FBot, a 360Netlab Discovery, Helps Seek and Destroy Cryptojacking Mining Malware
FBot, a ‘helpful’ botnet tracking down crypto jacking malware discovered by 360Netlab
FBot is a new botnet with an unusual characteristic: it destroys a particular type of crypto-mining malware rather than harming the infected system itself. The botnet finds the cryptojacking malware on mining devices and replaces it, sparing the system further harm.
The FBot botnet
FBot is a ‘helpful’ botnet that searches for crypto-mining malware and replaces it. The botnet was discovered by the Qihoo 360Netlab team last week, and its unusual functionality has raised eyebrows across the cryptocurrency mining community.
FBot has three key characteristics that set it apart from other botnets. First, it appears to track down and remove only the “com.ufo.miner” malware. Second, it does not use traditional DNS to communicate with its C2; instead, it uses blockchain DNS to resolve the non-standard C2 name musl.lib. Lastly, it is a variant of the Satori botnet, which is itself built on Mirai. Unlike its ancestors, however, FBot does not launch DDoS attacks; its DDoS module is deactivated.
The report released by Qihoo 360Netlab explained that FBot exists solely to deal with the “com.ufo.miner” cryptojacking malware.
How FBot’s unique nature replaces the threat of “com.ufo.miner”
As established above, FBot deals only with the threat from com.ufo.miner, which is itself a variant of the Android-based Monero miner ADB.Miner. The Qihoo 360Netlab team found that the botnet distributes itself by searching for devices with a specific open port and then runs a script to uninstall com.ufo.miner if it is found.
FBot is programmed to scan and propagate, install itself over the malware and ultimately self-destruct.
The EmerDNS domain system
Most botnets connect to a C2 through a domain name that resolves via the standard domain name system (DNS). FBot is unusual in that it does not rely on standard DNS but on a decentralized system named EmerDNS, which makes its addresses harder to trace and shut down.
“The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researchers to find and track the botnet (security systems will fail if they only look for traditional DNS names).”
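The two paragraphs above make one detection point: a monitoring system that only watches for ICANN domain names will never see a C2 name like musl.lib. The following script is an added example written for this article; it is not code from 360Netlab or from the FBot sample. It scans resolver log lines in a simple constructed format ("timestamp client qname") and flags queries for names in the EmerDNS zones. It goes slightly beyond the article in one respect: besides the .lib zone that musl.lib sits in, it also covers the other zones EmerDNS serves (.coin, .emc, .bazar), since none of them resolve through ordinary DNS and a query for any of them from an internal host deserves a look.

```python
"""Flag lookups for EmerDNS (blockchain DNS) names in resolver logs.

Added example, not from the 360Netlab report. The log format
("<timestamp> <client_ip> <qname>") and every line of SAMPLE_LOG are
constructed for this example; the names and addresses are not real traffic.
"""
from collections import Counter

# Zones served by EmerDNS. They are not delegated in ICANN DNS, so a query
# for one of them will not resolve normally and is a useful signal.
EMERDNS_TLDS = {"coin", "emc", "lib", "bazar"}

# Constructed sample resolver log lines (not real traffic).
SAMPLE_LOG = """\
2018-09-20T10:01:02Z 10.0.0.15 www.example.com
2018-09-20T10:01:05Z 10.0.0.15 musl.lib
2018-09-20T10:01:09Z 10.0.0.22 update.example.org
2018-09-20T10:02:11Z 10.0.0.22 musl.lib.
2018-09-20T10:02:15Z 10.0.0.31 shop.bazar
2018-09-20T10:02:30Z 10.0.0.15 musl.lib
2018-09-20T10:03:00Z 10.0.0.15 library.example.net
"""


def parse_line(line):
    """Split one log line into (timestamp, client, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, client, qname = parts
    # Normalise: drop a trailing root dot and lower-case the name.
    return ts, client, qname.rstrip(".").lower()


def is_emerdns_name(qname):
    """True if the name's top-level label is one of the EmerDNS zones."""
    if "." not in qname:
        return False  # a bare label like "lib" is not a domain under .lib
    tld = qname.rsplit(".", 1)[-1]
    return tld in EMERDNS_TLDS


def find_emerdns_queries(log_text):
    """Return the parsed records whose queried name falls in an EmerDNS zone."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_emerdns_name(rec[2]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count (client, qname) pairs so a host that keeps beaconing stands out."""
    return Counter((client, qname) for _, client, qname in hits)


if __name__ == "__main__":
    found = find_emerdns_queries(SAMPLE_LOG)
    for (client, qname), n in summarize(found).most_common():
        print(f"{client} queried {qname} {n} time(s)")
```

One caveat when deploying this: the check only works if the infected host sends its lookups through a resolver you log. A bot that talks directly to an EmerDNS-aware resolver on the internet bypasses the local resolver entirely, so pair the log rule with egress controls that force DNS through your own resolvers and alert on direct port 53 traffic to outside hosts.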
The number of cryptojacking attacks increased by over 950% from the first half of 2017 to the first half of 2018, as reported by IT security firm Trend Micro in August. This comes as no surprise, as the overall number of scams and frauds in the cryptocurrency industry has increased significantly according to a number of security firms. Ransomware has once again surged as the crypto cybercrime of choice among hackers.
Unauthorized cryptocurrency mining is increasingly being shut out as more browsers add blocks for cryptocurrency-mining scripts. Mozilla Firefox is expected to roll out its blocking later in the year, as Opera did in its mobile browser in January.
Among current initiatives to counter the rising threat, Firefox said on Aug. 31 that its browsers will soon automatically block crypto mining malware scripts. The Opera browser launched similar protection for mobile devices in January.