Research: New Botnet Scanning the Web to Shut Down Illicit Cryptominers

Published by Cryptoslate

Chinese security researchers from Qihoo 360 Netlab have discovered a savvy botnet that destroys illicit crypto mining malware rather than hacking victims' PCs for its benefit.

The botnet, called Fbot, is based on the Satori Mirai program, which is typically used for DDoS attacks, according to Bleeping Computer, which first reported the news earlier this week.

According to the research, Fbot scans the internet for devices infected with cryptojacking malware (specifically SMI, RIG and XIG processes) and replaces it on victims' computers, alongside disabling DDoS attack software.

Researchers say the program can scan, install and deploy itself over the malware and "self-destruct" once it fulfills its function.

Interestingly, the Fbot strain is linked to a decentralized domain service, called EmerDNS, instead of the usual domain name system service, which makes it substantially harder for hackers to target the strain and shut down its servers.

"The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for a security researcher to find and track the botnet."

The researchers noted that it is not immediately clear if Fbot was conceived with good intent or serves as a vehicle to replace existing crypto miners and deploy its own.

As one of the fastest-growing cyber threats of 2018, illicit crypto mining has gained precedence over traditional hacking methods due to its ease-of-execution and high reward.

Security teams across the globe have found miners prowling millions of computers including individual PCs, enterprise networks and government sites.

Popular antivirus providers are also installing patches across all software versions, and the Firefox browser revealed it would automatically block all mining scripts found on its users' computers.
