Quite the peculiar botnet was detected in the wild by Qihoo researchers. The botnet, dubbed Fbot and based on the code of Satori, appears to be “just going after and removing another botnet com.ufo.miner”. Fbot is displaying other forms of unusual behavior. It doesn’t use traditional DNS to communicate with its command and control server.
Instead, it uses blockchain DNS to resolve the non-standard C2 name musl.lib, the researchers said. Finally, the botnet has strong links to the original Satori botnet.
Satori is a botnet that exploits a flaw in Huawei devices and a bug in Realtek SDK-based devices. These vulnerabilities have been exploited to attack and infect devices. The botnet itself was written on top of the devastating Mirai IoT botnet. Satori’s operators exploited two particular vulnerabilities to successfully target hundreds of devices.
It should also be noted that Satori’s code was released to the public in January this year. The botnet operators later turned to cryptocurrency mining. This Satori variant hacked into various mining hosts on the internet through management port 3333, on which the Claymore Miner software listens. The malware then replaced the wallet address on the hosts with its own wallet address. The compromised devices were mostly running Windows.
Botnets are usually malicious in character. However, Fbot is quite different. As reported, Fbot is chasing down systems infected by the com.ufo.miner, which is a variant of ADB.Miner. ADB.Miner was described as the first worm for Android that reused the scanning code used in the infamous IoT Mirai botnet.
ADB.Miner was designed to scan for various types of Android devices ranging from smartphones and smart TVs to TV set-top boxes. The only requirement is that the device exposes a publicly accessible ADB debug interface on port 5555. Once located, the worm infects them with the mining module of the malware, which mines Monero cryptocurrency.
Having said that, there is a similarity in the way that Fbot and ADB.Miner are distributed, and it involves TCP port 5555. The port is scanned and, if it is open, a payload executes scripts which download and run the malware. The difference is that Fbot uninstalls the ADB mining scripts and cleans the infected system.
Another peculiar feature of this benevolent botnet is the use of non-traditional DNS. In most cases, DNS is the standard for the command and control structure but not this time.
The choice of Fbot using EmerDNS rather than traditional DNS is pretty interesting; it raised the bar for security researchers to find and track the botnet (security systems will fail if they only look for traditional DNS names), and it also makes it harder to sinkhole the C2 domain, at least not applicable for an ICANN member, the researchers explained.
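The detection gap the researchers describe is that a name like musl.lib never resolves through ICANN DNS, so monitoring keyed on conventional domains sees nothing. As an added example (not the article's or Qihoo's code), the following scanner flags DNS query-log entries whose top-level label belongs to the EmerDNS namespace; the log format, client addresses and sample lines are constructed, and the EmerDNS TLD list is an assumption to be maintained by the reader.

```python
"""Flag DNS lookups for blockchain-DNS (EmerDNS) top-level names such as .lib,
which no ICANN resolver answers, as Fbot's musl.lib C2 name would appear in a log."""
import re
from typing import List, NamedTuple

# EmerDNS top-level names (assumed list; .lib is the one used by musl.lib).
# None of these are delegated in the ICANN root, so a legitimate lookup is unlikely.
EMERDNS_TLDS = frozenset({"lib", "emc", "coin", "bazar"})

class Finding(NamedTuple):
    client: str
    qname: str
    tld: str

# Constructed log format: "<timestamp> client <ip> query <name> <qtype>"
LOG_RE = re.compile(r"client (?P<ip>[\d.]+) query (?P<name>\S+) (?P<qtype>[A-Z]+)")

def tld_of(qname: str) -> str:
    """Return the last label of a query name, ignoring case and a trailing dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()

def is_emerdns_name(qname: str) -> bool:
    """True if the query name ends in a blockchain-DNS TLD that ICANN DNS cannot resolve."""
    return tld_of(qname) in EMERDNS_TLDS

def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per query whose TLD is only resolvable via EmerDNS.
    Malformed lines are skipped rather than raising."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".")
        if is_emerdns_name(name):
            findings.append(Finding(m.group("ip"), name, tld_of(name)))
    return findings

# Constructed sample log: only the musl.lib lookup should be flagged.
SAMPLE_LOG = [
    "2018-09-20T10:01:02 client 10.0.0.5 query update.example.com A",
    "2018-09-20T10:01:03 client 10.0.0.7 query musl.lib A",
    "2018-09-20T10:01:04 client 10.0.0.9 query mail.example.org. MX",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"EmerDNS lookup from {f.client}: {f.qname} (.{f.tld})")
```

The check catches the resolution attempt only where the client's lookup passes through the logged resolver (for example a fallback query after the blockchain lookup fails); traffic to a dedicated EmerDNS resolver needs a separate network-flow rule.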
Is there a reason for Fbot’s non-typical botnet behavior?
One reason that may explain why the botnet is cleaning infected hosts is that it is simply obliterating the competition and clearing the way for its own future infections.