Novel Botnet Hunts Down and Destroys Crypto Mining Malware

Security researchers have discovered a new botnet that, rather than posing a threat, seems to be seeking out and destroying a type of crypto-mining malware.

Called Fbot, the botnet is a variant of one called Satori, which is in turn based on Mirai - a program normally used for DDoS attacks.

Unusually, the DDoS module seems to have been deactivated and instead Fbot searches for devices infected with a specific crypto-jacking malware and replaces it in the system, the report says.

Discovered by the team at Qihoo 360Netlab, the variant seeks out a malware form dubbed com.

Distributing itself by searching for devices with a specific open port, the botnet then uses a script to uninstall com.

Fbot is programmed to scan and propagate, install itself over the malware and ultimately self-destruct, the researchers say.

The botnet code is linked to a domain name accessible, not through a standard domain name system, but a decentralized alternative called EmerDNS that makes addresses harder to trace and shut down.

"The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researcher to find and track the botnet."

The prevalence of crypto mining malware has shot up in the last year, according to various security teams, and has been found globally on systems owned by enterprises and governments, as well as individuals.

Among current initiatives to counter the rising threat, Firefox said on Aug. 31 that its browsers will soon automatically block crypto mining malware scripts.