Vigilante Botnet Infects Computers to Remove Cryptocurrency Malware

Last Updated March 4, 2021 3:41 PM
Conor Maloney

Botnets have become increasingly powerful over the last few years, to the point where the US Department of Homeland Security admitted that they couldn’t face the problem alone and needed help from the white hat community.

Botnets consist of dozens, hundreds, or even thousands of internet-connected devices which are then used to send spam messages en masse or to launch distributed denial-of-service (DDoS) attacks, crashing online services. CCN.com has reported before on how botnets infected millions of computers last year with cryptojacking software designed to siphon CPU power and use it to secretly mine crypto for the malware owners.

A particularly notorious botnet called ‘Mirai’ famously hijacked IoT devices to mine Bitcoin – while IoT devices are individually extremely ineffective, Mirai is a particularly virulent piece of malware that infected thousands of devices in a short space of time to take small profits from all of them. While the term botnet understandably carries a malicious connotation, one botnet seems to be breaking the mold and is seemingly forcing its way into user computers to infect them – with crypto antivirus software.

Security research firm Netlab released a report describing the malware which they have dubbed ‘Fbot’, a variant of the legitimate ADBminer software designed to mine cryptocurrencies.

“There are 3 interesting aspects about this new botnet:

  • First, so far the only purpose of this botnet looks to be just going after and removing another botnet com.ufo.miner.
  • Second, the bot does not use traditional DNS to communicate with the C2, instead, it utilizes block-chain DNS to resolve the non-standard C2 name musl.lib. (see below for details)
  • Third, this bot appears to have strong links to the original satori botnet.”

The botnet cleanses the ‘infected’ computers of the notoriously widespread cryptojacking malware and so far doesn’t seem to be leaving anything behind in its place, leading some to believe that the botnet may even be designed with that single benign purpose in mind.

However, it’s possible that there’s more to the software than meets the eye, or that it’s simply the first phase of a larger plan. The botnet could potentially be clearing competing crypto-malware only to pave the way for a fresh wave of attacks of its own, systematically eliminating the competition. Botnets take time, effort, and funding to operate, which makes it hard to believe that an anonymous botnet could be working out there simply to help people.

Whatever the case may be, the botnet is perhaps the first malware to ever target vast swathes of devices and delete other malware without most users ever knowing, and it’s certainly worth keeping an eye on as time goes by.
