Tencent released its first big data report on the cryptocurrency industry: Monero surpassed Bitcoin as the first choice for mining

As digital cryptocurrencies continue to gain popularity in the global market, the number of mining Trojans has also increased dramatically. Recently, Tencent Security Anti-Virus Lab combined its own security big data to conduct a comprehensive analysis of the types, propagation methods, and attack characteristics of mining Trojans, and provided professional advice on how to defend against mining Trojan attacks.

First big data report on the cryptocurrency industry released: Monero is the most popular cryptocurrency among domestic mining Trojans

It is understood that mining Trojans mainly exist in the form of PC clients and web scripts. They sneak into users' computers and regularly start mining programs to perform calculations, consuming a large amount of the computer's resources and causing abnormal heating, lower performance, slower running speeds, shorter service life, etc.

After conducting big data analysis on recently discovered mining Trojans, Tencent Security Anti-Virus Lab pointed out that the process names used by mining Trojans during mining usually correspond to system files. This is because mining Trojans use system files as puppet processes and mine through process injection. For example, the top-ranked process name conhost corresponds to the system's notepad program notepad.exe in many cases. Other process names such as EthDcrMiner64, minerd, xig, ETHSC, xmrig, etc. are all standard mining Trojans.

(Figure: Process name corresponding to the mining trojan)

Tencent Security Anti-Virus Lab used its self-developed Hubble analysis system to analyze the working process of mining Trojans and counted the mining pool addresses to which these mining Trojans are connected. It was found that the mining pool address most popular among domestic mining users is pool.minexmr.com, and the corresponding currency mined is Monero.

It is worth noting that the currency most favored by mining Trojans is Monero, followed by Ethereum, Bitcoin Diamond, Dogecoin, and SuperCash. Other currencies are very rare. Although Bitcoin is well-known, there are very few virus Trojans that directly mine Bitcoin. The reason may be that Bitcoin mining is too difficult, and it is not as profitable as mining Monero, which is easier to obtain.

(Figure: Addresses of active mining pools for domestic mining trojans)

Usually, users can use ports to help determine whether a computer is engaged in mining. Tencent Security Anti-Virus Lab counted the port numbers corresponding to the mining pool addresses of mining Trojans. The data showed that port 3333 is the most popular port used by mining Trojans, accounting for about 12% of all mining pool connection ports. From the perspective of port range, ports between 3000-3999 are the most commonly used port range for mining Trojans, and ports in this range account for 38.7% of mining ports.

(Figure: Port ratio of mining trojan pools)
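A sketch of how the indicators reported above (process names, the pool.minexmr.com address, port 3333 and the 3000-3999 range) can be combined to triage outbound connections. This is an added example, not Tencent's detection logic; the scoring weights, the alert threshold, the CSV layout and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io

# Indicators taken from the report text above.
MINER_NAMES = {"ethdcrminer64", "minerd", "xig", "ethsc", "xmrig"}
PUPPET_NAMES = {"conhost", "notepad"}  # system processes the report names as injection hosts
KNOWN_POOLS = {"pool.minexmr.com"}
ALERT = 3  # assumed threshold: a port match alone (1-2 points) never alerts

# Constructed sample (process, remote host, remote port); not real telemetry.
SAMPLE = """process,remote_host,remote_port
chrome.exe,www.example.com,443
xmrig.exe,pool.minexmr.com,4444
conhost.exe,198.51.100.7,3333
node.exe,192.0.2.10,3000
mstsc.exe,203.0.113.20,3389
"""

def score(process, host, port):
    """Score one outbound connection; returns (points, reasons)."""
    name = process.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    in_range = 3000 <= port <= 3999
    # Assumed weights. The last check assumes conhost/notepad have no normal
    # reason to connect out on these ports, so a hit suggests an injected miner.
    checks = [
        (host.lower() in KNOWN_POOLS, 3, "known pool address"),
        (name in MINER_NAMES, 3, "miner process name"),
        (port == 3333, 2, "port 3333"),
        (in_range and port != 3333, 1, "port in 3000-3999"),
        (name in PUPPET_NAMES and in_range, 2, "system process on mining-range port"),
    ]
    reasons = [why for hit, _, why in checks if hit]
    return sum(pts for hit, pts, _ in checks if hit), reasons

def triage(text):
    """Return (process, host, port, points, reasons) for rows at or above ALERT."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        port = int(row["remote_port"])
        points, reasons = score(row["process"], row["remote_host"], port)
        if points >= ALERT:
            hits.append((row["process"], row["remote_host"], port, points, reasons))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Because ports in the 3000-3999 range are also used by ordinary services (the constructed `node.exe` and `mstsc.exe` rows), a port match is treated only as supporting evidence next to the process name and pool address.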

Mining Trojans target corporate users; Tencent Yujie advanced threat monitoring system fully protects against them

In terms of propagation methods, Tencent Security Anti-Virus Lab found that, except for some mining Trojan worms and software hijacking that spread using MS17-010, most mining Trojans prefer to scan hosts for Web-based remote code execution vulnerabilities. Once a vulnerability is successfully exploited, the mining Trojan is delivered to the victim host.

In this regard, Tencent's enterprise security technology experts recommend that individual users keep their systems updated in a timely manner and use Tencent Computer Manager to install the latest security patches to fix known security vulnerabilities, which can greatly reduce risks. Enterprise users need to patch server operating systems, Web servers, and open services in a timely manner to resist attackers who scan for and exploit vulnerabilities to spread mining Trojans.

Tencent's enterprise security technology experts pointed out that no matter which propagation method is used, the attackers' mining income depends on the number and performance of the victim hosts they compromise, so enterprise users are more likely to become targets of criminals. The Yujie advanced threat detection system launched by Tencent Security for enterprise users is a unique threat intelligence and malicious-activity detection model system, developed based on the security capabilities of Tencent Security Anti-Virus Laboratory and relying on Tencent's massive cloud and terminal data. By analyzing the network traffic at the boundary between the enterprise's internal and external networks, it can detect mining Trojan activity and attacks in a timely manner, effectively protecting the enterprise's network security.

(Photo: Tencent Yujie Advanced Threat Monitoring System)

In the face of rampant mining Trojans, Tencent's enterprise security technology experts said that enterprises and individual users should develop good computer usage habits and strengthen their awareness of network security: use strong passwords to protect server accounts; do not visit websites marked as high-risk, and do not casually open files from unknown sources or suspicious links; scan suspicious files with security software such as Tencent Computer Manager, or upload them to the Hubble analysis system to check whether they are risky. In addition, Tencent Computer Manager's "Anti-Mining Protection" function is now available to users of all versions. It can intercept and warn about running mining Trojan programs and web pages containing mining js scripts in real time, ensuring that users' computer resources are not occupied and that they have a smooth Internet experience.

