Chinese security researchers from Qihoo 360 Netlab have discovered a savvy botnet that destroys illicit crypto mining malware rather than hacking victims’ PCs for its benefit.
The Benevolent ‘Cryptojacker’
The botnet, called Fbot, is based on the Satori Mirai program, which is typically used for DDoS attacks, according to Bleeping Computer, which first reported the news earlier this week.
According to the research, Fbot scans the internet for devices infected with cryptojacking malware, specifically the SMI, RIG and XIG processes, and replaces it on victims’ computers, while also disabling DDoS attack software.
The strain searches for devices with open ports and, should any malware be found, targets the “com.ufo.miner” code from the Android-based Monero miner ADB.Miner. Researchers say the program can scan, install and deploy itself over the malware and “self-destruct” once it fulfills its function.
Interestingly, the Fbot strain is linked to a decentralized domain service, called EmerDNS, instead of the usual domain name system (DNS) service, which makes it substantially harder for hackers to target the strain and shut down its servers.
Per the research:
“The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for a security researcher to find and track the botnet (security systems will fail if they only look for traditional DNS names).”
However, the researchers noted that it is not immediately clear if Fbot was conceived with good intent or serves as a vehicle to replace existing crypto miners and deploy its own.
The World Wakes Up to Mining Threats
As one of the fastest-growing cyber threats of 2018, illicit crypto mining has gained precedence over traditional hacking methods due to its ease of execution and high reward. Security teams across the globe have found miners prowling millions of computers, including individual PCs, enterprise networks and government sites.
In August, security firm Trend Micro published a report regarding the extent of cryptojacking attacks in recent years and found a 956 percent increase from the first half of 2017 to the first half of 2018.
Enterprises and internet businesses are deploying various updates to protect themselves against the threat. Popular antivirus providers are also installing patches across all software versions and the Firefox browser revealed it would block all mining scripts found on its users’ computers automatically.
Additionally, the Opera browser launched comparable measures for mobile devices in early 2018, but other browsers like Chrome have yet to follow suit.