Using bots for Bitcoin mining
Cryptocurrencies are expected to take over a large share of transactions in the future, and among the cryptocurrencies available today, Bitcoin holds a prominent place. However, Bitcoin mining has become something of a challenge, which has tempted engineers to enlist the latest technology for mining. That is where the Internet of Things (IoT) drew their attention. This technological development is not being used only to improve Bitcoin mining, though; it is also being used for fraudulent activity, and IBM recently discovered one such case.
According to a recent study conducted by IBM, the Mirai Internet of Things botnet is being used to install Bitcoin mining code on victims' computers. Further investigation showed that the botnet has been behind some of the larger DDoS attacks of the recent past. The takedown of DynDNS is a prime example of such an attack; according to the experts, it was the biggest attack of its kind yet.
The Mirai Internet of Things Botnet
The Mirai Internet of Things botnet was discovered back in August 2016 by a white hat security group called MalwareMustDie, after an extensive research project. Mirai is able to turn network devices running Linux into remotely controlled zombies, or bots, which can then be used for DDoS attacks. However, it can only take over devices that run out-of-date versions of Linux. Even so, this adds up to a considerable number of devices, enough to power a large-scale attack.
The Mirai IoT botnet was initially created by the engineers behind it for two main purposes, which were explained by Dave McMillen, Senior Threat Researcher at IBM Managed Security Services. The first objective is to find and compromise IoT devices in order to grow the botnet. The second is to use the botnet to launch DDoS attacks against predefined targets. McMillen gave a detailed explanation of these two objectives at a recently held meeting.

X-Force is IBM's security research and threat intelligence unit. It provides actionable insights and threat intelligence to IT leaders and businesses that need them, and many businesses depend on the information X-Force provides. X-Force has already informed them about this IoT-powered botnet, and they have started looking for actionable methods to mitigate the risks it poses.
What has been discovered up to now?
A botnet that spreads this Mirai bot variant was first discovered back in January. The bot itself, however, is not new: according to the global research team at Kaspersky Lab, it has been around for quite some time. They added that spreading Mirai through Windows bots is limited compared to spreading it through Linux bots; the Windows bots can only deliver Mirai bots from a Windows host to a Linux host. Nevertheless, a Kaspersky Lab study found that more than 500 unique systems had been attacked by February.
Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, made an official announcement about it. According to Baumgartner, the crossover between Windows and Linux has become a real concern: a Windows-powered botnet that spreads IoT Mirai bots can carry Mirai to new devices, and it can also reach networks that were previously unavailable to the Mirai operators. Baumgartner believes this is just the beginning, and that we will see many more negative effects from it in the future.
Deploying the Bitcoin Mining Code
A new version of the ELF Mirai Linux malware was discovered last week by IBM X-Force. This variant comes with a new twist: a built-in Bitcoin mining component. McMillen made an official announcement about this as well. Use of Mirai in the Bitcoin mining attack started on March 20th, peaked on March 25th, and lasted a total of 8 days.
McMillen and his team have not yet found any evidence to indicate whether the attack is short-lived or long-lived. However, he says that the indicators from the campaign make it look more like a short-cycle event.
The Bitcoin client is not embedded in Mirai itself. Instead, the Bitcoin miner is part of the archive of files delivered by the Mirai dropper. This dropper is a Linux shell or a Dofloo backdoor, and it can operate as a Bitcoin miner slave. Although little information about the attackers has been uncovered so far, McMillen stated that most of the attacks originated in the Asia-Pacific region. The team also analyzed the language used in the attack and identified it as Chinese. McMillen added that the team does not yet know whether any Bitcoins were actually mined during this attack. Additional work is needed to determine the full capabilities of the new variant. In the meantime, all stakeholders should take additional steps to harden their devices and mitigate the risks.