Early this February, more than half a million computing devices were hijacked by a cryptocurrency miner botnet called Smominru, forcing the various devices to mine nearly 9,000 Monero cryptocoins without the knowledge of the devices' owners, according to technology portal ZDNet.
Welcome to the malicious world of botnets: collections of internet-connected computing devices (desktops, servers, handheld mobile devices, and Internet of Things (IoT) devices) that have been deliberately infected with, and are controlled by, a common piece of malware. Such botnets are built so that device owners mostly remain unaware that their system has been infected and is now under someone else's control.
The arrangement lets the botnet's creators rake in cryptocurrency at the expense of device owners who have no idea that their machines are being used to mine it.
How do Botnets Work?
A botnet is essentially a form of computer malware. Malware is a computer program like any other, except that it is designed to use the computer for nefarious ends: corrupting the system, destroying or stealing data, or carrying out illegal activities that harm the device, its data, and the network. Unless caught by the anti-virus or anti-malware software installed on the device, such malware continues to run without the owner's knowledge and is capable of replicating itself to other devices connected to the network.
Similarly, botnets are automated programs written by their creators and made to sneak onto a user's computing device. Mining botnets then use the machine's processing power, electricity, and Internet bandwidth to mine a particular cryptocurrency. (For more, see How Does Bitcoin Mining Work?)
The bot malware is usually released onto a private network of interconnected computers so that the cumulative power of the many infected devices adds up to far more computational power for mining than any single machine, boosting mining output and the corresponding rewards for the botnet's creators.
Smominru Miner Botnet Case Study
The Smominru miner botnet that was created around May 2017 had successfully mined around 9,000 Monero tokens worth around $3.6 million by February 2018. Researchers at cybersecurity company Proofpoint claim that the botnet includes “more than 526,000 infected Windows hosts, most of which we believe are servers.”
Because it is resilient and keeps regenerating itself, containing its spread has proved difficult despite the efforts made to take it down. Geographically, the nodes of the Smominru miner botnet are distributed across the globe, with the bulk of them found in Russia, India and Taiwan.
After its investigations and analysis, Proofpoint requested that a prominent Monero mining pool, MineXMR, ban the address linked to Smominru. Though this resulted in the operators apparently losing control over one-third of the botnet, they quickly registered new domains and started mining to a new address on the same pool.
Monero seems to be the favorite cryptocurrency to mine through such botnets, owing to its anonymity and privacy features, which make it difficult to trace the destination address to which the mined tokens are sent. (For more, see What Is Monero (XMR) Cryptocurrency?)
Bigger Rewards for Less Work?
Mining the various cryptocurrencies is becoming more complicated and resource intensive with each passing day. Instead of taking the hard but honest road to mining rewards, the operators of such botnets flourish by abusing every available means to spread their botnet across more and more devices, and they concentrate their efforts on developing such pre-programmed systems. They also keep devising new ways to make the botnet more robust.
Given the significant profit promised by such botnets, their number and ill-effects are expected to grow.
“Taking down the botnet is very difficult given its distributed nature and the persistence of its operators. For businesses, preventing infection through robust patching regimens and layered security is the best protection from potentially disruptive impacts on critical infrastructure,” Proofpoint’s VP of Threat Operations, Kevin Epstein, told News.com.au.
In June 2017, another similar exploit named DoublePulsar was used to install Monero mining malware on various devices. In late January 2018, the security firm Trend Micro reported that Alphabet Inc.'s (GOOGL) Google DoubleClick ad services had been used to distribute cryptocurrency mining malware to a number of users in Europe and Asia.
The Bottom Line
While the cryptocurrency infrastructure is still evolving, such threats loom large over nascent networks. Though the menace may be hard to contain at the level of the individual user, regularly monitoring the processes running on a device may help. (See also, Bitcoin Price Drops After "WannaCry" Ransomware Taint.)
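The process monitoring recommended above can be reduced to a simple, repeatable heuristic: a covert miner shows up as a process that pins the CPU for sample after sample, often running from a temporary directory and not matching any binary the administrator expects. The script below is an added example written for this page, not code from the article, Proofpoint, or any of the firms named; the three process snapshots, the allowlist of known-good binaries, and the executable paths in them are constructed for illustration and do not describe any real system.

```python
"""Flag processes that hold sustained high CPU across repeated samples.

Heuristic: a process is suspicious when it stays at or above a CPU
threshold in several consecutive snapshots, and more so when its
executable is not on a known-good allowlist or runs from a temp
directory. Snapshot data below is constructed, not captured.
"""
from statistics import mean

# Constructed sample: three snapshots, one minute apart, each a list of
# (pid, cpu_percent, executable_path) in the style of a trimmed `ps` listing.
SNAPSHOTS = [
    [(101, 3.0, "/usr/sbin/sshd"), (202, 97.5, "/tmp/.cache/worker"), (303, 88.0, "/usr/bin/python3")],
    [(101, 2.5, "/usr/sbin/sshd"), (202, 98.0, "/tmp/.cache/worker"), (303, 12.0, "/usr/bin/python3")],
    [(101, 4.0, "/usr/sbin/sshd"), (202, 96.0, "/tmp/.cache/worker"), (303, 5.0, "/usr/bin/python3")],
]

# Hypothetical allowlist of binaries the administrator expects to see busy.
ALLOWLIST = {"/usr/sbin/sshd", "/usr/bin/python3"}

# World-writable locations that legitimate long-running services rarely execute from.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def sustained_high_cpu(snapshots, threshold=90.0, min_hits=3):
    """Return {pid: (exe, mean_cpu)} for processes whose trailing run of
    consecutive snapshots at or above `threshold` percent CPU is at least
    `min_hits` long. A process missing from a snapshot resets its streak."""
    streak = {}    # pid -> length of the current run of high-CPU samples
    readings = {}  # pid -> every CPU reading seen, for the mean
    exe_of = {}    # pid -> last executable path seen
    for snap in snapshots:
        seen = set()
        for pid, cpu, exe in snap:
            seen.add(pid)
            exe_of[pid] = exe
            readings.setdefault(pid, []).append(cpu)
            streak[pid] = streak.get(pid, 0) + 1 if cpu >= threshold else 0
        for pid in streak:
            if pid not in seen:
                streak[pid] = 0
    return {
        pid: (exe_of[pid], mean(readings[pid]))
        for pid, run in streak.items()
        if run >= min_hits
    }


def triage(snapshots, allowlist=ALLOWLIST, threshold=90.0, min_hits=3):
    """Combine the CPU heuristic with two path checks. Each finding carries
    the reasons it fired and a severity: 'high' when the binary is unknown
    or runs from a temp directory, 'low' for a busy but allowlisted binary."""
    findings = []
    for pid, (exe, avg) in sustained_high_cpu(snapshots, threshold, min_hits).items():
        reasons = [f"cpu >= {threshold:.0f}% for {min_hits} consecutive samples (mean {avg:.1f}%)"]
        if exe not in allowlist:
            reasons.append("executable not on allowlist")
        if exe.startswith(SUSPECT_PREFIXES):
            reasons.append("executable runs from a world-writable temp directory")
        severity = "high" if len(reasons) > 1 else "low"
        findings.append({"pid": pid, "exe": exe, "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for finding in triage(SNAPSHOTS):
        print(f"[{finding['severity']}] pid {finding['pid']} {finding['exe']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

In the constructed data, pid 303 spikes once and then settles, so it is never reported; pid 202 stays above 90% in all three samples, is not on the allowlist, and runs from `/tmp/`, so it is reported at high severity. On a real host the snapshots would come from a scheduled `ps` or `/proc` read, and the allowlist from whatever configuration management already describes the machine.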
Investing in cryptocurrencies and Initial Coin Offerings ("ICOs") is highly risky and speculative, and this article is not a recommendation by Investopedia or the writer to invest in cryptocurrencies or ICOs. Since each individual's situation is unique, a qualified professional should always be consulted before making any financial decisions. Investopedia makes no representations or warranties as to the accuracy or timeliness of the information contained herein. As of the date this article was written, the author owns no cryptocurrencies.