At 360Netlab, we are continuously analyzing DNS traffic. Based on this, we have established a DNSMon detection system that analyzes various anomalies and correlations in DNS traffic.
We reported a few web mining sites such as openload.co in a previous article. After that, we used DNSMon to analyze web mining across the entire Internet. This article describes what we have seen so far.
- About 0.2% of websites have web mining code embedded in their homepage: 241 (0.24%) of the Alexa Top 100,000 websites and 629 (0.21%) of the Alexa Top 300,000 websites
- Pornography-related websites constitute the main body, accounting for 49%. Others include fraud (8%), advertising (7%), mining (7%), film and television (6%) and other categories
- 10+ sites offer the technical capacity for mining. The largest of them is coinhive.com, with about 57% of the share, followed by coin-hive.com (8%), load.jsecoin.com (7%), webmine.pro (4%), authedmine.com (4%) and others
Web mining has currently become a market, including the following roles:
- End users: currently their interests are neglected
- Mining sites: new players, providing the scripts and capability for web mining
- Content / traffic websites: existing websites with a large user base but no means of monetization. They now direct their previously unprofitable traffic to the mining sites and make money by web mining on their visitors' computers. Recently some content sites have built their own mining capacity, so that they no longer need to share their profit with the mining sites.
600+ Content / Traffic Websites
In the Alexa Top 300,000 sites, by checking their homepages, we found 628 websites that embed mining code. We map the keywords of these domain names below so that readers can get a visual impression. Due to the sensitive nature of pornography, we will not publish those domain names.
The contents of these websites fall into the following categories
10+ Mining Sites
Market Share Ranking of Mining Sites
Content sites will try to monetize their user traffic through mining sites.
Based on their usage by content sites, the Top 10 mining sites on 2018-02-06 are as follows:
One thing to note is that while there are only 628 content sites in total, mining sites are referenced 728 times. This is because some content sites use two or more mining sites at the same time, which is common in this market.
Families of Mining Sites
All of these mining sites can be attributed to several different families. Some known families include:
- coinhive: coinhive.com, coin-hive.com and a series of related domains
- jsecoin: load.jsecoin.com
- webmine: webmine.cz
- cryptoloot: crypto-loot.com, cryptoloot.pro, webmine.pro and a series of related domains
- coinhave: coin-have.com, the ws.cab217f6.space series and the api.cab217f6.space series
Traffic Trend of Mining Sites
The DNS traffic of mining sites is shown in the following figure.
We can see that:
- The market started around 2017-09; coin-hive.com and coinhive.com have been accessed massively since 2017-09-15 and 2017-09-28 respectively
- The market keeps growing; two boosts happened around 2017-10 and 2018-01.
- The biggest player is the coinhive family, which is consistent with the ranking statistics above. As a representative, the popularity ranking of coinhive.com has risen into the Top 20k.
- More and more mining site providers are entering the market
On the other side, we recently observed that the traffic of the coinhave family's main site is shrinking as it starts to divert traffic to a variety of subsites for redundancy.
New Players and New Games
We also notice some new players show up in the market recently:
- Advertiser: the mining behavior on some content sites is actually introduced by advertisers
- Shell link: some content sites use shell links to evade detection by source code auditing
- URL shortener: goobo.com.br is a URL shortener in Brazil. Its homepage, as well as the shortened URLs it generates, loads the coinhive mining script when visited.
- Supply chain pollution: www.midijs.net is a JS-based MIDI file player whose source code has the coinhive script embedded in it
- Self-built mining pool: there is an open-source project on GitHub that can be used to set up a private mining pool.
- End-user-aware web mining: authedmine.com is a new mining site, which declares that it mines only with the user's permission
The Mechanism and Advantage of Detecting Web Mining Through DNSMon
We have been using DNSMon to monitor websites that launch web mining. The monitoring works effectively because:
- when a user opens a content website that subsequently loads a mining site (such as coinhive.com), the relation between the content site's domain and the mining site's domain is recorded by our DNSMon system
- in this case, we can identify the related content websites by investigating the domain correlations of coinhive.com
- content sites may switch mining sites occasionally, and we record all these changes; in this way, we can draw the whole picture of the market
Using DNSMon to detect mining websites has its own advantages and disadvantages.
Advantages:
- wide coverage
- near real-time
- high precision
- mining domain seeds can be used to discover more new suspicious sites through domain correlation
- supports detection in the case of link hijacking, which is better than traditional web scanners
Disadvantage:
- it only reveals the relations between domains, and requires other methods to confirm web page mining behavior
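The correlation described in the two lists above (attributing a mining-domain query to the content site the same client resolved just before it, then using the known mining domains as seeds to surface further suspicious domains) can be illustrated on a small constructed DNS log. This is an added example, not DNSMon's code; the `.test` hostnames, client addresses, timestamps and the 10-second window are assumptions, while the seed domains are the ones named on this page.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Seed list of known mining-site domains, taken from the families listed on this page.
SEED_MINING_DOMAINS = {"coinhive.com", "coin-hive.com", "load.jsecoin.com", "coin-have.com"}
# Constructed sample DNS log ("client|timestamp|qname"); .test hostnames are made up.
SAMPLE_LOG = """\
10.0.0.1|2018-02-06T10:00:00|videos.example-a.test
10.0.0.1|2018-02-06T10:00:02|coinhive.com
10.0.0.2|2018-02-06T10:05:00|videos.example-a.test
10.0.0.2|2018-02-06T10:05:01|coin-hive.com
10.0.0.3|2018-02-06T11:00:00|news.example-b.test
10.0.0.3|2018-02-06T11:00:03|coin-have.com
10.0.0.3|2018-02-06T11:00:04|ws.cab217f6.space
10.0.0.4|2018-02-06T11:30:00|shop.example-c.test
10.0.0.4|2018-02-06T12:30:00|coinhive.com
10.0.0.5|2018-02-06T12:00:00|forum.example-d.test
10.0.0.5|2018-02-06T12:00:02|coin-have.com
10.0.0.5|2018-02-06T12:00:02|ws.cab217f6.space
"""

def parse_log(text):
    rows = (line.split("|") for line in text.splitlines())
    return sorted((c, datetime.fromisoformat(t), q.lower()) for c, t, q in rows)

def correlate(records, mining_domains, window=timedelta(seconds=10)):
    # content site -> Counter of mining domains the same client queried within `window`
    relations = defaultdict(Counter)
    last = {}  # client -> (timestamp, qname) of its most recent non-mining query
    for client, ts, qname in records:  # sorted, so per-client chronological
        if qname in mining_domains:
            prev = last.get(client)
            if prev and ts - prev[0] <= window:
                relations[prev[1]][qname] += 1
        else:
            last[client] = (ts, qname)
    return relations

def expand_seeds(records, mining_domains, window=timedelta(seconds=10), min_sites=2):
    # Non-seed domains loaded right after several identified content sites are candidates
    # for new mining sites (or new subsites of a known family); they still need confirmation.
    content_sites = set(correlate(records, mining_domains, window))
    followers, last = defaultdict(set), {}
    for client, ts, qname in records:
        if qname in content_sites:
            last[client] = (ts, qname)
        elif qname not in mining_domains:
            prev = last.get(client)
            if prev and ts - prev[0] <= window:
                followers[qname].add(prev[1])
    return {d: s for d, s in followers.items() if len(s) >= min_sites}
```

In the sample, shop.example-c.test is not flagged because its client only resolved coinhive.com an hour later, and ws.cab217f6.space surfaces as a candidate because two different content sites load it right after coin-have.com, matching the subsite pattern of the coinhave family.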
In summary, we can use DNSMon system to:
- discover suspicious sites in bulk
- identify mining websites quickly
- locate mining sites that use techniques like code morphing or shell links
The tag graph in this blog was created via http://cloud.niucodata.com/