The new Fbot botnet removes cryptominers from infected devices.
Researchers at Qihoo 360 Netlab have drawn attention to an unusual botnet that has appeared on the Internet. It is built on a variant of the Mirai malware called Fbot. What surprised the researchers is that, although the original DDoS module is present, the botnet's observed activity is so far not destructive: Fbot looks for devices infected with cryptocurrency-mining malware and removes it. Specifically, it targets com.ufo.miner, a well-known variant of ADB.Miner that mines Monero on Android devices.
Fbot scans the Internet for devices with TCP port 5555 open, the port used by ADB (the Android Debug Bridge), and then pushes a script to the device over the ADB interface. The script does three things: it uninstalls com.ufo.miner, it downloads the main Fbot module, which has the details for contacting the command-and-control (C&C) server embedded in it, and it then deletes itself.
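As an added example, not code from the Netlab report or from Fbot itself, the following Python script performs the first step a defender would take to find devices exposed the way this botnet finds them: it connects to TCP 5555, sends the ADB CNXN handshake and classifies the reply. A device that answers with its own CNXN accepts commands without any key check (this is what ADB.Miner and Fbot rely on); one that answers AUTH is exposed but requires a paired RSA key. The protocol constants are from the public ADB wire protocol; the default target address is a placeholder from the RFC 5737 documentation range, and the sample replies in the usage note are constructed.

```python
import socket
import struct

# ADB wire-protocol constants (AOSP system/core/adb/protocol.txt).
A_CNXN = 0x4E584E43        # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541        # b"AUTH"
A_VERSION = 0x01000000     # protocol version sent in CNXN.arg0
MAX_PAYLOAD = 0x1000       # largest payload we accept, sent in CNXN.arg1
HEADER = struct.Struct("<IIIIII")  # command, arg0, arg1, data_len, data_check, magic


def build_message(command, arg0, arg1, payload=b""):
    """Serialise one ADB message: 24-byte header followed by the payload."""
    data_check = sum(payload) & 0xFFFFFFFF     # the "checksum" is a plain byte sum
    magic = command ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), data_check, magic) + payload


def build_connect_probe():
    """CNXN message a host sends to open a session (the first thing 'adb connect' does)."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(data):
    """Split a raw message into (command, arg0, arg1, payload); reject bad headers."""
    if len(data) < HEADER.size:
        raise ValueError("short ADB header")
    command, arg0, arg1, data_len, _check, magic = HEADER.unpack_from(data)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB message")
    payload = data[HEADER.size:HEADER.size + data_len]
    if len(payload) != data_len:
        raise ValueError("truncated ADB payload")
    # data_check is deliberately not verified: newer adbd versions send zero there.
    return command, arg0, arg1, payload


def classify_response(data):
    """Decide what the device's first reply to our CNXN means."""
    command, _arg0, _arg1, payload = parse_message(data)
    if command == A_CNXN:
        # Device answered with its own CNXN: no key check, anyone can run shell commands.
        identity = payload.split(b"\x00", 1)[0].decode("utf-8", "replace")
        return "unauthenticated", identity
    if command == A_AUTH:
        # Device demands RSA key authentication (ro.adb.secure=1): exposed, not wide open.
        return "auth-required", ""
    return "unknown", ""


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return partial messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_adb(host, port=5555, timeout=3.0):
    """Connect to host:port, send CNXN and return the classification of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect_probe())
        header = _recv_exact(sock, HEADER.size)
        data_len = HEADER.unpack(header)[3]
        payload = _recv_exact(sock, data_len) if data_len else b""
        return classify_response(header + payload)


if __name__ == "__main__":
    import sys
    # Placeholder target (RFC 5737 documentation range); pass a real host on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    try:
        print(target, *probe_adb(target))
    except OSError as exc:
        print(target, "closed or unreachable:", exc)
```

Run against a host that answers CNXN, the probe reports `unauthenticated` together with the device identity string (for example `device::ro.product.name=...;`); a reply of AUTH reports `auth-required`. Where a device reports unauthenticated access, `adb connect HOST:5555` followed by `adb shell pm list packages` shows whether com.ufo.miner is installed, and the exposure itself should be closed by switching adbd back to USB (`adb usb`) or firewalling port 5555 rather than relying on a rival botnet to evict the miner.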
Another feature of the botnet is its use of the alternative decentralized domain name system EmerDNS, which makes its domains harder to track. According to the researchers, the C&C server uses a domain in the .lib zone (musl.lib), a zone that does not exist in the ICANN root. Ordinary resolvers therefore return NXDOMAIN for the name; it resolves only through an EmerCoin node or a resolver that peers with EmerDNS (such as OpenNIC), so passive-DNS and domain-blocklist feeds built on the public DNS will not see it.
It is not yet clear why the operators remove cryptominers and install Fbot in their place; one possibility is that they are eliminating competitors for the same devices.
EmerDNS is a decentralized domain name system built on the EmerCoin blockchain, a platform that offers domain registration in the alternative zones .bazar, .coin, .emc and .lib.