360 Security: DDG Collected Over 3,395 XMR, the 2nd largest mining botnet
In October 2017, the 360 Cyber Security Institute monitored a large-scale attack on OrientDB database servers that enrolled the compromised machines into a botnet mining Monero (XMR). The botnet was named the DDG Mining Botnet (hereinafter referred to as DDG). The amount of XMR accumulated by DDG is relatively large: by February 2018 it was confirmed that the botnet had collected over 3,395 XMR, equivalent to more than RMB 5.8 million. DDG became the second largest mining botnet after MyKings. Below are some excerpts from the 360 security report.
Starting on 2017-10-25, 360 Security detected massive scanning of the OrientDB database server on the Internet. Further analysis revealed that this is a long-running botnet whose main goal is to mine Monero (XMR). We named it the DDG Mining Botnet (hereinafter referred to as DDG), mainly because the name of its core functional module is DDG.
The amount of Monero accumulated by DDG is relatively large. At present, we can confirm that the botnet has accumulated more than 3,395 Monero, equivalent to RMB 5,821,657 at the current price. In addition, because of a problem with the mining pool's accounting system, we could not fully confirm whether a further 2,428 XMR belonged to DDG; those are equivalent to RMB 4,163,179 at the current price. DDG is currently the second largest botnet in our field of view; the largest is the MyKings botnet we previously reported.
In addition to the commonly seen C2 and bots of a botnet, the structure of DDG has a very interesting component: the HUB, a set of IP addresses or domain names from which the bots download the mining binaries. During the ongoing DDG update process, two domain names were listed in the HUB list of the v2011 version but had not been registered. We preemptively registered and sinkholed these two domains. Although we cannot use the two domains to take over the botnet, the sinkhole data lets us make an accurate measurement of the size of the entire DDG botnet.
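The sinkhole measurement described above, as an added illustration that is not part of the 360 report: count the distinct source IPs per day that request a HUB download path from the sinkholed domain. The log line format, the path name "/hub-binary" and all addresses are constructed assumptions, not values from the report.

```python
"""Estimate bot population from sinkhole request logs (added example).

Assumed (constructed) log format: "<ISO timestamp> <source IP> <request path>",
one line per HTTP request received by the sinkholed HUB domain.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample sinkhole log: three distinct bots over two days. One bot
# polls repeatedly, one line is malformed, and one request is unrelated noise.
SAMPLE_LOG = """\
2018-01-03T00:15:02Z 198.51.100.7 /hub-binary
2018-01-03T00:15:03Z 198.51.100.7 /hub-binary
2018-01-03T06:40:11Z 203.0.113.44 /hub-binary
2018-01-03T09:02:55Z 198.51.100.7 /hub-binary
2018-01-03T11:11:11Z not-an-ip /hub-binary
2018-01-03T12:00:00Z 192.0.2.9 /robots.txt
2018-01-04T01:01:01Z 203.0.113.44 /hub-binary
2018-01-04T02:02:02Z 192.0.2.9 /hub-binary
"""

def parse_line(line):
    """Return (date, ip, path) for a well-formed line, or None if unparsable."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, ip, path = parts
    try:
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        ipaddress.ip_address(ip)  # reject garbage in the source field
    except ValueError:
        return None
    return day, ip, path

def bots_per_day(log_text, hub_paths):
    """Map ISO date -> number of distinct source IPs that fetched a HUB path."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] not in hub_paths:
            continue
        seen[rec[0]].add(rec[1])
    return {day.isoformat(): len(ips) for day, ips in sorted(seen.items())}

def total_unique_bots(log_text, hub_paths):
    """Distinct source IPs over the whole log (a lower bound behind NAT)."""
    return len({rec[1] for rec in map(parse_line, log_text.splitlines())
                if rec and rec[2] in hub_paths})
```

Distinct IPs undercount bots behind shared NAT and overcount hosts whose addresses churn, so the per-day series is the more reliable measure of trend than any single total.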
DDG’s mining pool:
Three XMR addresses that DDG used:
Wallet #1 4AxgKJtp8TTN9Ab9JLnvg7BxZ7Hnw4hxigg35LrDVXbKdUxmcsXPEKU3SEUQxeSFV3bo2zCD7AiCzP2kQ6VHouK3KwnTKYg
Wallet #2 45XyPEnJ6c2STDwe8GXYqZTccoHmscoNSDiTisvzzekwDSXyahCUmh19Mh2ewv1XDk3xPj3mN2CoDRjd3vLi1hrz6imWBR1
Wallet #3 44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM
Among them, Wallet #3 was the first active wallet address; its peak period ran from 2017-02 to 2017-03. Wallet #1 then took over and was active for the whole of 2017. Wallet #2 is the most recent one and was first detected on 3 January 2018.
The income of all three wallets is shown in the table below, with a total of 3,395 or 5,760 Monero. These tokens are worth 5.8 million yuan or 9.8 million yuan at the current price.
Note: In the payment record of the second wallet, the "Total Paid" figure is not consistent with the "Amount Summary" obtained by accumulating each transaction. We have no way of confirming which number is more accurate, so both numbers are recorded.
Recently, 360 noticed that the family released a new version, 3011, whose deployment caused abnormal scan traffic on port 7379 and related ports. A new wallet was enabled in this version, and its cumulative revenue across two mining pools has exceeded 1,419 XMR, equivalent to nearly RMB 1.8 million. So far, the long-running DDG's mining revenue from database servers has reached nearly RMB 8 million.
DDG 3011 might still be in a beta stage. DDG 3011 has activated a new XMR wallet: