Botnets have underpinned many kinds of cybercrime for years. The term designates a large set of Internet-connected devices, including personal computers, servers, mobile devices and IoT hardware, that threat actors control without their owners’ knowledge.
Malicious code planted on these ‘zombie’ machines gives the operators a persistent foothold and lets them issue commands remotely at any time. The most common uses have been DDoS (Distributed Denial of Service) attacks and large-scale spam campaigns.
However, things are starting to change.
The ongoing cryptocurrency boom has incentivized botnet operators to repurpose their networks of enslaved machines. They have apparently realized that the aggregate processing power of their botnets is a godsend when it comes to mining digital coins. Consequently, this segment of cybercrime is shifting toward a paradigm where botnets do not DDoS or spam – they mine cryptocurrencies.
Interestingly, Bitcoin is no longer the coin of choice among cybercriminals: its transactions are slow and its fees are high. Monero has become popular because it can be mined on ordinary CPUs and its transactions are hard to trace, and Dash has gained a following among ransomware authors.
Here are the top 3 crypto mining botnets:
1) Smominru, the Biggest Mining Botnet to Date
Also referred to as MyKings, Smominru is a gigantic Monero-mining botnet consisting of at least 520,000 ‘zombie’ devices. It targets computers and servers running the Windows operating system. The campaign took root in late May 2017 and has grown to this size thanks to automated, exploit-driven payload delivery.
The Smominru operators reportedly use two exploits, EternalBlue and EsteemAudit, to compromise machines at scale. EternalBlue targets SMBv1 (CVE-2017-0144, fixed by MS17-010) and EsteemAudit targets the Remote Desktop Protocol service on Windows XP and Server 2003; both come from the NSA toolkit leaked by The Shadow Brokers hacking group in April 2017. Neither needs any user interaction: an unpatched machine whose SMB or RDP port is reachable over the network can be infected remotely.
Most of the infected nodes are located in Taiwan, India, Brazil, Ukraine, and Russia. The perpetrators have used this army of compromised machines to mine roughly 8,900 Monero, worth more than $2.5 million at the time of this writing. According to security analysts, the operators of the Smominru botnet are most likely based in China.
2) DDG Botnet Targeting Servers
A botnet codenamed DDG has mined about $1.5 million worth of Monero by harnessing the processing capacity of more than 4,000 infected OrientDB and Redis database servers.
DDG has been active since March 2017. The operators target servers deliberately: such machines typically have far more CPU cores than desktop PCs and run around the clock, which translates into a much higher hash rate.
The vectors of compromise are credential brute-force attacks against Redis servers and exploitation of the OrientDB remote code execution bug cataloged as CVE-2017-11467. The majority of breached servers (73%) are located in China, with 11% in the United States and the remaining 16% scattered across the rest of the globe.
The infection chain involves the DDG core function module that, once executed, downloads the miner application called wnTKYg. According to the researchers’ findings, the botnet’s architecture is very flexible: it uses a script named i.sh that lets the operators download and deploy arbitrary malicious code on compromised servers, not necessarily a miner.
Given the pace of these attacks while the Monero price keeps climbing, OrientDB administrators should patch known vulnerabilities as soon as possible, and Redis operators should require authentication with a long random password, bind the service to localhost or an internal interface rather than the Internet, and leave protected mode on, so that dictionary attacks have nothing to hit.
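The Redis hardening just described can be checked mechanically. The script below is an added example, not code from the article or from the DDG researchers: it parses a redis.conf and reports the settings that make credential brute-forcing or unauthenticated access possible. The two configurations embedded in it are constructed for illustration, and the 32-character password floor is an assumption.

```python
"""Audit a redis.conf for the settings that let credential brute-forcing or
unauthenticated access succeed.

Added example, not code from the article or from the DDG researchers. The
two configurations below are constructed for illustration; the checks encode
standard Redis hardening (requirepass, bind, protected-mode, renaming CONFIG).
"""
import secrets

# Constructed: the kind of default deployment that brute-force scanners find.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode no
daemonize yes
"""

# Constructed: the same server after hardening.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass K8vZp2Qw9xLmR4tY7uHs1NcE6bJa3Dg0fXoWiVqTz5
rename-command CONFIG ""
daemonize yes
"""

MIN_PASSWORD_LEN = 32   # assumed floor: AUTH is cheap to try, so only length defeats dictionaries


def parse_conf(text):
    """Map each directive to the list of argument lists it was given.

    redis.conf is 'keyword arg arg ...' per line; a line whose first
    non-blank character is '#' is a comment. Directives such as
    rename-command may legitimately appear several times.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text):
    """Return a list of (severity, message) findings; an empty list means hardened."""
    conf = parse_conf(text)
    findings = []

    # No bind line, or a wildcard bind, means the port faces every interface.
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append(("CRITICAL", "listens on all interfaces (no bind, or bind 0.0.0.0)"))

    mode = conf.get("protected-mode", [["yes"]])[0]
    if mode and mode[0].lower() == "no":
        findings.append(("HIGH", "protected-mode is off"))

    passwords = conf.get("requirepass", [])
    if not passwords or not passwords[0]:
        findings.append(("CRITICAL", "no requirepass: anyone reaching the port has full access"))
    else:
        password = passwords[0][0].strip('"')
        if len(password) < MIN_PASSWORD_LEN:
            findings.append(("HIGH", f"requirepass is only {len(password)} chars; a dictionary attack is feasible"))

    # CONFIG SET dir/dbfilename lets any client that can run commands write files.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append(("MEDIUM", "CONFIG command is not renamed; it lets a client redirect the RDB dump to an arbitrary path"))

    return findings


def is_hardened(text):
    return not audit(text)


def suggest_password():
    """A random URL-safe password long enough that brute-forcing is hopeless."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or 'no findings'}")
    print("suggested requirepass:", suggest_password())
```

Run it against a real redis.conf by reading the file into `audit()`; the weak sample yields four findings, the hardened one none. Binding to a private interface instead of localhost is legitimate, so the script only flags wildcard binds.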
3) ADB.Miner, a Threat to Android Devices
In early February 2018, a new botnet was discovered that stands out from the crowd. Its operators are trying their hand at enslaving Android devices to mine Monero cryptocurrency.
The choice of victims seems odd given the low CPU power such devices have on board, but the operators appear to compensate with numbers: the count of infected nodes reached 7,000 within the first couple of days and was doubling every 12 hours. Moreover, the botnet mostly hits smart TVs, which carry more capable processors than smartphones.
The entry point is TCP port 5555, the port the Android Debug Bridge (ADB) daemon listens on when debugging over the network is enabled, hence the botnet’s name. ADB over TCP is off by default, so only devices on which it was switched on manually and which are reachable from the network are at risk. Because compromised devices themselves scan for other hosts with an open 5555 port, the code behaves like a classic worm: a hybrid of a self-propagating worm and a miner.
Another noteworthy feature of ADB.Miner is that its authors appear to have borrowed the network scanning module and core structure from the notorious Mirai botnet targeting IoT devices.
The majority of victims are located in China (39%) and South Korea (39%). Mining goes through two pools that pay out to the same Monero wallet. As of February 4, this wallet had no coins in it, but that was just the dawn of the campaign.
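To check whether one of your own devices answers on the ADB port, it is enough to speak the first message of the protocol. The script below is an added example, not code from the article or from the ADB.Miner analysis: it builds the ADB CNXN message, parses the reply, and tells an open daemon (it answers CNXN without asking for a key) from one that demands RSA authorization (it answers AUTH). The message layout is the public ADB wire protocol; the identity strings and the checking policy are assumptions for illustration. Probe only devices you own: sending CNXN to strangers’ ports is exactly what the botnet’s scanner does.

```python
"""Build and recognise the ADB wire-protocol handshake that an exposed
port 5555 answers to.

Added example, not code from the article or from the ADB.Miner analysis.
Each ADB message is six little-endian uint32 fields followed by the payload;
the identity strings below are assumptions for illustration.
"""
import socket
import struct

HEADER = struct.Struct("<6I")   # command, arg0, arg1, data_length, data_check, magic
A_CNXN = int.from_bytes(b"CNXN", "little")   # connect / connection accepted
A_AUTH = int.from_bytes(b"AUTH", "little")   # daemon demands RSA key authorization
A_VERSION = 0x01000000    # legacy protocol version, which still uses the checksum
MAX_PAYLOAD = 4096


def build_message(command, arg0, arg1, payload=b""):
    """Serialise one ADB message; magic is the bitwise complement of command."""
    checksum = sum(payload) & 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), checksum,
                       command ^ 0xFFFFFFFF) + payload


def build_cnxn(identity=b"host::"):
    """The CNXN message an adb client (or a scanner) sends first."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity + b"\x00")


def parse_message(data):
    """Return a dict for a well-formed ADB message, or None for anything else."""
    if len(data) < HEADER.size:
        return None
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(data)
    if magic != command ^ 0xFFFFFFFF:
        return None
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        return None           # truncated
    # Newer daemons (version above 0x01000000) send data_check = 0; accept either.
    if check and sum(payload) & 0xFFFFFFFF != check:
        return None
    return {"command": command.to_bytes(4, "little").decode("ascii", "replace"),
            "arg0": arg0, "arg1": arg1, "payload": payload}


def classify_reply(data):
    """'open' if the daemon connected without auth, 'auth' if it demanded a key,
    'other' for any other ADB message, None if the peer is not speaking ADB."""
    msg = parse_message(data)
    if msg is None:
        return None
    if msg["command"] == "CNXN":
        return "open"
    if msg["command"] == "AUTH":
        return "auth"
    return "other"


def probe(host, port=5555, timeout=3.0):
    """Connect to a device you own, send CNXN and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        return classify_reply(sock.recv(4096))


if __name__ == "__main__":
    import sys
    print("local round-trip:", parse_message(build_cnxn()))
    if len(sys.argv) > 1:           # e.g. python adb_probe.py 192.0.2.10 (assumed address)
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

A result of `open` means the device is exactly what ADB.Miner looks for; `auth` means the daemon at least requires a paired key, though the port is still reachable and should be closed (`adb usb`, or disable USB debugging) unless it is needed.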
Cybercriminals follow the money. Using botnets for old-school attacks, even DDoS for ransom, is not nearly as profitable or reliable as covert cryptocurrency mining. Furthermore, botnet-powered spam campaigns and DDoS make a lot of noise and attract too much attention from law enforcement.
Botnets are extremely difficult to take down because of their distributed nature and resilient command-and-control (C2) infrastructure.
- The only dependable way to keep a device from being drafted into a botnet is to defend it proactively. Owners of PCs, mobile devices and servers should apply software updates promptly, since those patches close the known vulnerabilities (SMB, RDP and OrientDB in the cases above) that these campaigns exploit for remote code execution.
- Use strong, unique credentials on every network-facing service, such as Redis and RDP, so that brute-force and dictionary attacks fail; better still, do not expose management services to the Internet at all. A reputable security suite is also likely to detect botnet-related malware and stop the attack in its tracks.
- Users should additionally watch for red flags that may indicate unauthorized mining. If CPU usage stays pegged near its peak while the device should be idle, or a phone or TV runs hot and slow for no apparent reason, it is a strong signal and time to check the system for malware traces.
- Another giveaway follows from the nature of a botnet: it lives only as long as it can talk to its C2 server, from which the zombies fetch instructions and to which they report. Unusual inbound or outbound traffic is therefore a likely symptom: periodic ‘beacon’ connections or lookups of the same host on a fixed timer, many devices resolving the same unfamiliar domain at the same moment, or long-lived connections to unknown hosts.
Unfortunately, end users who are not very tech-savvy may fail to notice this going on in the background. A reliable Internet security suite will help identify this type of suspicious traffic, along with the accompanying malware, and block it.
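The two traffic symptoms above, a host resolving the same name on a fixed timer and many hosts resolving the same name at once, can be pulled out of an ordinary DNS query log. The script below is an added example, not code from the article: it groups queries per (client, name), scores the regularity of the gaps between them, and separately looks for names that several clients resolve within a two-second window. The log format, addresses and domain names are constructed for illustration, and the thresholds (six queries, 20% jitter, three hosts) are assumptions to tune for your network.

```python
"""Flag two C2 traffic patterns in DNS query logs: one host resolving the same
name on a fixed timer (beaconing) and many hosts resolving the same name at
the same moment (concurrent identical requests).

Added example, not code from the article. The log format and every host name
and address below are constructed for illustration; thresholds are assumptions.
"""
import statistics
from collections import defaultdict, namedtuple
from datetime import datetime

Record = namedtuple("Record", "ts client qname")

# Constructed log: "<date> <time> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2018-02-04 10:00:00 10.0.0.5 c2-update.example A
2018-02-04 10:00:12 10.0.0.7 news.example A
2018-02-04 10:00:13 10.0.0.7 cdn.example A
2018-02-04 10:01:00 10.0.0.5 c2-update.example A
2018-02-04 10:02:01 10.0.0.5 c2-update.example A
2018-02-04 10:03:00 10.0.0.5 c2-update.example A
2018-02-04 10:03:40 10.0.0.7 mail.example A
2018-02-04 10:03:41 10.0.0.7 cdn.example A
2018-02-04 10:04:00 10.0.0.5 c2-update.example A
2018-02-04 10:05:00 10.0.0.5 c2-update.example A
2018-02-04 10:05:00 10.0.0.8 pool.example A
2018-02-04 10:05:01 10.0.0.9 pool.example A
2018-02-04 10:05:01 10.0.0.10 pool.example A
2018-02-04 10:06:01 10.0.0.5 c2-update.example A
2018-02-04 10:06:05 10.0.0.7 shop.example A
2018-02-04 10:07:00 10.0.0.5 c2-update.example A
"""


def parse_log(text):
    """One Record per non-empty line; query names are normalised to lower case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, qname, _qtype = line.split()
        records.append(Record(datetime.fromisoformat(f"{date} {time}"), client, qname.lower()))
    return records


def find_beacons(records, min_count=6, max_cv=0.2):
    """(client, qname) pairs queried at least min_count times at near-constant
    intervals. The coefficient of variation (stdev / mean) of the gaps between
    queries is small for a timer and large for a human."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r.client, r.qname)].append(r.ts)
    hits = []
    for (client, qname), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue          # duplicate timestamps only; nothing periodic to score
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"client": client, "qname": qname, "count": len(times),
                         "period_s": round(mean), "cv": round(cv, 3)})
    return hits


def find_synchronized_lookups(records, min_hosts=3, window_s=2):
    """Names resolved by at least min_hosts distinct clients within window_s
    seconds: what a pool or C2 domain looks like when a botnet wakes up."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.qname].append((r.ts, r.client))
    hits = {}
    for qname, events in by_name.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            clients = {c for t, c in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(clients) >= min_hosts:
                hits[qname] = sorted(clients)
                break
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for b in find_beacons(recs):
        print("beacon:", b)
    for name, hosts in find_synchronized_lookups(recs).items():
        print("synchronized lookup:", name, hosts)
```

On the sample, 10.0.0.5 is reported as beaconing to c2-update.example every 60 seconds, and pool.example is reported as resolved by three hosts within a second; the browsing host 10.0.0.7 triggers neither rule. In production, allow-list names that legitimately beacon (update servers, NTP, monitoring agents) before acting on the output.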
About David Balaban
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.