The new Fbot botnet is using Block-chain DNS system

Qihoo Security Lab recently discovered a botnet formed by a variant of MIRAI, Fbot botnet. The harmless behaviour and communication methods of the network attracted the attention of researchers.

The Fbot botnet looks for botnet mining software called UFO on the open network, finds it after trying to infect the device and then removes the mining software.

The mining software called UFO mainly infects Android devices, including Android smartphones, Android set-top boxes, Android smart TVs, and Android photo frames.

Since the device infected with the UFO mining software will open the Android ADB 5555 port, the new MIRAI variant will be reinfected through the 5555 port.

 

Remove mining software immediately after infection:

The new MIRAI variant will quickly clear the UFO mining software after successfully infecting the device. This behaviour has occurred many times in previous attacks.

Every hacker wants the infected device to be controlled only by himself, but the strange MIRAI variant has an attack module but no new action after clearing the mining software.

Of course, don’t think that this MIARI variant is kind because if the hacker needs it, he can execute the new action by issuing the command remotely.

For example, loading other mining software to mine or infect other devices through the internal LAN, or even listening to user network traffic sniffing passwords and so on.

Communication using blockchain fog is difficult to track:

Most malware uses either a fixed IP address or a malicious domain name to communicate, but this MIARI variant hides behind the blockchain fog.

Developers of this variant use the decentralised domain name system for domain name access, which is not accessible through public DNS through point-to-point shared domain names.

This decentralised domain name system is a blockchain-based DNS system that makes it harder for security researchers to track viruses because it is not directly accessible.

Since there is no new action for this MIRAI variant, it is not sure what the attacker will do next, but this anonymisation scheme is estimated to be more and more.

Via: netlab