Meet Fbot, the friendly botnet. Fbot does not appear to be malicious; its apparent purpose is to find and remove one specific family of crypto-mining malware.
Normally a botnet, a collection of Internet-connected devices each running one or more bots, acts as an aggressive predator in the virtual jungle: it performs DDoS attacks, sends spam, and steals data. Botnets are a relatively new threat: the first one that we know of was officially brought to light in 2001 by the U.S. company EarthLink in the course of a lawsuit filed against Khan C. Smith. Since 2000, Smith had used EarthLink’s network to send junk email and had managed to send about 1.25 billion messages. The lawsuit resulted in one of the largest spam judgments in history: the company won $24.8 million. At the time, Smith’s botnet was held responsible for approximately 25% of all junk mail.
The amount of malware aimed at crypto mining has grown dramatically. Systems of every size have been affected, from individual machines to government networks. In August 2018 it was reported that such attacks had spiked by more than 950% compared to the previous year. According to Skybox Security, mining malware has replaced ransomware as the biggest cyber threat: “Cryptocurrency miners may be the new kid on the block, but they’re taking over.”
On September 13th, 360Netlab’s team disclosed an interesting botnet whose sole purpose, according to a blog post by Hui Wang, appears to be “just going after and removing another botnet com.ufo.miner.”
Fbot has an interesting lineage: it appears to be a variant of the Satori botnet, which is itself derived from the Mirai DDoS malware. In Fbot, however, the DDoS module has been deactivated. Its new role is to search for one specific piece of malware, a version of the crypto-jacking ADB.Miner (the Android package com.ufo.miner). Once it finds the miner on an infected device, Fbot removes it and then self-destructs. The vigilante botnet uses EmerDNS, a blockchain-based decentralized naming system, instead of the traditional DNS, which makes tracking its addresses more difficult. As the 360Netlab blog explains: “it raised the bar for security researchers to find and track the botnet (Security systems will fail if they only look for traditional DNS names).”
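The point 360Netlab makes about EmerDNS is a practical one for defenders: a watchlist of ordinary domain names never matches, because EmerDNS names live in zones (.coin, .emc, .lib, .bazar) that the public DNS root does not serve. The script below is an added example, not code from the original article or from 360Netlab; it scans constructed DNS query log lines (the log format, the client addresses and every domain name in it are hypothetical) and flags any lookup whose top-level label is an EmerDNS zone, while ignoring ordinary names that merely contain "lib" or "coin" as an inner label.

```python
"""Flag DNS lookups for EmerDNS zones in query logs.

Added example, not code from the original article or from 360Netlab.
EmerDNS serves the .coin, .emc, .lib and .bazar zones, which ordinary
recursive resolvers do not answer; a watchlist of traditional DNS names
therefore never sees them. The log format, client addresses and domain
names below are constructed for the demonstration.
"""
import re
from typing import List, Tuple

# Zones served by EmerDNS, the alternate naming system Fbot was reported to use.
EMERDNS_ZONES = frozenset({"coin", "emc", "lib", "bazar"})

# Constructed log format: "<timestamp> <client_ip> query <qname> <qtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def is_emerdns_name(qname: str) -> bool:
    """True if the query name's top-level label is an EmerDNS zone.

    Only the last label counts, so "library.lib.example.org" is not flagged.
    """
    labels = qname.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] in EMERDNS_ZONES


def flag_emerdns_queries(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, qname) for every parseable line that asks for an EmerDNS zone."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        if is_emerdns_name(m["qname"]):
            hits.append((m["client"], m["qname"].rstrip(".").lower()))
    return hits


# Constructed sample log (hypothetical hosts and names, not a real capture).
SAMPLE_LOG = [
    "2018-09-13T10:00:01Z 10.0.0.12 query update.example.com. A",
    "2018-09-13T10:00:02Z 10.0.0.45 query c2-loader.lib. A",
    "2018-09-13T10:00:03Z 10.0.0.45 query wallet-pool.coin. A",
    "2018-09-13T10:00:04Z 10.0.0.12 query library.lib.example.org. A",  # inner label, not flagged
    "garbage line that does not parse",
    "2018-09-13T10:00:05Z 10.0.0.77 query Tracker.EMC A",  # case and missing root dot handled
]

if __name__ == "__main__":
    for client, name in flag_emerdns_queries(SAMPLE_LOG):
        print(f"EmerDNS lookup from {client}: {name}")
```

A resolver that cannot answer these zones will typically return NXDOMAIN, so on a real network the hits above would show up as repeated failed lookups from the same client; that pattern, not the name itself, is what a DNS-only blocklist misses.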
There is still no information on whether this interesting new botnet was intended for good, or whether it is simply a means of eliminating the competition and clearing the way for another attacker.