Cryptojacking: the Smominru botnet has already infected half a million Windows servers
Monero and Ethereum are currently the most popular cryptocurrencies used in attacks on Internet users.
Whether it is Bitcoin, Litecoin, Ethereum or Monero, "mining" a coin requires considerable effort. Cybercriminals look for ways to do it for free, and they often succeed, because the easiest way is to use the computers of innocent users.
Cryptocurrencies have been used for illegal activities for many years. They were once the preferred means of payment on underground forums in the Tor network. Later they became popular enough that mining them became attractive to ordinary citizens. Unlike Bitcoin, Monero's mining math does not require a specialized mining farm equipped with high-end graphics processors, so a distributed botnet can be a lucrative business for its operators.
The Smominru botnet has infected half a million PCs and servers
Proofpoint employees have been tracking the Smominru botnet since the end of May 2017. Its combined processing power has earned the botnet's operators millions of dollars. At its peak, about 526,000 computers and servers were under the criminals' control, mining 24 Monero each day. In total, 8,900 coins were mined, worth almost 3,000,000 dollars.
Most victims of the malware, which spreads over SMB port 445, are located in Russia: almost 130,000 users. India was second by number of infected IP addresses, and Taiwan third. The botnet has also reached Europe, including Poland. Unfortunately we do not have accurate statistics for Poland, but the map below suggests that the botnet's tentacles reach our country as well.
Although the botnet has not been fully taken down, according to experts the operators have lost control of a third of the infected computers. That is not much to celebrate, because roughly 170,000 machines remain infected. The impact of increased CPU consumption on potentially critical business infrastructure can be very high, as can the cost of the servers' increased power draw.
How to protect against the Smominru botnet?
The malware spreads via the EternalBlue exploit developed by the NSA. It is the same exploit used by the WannaCry ransomware and the WannaMine worm, which we reported on two days ago. For now, infected computers are used to mine Monero, but it is likely that the operators will swap the "mining" script on one of the malicious domains for other malware.
Both WannaMine and the malware used in the Smominru botnet have several things in common. The first is the way they spread: through the vulnerability CVE-2017-0144 in SMB, which Microsoft has patched, but unfortunately not every deployed system has received the patch. The other common denominator is WMI, which the malware uses to launch its scripts and to communicate with the C&C server. Botnets such as Smominru will become more and more common; it has been proven that they can produce very high profits at low cost.
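Because the article names WMI as the mechanism these miners use to launch their scripts, one defensive check is to audit permanent WMI event subscriptions on a host. The script below is an added example, not code from the article or from Proofpoint; it uses only the built-in `Get-WmiObject` cmdlet against the `root\subscription` namespace and assumes an elevated Windows PowerShell session. Any binding whose consumer runs a command line or script you do not recognise deserves investigation.

```powershell
# Added example (not from the article): list permanent WMI event subscriptions,
# the persistence/launch mechanism the article attributes to WannaMine/Smominru-style miners.
# Run in an elevated Windows PowerShell session.

$ns = 'root\subscription'

# Permanent subscriptions consist of a filter (WQL query that fires on an event),
# a consumer (what runs when it fires) and a binding that ties the two together.
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # returns all derived consumer types
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Binding properties are object paths such as __EventFilter.Name="MyFilter";
    # the name sits between the first pair of double quotes.
    $filterName   = ($b.Filter   -split '"')[1]
    $consumerName = ($b.Consumer -split '"')[1]

    $f = $filters   | Where-Object Name -eq $filterName
    $c = $consumers | Where-Object Name -eq $consumerName

    # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer
    # carries inline VBScript/JScript. Either can start a miner or a downloader.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               else                        { '<non-command consumer>' }

    [pscustomobject]@{
        Filter       = $filterName
        TriggerQuery = $f.Query
        ConsumerType = $c.__CLASS
        Payload      = $payload
    }
}
```

On a clean workstation this typically prints nothing, or only bindings belonging to known management software; the review is manual, since the script reports and does not delete anything.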
To protect against infection via the EternalBlue exploit, disable SMB or secure it properly: install security updates and protect your endpoints. For companies, deploying a comprehensive security product such as a UTM/NGFW is particularly useful, since it protects workstations and servers at the gateway level from automated attacks such as this one.
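The hardening steps above (disable SMB where it is not needed, patch, and filter port 445) can be applied on a single Windows host with built-in cmdlets. The script below is an added example, not the article's own guidance or a vendor tool; it assumes an administrative session on Windows 8.1/Server 2012 R2 or newer (where `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature` exist), that CVE-2017-0144 is addressed by the MS17-010 update, and that the KB identifier for that update on this particular build is filled in by the reader, since it differs per OS version.

```powershell
# Added example (not from the article): check and harden SMB on one Windows host
# against EternalBlue-style attacks over TCP 445. Run as Administrator.

# 1. Report whether the SMBv1 protocol (the one EternalBlue abuses) is still enabled server-side.
$cfg = Get-SmbServerConfiguration
"SMB1 enabled on this server: $($cfg.EnableSMB1Protocol)"

# 2. Turn SMBv1 off on the server side; -Force suppresses the confirmation prompt.
if ($cfg.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. Remove the SMB1 optional feature entirely so it cannot be re-enabled by accident.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 4. Block inbound TCP 445 from the Internet at the host firewall. The 'Internet'
#    keyword covers addresses outside the local subnets; narrow -RemoteAddress
#    further if file sharing is only needed from specific ranges.
New-NetFirewallRule -DisplayName 'Block inbound SMB from Internet' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block `
    -RemoteAddress 'Internet' -Profile Any

# 5. Confirm the MS17-010 update is present. The KB number depends on the OS build;
#    replace the placeholder below with the one that applies to this host.
$kb = 'KB<placeholder>'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    "$kb is installed"
} else {
    "$kb NOT found; install the MS17-010 update for this build"
}
```

Step 3 may require a reboot to take effect; step 4 is a host-level complement to the gateway filtering the article recommends, not a replacement for patching.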
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.