There’s an odd new addition to the extended family of Mirai-inspired IoT botnets, and so far its only obvious victim is a competing botnet whose malware is targeted for removal from any infected devices.
Dubbed Fbot, the malware is also unusual because rather than using standard DNS to communicate with the command-and-control server, it instead uses blockchain-based DNS, according to a blog post from researchers at Qihoo 360’s Netlab division.
Upon infection, Fbot is designed to specifically uninstall com.ufo.miner, a variant of the ADB.Miner cryptomining botnet that was discovered earlier this year infecting various devices such as mobile phones, media players and smart TVs.
Is it possible Fbot’s authors are doing this out of sheer benevolence? Qihoo 360 noted that Fbot propagates itself the same way ADB.Miner does — by abusing the Android Debug Bridge interface after scanning port TCP 5555 for ADB service. So one distinct possibility is that Fbot is simply knocking com.ufo.miner out of the picture in order to make way for its own malicious functionality, which may reveal itself in the future.
In the course of their analysis, the researchers also discovered that Fbot’s C&C domain, musl.lib, is resolved not via traditional DNS but rather through EmerDNS, a decentralised blockchain-based DNS system from Emercoin.com. (In fact, the domain is not even registered with ICANN.)
"The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting," Qihoo 360 reported in its blog post. "It raised the bar for security researcher[s] to find and track the botnet" and also made it "harder to sinkhole the C2 domain."
Among all the various Mirai offshoots, Fbot appears to share several key C&C architectural links with Satori, a wormable botnet that emerged late last year, Qihoo has reported. The DDoS component from the original Mirai is also present in the code, but so far hasn’t been used in a known attack.