Finder makes money from featured partners, but editorial opinions are our own.

A strange anti-cryptominer malware botnet is prowling the Internet

shutterstock robot arm wrestling 450x250

That's not something you see every day.

Crypto mining malware is a common feature of the Internet these days – an exceedingly common feature, in fact. Cryptojackers, as they're sometimes called, accounted for only 7% of attacks in the second half of 2017. But just a few months later, in the first half of 2018, they were making up a third or more of malware findings.

A new cryptojacker viral strain is nothing new. This one is a clear exception though.


The new botnet, dubbed Fbot by its discoverers at Netlab360, is an evolution of previous mining botnets.

juicy crypto words

But instead of infecting its victims with cryptojacking malware, it hunts down and eliminates any existing cryptominers it discovers.

It has three curious features, Netlab360 notes. The first and most obvious is that its sole purpose seems to be to remove other botnet miners. It doesn't seem to do anything else. When it infects a victim, it digs around in their computer for existing mining malware and removes it. Then when it's all done, it removes itself.

This isn't entirely unheard of. Previous strains of cryptomining malware have also been known to kill off rivals, but in those cases it was for the purpose of eliminating competition to keep more of the victim's juicy computing power for itself. This one just eliminates other malware then disappears.

One probably shouldn't assume it's altruistic though. It is still an unwanted infection, and could be a test run or might be setting the table for follow-ups similar to other competitive cryptojacking malware.

The second curious feature Netlab360 notes is that it runs through the Emercoin blockchain, rather than following more traditional methods. This isn't unheard of for malware. Decentralised networks such as Emercoin are naturally well suited to nefarious purposes as well as legitimate ones.

"The choice of Fbot using EmerDNS [Emercoin addresses] other than traditional DNS [domain name servers - web hosters basically] is pretty interesting, it raised the bar for security researcher to find and track the botnet (Security systems will fail if they only look for traditional DNS names)." Netlab360 says.

The third curious element is that Netlab360 is confident that Fbot has strong ties to the Satori botnet, in the form of related IPs, domain names, URLs and other ties. The Satori botnet came to life as an evolution of another botnet called Mirai, which managed to spread far and fast by exploiting security holes in hardware. It has since kicked around the Internet in various forms, occasionally resurfacing to do things like conduct mass scans for vulnerable Ethereum miners.

That something with such close ties to the Satori botnet is now running around and eliminating cryptomining malware is unusual. It's still too early to say whether Fbot is an Internet vigilante bot or a new breed of thief bot scoping out its victims.

Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Latest cryptocurrency news

Picture: Shutterstock

Get started with crypto

Ask an Expert

You are about to post a question on

  • Do not enter personal information (eg. surname, phone number, bank details) as your question will be made public
  • is a financial comparison and information service, not a bank or product provider
  • We cannot provide you with personal advice or recommendations
  • Your answer might already be waiting – check previous questions below to see if yours has already been asked

Finder only provides general advice and factual information, so consider your own circumstances, or seek advice before you decide to act on our content. By submitting a question, you're accepting our Terms of Use, Disclaimer & Privacy Policy and 6. Finder Group Privacy & Cookies Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Go to site