Replace all mining machines within one day! Mining botnet is updating crazily

The most popular cryptocurrency in the recent mining attacks is Monero. Recently, Monero, which has been very popular in the cryptocurrency circle, has updated its algorithm. After the update, the old version of the mining machine has become invalid, but the mining attacks have not stopped. Well-known web mining scripts such as Coin-Hive have supported the new Monero algorithm; at the same time, the mining botnet is also being updated rapidly, and a new round of mining attacks is about to begin.

Figure: Monero was updated to version v7 on April 6

Monero algorithm updated, mining Trojan temporarily shut down?

The mining Trojans mainly rely on mining Trojan botnets and web mining scripts to make money. Web mining scripts, as the name suggests, are mining scripts implanted in web pages, using the computer resources of users browsing the web pages to mine and make profits. The so-called mining botnet is a botnet built by hackers who invade other computers to implant mining Trojans, and then use the invaded computers to continue to implant mining Trojans in other computers.

The update of the Monero algorithm means that the old version of the mining machine can no longer be used, so many people believe that the mining Trojan will inevitably cease to exist, and the servers attacked by the mining botnet may also escape.

But this is not the case. Many open source Monero mining machines have been quickly updated. Among them, the well-known xmrig has been updated to v2.6.0, and xmr-stak has also been updated to v2.4.1. The well-known web mining script Coin-Hive has also been updated for the new algorithm of Monero. Web mining attacks using these scripts will continue uninterrupted.

Figure: Coin-Hive official Twitter announcement

At the same time, mining botnets are also updating rapidly. According to monitoring, the botnet "yamMiner", which has been active since 2016, has replaced all old mining machines with new ones within one day. From this, it can be seen that even if there are large fluctuations in the algorithm of Monero, it may be difficult to affect the control of these advanced botnets over servers and other equipment.

Figure: Recent changes in the number of infections of the botnet "yamMiner"

Mining zombies are updating frantically. How should your devices cope with this?

Mining botnets prefer to control servers and have the characteristics of fast updates, concealment, and strong survivability. Once the equipment is compromised, it will cause a huge loss of resources and it will be difficult to escape control.

Faced with the rapidly updated mining Trojans, server administrators should avoid using weak passwords to effectively prevent weak password blasting initiated by zombie programs; and promptly patch the operating system and related services to prevent mining Trojan botnets from using vulnerabilities such as "Eternal Blue" to spread attacks; servers should also be maintained regularly to check for persistent mining Trojans from aspects such as CPU usage and suspicious items in task execution.

Ordinary users should also be careful and pay attention to CPU usage when browsing the web. If users find that the computer CPU usage soars when browsing the web and most of the CPU usage comes from the browser, then the web page may be embedded with a mining script. Currently, 360 Security Guards has supported comprehensive defense against new versions of mining attacks. Here we remind users and device managers to use security software as much as possible to avoid being "enslaved" by malicious mining.

Figure: 360 Security Guard can fully defend against new versions of mining attacks