Researchers discover new crypto malware-killing botnet
Known as Fbot, the botnet appears to be derived from Mirai, malware generally used to build DDoS botnets. In this case, however, the DDoS module has been deactivated; instead the botnet searches for cryptojacking malware and replaces it with its own code, neutralising the miner.
In particular, the botnet searches for instances of com.ufo.miner, a variant of the Android-based ADB.Miner, which mines the privacy-focused altcoin Monero.
According to the Qihoo 360Netlab team, the botnet spreads by scanning for open ports and, where it finds com.ufo.miner, uninstalls it. The botnet effectively installs itself over the malware, destroys the malicious code, and then self-destructs, according to the report published by the researchers.
The botnet is also tied to a domain name that resolves only through EmerDNS, the naming system built on the Emercoin blockchain, rather than through the standard DNS hierarchy. That makes it harder to track: lookups through ordinary recursive resolvers fail, and monitoring that only watches conventional DNS names never sees the record.
“The choice of Fbot using EmerDNS rather than traditional DNS is pretty interesting; it raised the bar for security researchers to find and track the botnet (security systems will fail if they only look for traditional DNS names),” according to the Qihoo 360Netlab blog post.
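The practical consequence of the 360Netlab observation is that the evasion itself leaves a trace: a host that queries a blockchain-only zone through a normal resolver gets NXDOMAIN, and that failed lookup is the signal. The following detector is an added example written for this article, not code from 360Netlab or from Fbot. It assumes a simple constructed log format (timestamp, client, query name, query type, response code) and uses constructed sample lines with hypothetical names; adapt the parser to your resolver's real log format. The EmerDNS root zones it matches (.coin, .emc, .lib, .bazar) are the ones Emercoin serves.

```python
"""Flag DNS queries for EmerDNS (blockchain) zones in a DNS query log.

Added example, not code from the 360Netlab report or from Fbot. The log
format and sample lines below are constructed for this example.
"""
import re
from typing import List, NamedTuple

# EmerDNS root zones. None of these are delegated in the ICANN root, so a
# standard recursive resolver answers NXDOMAIN (or SERVFAIL) for them.
EMERDNS_TLDS = frozenset({"coin", "emc", "lib", "bazar"})

# Constructed log format: "<ts> <client> <qname> <qtype> <rcode>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


class Finding(NamedTuple):
    client: str
    qname: str
    rcode: str
    reason: str


def tld_of(qname: str) -> str:
    """Return the lowercase last label of a query name ('foo.lib.' -> 'lib')."""
    return qname.rstrip(".").lower().split(".")[-1]


def is_emerdns_name(qname: str) -> bool:
    """True if the name lives in a zone only EmerDNS can answer."""
    return tld_of(qname) in EMERDNS_TLDS


def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per query for a name in an EmerDNS zone.

    An NXDOMAIN/SERVFAIL hit means a host tried to resolve a name that
    traditional DNS cannot serve, which is exactly the lookup a monitor
    watching only conventional names would discard as noise. A NOERROR hit
    is worse: something on the path is bridging queries to the blockchain.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the pass
        _ts, client, qname, _qtype, rcode = m.groups()
        if not is_emerdns_name(qname):
            continue
        if rcode in ("NXDOMAIN", "SERVFAIL"):
            reason = "EmerDNS zone, unresolvable via standard DNS"
        else:
            reason = "EmerDNS zone answered: a resolver is bridging to the blockchain"
        findings.append(Finding(client, qname.rstrip(".").lower(), rcode, reason))
    return findings


# Constructed sample log: hypothetical hosts and names, not real indicators.
SAMPLE_LOG = [
    "2018-09-20T10:00:01Z 10.0.0.5 www.example.com. A NOERROR",
    "2018-09-20T10:00:02Z 10.0.0.17 update.example.lib. A NXDOMAIN",
    "2018-09-20T10:00:03Z 10.0.0.17 pool.example.coin. A NXDOMAIN",
    "2018-09-20T10:00:04Z 10.0.0.9 mail.example.org. MX NOERROR",
    "2018-09-20T10:00:05Z 10.0.0.23 c2.example.bazar. A NOERROR",
    "this line is not a log entry",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.qname} [{f.rcode}] {f.reason}")
```

Run against real resolver logs, the interesting output is the repeated NXDOMAIN for a .lib or .bazar name from one client; that host is either infected or deliberately using a blockchain resolver, and either way deserves a look. The NOERROR case means standard-DNS-only monitoring will see nothing at all, so the check belongs at the resolver, not only at the firewall.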
It comes at a time when cryptojacking and related malware attacks have reached record highs, with the last few months seeing particularly elevated activity of this kind.
Cryptojacking malware is now so prevalent that it has been found on the systems of several large businesses and government agencies, as well as on those of countless individuals worldwide. According to security researchers, cryptojacking incidents have increased by 956% over the last year.
This has even prompted Mozilla to announce that an upcoming Firefox release will automatically detect and block cryptomining scripts, in a bid to fight the surge in their use.
At this stage it remains unclear whether the botnet was created to clean up malware, or whether a rival operator launched it to clear out competing malware. Either way, a bot that gains unauthorised access to a device in order to install itself over another bot is still malware, and an infected device should be treated as compromised rather than cleaned.