Security Architecture, Application security, Application security, Endpoint/Device Security, IoT, Threat Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Quirky Fbot IoT botnet kills rival, communicates via blockchain-based DNS

There's an odd new addition to the extended family of Mirai-inspired IoT botnets, and so far its only obvious victim is a competing botnet whose malware is targeted for removal from any infected devices.

Dubbed Fbot, the malware is also unusual because rather than using standard DNS to communicate with the command-and-control server, it instead uses blockchain-based DNS, according to a blog post from researchers at Qihoo 360's Netlab division.

Upon infection, Fbot is designed to specifically uninstall com.ufo.miner, a variant of the ADB.Miner cryptomining botnet that was discovered earlier this year infecting various devices such as mobile phones, media players and smart TVs.

Is it possible Fbot's authors are doing this out of sheer benevolence? Qihoo 360 noted that Fbot propagates itself the same way ADB.Miner does -- by abusing the Android Debug Bridge interface after scanning port TCP 5555 for ADB service. So one distinct possibility is that Fbot is simply knocking com.ufo.miner out of the picture in order to make way for its own malicious functionality, which may reveal itself in the future.

In the course of their analysis, the researchers also discovered that Fbot's C&C domain, musl.lib, is resolved not via traditional DNS but rather through EmerDNS, a decentralized blockchain-based DNS system from Emercoin.com. (In fact, the domain is not even registered with ICANN.)

"The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting," Qihoo 360 reported in its blog post. "It raised the bar for security researcher[s] to find and track the botnet" and also made it "harder to sinkhole the C2 domain."

Among all the various Mirai offshoots, Fbot appears to share several key C&C architectural links with Satori, a wormable botnet that emerged late last year, Qihoo has reported. The DDoS component from the original Mirai is also present in the code, but so far hasn't been used in a known attack.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.