A strange anti-cryptominer malware botnet is prowling the Internet
That's not something you see every day.
Crypto mining malware is a common feature of the Internet these days – an exceedingly common feature, in fact. Cryptojackers, as they're sometimes called, accounted for only 7% of attacks in the second half of 2017. But just a few months later, in the first half of 2018, they were making up a third or more of malware findings.
A new cryptojacking strain is nothing new. This one, though, is a clear exception.
The new botnet, dubbed Fbot by its discoverers at Netlab360, is an evolution of previous mining botnets.
But instead of infecting its victims with cryptojacking malware, it hunts down and eliminates any existing cryptominers it discovers.
It has three curious features, Netlab360 notes. The first and most obvious is that its sole purpose seems to be to remove other botnet miners. It doesn't seem to do anything else. When it infects a victim, it digs around in their computer for existing mining malware and removes it. Then when it's all done, it removes itself.
This isn't entirely unheard of. Previous strains of cryptomining malware have also been known to kill off rivals, but in those cases it was for the purpose of eliminating competition to keep more of the victim's juicy computing power for itself. This one just eliminates other malware then disappears.
One probably shouldn't assume it's altruistic though. It is still an unwanted infection, and could be a test run or might be setting the table for follow-ups similar to other competitive cryptojacking malware.
The second curious feature Netlab360 notes is that it runs through the Emercoin blockchain, rather than following more traditional methods. This isn't unheard of for malware. Decentralised networks such as Emercoin are naturally well suited to nefarious purposes as well as legitimate ones.
"The choice of Fbot using EmerDNS [Emercoin addresses] other than traditional DNS [the Domain Name System] is pretty interesting, it raised the bar for security researchers to find and track the botnet (Security systems will fail if they only look for traditional DNS names)," Netlab360 says.
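The Netlab360 observation above has a direct detection consequence: an ordinary resolver cannot answer EmerDNS names, so the lookup attempt itself is what a defender can log. As an added example (not from the article or from Netlab360), here is a small Python check over constructed DNS-query log lines that flags lookups for EmerDNS root zones; the zone list, the log format and the sample names are assumptions, not anything tied to Fbot.

```python
import re

# EmerDNS root zones as documented by the Emercoin project (assumption:
# taken from general knowledge of EmerDNS, not from the article).
EMERDNS_ZONES = frozenset({"coin", "emc", "lib", "bazar"})

# Constructed log line format: "<ts> <client-ip> query <qname> <qtype> <rcode>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$"
)


def top_level_zone(qname: str) -> str:
    """Return the rightmost label of a query name, ignoring a trailing dot."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] if labels else ""


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_blockchain_dns(lines):
    """Return (client, qname, rcode) for queries whose TLD is an EmerDNS zone.

    A conventional resolver answers NXDOMAIN for these names, so the lookup
    itself is the signal: the host is trying to reach a name that only a
    blockchain-backed resolver can answer.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole scan
        if top_level_zone(rec["qname"]) in EMERDNS_ZONES:
            hits.append((rec["client"], rec["qname"].rstrip(".").lower(), rec["rcode"]))
    return hits


# Constructed sample log lines (documentation ranges, not real infrastructure).
SAMPLE_LOG = """\
2018-09-18T10:00:01Z 192.0.2.10 query www.example.com. A NOERROR
2018-09-18T10:00:02Z 192.0.2.10 query update.example.lib. A NXDOMAIN
2018-09-18T10:00:03Z 192.0.2.11 query pool.example.org. A NOERROR
2018-09-18T10:00:04Z 192.0.2.12 query Cdn.Example.EMC. A NXDOMAIN
malformed line that should be skipped
"""

if __name__ == "__main__":
    for client, name, rcode in flag_blockchain_dns(SAMPLE_LOG.splitlines()):
        print(f"ALERT blockchain-DNS lookup from {client}: {name} ({rcode})")
```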
The third curious element is that Netlab360 is confident that Fbot has strong ties to the Satori botnet, in the form of shared IP addresses, domain names, URLs and other overlaps. The Satori botnet came to life as an evolution of another botnet called Mirai, which managed to spread far and fast by exploiting security holes in hardware. It has since kicked around the Internet in various forms, occasionally resurfacing to do things like conduct mass scans for vulnerable Ethereum miners.
That something with such close ties to the Satori botnet is now running around and eliminating cryptomining malware is unusual. It's still too early to say whether Fbot is an Internet vigilante bot or a new breed of thief bot scoping out its victims.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.