Breaking WebAssembly Crypto Miner Detection by Obfuscation

This is a Master's thesis from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: Blockchain-based cryptocurrencies are a fairly new concept with a worldwide spread, and there is a massive number of currencies. Several of them involve so-called currency mining, a feature of Proof-of-Work based blockchains. One problem with currency mining is that it can be performed in the user's browser when the user visits a website, exploiting the user's resources and consuming energy. This has spawned a wide variety of crypto mining detection algorithms in research. A particular issue that can make detection difficult is obfuscation of the miner's code. Because research on detecting obfuscated miners is limited, this thesis selects a state-of-the-art detection algorithm and uses it to analyze crypto miners obfuscated with various obfuscation techniques. A dataset of Wasm binaries is constructed by filtering out miners with the help of the detection algorithm. The results indicate that multiple obfuscation techniques, all trivial to implement with basic find-and-replace, are highly effective at hindering the miner detector. Some techniques lower the detection rate by 100% on the dataset. The effectiveness seems to depend primarily on how many lines of the program are modified, and secondarily on exactly which modifications are performed. Also, the obfuscated samples do not take longer to analyze; on the contrary, the mean execution time of the detection algorithm mostly becomes shorter. The conclusion is that more research must be done on constructing detection algorithms that are robust to code obfuscation, and that the detection rate of today's algorithms might be misleading if there is a large number of obfuscated miners on the web.
