Andromeda botnet malware is still an infection issue Watch Now

Good guy vigilante, or error in coding? A strange botnet has appeared on the scene which instead of infecting devices in order to enslave them, appears to be actually wiping them clean of cryptocurrency mining malware.

On Monday, researchers from Qihoo's 360Netlab said that Fbot, a botnet based on Satori botnet coding, is demonstrating some extremely odd behavior for such a system.

Satori is a botnet variant based on Mirai, the infamous botnet which was able to take down online services across an entire country.

Satori's code was released to the public in January. Since then, we have seen variants which target mining rigs for cryptojacking purposes; those which come equipped with exploits for router compromise, and others which focus on deploying Trojan payloads.

Botnets are generally bad news. They enslave vulnerable devices, such as mobile devices, Internet of Things (IoT) products, and routers, and then these devices are enslaved in their droves to drive everything from automatic spam campaigns to distributed denial-of-service (DDoS) attacks.

See also: IoT hacker builds Huawei-based botnet, enslaves 18,000 devices in one day

However, Fbot is not characteristic of your typical botnet.

The researchers say that Fbot appeared on the radar last week and it appears the only job this botnet has is to chase down systems infected by another botnet, com.ufo.miner, a variant of ADB.Miner.

ADB.Miner has been active of late. The botnet targets Android devices -- including smartphones, the Amazon Fire TV, and set-top boxes -- for the purpose of cryptojacking and covertly mining for Monero (XMR) with the help of the Coinhive mining script.

The way Fbot and ADB spread is very similar. Port TCP 5555 is scanned and, if open, a payload executes scripts which download and execute malware, as well as establish a channel to the operator's command and control (C2) server.

However, in Fbot's case, the payload uninstalls ADB mining scripts and cleans the system.

CNET: We can't stop botnet attacks alone, says US government report

After the botnet has tracked down ADB malware processes, killed them, and scrubbed away any trace of the former infection, the botnet deletes itself.

While Fbot does have DDoS modules inherited from Mirai, the researchers have not logged any DDoS attacks from the botnet.

The botnet is very interesting for another reason -- the system does not use a traditional C2 structure to communicate. Usually, DNS is the standard, but Fbot has selected blockchain DNS protocols instead.

TechRepublic: The 6 reasons why we've failed to stop botnets

The C2 domain musl.lib is a top-level domain which is not registered with ICANN, and therefore cannot be resolved through traditional DNS. Instead, the botnet uses EmerDNS, Emercoin.com's decentralized blockchain-based DNS system.

"The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researcher[s] to find and track the botnet (security systems will fail if they only look for traditional DNS names), also it make[s] it harder to sinkhole the C2 domain, at least not applicable for ICANN members," the researchers note.

Fbot is a highly unusual botnet variant. However, it may not be a good-guy vigilante at work simply seeking to clean up our infected systems.

An alternative reason for the botnet's cleaning duties may be to wipe away the competition and infect devices with its own cryptojacking scripts or malware in the future. Either way, Fbot is a botnet worth keeping an eye on.

Previous and related coverage