking attacks leverage the victim system’s resources via malicious JavaScript to mine certain cryptocurrencies. Attackers carry out these attacks by infecting popular sites with JavaScript that enables cryptojacking. Any visitor to such sites will download the JavaScript and unknowingly contribute their system resources to mine a cryptocurrency that is added to the attacker’s wallet. The resource-intensive mining process carried out on victim systems typically consumes more than 70% of CPU, which reduces system performance, increases power consumption and can possibly cause permanent damage to the system.

Continue reading …

November Patch Tuesday – Part 3

Yesterday Adobe published the second update (APSB14-26) of Adobe Flash this month, an out of band release. After addressing 18 CVEs in the November 11 update (APSB14-24), the new version of Flash has only a single fix for CVE-2014-8439. Adobe does not say why this CVE is so important that it warrants this unexpected release, but points out that a mitigation for this problem had been introduced already in APSB14-22 in October.

They acknowledge the work of a trio of security researchers that are all quite involved in malware detections in the wild (Sébastien Duquette of ESET, Timo Hirvonen of F-Secure and Kafeine from which makes me think that they have seen the initial signs of exploitation attempts. I would address the flaw as quickly as possible.

Internet Explorer 10 and 11 and Google Chrome will autoupdate Flash; on other browsers you will have to run the update yourself. You can use our free BrowserCheck tool to get a quick overview of the security situation on your desktop or laptop. With the BrowserCheck Business Edition you can even control a small network and see how your users are keeping their machines at the latest level.

Top 4 Controls for a Secure PC – Part 2

Updating your computer software for security purposes should be a no-brainer; after all, we have been working on this issue for the last 10+ years and it should be a solved problem. Nevertheless, many people use their PCs basically as they received them, ignoring patch warnings, thinking they do not apply to them:


(from a recent dialogue that I had on a news/comment site) or believe they have more important things to do:

Continue reading …

Top 4 Controls for a Secure PC – Part 1

At the RSA conference a few weeks ago, we introduced a new free service – the Top 4 Control audit. This service focuses on how to help computer end users and small- to medium-sized companies implement the top 4 security measures first suggested by the Australian government’s ASD division. In their internal forensics, they found that the four measures were able to prevent over 85% of the incidents that had occurred in the government agencies that they were responsible for. In the last year, the Top 4 controls have been starting to gain acceptance, with both the SANS Institute and the Council on CyberSecurity supporting their implementation. CSIS’s Jim Lewis gave them a very favorable mention in his 2013 paper “Raising the Bar for Cybersecurity”.

Continue reading …

Secure Your Browser Before Shopping Online

With Thanksgiving falling close to Christmas this year, online shopping will be a great way to avoid the crowds and take advantage of retail incentives, including free shipping and returns, and Cyber Monday deals. In fact, industry analyst firm Forrester reports that online holiday sales are expected to reach an all-time high.

Continue reading …

Java Security Is Getting Better

Java security has been in the spotlight this year, first because of hackers’ frequent use of Java applets to get onto end-user systems (Microsoft reported in 2013 that over 30% of all web-based attacks make use of Java applets). There are also concerns about the end-of-life of Java 6, whose public version is now frozen at Java 6u45 from April 2013. Most recently, security researchers at F-Secure reported on the discovery of the first public exploits against vulnerabilities (CVE-2013-2463 and CVE-2013-2470) that are present in Java 6u45 and remain unfixed due to its end-of-life status.

Continue reading …

BrowserCheck Business Edition Adds “No Plugin” Download Option

Network World recently named Qualys BrowserCheck one of the hottest products at the recently concluded RSA conference 2013. BrowserCheck has been widely adopted by individuals and businesses concerned about attacks that exploit vulnerabilities in browsers and their plugins, especially given trends towards increased remote workers and BYOD. By keeping browsers and their plugins up-to-date with the latest security patches, Qualys BrowserCheck helps secure end-users and keep them safe when they surf the web.

New features in BrowserCheck now make it even easier for IT administrators to continuously monitor user machines remotely and effectively, so that their employees don’t have to worry.

Continue reading …

Automatic Scanning is now part of BrowserCheck Business Edition

Qualys BrowserCheck, our free “online checkup” service, now makes it easier for individuals and businesses to know whether their computers are up-to-date and safe for surfing the web.

With BrowserCheck, not only can you see whether or not your browsers and plugins are current with vendors’ latest releases, now you can also check your Windows PCs for any missing Microsoft Security Updates. In addition, businesses can have this scanning happen automatically, without any user intervention.

IT administrators can now use the enhanced web console in BrowserCheck Business Edition to:

  • Set how often users’ machines are automatically scanned (such as daily, weekly, or monthly).
  • Get easy instructions for connecting users’ computers to BrowserCheck.
  • Continuously track which browsers and plugins are installed on each machine.
  • Verify that crucial OS security settings are enabled and that OS security updates are being received.
  • View at-a-glance dashboards and drill down into per-machine status.

BrowserCheck End User Enhancements

Users who visit BrowserCheck directly will now see:

Advanced Scanning for missing Microsoft Windows Security Updates. This release provides a simpler way for users on Windows PCs to choose how deeply they would like their computers to be scanned. Instead of having to pick among specific scanning features, users now can simply select a type of scan from a drop-down menu:

  • Basic – Scan just the browser that is currently being used and its plugins. This is the default type of scan and is like the scan done on non-Windows platforms which can’t use the BrowserCheck plugin. Previously, this was performed when none of the “Scan Options” check boxes were selected.
  • Intermediate – Scan all browsers installed on this PC as well as their associated plugins (even ones that are disabled). This also checks whether important OS settings are enabled, such as anti-virus, firewall, Windows Update and DNS-changer malware. In the previous release, this was performed when both of the “Scan Options” check boxes were selected.
  • Advanced (new in this release) – In addition to the checks listed above, this option causes BrowserCheck to identify any missing Microsoft Windows security updates. This is very powerful, but may take several minutes to perform.


BrowserCheck Business Edition Enhancements

IT administrators get several new features in BrowserCheck Business Edition:

Automated scanning. The web-based management console provided by BrowserCheck Business Edition now gives IT administrators the ability to have corporate PCs scanned every day, week or month. Users on PCs no longer have to manually revisit; the BrowserCheck plugin will automatically re-scan their computer at the appropriate time. Note that the BrowserCheck plugin is still very lightweight; it only runs when the user’s browser is open, unlike heavyweight agents that run in the background all the time. This approach gives administrators an efficient, reliable way to keep track of what’s installed on each machine and whether it’s still current with vendors’ releases – without interrupting the user.


Easier-to-use lists of scans. The Scans tab now follows the layout used in the Assets tab, making it easier for administrators to drill down into specific scans done on specific machines.

Faster. Switching among different tabs to examine data in different ways is now significantly faster than before.

Give it a try

If you haven’t already used BrowserCheck, go to to try it yourself or sign up for a free BrowserCheck Business Edition account.

“Turkish” Browser Security

Last week USENIX held its 20th Security Symposium in San Francisco, and I attended a number of interesting and inspiring presentations.

On Monday during the WOOT 11 workshop Chris Kanich from UCSD gave a talk that was closely related to our own BrowserCheck work here at Qualys, but used some very creative means to gain access to test subjects. He and his fellow researchers, Stephen Checkoway and Keaton Mowery, used Amazon’s Mechanical Turk crowdsourcing service to advertise a task and then fingerprint the security of the browsers used by the interested workers.

Amazon’s Mechanical Turk is a “crowdsourcing” marketplace for tasks that are best solved with or even require human intelligence. An example might be the identification and labeling of an image, the translation of a foreign text or the categorization of a website. These tasks are called HITs (Human Intelligence Tasks) and are coded by the HIT requestor as webpages. They are labeled with both an expected duration for each HIT (often less than a minute) and also the offered pay for each HIT (often in the cents range). The workers (“turkers”) use normal web browsers to navigate the site and select HITs that they feel competent to complete. At the end of a paycycle, Amazon’s payment system charges requestors and pays turkers.

The UCSD team put up a very simple HIT that consisted of typing in the name of the Antivirus (AV) program used by the user, and offered to pay 1 cent for the answer. When the turker accepted the HIT, the webpage prompted for the name of the AV in use and also ran JavaScript code to identify the browser and its installed plugins.

Once the HIT is executed, the turker is offered another task, slightly more complex (download and run a script) and better paid (between 5 and 15 cents). The script to execute has roughly the same purpose – record the security status of the workstation in use.

The results mirror very closely our data from BrowserCheck – over 80% of all participating turkers have at least one vulnerable plugin that could be used to take over the machine.

The data from the more complex follow-up HIT, where the turker ran a script to provide more detail on the machine configuration, confirmed the vulnerability data gathered by JavaScript and provided an additional insight into the AV configurations in use: over 90 percent of all turkers have AV installed, but many of them are using outdated AV definitions. The US is particularly disappointing: over 75 percent have outdated AV definition files on their machines, a fact that the researchers attribute to the common pre-installation of “teaser” AV installations that come with a newly purchased PC, but that stop updating after six months unless the user buys a full subscription.

“Up to date” percentages that are in such a low range make me question whether we (the internet’s users as a whole) would not be better off if PC manufacturers refrained from including commercial AV packages in their standard builds for consumers. Future versions of our BrowserCheck initiative will add an “AV updated” check and we will see if we can confirm this tendency in both the end user version and also for the users of the Business Edition.

BTW, the real purpose of the research was to determine if Amazon’s Mechanical Turk can provide an efficient way to install malware on machines, i.e. to see if a botnet could be constructed that way. Answer: it depends. Read the full paper “Putting Out a HIT: Crowdsourcing Malware Installs” itself for a detailed answer to the question and more insight into this fascinating experiment.