A new botnet has caught the attention of security researchers with its apparently benign behavior and the unusual channel it uses to reach its command and control server.
Fbot is a peculiar variant of Mirai that preserves the original DDoS module but does not appear to use it. Stranger still, its purpose at the moment is to search for devices infected with a cryptomining malware and clean them.
Security researchers from Qihoo's 360Netlab discovered the new strain and noticed that it hunts down 'com.ufo.miner,' a known variant of ADB.Miner that mines Monero on Android devices (smartphones, smart TVs, set-top boxes).
Fbot spreads by scanning for devices with an exposed TCP port 5555, used by the Android Debug Bridge (ADB) service, and then retrieving a script through the ADB interface.
One of the script's functions is to uninstall the 'com.ufo.miner' malware. Another is to download the main payload, Fbot, which comes embedded with the details needed to contact the command and control (C2) server. The third function is to delete the script itself.
Fbot appears to have a positive effect on a system previously infected with com.ufo.miner, as it also looks for processes named SMI, RIG and XIG, associated with cryptomining activity, and kills them.
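The indicators named above (the com.ufo.miner package, the SMI/RIG/XIG process names, and an ADB daemon listening on TCP 5555) are what a defender would check on their own fleet of Android devices. The following is an added example, not code from the article or from 360Netlab: it parses the kind of output `adb shell pm list packages`, `adb shell ps -A` and `adb shell netstat -tln` produce and reports those indicators. All sample output is constructed for the example, and the column layouts assumed for `ps` and `netstat` are those of recent Android toybox builds.

```python
# Indicators taken from the write-up: the miner package Fbot uninstalls,
# the mining process names it kills, and the ADB port it scans for.
MINER_PACKAGE = "com.ufo.miner"
MINER_PROCESS_NAMES = {"SMI", "RIG", "XIG"}
ADB_PORT = 5555

# Constructed sample output shaped like `adb shell pm list packages`
# on a device that has the miner installed (not a real capture).
SAMPLE_PACKAGES = """package:com.android.settings
package:com.ufo.miner
package:com.android.systemui
"""

# Constructed sample output shaped like `adb shell ps -A` (toybox layout:
# USER PID PPID VSZ RSS WCHAN ADDR S NAME). Not a real capture.
SAMPLE_PS = """USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10548   2040 0                   0 S init
u0_a101       1842   312 1403652 152816 0                   0 S com.android.systemui
u0_a133       2216   312  901244  68220 0                   0 S com.ufo.miner
u0_a133       2231  2216  502216 201100 0                   0 R XIG
"""

# Constructed sample output shaped like `adb shell netstat -tln`, showing
# adbd listening on all interfaces on TCP 5555 (the exposure Fbot looks for).
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
"""


def installed_packages(pm_output):
    """Parse `pm list packages` output into a set of package names."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def running_processes(ps_output):
    """Parse `ps` output into (pid, name) pairs, skipping the header row."""
    procs = []
    for line in ps_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 9:
            procs.append((int(cols[1]), cols[-1]))
    return procs


def adb_listening(netstat_output):
    """True if a TCP socket listens on the ADB port on a non-loopback address."""
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0] == "tcp" and cols[-1] == "LISTEN":
            addr, _, port = cols[3].rpartition(":")
            if port == str(ADB_PORT) and not addr.startswith("127."):
                return True
    return False


def assess_device(pm_output, ps_output, netstat_output):
    """Summarise the article's indicators for one device."""
    pkgs = installed_packages(pm_output)
    procs = running_processes(ps_output)
    suspicious = [(pid, name) for pid, name in procs
                  if name in MINER_PROCESS_NAMES or name == MINER_PACKAGE]
    return {
        "miner_installed": MINER_PACKAGE in pkgs,
        "miner_processes": suspicious,   # pids a responder can act on
        "adb_exposed": adb_listening(netstat_output),
    }


if __name__ == "__main__":
    print(assess_device(SAMPLE_PACKAGES, SAMPLE_PS, SAMPLE_NETSTAT))
```

The `adb_exposed` finding is the one to act on first: a device that only has ADB bound to loopback (or disabled) cannot be reached by the scan described above, whether or not a miner is present.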
According to the researchers, Fbot's maker chose for the C2 server a domain name accessible through a decentralized Domain Name System (DNS), which shares domains over a peer-to-peer network and makes them more difficult to track and take down.
"The C2 domain musl.lib is not a standard DNS domain name. Its top-level domain .lib is NOT registered to ICANN and cannot be resolved by the traditional DNS system," 360Netlab details.
The domain name is resolved through EmerDNS, the blockchain-based DNS of EmerCoin, a platform that registers domain names in the EMC, COIN, LIB and BAZAR namespaces and serves them through its own DNS server.
EmerCoin now has a peering agreement with OpenNIC, the largest alternative to the traditional top-level domain registries, under which OpenNIC resolves EmerDNS domain names as well.
"The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researchers to find and track the botnet (Security systems will fail if they only look for traditional DNS names), also it makes it harder to sinkhole the C2 domain, at least not applicable for ICANN members," the researchers note.
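The researchers' point that security systems "will fail if they only look for traditional DNS names" suggests the obvious compensating check: flag resolver queries whose top-level domain is not in the ICANN root at all, since on a normal corporate resolver those can only come from hosts that know about an alternative root such as EmerDNS or OpenNIC. The following is an added example, not 360Netlab's code: it scans constructed, BIND-style query log lines (the line format is a simplified assumption) and reports queries for the EmerDNS namespaces named above, plus any TLD missing from an ICANN allowlist. The allowlist here is a tiny stand-in; in practice you would load the full IANA root zone TLD list.

```python
import re
from collections import Counter

# Stand-in for the IANA root zone TLD list (assumption: a real deployment
# loads the full list; this sample is deliberately small).
ICANN_TLDS_SAMPLE = {"com", "net", "org", "io", "info", "co", "uk", "de"}

# Namespaces the article attributes to EmerDNS (EmerCoin's blockchain DNS).
EMERDNS_TLDS = {"emc", "coin", "lib", "bazar"}

# Constructed resolver log lines in a simplified BIND-style query log format.
# The second and fifth lines carry the C2 name the article quotes.
SAMPLE_QUERY_LOG = """\
12-Sep-2018 10:01:22.113 client 10.0.0.21#51234: query: www.example.com IN A +
12-Sep-2018 10:01:23.511 client 10.0.0.42#40211: query: musl.lib IN A +
12-Sep-2018 10:01:24.002 client 10.0.0.42#40212: query: update.example.org IN AAAA +
12-Sep-2018 10:01:25.777 client 10.0.0.77#33009: query: pool.bazar IN A +
12-Sep-2018 10:01:26.010 client 10.0.0.42#40213: query: musl.lib IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def tld_of(qname):
    """Return the lower-cased last label of a query name (trailing dot ignored)."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def classify(qname):
    """Label a query name by which root its TLD belongs to."""
    tld = tld_of(qname)
    if tld in EMERDNS_TLDS:
        return "emerdns"
    if tld not in ICANN_TLDS_SAMPLE:
        return "unknown-tld"   # not ICANN, not a known EmerDNS namespace
    return "icann"


def find_alternative_root_queries(log_text):
    """Return (client, qname, qtype, label) for every non-ICANN query."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue          # ignore lines that are not query records
        label = classify(m["qname"])
        if label != "icann":
            hits.append((m["client"], m["qname"], m["qtype"], label))
    return hits


def clients_by_alt_queries(hits):
    """Count alternative-root queries per client, to rank hosts for triage."""
    return Counter(client for client, *_ in hits)


if __name__ == "__main__":
    found = find_alternative_root_queries(SAMPLE_QUERY_LOG)
    for hit in found:
        print(hit)
    print(clients_by_alt_queries(found))
```

On a standard resolver these queries fail with NXDOMAIN, so the log entry, not the answer, is the evidence; repeated NXDOMAIN queries for the same EmerDNS name from one client (10.0.0.42 in the sample) are the pattern worth an alert. The "unknown-tld" class also catches typos and internal names, so it is a triage list rather than a block list until the full ICANN TLD set is loaded.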
Fbot's technical details are intriguing, and it is unclear whether it is the work of a do-gooder or of an adversary looking to get rid of the competition. However, some of the methods used may become more popular with cybercriminals looking to protect their business. What is certain at the moment is that Fbot removes a cryptomining malware and takes its place on the victim system.