
Smominru botnet helped the attackers earn more than $ 3.6 million

Cryptocurrency-mining malware is no longer uncommon. Its main task is mining cryptocurrency on users' devices. Some strains infect the PCs themselves; others are embedded in the pages of websites, heavily visited and less so. One of the most effective botnets of this kind, so to speak, is Smominru. It has earned its owners more than $3.6 million in dollar equivalent. Naturally, the malware does not mine fiat money but Monero, an anonymous cryptocurrency that is becoming increasingly popular.

As for the period over which the attackers collected such a large amount, it is about 9-10 months. It all started in May 2017, when Smominru began to spread actively. Since then it has infected more than 526 thousand machines.

“Bitcoin has become a not very profitable cryptocurrency from the point of view of mining; the main production facilities for its mining are concentrated in mining farms. As a result, the attackers' interest in Monero has increased many times over,” said a network security researcher known by the nickname Kafeine. His post is published on the website of Proofpoint, a company specializing in network security.

“Of course, Monero cannot be mined in large quantities on home PCs. But distributed botnets like Smominru are quite capable of that,” the researcher continues. Besides this botnet, there are Adylkuzz and Zealot. All of them have one thing in common: code developed inside the NSA and published a year and a half ago by the hacker group Shadow Brokers. This code is still relevant today and lets attackers compromise IoT systems and personal computers, among other things.

To infect computers, Smominru uses exploits, one of which is EternalBlue. The malware uses it to spread from machine to machine inside an infected network. The same vulnerability is also used on computers where other intrusion methods fail. Of course, the exploit only works on systems without the patch installed. Smominru also uses Windows Management Instrumentation (WMI).

The botnet itself is relatively harmless, as mentioned above. But if it infects a company's network, the business suffers losses. The problem is that mining is a resource-intensive process that consumes the machines' spare capacity. As a result, many work operations either slow down or stop altogether. Mining also consumes electricity, which is a direct cost for companies. Work slows down, and energy is burned.

The botnet mines through the Monero mining pool MineXMR. Network security experts are now trying to shut down the botnet and the pools it is associated with.

There are other mining botnets, such as WannaMine. They all look alike and exploit almost the same vulnerabilities. They are dangerous because they operate without writing any files to disk, and they use “legitimate” software such as WMI and PowerShell, which makes mining malware hard to detect. Blocking them completely will probably require new kinds of antivirus products that take the specifics of such malware into account.
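The two host-side traits the article describes, spreading through unpatched SMBv1 (EternalBlue) and living in WMI and PowerShell instead of files on disk, are also what a defender can look for directly. The following PowerShell triage script is an added example for this page; it is not from the article, from Proofpoint or from Kafeine. It assumes Windows PowerShell 5.1 or newer run from an elevated prompt, that `Get-SmbServerConfiguration` is available (Windows 8 / Server 2012 and later), and the regular expressions used to flag command lines are my own heuristics rather than published signatures.

```powershell
# Added defensive triage script; not from the article, Proofpoint or Kafeine.
# Assumptions: Windows PowerShell 5.1 or newer, run from an elevated prompt;
# Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
# The regular expressions below are my own heuristics, not published signatures.

function Get-RefName {
    # Reference properties of __FilterToConsumerBinding arrive as strings such as
    # __EventFilter.Name="x" from Get-WmiObject and as CimInstance objects from
    # Get-CimInstance; normalise both forms to the plain instance name.
    param($Ref)
    if ($null -eq $Ref) { return '' }
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return [string]$Ref.Name
}

function Test-Smb1Enabled {
    # EternalBlue targets the SMBv1 server. Even on a patched host, SMB1 still
    # being enabled is exposure worth removing. Returns $true, $false, or $null
    # when the cmdlet is unavailable on this Windows version.
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        return [bool]$cfg.EnableSMB1Protocol
    } catch {
        Write-Warning "Get-SmbServerConfiguration unavailable: $($_.Exception.Message)"
        return $null
    }
}

function Get-WmiPersistence {
    # Permanent WMI event subscriptions run without a file on disk and survive
    # reboots. Each binding is resolved to its filter (the WQL trigger) and its
    # CommandLineEventConsumer (the command it launches); consumers of other
    # classes are reported with an empty CommandLine.
    $ns = 'root\subscription'
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        # Escape single quotes so a hostile instance name cannot break the WQL filter.
        $fq = "Name='" + ($filterName   -replace "'", "\'") + "'"
        $cq = "Name='" + ($consumerName -replace "'", "\'") + "'"
        $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter $fq -ErrorAction SilentlyContinue
        $consumer = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Filter $cq -ErrorAction SilentlyContinue
        $query = if ($filter)   { [string]$filter.Query } else { '' }
        $cmd   = if ($consumer) { [string]$consumer.CommandLineTemplate } else { '' }
        [pscustomobject]@{
            Filter      = $filterName
            Query       = $query
            Consumer    = $consumerName
            CommandLine = $cmd
            Suspicious  = [bool]($cmd -match 'powershell|cmd\.exe|mshta|regsvr32|rundll32')
        }
    }
}

function Get-SuspiciousPowerShell {
    # A fileless miner usually shows up as a long-running powershell.exe with
    # encoded or hidden-window switches and sustained CPU time.
    $pattern = '-(enc|encodedcommand|e)\s|-w(indowstyle)?\s+hidden|bypass|downloadstring|\biex\b'
    Get-CimInstance -ClassName Win32_Process -Filter "Name='powershell.exe'" | ForEach-Object {
        $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        $cpu  = if ($proc) { [math]::Round($proc.CPU, 1) } else { $null }
        [pscustomobject]@{
            Pid         = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            CpuSeconds  = $cpu
            CommandLine = $_.CommandLine
            Suspicious  = [bool]($_.CommandLine -match $pattern)
        }
    }
}

# Run the three checks and print anything that warrants a closer look.
"SMB1 server enabled: $(Test-Smb1Enabled)"
Get-WmiPersistence       | Format-Table -AutoSize
Get-SuspiciousPowerShell | Where-Object Suspicious | Format-Table -AutoSize
```

Each function returns objects rather than text, so the same checks can be collected across a fleet with `Invoke-Command` and compared against a known-good baseline; a legitimate WMI subscription (backup agents and some management tools create them) will appear in the list too, which is why the output reports the consumer command line instead of deciding on its own.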

Mining is done not only by crypto malware but also by various popular web resources. For example, The Pirate Bay torrent tracker regularly adds a crypto-miner script to its pages. This was first reported on September 17, when the site first tested the miner as an alternative to advertising banners. Nobody hacked the site; the tracker's administration decided to raise some extra funds to support it. However, this was done without warning, and nobody asked the users for their consent.

The miner was discovered because computers that loaded a page with the script began to run noticeably slower. The tracker administration then deployed the code with new settings that put much less load on client systems, so that users might not suspect anything.

Many network organizations are fighting cryptominers. One of them is the CDN provider Cloudflare. Earlier this company froze the account of another torrent tracker for exactly the same reason: running cryptominers. Most likely, crypto malware will spread further over time and become harder to detect.

Source: https://habr.com/ru/post/410109/