Botnets in the crypto sphere are almost always associated with illicit activities. The unsuspecting punters usually catch them by visiting shady websites or clicking on a link in a phishing email, which allows the malware to gain entry into the computer. Once inside, the malware hijacks the PC to do some dirty deed, like attacking a site via a distributed denial-of-service (DDoS) attack, spreading a virus or siphoning CPU resources to discreetly mine digital currencies for the malware owners.

However, it seems there is a new sheriff in town, trying to salvage the tarnished name of botnets. Labeled Fbot, the newly-discovered botnet is based on Mirai – a program usually associated with DDoS attacks. However, the DDoS module seems to be deactivated and Fbot appears to be tracking illicit crypto mining malware and removing it once it is located.

The botnet was discovered by a Chinese digital security company Qihoo 360Netlab. The researchers confirmed that Fbot scans the web looking for a specific crypto mining malware, named com.ufo.miner, a variant of Android-based monero miner ADB.Miner. After finding it, Fbot removes it by installing itself over the malware and then destroys itself.

Curiously, Fbot is linked to a domain name. However, as you would expect, tracking it is not that easy. Instead of using traditional domain name system (DNS), it instead utilizes EmerDNS, a decentralized blockchain-powered DNS alternative.

According to the researchers, “The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researcher to find and track the botnet (security systems will fail if they only look for traditional DNS names).“

So far, Fbot has not been recorded to leave anything once it destroys itself, suggesting that its sole purpose is to get rid of the malware. However, it is definitely too early to be thankful as it is not yet clear whether Fbot was launched with good intentions or just to simply eliminate the competition by some rival malware developers. Building a botnet requires a lot of time and resources thus it seems too naive to believe that an anonymous do-gooder is working just to help people with no personal agenda.

The spread of crypto mining malware has been rapidly rising over the last year, with illicit software detected on systems owned by enterprises and governments, in addition to regular users. According to security company Trend Micro, crypto-jacking attacks skyrocketed by 956 percent from the first half of 2017 to 2018.

A couple of months ago, a group of malware developers was arrested in China, after infecting over 1 million computers to secretly mine digibyte, siacoin and decred tokens. The hackers hid the malware inside browser plug-ins and whenever the illicit software detected CPU utilization of less than 50 percent, it would start mining crypto. Over 26 million tokens were mined during the entire operation.

Image Source: “Pexels”