A mysterious vigilante botnet has been discovered by security researcher Qihoo 360Netlab which appears to target malware carrying illicit cryptocurrency mining code for the purpose of cryptojacking. While botnets are usually perceived as security threats used to promote scams and covertly infiltrate computer networks in order to hijack their computing power, this particular botnet seems to be doing the exact opposite.

Botnet’s “Kamikaze” Strategy

Known as Fbot, the botnet apparently searches the web, hunting down cryptojacking malware by finding a particular malware file called com.ufo.miner. After identifying the malware, Fbot then executes an installation process that attaches it to the malware, and then destroys itself along with the malware.

In essence, where cryptojacking malware functions by finding a computer network “host” to feed parasitically on, using system resources to mine cryptocurrencies like Monero, Fbot functions as the malware’s own parasite, seeking it out and attaching itself to it. Instead of co-opting the malware to carry out another set of instructions, Fbot simply triggers a self destruct command that destroys itself and the malware program together.

Efforts to establish contact with Fbot’s maker have proved abortive as the botnet’s linked domain name cannot be accessed via a conventional Domain Name System (DNS), but can only be accessed through a decentralised DNS called EmerDNS.

Mystery of Fbot Origin

As yet, it is almost impossible to find out exactly who is behind Fbot and for what reason. While there is a possibility that an altruistic malware developer created the botnet and released it into the “wild” of the internet, it is also possible that Fbot was developed by a rival malware maker looking to thin out the competition before introducing a new generation of cryptojacking malware.

Cryptojacking remains a growing global problem, as revealed by a Trend Micro report released in August. The report stated that cryptojacking attacks went up more than 100 percent in the first half of 2018. More recently in September, CryptoGlobe reported that almost a million computers and networks online are vulnerable to the “Wannamine” cryptojacking malware.

For now, the identity of Fbot’s maker, whether as a good actor or a bad actor in cybersecurity remains to be seen.