Experimental Evaluation of Browser-Based Cryptojacking Detection and Prevention Tools

From Embedded Lab Vienna for IoT & Security


This project evaluates the effectiveness and practicality of browser-based cryptojacking detection and prevention tools in a controlled VM lab environment. The lab uses a Web VM that hosts test websites via nginx and a Victim VM that visits them using Firefox. The test set includes benign pages, CPU-heavy but legitimate pages, synthetic “miner-like” pages using a WebWorker (CPU load + optional periodic /ping requests), and a real cryptomining sample site. The goal is to measure (1) whether each tool blocks miner-like or real mining activity, (2) whether it produces false positives on benign content, and (3) what exactly is blocked (script, domain/WebSocket endpoint, worker load, etc.), including detection latency.

Setup

Host Machine: Windows with VirtualBox

Web VM (Ubuntu): nginx web server hosting the test pages

Victim VM (Ubuntu): Firefox browser used to access the pages

Network: Host-only network between the two VMs (example: 192.168.56.0/24)

Web VM IP: 192.168.56.10 (host-only interface)

Victim VM IP: 192.168.56.107 (host-only interface)

Web root (project): /var/www/crypto-test (nginx site: crypto-test)

Test pages (hosted by nginx)

benign.html — baseline normal page (no script)

heavy-benign.html — CPU-heavy but legitimate (stress false-positive test)

synthetic-miner.html — synthetic miner-like behavior (CPU-heavy WebWorker + optional /ping)

miner-known.html — synthetic miner-like page using known miner script name (signature test)

benign-coinhive-name.html — benign page that loads a coinhive-named script (name-based false-positive control)

monero-webminer/ — real cryptomining sample -> https://github.com/NajmAjmal/monero-webminer/tree/main

Scripts / worker variants

pow-worker.js — synthetic PoW-style workload (CPU-only; used by synthetic-miner.html)

coinhive.min.js — renamed/copy variant used as a “known miner signature” bait (used by miner-known.html)

coinhive.js — benign “coinhive-like name” control script (used by benign-coinhive-name.html)

script.js — real mining client script (used by monero-webminer/)
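The synthetic worker's optional periodic /ping requests give the Web VM an independent, server-side view of whether the worker is still running: once a tool terminates or blocks the worker, the pings stop. The following Python script is an added example for this write-up, not code from the lab itself. It reads nginx access-log lines in the default combined format (assumed to be /var/log/nginx/access.log on the Web VM) and summarises the ping cadence per client IP and referring test page; /ping may be answered with 204 or 404 depending on whether the crypto-test site defines a location for it, so the status code is deliberately ignored. The log lines embedded below are constructed, not a real capture.

```python
"""Server-side trace of the synthetic worker via its /ping requests."""
import re
from datetime import datetime

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def ping_summary(lines, path="/ping"):
    """Per (client IP, referring page): number of pings, active span and mean interval.

    A worker that keeps pinging after the tool acted was not stopped; the 'last'
    timestamp of a run that did stop is the server-side view of when it stopped.
    """
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        hits.setdefault((rec["ip"], rec["referer"]), []).append(rec["time"])
    summary = {}
    for key, times in hits.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        summary[key] = {
            "count": len(times),
            "first": times[0].isoformat(),
            "last": times[-1].isoformat(),
            "span_s": span,
            "mean_interval_s": span / (len(times) - 1) if len(times) > 1 else None,
        }
    return summary


# Constructed sample log (not a real capture): the Victim VM loads
# synthetic-miner.html, the worker pings every 2 s for 8 s and the log then
# ends, which is what a stopped worker looks like from the server side.
SAMPLE_LOG = """\
192.168.56.107 - - [01/Jan/2024:10:00:04 +0000] "GET /synthetic-miner.html HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
192.168.56.107 - - [01/Jan/2024:10:00:04 +0000] "GET /pow-worker.js HTTP/1.1" 200 812 "http://192.168.56.10/synthetic-miner.html" "Mozilla/5.0"
192.168.56.107 - - [01/Jan/2024:10:00:05 +0000] "GET /ping HTTP/1.1" 204 0 "http://192.168.56.10/synthetic-miner.html" "Mozilla/5.0"
192.168.56.107 - - [01/Jan/2024:10:00:07 +0000] "GET /ping HTTP/1.1" 204 0 "http://192.168.56.10/synthetic-miner.html" "Mozilla/5.0"
192.168.56.107 - - [01/Jan/2024:10:00:09 +0000] "GET /ping HTTP/1.1" 204 0 "http://192.168.56.10/synthetic-miner.html" "Mozilla/5.0"
192.168.56.107 - - [01/Jan/2024:10:00:11 +0000] "GET /ping HTTP/1.1" 204 0 "http://192.168.56.10/synthetic-miner.html" "Mozilla/5.0"
192.168.56.107 - - [01/Jan/2024:10:00:13 +0000] "GET /ping HTTP/1.1" 204 0 "http://192.168.56.10/synthetic-miner.html" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    # On the Web VM: python3 ping_summary.py < /var/log/nginx/access.log
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for (ip, page), stats in ping_summary(lines).items():
        print(ip, page, stats)
```

Grouping by referer rather than only by IP keeps runs against synthetic-miner.html and miner-known.html apart when both are measured from the same Victim VM.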

Tools being tested

MinerBlock

AdGuard

Malwarebytes

uBlock Origin

Implementation

1) Prepare connectivity between VMs

On Web VM: confirm IP address (ip a) and note host-only address (192.168.56.10)

On Victim VM: confirm IP address (ip a) and ensure it can reach the web VM:

    • ping 192.168.56.10

2) Host the test pages on the Web VM (nginx)

Confirm the nginx site root used for this project:

    • grep -R "root " /etc/nginx/sites-enabled/ /etc/nginx/sites-available/ | head

Place pages and scripts under the configured root (example: /var/www/crypto-test)

Confirm each page is reachable from the Victim VM:

3) Measurement procedure (repeatable)

Each tool is tested against each page with the same procedure:

Open a Private Window (or clear cache/site data between runs)

Open DevTools → Network, enable “Disable cache”

Load the page (Ctrl+Shift+R to force reload)

If the page has Start/Stop controls, click Start and observe:

    • Blocked? (Y/N)
    • Detection latency (approx. seconds or measured via timestamps)
    • False positive? (Y/N) for benign, heavy-benign and benign-coinhive-name
    • What was blocked (script URL, worker load, domain/WebSocket endpoint, host)

Capture evidence screenshots

4) Data collection
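The observations in step 3 (blocked or not, what was blocked, detection latency) can be read off a HAR file saved from DevTools → Network instead of from screenshots alone. The following Python script is an added example for this write-up, not code from the lab. It summarises one measurement run from a HAR export: which requests were blocked, whether any WebSocket upgrade (101 Switching Protocols) to an external endpoint occurred, and the time from page start to the first block. It assumes that a request blocked by an extension shows up with response status 0; a HAR does not record which extension blocked it, so the output is paired with the extension UI screenshot. The two HAR samples embedded below are constructed for the monero-webminer/ page, and the pool endpoint in them is a placeholder.

```python
"""Summarise a DevTools HAR export from one measurement run."""
import json
from datetime import datetime


def _ts(iso):
    """Parse a HAR ISO-8601 timestamp; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def analyze_har(har_text):
    """Return blocked URLs, WebSocket endpoints and first-block latency for a run."""
    log = json.loads(har_text)["log"]
    page_start = min(_ts(p["startedDateTime"]) for p in log["pages"])
    blocked, websockets = [], []
    first_block = None
    for entry in log["entries"]:
        url = entry["request"]["url"]
        status = entry["response"]["status"]
        offset = (_ts(entry["startedDateTime"]) - page_start).total_seconds()
        if status == 0:  # assumption: status 0 = request blocked or failed
            blocked.append(url)
            if first_block is None or offset < first_block:
                first_block = offset
        elif status == 101 or url.startswith(("ws://", "wss://")):
            websockets.append(url)  # a live upgrade means the miner reached its pool
    return {
        "blocked": blocked,
        "websocket_endpoints": websockets,
        "first_block_latency_s": first_block,
        "mining_traffic_seen": bool(websockets),
    }


def _har(entries):
    """Build a minimal constructed HAR string around a page started at 10:00:00Z."""
    return json.dumps({"log": {
        "pages": [{"id": "page_1", "startedDateTime": "2024-01-01T10:00:00.000Z"}],
        "entries": [{"pageref": "page_1", "startedDateTime": t,
                     "request": {"url": u},
                     "response": {"status": s, "statusText": ""}}
                    for t, u, s in entries]}})


# Constructed sample runs (not real captures) against monero-webminer/.
# Run 1: the mining client script is blocked 1.8 s after page start.
HAR_BLOCKED_RUN = _har([
    ("2024-01-01T10:00:00.050Z", "http://192.168.56.10/monero-webminer/", 200),
    ("2024-01-01T10:00:01.800Z", "http://192.168.56.10/monero-webminer/script.js", 0),
])
# Run 2: nothing blocked; script.js loads and a WebSocket upgrade follows.
HAR_UNBLOCKED_RUN = _har([
    ("2024-01-01T10:00:00.050Z", "http://192.168.56.10/monero-webminer/", 200),
    ("2024-01-01T10:00:00.400Z", "http://192.168.56.10/monero-webminer/script.js", 200),
    ("2024-01-01T10:00:02.100Z", "wss://pool.example.invalid/", 101),  # placeholder endpoint
])

if __name__ == "__main__":
    # Usage with a saved export: python3 har_summary.py run.har
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(analyze_har(f.read()))
    else:
        for name, har in ("blocked", HAR_BLOCKED_RUN), ("unblocked", HAR_UNBLOCKED_RUN):
            print(name, analyze_har(har))
```

Latency is measured from the earliest page start in the HAR, so "Disable cache" and a forced reload (Ctrl+Shift+R) matter: a cached script.js never produces a network entry and would make a block invisible here.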


Results

Results table for all tools and test pages.

Baseline benign pages (benign.html, heavy-benign.html) loaded normally for all tools tested (no false positives observed in initial pass).

Name-based control (benign-coinhive-name.html using coinhive.js) was not blocked in the initial pass for most tools, indicating that simple substring matching is not universal; however, signature-like names can still trigger blocking depending on the exact filename/list.

Synthetic miner (synthetic-miner.html using pow-worker.js) was not blocked by several tools in the initial pass, suggesting limited behavioral detection for purely CPU-based worker workloads.

Known-signature miner (miner-known.html using coinhive.min.js) was blocked by tools that rely on known miner indicators/lists; the block was visible as a blocked script request and/or extension UI warning.

Real mining sample (monero-webminer/) produced WebSocket connections to an external endpoint (101 Switching Protocols) when not blocked; some tools blocked the mining client script and prevented mining from starting, while others did not detect it in the initial pass.