Novel Botnet Hunts Down and Destroys Crypto Mining Malware

A newly discovered botnet is seeking out and removing crypto-mining malware, but why it has been created is still unknown.

Sep 18, 2018 at 12:00 p.m. UTC
Updated Sep 13, 2021 at 8:23 a.m. UTC

Security researchers have discovered a new botnet that, rather than posing a threat, seems to be seeking out and destroying a type of crypto-mining malware.

Called Fbot, the botnet is a variant of one called Satori, which is in turn based on Mirai – a program normally used for DDoS attacks. Unusually, the DDoS module seems to have been deactivated and instead Fbot searches for devices infected with a specific crypto-jacking malware and replaces it in the system, the report says.

Discovered by the team at Qihoo 360Netlab, the variant seeks out a malware form dubbed com.ufo.miner – a variant of the Android-based monero miner ADB.Miner.

Distributing itself by searching for devices with a specific open port, the botnet then uses a script to uninstall com.ufo.miner, if found. Fbot is programmed to scan and propagate, install itself over the malware and ultimately self-destruct, the researchers say.

Also unusually, the botnet code is linked to a domain name accessible, not through a standard domain name system (DNS), but a decentralized alternative called EmerDNS that makes addresses harder to trace and shut down.

The researchers said:

"The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researchers to find and track the botnet (security systems will fail if they only look for traditional DNS names)."
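The researchers' point is that monitoring keyed only to conventional DNS names misses command-and-control that resolves through a blockchain-based namespace. The following is an added example, not code from the article or from 360Netlab, showing one defensive check a security team could run over its own resolver or endpoint DNS logs: flag queries whose top-level label belongs to a namespace served by EmerDNS rather than by ICANN DNS. The TLD set (.coin, .emc, .lib, .bazar) is an assumption drawn from EmerDNS documentation, not from the article; the log format and the log lines are constructed for the example.

```python
import re
from collections import Counter

# Assumption: top-level labels served by EmerDNS rather than ICANN DNS.
# The article names EmerDNS but does not list its zones; this set is illustrative.
EMERDNS_TLDS = {"coin", "emc", "lib", "bazar"}

# Constructed sample log (not from the article) in a simplified
# "<timestamp> <client-ip> query <qtype> <qname>" format.
SAMPLE_LOG = """\
2018-09-18T11:58:01Z 10.0.0.12 query A update.example.com
2018-09-18T11:58:04Z 10.0.0.12 query A cdn.example.net
2018-09-18T11:58:09Z 10.0.0.47 query A example-node.lib
2018-09-18T11:58:11Z 10.0.0.47 query A example-node.bazar
2018-09-18T11:58:15Z 10.0.0.12 query AAAA pool.example.org
2018-09-18T11:58:20Z 10.0.0.47 query A example-wallet.emc
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    # Normalise: drop a trailing root dot and lower-case the name.
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def tld_of(qname):
    """Return the last DNS label of a name ('example.com' -> 'com')."""
    return qname.rsplit(".", 1)[-1] if "." in qname else qname


def find_emerdns_queries(log_text, tlds=EMERDNS_TLDS):
    """Return every parsed record whose TLD is in the EmerDNS set."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and tld_of(rec["qname"]) in tlds:
            hits.append(rec)
    return hits


def clients_by_hit_count(hits):
    """Count flagged queries per client IP so the noisiest hosts surface first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    flagged = find_emerdns_queries(SAMPLE_LOG)
    for rec in flagged:
        print(f"{rec['ts']} {rec['client']} -> {rec['qname']} (tld .{tld_of(rec['qname'])})")
    print(clients_by_hit_count(flagged))
```

A query for one of these names sent to an ordinary recursive resolver will simply fail, so hits only appear in logs collected close to the endpoint (host agents, egress DNS capture) or where a gateway that bridges to EmerDNS is in use; a host making several such queries in a short window is the signal worth triaging.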

It is not yet clear if Fbot has been set up by someone with good intentions or by a rival crypto-jacker seeking to remove the competition.

The prevalence of crypto mining malware has shot up in the last year, according to various security teams, and has been found globally on systems owned by enterprises and governments, as well as individuals. Further, the previous cybercrime tool of choice, ransomware, has now taken a back seat amid the surge.

Indeed, IT security firm Trend Micro reported in late August that crypto-jacking attacks spiked by 956 percent from the first half of 2017 to the first half of 2018.

Among current initiatives to counter the rising threat, Firefox said on Aug. 31 that its browsers will soon automatically block crypto mining malware scripts. The Opera browser launched similar protection for mobile devices in January.

