This article was authored by Pav1 of the Aegis Traffic Security Analysis Team and is reproduced with authorization.
In the first half of 2021, news that the price of cryptocurrency (hereinafter "virtual currency") had repeatedly hit new highs drew public attention again and again; Bitcoin is the virtual currency best known to the public. In February, Tesla announced that it had purchased $1.5 billion worth of Bitcoin and planned to start accepting Bitcoin as payment for its electric vehicles [1].
Overview
This feature of Monero has led to its massive use by attackers. At present, most of the mining scripts captured by the Aegis traffic security analysis system mine Monero. Once a server has been implanted with a Monero mining script, the most prominent symptom is a significant increase in CPU usage.
Figure 1 Monero mine pool page
In June 2021, the Aegis traffic security analysis system began to detect a new type of mining script. After the script was implanted in a server, CPU usage did not rise sharply; instead, hard disk space was consumed.
Further investigation showed that there is a class of virtual currency that is mined by contributing hard disk space and network bandwidth. The original design goal of these currencies is decentralized storage and communication; representative examples are Filecoin, Chia, Swarm and Dfinity.
The main process of a typical Swarm mining script is as follows:
Figure 2 Swarm mining script flow chart
Figure 3 Swarm mining script - main function
Introduction to Swarm
The popularity of the Swarm project is inseparable from Ethereum. Swarm is one of Ethereum's official projects: it is led by the Ethereum Foundation and personally supported by Vitalik Buterin, the founder of Ethereum.
At present, the data of many projects on the Ethereum network is still stored on the servers of traditional centralized cloud providers. If those servers fail, users' data and assets are lost with them. This is where projects such as Swarm show their advantage: they address the problem through decentralized storage.
Figure 4 Swarm official website
The Swarm white paper [5] describes how the nodes of the Swarm project together form a large P2P network in which every node can provide data storage and content distribution services.
Put simply, storing data on Swarm requires the project's token, BZZ, and BZZ is also the income from Swarm mining.
A node that provides more storage space and bandwidth earns more BZZ tokens, that is, more mining revenue.
Compared with existing products, Swarm's design makes it resemble a decentralized CDN (content distribution network) or online disk. Previously, we paid CDN or online disk providers for their services; now we pay BZZ tokens on Swarm to obtain similar CDN or network disk services.
This makes the difference between mining the Swarm token BZZ and mining Monero easy to understand. Mining Monero consumes a lot of CPU resources and therefore a lot of electricity, while mining BZZ requires few computing resources: income is earned by contributing storage space and bandwidth, power consumption is very low, and it is a comparatively environmentally friendly form of mining.
Figure 5 Kademlia network connections between Swarm nodes: each node is fully connected to at least eight neighbouring nodes, forming a large and closely connected network structure
Features and Detection
Although mining the Swarm token BZZ is not CPU-intensive, that does not mean its presence cannot be detected.
The most important characteristic of BZZ mining is the consumption of bandwidth and hard disk space. If, during daily use of a computer, hard disk space is suddenly consumed in large amounts and a program occupies a large share of network bandwidth, it is worth checking whether a Swarm mining Trojan has been implanted.
In addition, Swarm mining exhibits the following specific characteristics that network security practitioners can use to make a judgement:
1. Traffic characteristics
When mining Monero, the mining program must connect to a mining pool and synchronize calculation results, blocks and other information with it, including a login process, so the traffic characteristics of Monero mining are very obvious.
The communication flow between the Swarm mining program and an XDAI blockchain node is shown below:
Figure 6 Communication flow between the mining program and the exchange endpoint
As the figure above shows, the mining program also uses the JSON-RPC protocol when communicating with the exchange endpoint, just as Monero mining does. The packets have strong, obvious characteristics, so detection can target keywords or the structure of the packet.
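The structural detection described above, as an added example that is not part of the original article: a small classifier that first checks whether a payload is a well-formed JSON-RPC 2.0 request and then sorts it by method name. The sample payloads are constructed, not captured traffic. The method prefixes used for sorting are assumptions: Ethereum-style node RPC methods begin with "eth_", and the Monero pool protocol uses methods such as "login" and "submit"; neither list is taken from the article.

```python
import json
from collections import Counter

# Constructed sample payloads (not real captures) of the kind a traffic
# analysis system would extract from HTTP or TCP streams.
SAMPLE_PAYLOADS = [
    '{"jsonrpc":"2.0","id":1,"method":"eth_chainId","params":[]}',
    '{"jsonrpc":"2.0","id":2,"method":"eth_getBalance",'
    '"params":["0x0000000000000000000000000000000000000000","latest"]}',
    '{"id":1,"jsonrpc":"2.0","method":"login",'
    '"params":{"login":"x","pass":"x","agent":"constructed-miner/0.0"}}',
    '{"user":"alice","action":"list"}',
    'not json at all',
]

# Assumption: Ethereum node RPC methods share the "eth_" prefix, and the
# Monero pool (stratum-style) protocol uses these method names.
ETH_PREFIX = "eth_"
POOL_METHODS = {"login", "getjob", "submit", "keepalived"}


def parse_jsonrpc(payload: str):
    """Return the decoded object if payload is a JSON-RPC 2.0 request, else None.

    The structural check is the first filter: "jsonrpc" must be "2.0", there
    must be a string "method", and an "id" member must be present.
    """
    try:
        obj = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(obj, dict) or obj.get("jsonrpc") != "2.0":
        return None
    if not isinstance(obj.get("method"), str) or "id" not in obj:
        return None
    return obj


def classify(payload: str) -> str:
    """Label one payload by JSON-RPC structure and method-name keyword."""
    obj = parse_jsonrpc(payload)
    if obj is None:
        return "not-jsonrpc"
    method = obj["method"]
    if method.startswith(ETH_PREFIX):
        return "ethereum-node-rpc"     # consistent with a Bee node talking to XDAI
    if method in POOL_METHODS:
        return "mining-pool-rpc"       # consistent with a Monero pool login/submit
    return "jsonrpc-other"


def summarize(payloads) -> dict:
    """Count payloads per label, the view an analyst wants over a whole stream."""
    return dict(Counter(classify(p) for p in payloads))


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{classify(p):20s} {p[:60]}")
    print(summarize(SAMPLE_PAYLOADS))
```

A label of "ethereum-node-rpc" on its own is not proof of mining, since any Ethereum client produces the same requests; it becomes meaningful when combined with the file and port characteristics below and with the disk and bandwidth growth the article describes.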
2. File Characteristics
The official mining software used by the Swarm project is Bee (https://github.com/ethersphere/bee). It is written in Go, supports Linux and Windows, and supports ARM, x86 and other architectures.
Running the official program to build a Swarm node shows that the following three directories are created under the data-dir directory specified in the configuration file:
Keys directory: stores the keys generated during node initialization, the most important data in the entire node.
Statestore directory: stores information about the current node, such as the block list and the SWAP balance.
Localstore directory: stores the block data held by the current node.
3. Port characteristics
By default, the Swarm project uses three ports, 1633, 1634 and 1635, for data exchange at runtime.
Port 1633: the default HTTP API port. It is accessed over HTTP to check the node's running status, upload and download files, and perform other operations.
Port 1634: the default P2P port. P2P connections with external nodes pass through this port.
Port 1635: the default debugging port. To open it, debug-api-enable must be set to True in the configuration file.
By checking whether these ports are open and have connections, it is also possible to tell whether a host is running the Swarm mining program Bee.
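The file and port characteristics above, combined into one host check, as an added example that is not part of the original article or the Bee project: it looks for the three Bee subdirectories under a given data-dir and parses `ss -lnt`-style output for listeners on the three default ports. The `ss` output and the data directory are constructed for the demonstration; the directory name comparison is case-insensitive because the article capitalizes the names while a real data-dir may not.

```python
import tempfile
from pathlib import Path

# The three subdirectories Bee creates under data-dir (article, section 2).
BEE_DATA_SUBDIRS = ("keys", "statestore", "localstore")
# Bee's default ports and their roles (article, section 3).
BEE_DEFAULT_PORTS = {1633: "http-api", 1634: "p2p", 1635: "debug-api"}

# Constructed `ss -lnt` output; not taken from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:1633      0.0.0.0:*
LISTEN 0      4096   *:1634              *:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   [::]:1635           [::]:*
"""


def bee_data_dir_markers(data_dir) -> list:
    """Return which of Bee's subdirectories exist under data_dir (lower-cased)."""
    root = Path(data_dir)
    if not root.is_dir():
        return []
    present = {p.name.lower() for p in root.iterdir() if p.is_dir()}
    return [d for d in BEE_DATA_SUBDIRS if d in present]


def listening_bee_ports(ss_output: str) -> dict:
    """Parse `ss -lnt` lines and return {port: role} for Bee's default ports.

    Column 4 is "Local Address:Port"; splitting on the last ':' handles
    IPv4, IPv6 ("[::]:1635") and wildcard ("*:1634") forms alike.
    """
    found = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        port_str = fields[3].rsplit(":", 1)[-1]
        if port_str.isdigit() and int(port_str) in BEE_DEFAULT_PORTS:
            found[int(port_str)] = BEE_DEFAULT_PORTS[int(port_str)]
    return found


def assess_host(data_dir, ss_output: str) -> dict:
    """Combine both indicators into one verdict.

    The full directory triple or a listening P2P port (1634) is treated as a
    strong indicator; a lone HTTP/debug port is only weak, since other local
    services may reuse those numbers.
    """
    markers = bee_data_dir_markers(data_dir)
    ports = listening_bee_ports(ss_output)
    strong = len(markers) == len(BEE_DATA_SUBDIRS) or 1634 in ports
    return {"dirs": markers, "ports": ports, "suspect": strong}


def make_demo_data_dir() -> str:
    """Create a constructed data-dir laid out like a running Bee node."""
    root = tempfile.mkdtemp(prefix="bee-demo-")
    for name in ("Keys", "statestore", "localstore"):
        (Path(root) / name).mkdir()
    return root


def demo() -> dict:
    """Run the check against the constructed inputs and return the verdict."""
    return assess_host(make_demo_data_dir(), SAMPLE_SS_OUTPUT)


if __name__ == "__main__":
    print(demo())
```

On a real host the same functions would be fed the output of `ss -lnt` and the data-dir path taken from the Bee configuration file; the rising disk usage under localstore is the corroborating symptom the article describes.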
Summary and Outlook
In the first half of this year, the Swarm project ran a test activity for mining without pledge, which attracted a large number of miners; there were also cases of cloud server providers selling ready-made Swarm nodes.
On June 22, the Swarm project launched its 1.0 mainnet [6], pushing the project's popularity to a high point. Backed by endorsements from high-profile figures and by the Ethereum ecosystem, Swarm has become a leader among current distributed storage blockchain projects.
