Security researchers have discovered a new botnet that, rather than posing a threat, appears to seek out and destroy a type of crypto-mining malware.
Called Fbot, the botnet is a variant of one called Satori, which is itself based on Mirai, a program normally used for DDoS attacks. Unusually, the DDoS module appears to have been disabled; instead, Fbot searches for devices infected with a specific crypto-mining malware and removes it from the system, the report states.
Discovered by Qihoo 360's Netlab team, the variant looks for a malware module dubbed com.ufo.miner, a variant of the Android-based ADB.Miner crypto-miner.
The botnet spreads by scanning for devices with a specific open port; on each device it reaches, it runs a script that uninstalls com.ufo.miner if the package is found. Fbot is programmed to scan, propagate, remove the miner and eventually self-destruct, the researchers say.
Also unusually, the domain name the botnet code contacts is resolved not through the standard Domain Name System (DNS) but through EmerDNS, a decentralized, blockchain-based alternative, which makes the address harder to track and take down.
"Fbot's choice of EmerDNS over traditional DNS is quite interesting; it raises the bar for security researchers trying to find and trace the botnet (security systems will fail if they only look for traditional DNS names)," the researchers wrote. It is still unclear whether Fbot was created by someone with good intentions or by a rival crypto-jacker trying to remove the competition.
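As an added illustration (not code from the article or from 360Netlab), the following Python triage script checks the two host-level indicators the article describes, an ADB daemon listening on the network and the com.ufo.miner package, and flags names in a DNS query log that fall under EmerDNS namespaces, which a resolver-based blocklist would never see. It assumes the "specific open port" is ADB's default TCP port 5555 (the article does not name it), that the EmerDNS namespaces are .coin, .emc, .lib and .bazar, and that the inputs look like `adb shell pm list packages`, `netstat -tln` and a simple "timestamp client name" query log; all sample inputs are constructed.

```python
# Added example, not from the article or from 360Netlab's report.
# Offline triage of the indicators described in the text; sample inputs are constructed.
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Package the article names as Fbot's target.
TARGET_PACKAGE = "com.ufo.miner"
# Assumption: the "specific open port" is ADB's default TCP port, 5555.
ADB_TCP_PORT = 5555
# Assumption: EmerDNS top-level namespaces (Emercoin blockchain DNS records).
EMERDNS_TLDS = {"coin", "emc", "lib", "bazar"}


@dataclass
class Findings:
    miner_installed: bool = False
    adb_exposed: bool = False
    emerdns_names: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def matches_fbot_target(self) -> bool:
        """A device Fbot would find: ADB reachable over the network and the miner present."""
        return self.miner_installed and self.adb_exposed


def parse_pm_list(pm_output: str) -> Set[str]:
    """Parse `adb shell pm list packages` output ('package:<name>' per line)."""
    pkgs = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


# Matches netstat-style LISTEN rows: proto, recv-q, send-q, local addr:port, foreign, state.
_LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.M)


def adb_tcp_exposed(netstat_output: str, port: int = ADB_TCP_PORT) -> bool:
    """True if something listens on the ADB TCP port on a non-loopback address."""
    for addr, p in _LISTEN_RE.findall(netstat_output):
        if int(p) != port:
            continue
        if addr in ("127.0.0.1", "::1"):
            continue  # loopback-only ADB is not reachable by a network scanner
        return True
    return False


def flag_emerdns_names(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, name) pairs whose TLD belongs to EmerDNS rather than ICANN DNS.

    Constructed log format: '<timestamp> <client-ip> <queried-name>'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        name = parts[2].rstrip(".").lower()
        if "." not in name:
            continue
        tld = name.rsplit(".", 1)[-1]
        if tld in EMERDNS_TLDS:
            hits.append((parts[1], name))
    return hits


def triage(pm_output: str, netstat_output: str, dns_log: List[str]) -> Findings:
    """Combine the three checks into one set of findings for a device / network."""
    return Findings(
        miner_installed=TARGET_PACKAGE in parse_pm_list(pm_output),
        adb_exposed=adb_tcp_exposed(netstat_output),
        emerdns_names=flag_emerdns_names(dns_log),
    )


# Constructed sample inputs (not real captures).
SAMPLE_PM = """package:com.android.settings
package:com.ufo.miner
package:com.android.shell
"""
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
"""
SAMPLE_DNS_LOG = [
    "2018-09-17T10:00:01Z 10.0.0.5 update.example.com",
    "2018-09-17T10:00:02Z 10.0.0.5 sample-c2.lib",
    "2018-09-17T10:00:03Z 10.0.0.7 cdn.example.net",
]

if __name__ == "__main__":
    f = triage(SAMPLE_PM, SAMPLE_NETSTAT, SAMPLE_DNS_LOG)
    print(f"miner installed: {f.miner_installed}, ADB exposed: {f.adb_exposed}")
    print(f"matches Fbot target profile: {f.matches_fbot_target}")
    print(f"EmerDNS-namespace lookups: {f.emerdns_names}")
```

The EmerDNS check is the part a conventional DNS-monitoring pipeline misses: a name such as `sample-c2.lib` never reaches a public resolver, so it will only show up in the queries the device makes to whatever alternative resolver or gateway it uses, and in proxy or packet logs, not in standard DNS telemetry.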
The prevalence of crypto-mining malware has increased over the last year, according to various security teams, and it has been found globally on systems owned by corporations and governments as well as by individuals. Meanwhile, the previous cybercrime tool of choice, ransomware, has moved into the background.
Indeed, at the end of August the IT security firm Trend Micro reported a 956 percent increase in crypto-mining attacks from the first half of 2017 to the first half of 2018.
Among the initiatives under way to counter the growing threat, on August 31 Mozilla said that its Firefox browser will soon automatically block crypto-mining scripts. The Opera browser launched similar protection for its mobile browsers in January.
Hat tip Bleeping Computer.