
DDG Botnet

Posted: April 10, 2020

The DDG Botnet is a relatively new project that malware researchers have observed closely since it first appeared on the radar at the beginning of 2018. The botnet is used almost exclusively for Monero mining, and its authors have not added modules that would enable it to launch Distributed Denial-of-Service (DDoS) attacks or participate in other activity typical of botnets. While its feature set is not very rich, the DDG Botnet has one unique property: it can fall back to peer-to-peer communication if its primary Command and Control servers are taken down. This redundancy allows the DDG Botnet to continue to operate and grow even if the attacker's main servers go offline for some reason.

The current size of the botnet is estimated at around 20,000 devices, and its activity peaked in February 2019. The project appears to be receiving regular updates, and one of the latest changes was the addition of peer-to-peer communication to keep the botnet operating.

Every enslaved system that is part of the DDG Botnet can now communicate with 200 random botnet nodes to transmit and receive commands. The infected hosts are able to share instructions and configuration files, and even distribute new botnet payloads to each other. For example, if bot A needs to update its payload, it may contact bot B to see if it can get it from there. If bot B cannot fulfill the request, the message is sent on to bot C, and the process repeats until the request is fulfilled. The same communication technique is used by each node that requires an update and cannot contact the DDG Botnet's control server for some reason.

The relatively large size of the DDG Botnet is surprising considering the method it uses to infect new hosts – it scans the Internet for accessible SSH connections, and then tries to log in by using the username 'root' paired with a list of 17,907 passwords.
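The infection method described above leaves a recognizable trail in sshd logs: many failed password logins for 'root' from one source, sometimes followed by a success. The following is an added detection example, not part of the original article; the log lines are constructed samples in OpenSSH's standard message format, and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation-range IPs), not real telemetry.
SAMPLE_LOG = """\
Apr 10 03:12:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 10 03:12:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 40118 ssh2
Apr 10 03:12:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 40124 ssh2
Apr 10 03:12:07 host sshd[2107]: Accepted password for root from 203.0.113.7 port 40130 ssh2
Apr 10 03:15:40 host sshd[2150]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2
Apr 10 03:16:02 host sshd[2160]: Failed password for root from 198.51.100.23 port 42000 ssh2
Apr 10 03:20:11 host sshd[2201]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
"""

# Matches OpenSSH authentication result lines and captures method, user and source.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
    r"for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze_root_logins(log_text, threshold=3):
    """Return {source_ip: verdict} for sources guessing root passwords."""
    failures = defaultdict(int)
    verdicts = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        # Only password authentication for the existing 'root' account is relevant.
        if not m or m["user"] != "root" or m["invalid"] or m["method"] != "password":
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                verdicts.setdefault(ip, "brute-force")
        elif failures[ip] >= threshold:
            # A password login succeeded after repeated failures: treat as compromise.
            verdicts[ip] = "likely-compromised"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in analyze_root_logins(SAMPLE_LOG).items():
        print(ip, verdict)
```

A host that reports "likely-compromised" should be isolated and investigated; disabling password authentication for root in sshd removes this entry point entirely.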
