At 360Netlab, we are continuously analyzing DNS traffic. Based on this, we have established a DNSMon detection system that analyzes various anomalies and correlations in DNS traffic.

We reported a few web mining sites such as openload.co in previous article. After that, we try to use DNSMon to further analyze web mining on the entire Internet level. This article describes what we have seen so far.

At present:

0.2% websites have web mining code embedded in their homepage : 241 (0.24%) out of Alexa Top 100,000 websites, and 629 (0.21%) out of Alexa Top 300,000 websites

: 241 (0.24%) out of Alexa Top 100,000 websites, and 629 (0.21%) out of Alexa Top 300,000 websites Pornographic related websites constitute the main body , accounting for 49% . Others include fraud (8%), advertising (7%), mining (7%), film and television (6%) and other categories

, accounting for 49% . Others include fraud (8%), advertising (7%), mining (7%), film and television (6%) and other categories 10+ sites offer technical capacity for mining. The largest of them is coinhive.com, accounting for about 57% of the share, followed by coin-hive.com (8%), load.jsecoin.com (7%), webmine.pro (4%), authedmine.com (4%) and others

Web mining has currently become a market, including the following roles:

End users : currently their interests are neglected

: currently their interests are neglected Mining sites : new players, providing the scripts and capability for web mining

: new players, providing the scripts and capability for web mining Content / traffic website: these are existing websites with large user base, but lack the means for monetization. Now they are directing their previously unprofitable traffic to the mining sites, and are making money by web mining using the visitors' computers. Recently some content sites have built their own mining capacity, so that they no longer need to share their profit with the mining sites.

600+ Content / Traffic Websites

In Alexa Top 300,000 sites, by checking their homepage, we found 628 websites have embedded mining code. We map the keywords of these domain names below, so the readers can have a visual impression. Due to the particularity of pornography, we will not publish these domain names.

The contents of these websites fall into the following categories

10+ Mining Sites

Market Share Ranking of Mining Sites

Content sites will try to monetize their user traffic through mining sites.

According to the usages by content sites, we see the Top 10 mining sites on 2018-02-06 as follow:

One thing to note is that while there are only 628 content sites in total, mining sites are used 728 times. This is because some content sites use two or more mining sites at the same time, which is common in this market.

Families of Mining Sites

All of these mining sites can be attributed to several different families. Some known families include:

coinhive : coinhive.com, coin-hive.com, and a series of related

: coinhive.com, coin-hive.com, and a series of related jsecoin : load.jsecoin.com

: load.jsecoin.com webmine : webmine.cz

: webmine.cz cryptoloot : crypto-loot.com, cryptoloot.pro, webmine.pro and a series of related

: crypto-loot.com, cryptoloot.pro, webmine.pro and a series of related coinhave: coin-have.com, ws.cab217f6.space series, api.cab217f6.space series

Traffic Trend of Mining Sites

DNS traffic of mining sites are shown in the following figure

We can see that:

The market started around 2017-09 , coin-hive.com and coinhive.com are accessed massively since 2017-09-15 and 2017-09-28

, coin-hive.com and coinhive.com are accessed massively since 2017-09-15 and 2017-09-28 The market keeps growing , two boosts happened around 2017-10 and 2018-01.

, two boosts happened around 2017-10 and 2018-01. The biggest player is coinhive family , which is consistent with the above ranking statistics. As a representative, the popularity ranking of coinhive.com has arised to Top 20k.

, which is consistent with the above ranking statistics. As a representative, the popularity ranking of coinhive.com has arised to Top 20k. More and more mining site providers are entering the market

On the other side, we recently observed that the traffic of coinhave family's main site is shrinking as it starts to divert traffic into varieties of subsites for redundancy.

New Players and New Games

We also notice some new players show up in the market recently:

Advertiser : mining behavior in some content sites are actually introduced by advertisers

: mining behavior in some content sites are actually introduced by advertisers Shell link : some content sites use shell links to evade detection by source code auditing

: some content sites use shell links to evade detection by source code auditing URL shortener : goobo.com.br is a URL shortener in Brazil. Its homepage as well as the shortened URLs it generate will load coinhive mining script when being visited.

: goobo.com.br is a URL shortener in Brazil. Its homepage as well as the shortened URLs it generate will load coinhive mining script when being visited. Supply chain pollution : www.midijs.net is a JS based MIDI file player, whose source code is embedded with coinhive script

: www.midijs.net is a JS based MIDI file player, whose source code is embedded with coinhive script Self-built mine pool : there is an opensource project on github which can be used to set up private mine pool.

: there is an opensource project on github which can be used to set up private mine pool. End user aware web mining: authedmine.com is a new mining site, which declares only mining under user's permission

The Mechanism and Advantage of Detecting Web Mining Through DNSMon

We have been using DNSMon to monitor websites that launch web mining. The monitoring works effectively because:

when user opens a content website that loads mining site (like coinhive.com) subsequently, such relation between the content site domain and mining site domain are recorded by our DNSMon system.

in this case, we can identify related content websites by investigating coinhive.com's correlation

content sites may switch mining sites occasionally, and we recorded all these changes. In this way, we can draw the whole picture of the market.

Using DNSMon to detect mining websites has its own advantage and disadvantage:

Advantage

wide coverage

near real-time

high precision

can use mining domain seeds to discover more new suspicious sites through domain correlation

support the detection in the case of link hijacking, which is better than traditional web scanners

Disadvantage

only reveals the relations between domains, and requires other methods to confirm web page mining behavior

In summary, we can use DNSMon system to:

discover suspicious sites in bulk

identify mining website quickly

locate mining sites that use techniques like code morphing or shell link

Declaration

The tag graph in this blog is created via http://cloud.niucodata.com/