FBot, a "useful" botnet that tracks cryptojacking malware discovered by 360Netlab
FBot is a new botnet whose unique feature is that it destroys a type of crypto-mining malware rather than causing damage itself. The botnet finds crypto-mining malware on a system and replaces it, sparing the system the damage the miner would cause.
FBot is a "useful" botnet that searches for cryptocurrency-mining malware and replaces it. It was discovered by the Qihoo 360Netlab research team last week, and its unusual functionality has raised eyebrows across the cryptocurrency mining community.
FBot has three key characteristics that set it apart from other botnets. First, the only thing the botnet appears to monitor and remove is the com.ufo.miner malware. Second, it does not use traditional DNS to talk to its C2; instead it uses a blockchain-based DNS to resolve the non-standard C2 name musl.lib. Finally, the botnet is a variant of the Satori botnet, which was itself built on Mirai. Unlike its ancestors, however, FBot does not launch DDoS attacks: its DDoS module is disabled.
The report released by Qihoo 360Netlab describes FBot's purpose as exclusively dealing with the "com.ufo.miner" crypto-mining malware.
How the unique nature of FBot replaces the threat of "com.ufo.miner"
As established above, FBot's only target is com.ufo.miner, itself a variant of the Android-based ADB.Miner Monero miner. The Qihoo 360Netlab team found that the botnet spreads by scanning for devices with a specific open port and then runs a script that uninstalls com.ufo.miner if it is found.
FBot is programmed to scan, propagate, install itself over the malware and eventually self-destruct.
The EmerDNS domain system
Most botnets point their code at a domain name that is resolved through the standard Domain Name System (DNS). FBot is unusual in that it does not rely on standard DNS but on a decentralized system called EmerDNS. This kind of domain name system makes addresses harder to trace and to take down.
"The choice of Fbot to use EmerDNS rather than traditional DNS is quite interesting; it has raised the bar for security researchers to find and trace the botnet (security systems fail if they only look for traditional DNS names)."
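The quoted point above is that detection keyed to conventional domain names misses a C2 such as musl.lib, because ".lib" is not a TLD the public DNS root serves. One defensive check, added here as an example that is not part of the original article or of 360Netlab's report, is to triage resolver query logs for lookups of EmerDNS zones (.lib is the one the article names; .emc, .coin and .bazar are the other zones EmerDNS serves). The log format below is BIND-style and the log lines are constructed for the example; it assumes infected hosts send their lookups through a resolver you log, which a bot may avoid by talking to a blockchain-aware resolver directly.

```python
import re
from collections import Counter

# Top-level domains served by EmerDNS, Emercoin's blockchain name system.
# A conventional resolver cannot answer these, so any query for them is
# either misconfiguration or something that expects a blockchain resolver.
EMERDNS_TLDS = {"lib", "emc", "coin", "bazar"}

# Matches a BIND-style query log line:
#   <timestamp> client <ip>#<port>: query: <qname> IN <qtype> ...
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def blockchain_tld(qname):
    """Return the EmerDNS TLD of qname, or None if the name is conventional."""
    tld = qname.rstrip(".").rsplit(".", 1)[-1].lower()
    return tld if tld in EMERDNS_TLDS else None


def find_emerdns_queries(log_lines):
    """Return (client, qname, tld) for every logged lookup of an EmerDNS zone.

    Lines that do not match the query format are skipped rather than raising,
    since real resolver logs interleave other message types.
    """
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        tld = blockchain_tld(m.group("qname"))
        if tld:
            hits.append((m.group("client"), m.group("qname"), tld))
    return hits


def clients_by_hits(hits):
    """Count flagged lookups per client so repeat offenders rank first."""
    return Counter(client for client, _, _ in hits)


# Constructed sample log: two hosts on a documentation-range network, one of
# which repeatedly asks for the article's C2 name musl.lib.
SAMPLE_LOG = [
    "10-Sep-2018 14:02:11.101 client 192.0.2.10#51234: query: musl.lib IN A + (192.0.2.1)",
    "10-Sep-2018 14:02:12.377 client 192.0.2.15#40211: query: www.example.com IN A + (192.0.2.1)",
    "10-Sep-2018 14:02:13.902 client 192.0.2.22#60002: query: update.bazar IN A + (192.0.2.1)",
    "10-Sep-2018 14:02:14.150 zone example.com/IN: sending notifies (serial 2018091001)",
    "10-Sep-2018 14:03:41.008 client 192.0.2.10#51240: query: musl.lib. IN A + (192.0.2.1)",
]

if __name__ == "__main__":
    hits = find_emerdns_queries(SAMPLE_LOG)
    for client, qname, tld in hits:
        print(f"{client} looked up {qname} (EmerDNS zone .{tld})")
    for client, count in clients_by_hits(hits).most_common():
        print(f"{client}: {count} blockchain-TLD lookup(s)")
```

A hit does not by itself prove infection, but a host that repeatedly asks the corporate resolver for a name no conventional resolver can answer is worth pulling into an investigation, and the per-client counter gives a ranking to start from. If a bot bypasses the local resolver, the same activity shows up instead as DNS traffic to unexpected external resolvers, which is a separate network-flow check.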
The number of cryptojacking attacks increased by more than 950% from the first half of 2017 to the first half of 2018, as reported by the IT security firm Trend Micro in August. The total number of scams and frauds in the cryptocurrency industry has also increased significantly, according to a number of security companies. Ransomware, too, has once again seen a wave as a crypto-related attack of choice among hackers.
Unauthorized cryptocurrency mining is being pushed back as more browsers ship blockers for mining scripts: Mozilla Firefox is due to add its blocker later in the year, as Opera did in its mobile browser in January.
Among the current initiatives to counter the growing threat, Firefox said on August 31 that its browsers will soon automatically block crypto-mining malware scripts. The Opera browser launched similar protection for mobile devices in January.