Unusual IoT Botnet Removes Cryptomining Malware from Devices

Security researchers have come across an unusual new botnet that infects Android devices over the debugging interface then searches for and removes cryptocurrency malware.

The new botnet, dubbed Fbot by researchers from Qihoo 360’s Netlab team, is related to another malware program called Satori, whose source code was leaked online in January. Satori itself is based on Mirai, one of the largest and most damaging IoT botnets in history.

“So far the only purpose of this botnet looks to be just going after and removing another botnet com.ufo.miner,” a variant of the ADB.Miner malware family that propagates over the Android debugging bridge (ADB), the researchers said in a blog post.

Fbot might have been created by an internet vigilante with the sole purpose of removing cryptomining malware. If that’s the case, it wouldn’t be the first time when a vigilante botnet was created.

However, it wouldn’t be the first time a cybercriminal decided to remove the competition’s malware, either. In fact, this is quite common for IoT botnets, with some of them also closing the security holes that allowed them to infect the devices in the first place.

Fbot uses the same method of propagation as ADB.Miner, targeting devices who have their ADB interfaces exposed to the internet over port 5555 without authentication. Leaving ADB unprotected and accessible in this way is a misconfiguration that unfortunately seems to affect thousands of devices, including TV boxes.

After it gains access to a device, Fbot downloads and executes two scripts that fetch a payload from a remote server, kill processes associated with ADB.Miner and uninstalls the malware. The botnet still retains a Mirai/Satori module that can be used to launch distributed denial-of-service (DDoS) attacks, but the researchers haven’t observed it being used yet.

Another interesting aspect about Fbot is the way in which it determines the IP address of the command-and-control server. It does this by querying the DNS record for a non-standard domain called musl.lib.

The .lib TLD does not exist as a public domain extension registered with ICANN, so the musl.lib domain cannot be resolved through regular DNS. Because of this, Fbot uses the blockchain-based EmerDNS system, which is part of the Emercoin platform.

“The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting,” the researchers said. It raised the bar for security researchers to find and track the botnet — security systems will fail if they only look for traditional DNS names — and also makes it more difficult to sinkhole the C2 domain, they said.

IoT Malware Grew 3x this Year

The development of malware for smart devices is increasingly popular among cybercriminals, which causes the number of IoT threats to experience huge growth year over year.

According to a new report from Kaspersky Lab, the first six months of 2018 saw more than three times the number of IoT malware samples compared to the whole of last year. And 2017 was not a slow year for IoT malware either, with a growth rate of more than 10 times compared to 2016.

Bruteforcing default or weak credentials over Telnet remains the preferred attack vector for IoT malware and accounts for more than 75 percent of attacks, according to Kaspersky’s data. This is followed by bruteforce over SSH, with 11 percent, and other vectors, with a combined 13 percent.

Mirai remains the most popular IoT malware family, being used in 1 out of every 5 incidents. This is explained by the fact that Mirai’s source code was leaked in 2016 and served as a starting point for many other IoT botnets.

In terms of geographic distribution, Brazil was the most affected country during H1 2018, with 23 percent of infected devices. China (17 percent), Japan (9 percent), Russia (7 percent) and the United States (4 percent), complete the top five.

Unfortunately, the number of IoT devices connected to the internet continues to grow at a rapid pace, yet many manufacturers still don’t appear to prioritize security.

“Malware for smart devices is increasing not only in quantity but also quality,” the Kaspersky Lab researchers warned. “More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.”

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin