The Malware Hunter

Avoiding malware, which can invade your computer via phishing emails or malicious sites, is a common preoccupation. You only have to click on the wrong thing and you’ve caught a ‘botnet’ that may attack your business website or spread a virus.

But, now it looks like help is on the way, albeit in a rather unusual, roundabout way. Netlab 360 has identified a type of botnet that can search for specific malware infections without harming your computer. What is more, once it has hunted down and eliminated the ‘bad botnet’, it deletes itself from your computer.

Netlab 360 engineer, Hui Wang, has called it ‘Fbot’, although nobody knows who created it, which is one of the interesting parts of this story. But, whoever is responsible for it, has basically designed a bot that does a much-needed job.

The way it works is like this, according to Jon Christian writing in “Fbot first infects computers that leave a specific port vulnerable to attack. Then it searches its new hosts for a piece of malware called com.ufo.miner, which uses infected computers to mine the cryptocurrency Monero — and eradicates it.”

Wang says, “So far, the only purpose of this botnet looks to be just going after and removing another botnet.” Other unusual aspects of the bot are:

· The bot does not use traditional DNS to communicate with the C2, instead, it utilises blockchain DNS to resolve the non-stand C2 name musl.lib.

· It appears to have strong links to the original satori botnet.

Coindesk has also commented on the new discovery, saying “Unusually, the botnet code is linked to a domain name accessible, not through a standard domain name system (DNS), but a decentralized alternative called EmerDNS that makes addresses harder to trace and shut down.”

And researchers also pointed out: “The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researcher to find and track the botnet (security systems will fail if they only look for traditional DNS names).”

Either way, everyone is extremely curious about who is behind the botnet — is it somebody working with good intentions, or is it a hacker trying to remove the competition. Perhaps we will never know.