Normally, the appearance of a new botnet rarely has positive implications. There are exceptions, however. As these swarms of devices are commonly used to launch massive computer attacks with few resources, there is evidence of extraordinary cases such as Hajime, which infects unsafe IoT devices to prevent their hijacking . Now a new example is added: Fbot, a network that fights against crypto-malware. Or that’s what it looks like.
The discovery of Fbot has been announced by researchers at 360Netlab (Qihoo), who describe it as a derivative of Satori, in turn based on Mirai. This last botnet came to occupy the news after a mysterious attack cut the accessto some of the most used pages and services in the world . Unlike Mirai, Fbot is superficially benign, and in fact exhibits an extremely strange performance.
According to the 360Netlab research, Fbot infects Android-based devices such as tablets and smartphones, but also streaming devices (which are occasionally authentic malware festivals and vulnerabilities) and other members of the Internet of Things. Its purpose is to find and eliminate com.ufo.miner, a botnet derived from the miner ADB.Miner.
Essentially Fbot performs a scan to check if TCP port 5555 is open. If that is the case, launch an attack to eliminate the ADB mining scripts, close the processes and leave the system completely clean. It is also a botnet of the most arranged, since once its attack is completed it deletes itself. Equally intriguing is the fact that the botnet is controlled by DNS blockchain protocols ( EmerDNS ), which makes it difficult to trace.
Initially the effects of Fbot seem to be benign. At least in appearance. The fact is that nobody has claimed their authorship and there is no way of knowing if it has any ulterior purpose, so it can not be ruled out that it is a tool created by a group of miners with the purpose of eliminating the competition. Likewise, Fbot does not stop being software installed without the user’s permission, with all that that implies.