Fbot: The Botnet That Cleans Out Cryptominers
Cybersecurity experts from Qihoo 360Netlab have discovered an unusual new botnet on the internet. Named Fbot, this botnet is based on a variant of the infamous Mirai malware. What sets Fbot apart is its current activity: instead of launching attacks, it searches for devices infected with cryptocurrency mining software and removes them.
How Fbot Works
Fbot specifically targets devices infected with com.ufo.miner, a well-known version of ADB.Miner designed to mine Monero cryptocurrency on Android devices. The botnet scans the internet for devices with port 5555 open, which is used by the Android Debug Bridge (ADB) service. Once it finds a vulnerable device, Fbot uploads a script through the ADB interface.
The script performs three main functions:
- Removes the com.ufo.miner cryptominer.
- Downloads the main Fbot module, which contains information for communicating with the command and control (C&C) server.
- Initiates self-destruction to remove traces of its activity.
Decentralized Domain Name System
Another unique feature of Fbot is its use of the decentralized EmerDNS system, which makes it harder to track the botnet's domains. According to experts, the C&C server uses a domain in the .lib zone (musl.lib), which is not registered with ICANN.
Motives Remain Unclear
It is still unknown why the operators of Fbot are removing cryptominers and replacing them with their own software. One possible explanation is that they are trying to eliminate competitors from infected devices.
About EmerDNS
EmerDNS is a decentralized domain name system built on the EmerCoin blockchain platform. It offers domain registration services in alternative zones such as .bazar, .coin, .emc, and .lib.
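The two observable traits described above, ADB reachable on TCP 5555 and C&C lookups in an EmerDNS zone such as musl.lib, are what a defender can actually watch for. The following is an added example, not code from the article or from 360Netlab; it assumes a simplified firewall flow-log and resolver query-log format and a set of internal network ranges, all constructed here.

```python
import re
from ipaddress import ip_address, ip_network

# EmerDNS zones named in the article; names under these TLDs never resolve
# through ICANN-delegated DNS, so a resolver seeing them is worth flagging.
EMERDNS_ZONES = {"bazar", "coin", "emc", "lib"}
ADB_PORT = 5555
# Assumed internal ranges (constructed for the example); adjust to your network.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (not real traffic): one simplified firewall flow
# record format and one simplified resolver query-log format.
SAMPLE_LOGS = [
    "flow src=203.0.113.7 dst=192.168.1.20 proto=tcp dport=5555 action=allow",
    "flow src=192.168.1.5 dst=192.168.1.20 proto=tcp dport=5555 action=allow",
    "flow src=198.51.100.9 dst=192.168.1.20 proto=tcp dport=443 action=allow",
    "dns client=192.168.1.20 query=musl.lib type=A",
    "dns client=192.168.1.20 query=update.example.com type=A",
    "dns client=192.168.1.21 query=shop.bazar type=A",
]

FLOW_RE = re.compile(r"flow src=(\S+) dst=(\S+) proto=tcp dport=(\d+)")
DNS_RE = re.compile(r"dns client=(\S+) query=(\S+)")

def in_emerdns_zone(name):
    """True if the queried name's TLD is one of the EmerDNS alternative zones."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower() in EMERDNS_ZONES

def find_fbot_indicators(lines):
    """Return (kind, source, detail) tuples for lines matching Fbot's traits:
    an inbound ADB connection (TCP 5555) from outside the internal ranges, or
    a DNS query for an EmerDNS zone like the article's musl.lib C&C domain."""
    findings = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            src, dst, dport = m.group(1), m.group(2), int(m.group(3))
            if dport == ADB_PORT and not any(ip_address(src) in n for n in INTERNAL_NETS):
                findings.append(("adb_exposed", src, dst))
            continue
        m = DNS_RE.search(line)
        if m and in_emerdns_zone(m.group(2)):
            findings.append(("emerdns_lookup", m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    for finding in find_fbot_indicators(SAMPLE_LOGS):
        print(finding)
```

An internal host that both accepts external ADB connections and then queries an EmerDNS zone matches the infection sequence the article describes and is a candidate for isolation and review.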