According to a recent Kaspersky Labs study, the number of users affected by hidden mining is only growing. Perhaps the reason for this is the “new generation” of botnets that specialize in mining cryptocurrencies. What are the weaknesses of security systems used by malicious bots, and the inhabitants of which countries are most vulnerable to their attacks? Read all about it in our material.

Bad and Good Botnets

A botnet is a network of devices connected via the Internet and coordinated to perform specific tasks. For example, they can connect computers that run a repeating set of commands to keep sites running.

This technology, however, can also be used by attackers. In this case, the botnet software will “enslave” the devices and perform the tasks they need on them. Malicious software can infect any device connected to the Internet: computers, tablets, mobile phones, servers, and the Internet-of-Things wearables.

The task of a botnet is to add your device to its network. It can be attacked directly or with the help of a spider program, which “crawls” across the Internet in search of a security loophole and, if it is detected, hacks a poorly protected device automatically. Infection can occur under a drive-by download script if you visit a hacked website or open an infected HTML message from your inbox, or a malicious program can penetrate the system as a Trojan horse, that is, disguised as secure software.

When the malware is downloaded, the botnet will tell the host computer that everything is ready. Now your device is entirely under the control of the person who runs the botnet.

Tasks performed by botnets usually include:

 Using the power of your device to participate in DDoS attacks;


 Generation of fake Internet traffic on a third-party site for financial gain;

 Replacing an advertising banner in your browser by the one targeting you;

 A pop-up ad that asks you to pay for a fake antivirus that supposedly removes a botnet.

Botnets Mastering New Professions

On November 28, the cybersecurity company Kaspersky Labs issued a warning saying that botnets were increasingly used to distribute hidden mining (or cryptojacking) software. Analysts believe that a significant drop in the number of DDoS attacks may be due to “reprofiling botnets from DDoS attacks to cryptocurrency mining.”

“Evidence suggests that the owners of many well-known botnets have changed the attack vector to mining. For example, the DDoS activity of the Yoyo botnet has decreased significantly, although there is no evidence that it was stopped,” as the experts at Kaspersky Labs state.

According to the study, the number of unique users who became victims of malicious mining programs increased significantly in the first three months of 2018. At the same time, even more users were infected in September than in January, and “the threat is still relevant,” although it is unclear whether the current market downturn will affect the level of infection.

The employees of Kaspersky Labs also tried to identify a pattern in connection with which this type of malware is more often used in some countries than in others and concluded that states with weak regulations regarding pirated and illegally distributed software are much more likely to become victims of cryptojacking. “The more freely unlicensed software is distributed, the more mining software there is. This is confirmed by our statistics, from which it can be seen that most mining programs come to the user’s computer together with pirated software,” the document says.

The analysis was conducted among those countries where there are more than 500,000 Kaspersky Labs clients. Residents of the United States were the least exposed to such attacks, as the botnets found in the United States accounted for only 1.33% of the total number of botnets. Switzerland (1.56%) and U.K. (1.66%) ranked 2nd and 3rd among the safest countries, respectively. Most often, botnets hit devices from users in Kazakhstan (16.75%), Vietnam (13%), Indonesia (12.87%), Ukraine (11.19%), and Russia (10.71%).

Top 10 countries affected by malware mining software from January to October 2018. Source.

The analysts stressed that electricity prices, which usually play an important role in choosing a location for mining, do not affect the statistics of cryptojacking victims since the attackers use third parties rather than their own power and do not care about their cost.



Mirai is a botnet for the Internet of Things, which exploits the vulnerability of devices, namely, the manufacturer’s pre-set password, which users often do not change. Mirai became famous after two major DDoS attacks in the fall of 2016 on the site of journalist Brian Krebs, who wrote about the groups that sell botnet services, and the site of the domain name system provider Dyn.

After the source code of the malware appeared in the public domain, all new versions of Mirai began to surface. And, as the IBM X Force experts discovered in April 2017, one of them, ELF Linux/Mirai, was programmed to mine Bitcoin.

Senior security threat researcher at IBM Managed Security Services, Dave McMillen, said that IBM X Force staff suspected unhealthy activity in a surge in command input, which was signaled by their own tracking device. “Mirai has the ability to infect thousands of machines at the same time, so there is a possibility that Bitcoin mining software on infected devices will work as one large mining consortium. We have not yet determined the likelihood of this, but we came to the conclusion that this is an interesting, although disturbing, opportunity,” the report said. McMillen also noted that the program could not get a single coin (probably, given the Bitcoin hash rate of the Bitcoin network, the power of the botnet was insufficient).


The fact that this botnet had been operating on the Monero network since May 2017 became known only in February 2018. During this time, hidden mining software infiltrated more than 526,000 Windows servers and extracted 8,900 Monero coins, which today is about $500,000. The Windows servers used by Smominru are ideal hosts since they are always turned on and have more processing power than a personal computer. Botnet controlled servers all over the world, but the maximum affected servers were located in Russia, India, and Taiwan.

The botnet used the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) and shared by the hacker group Shadow Brokers last year. It is curious that the famous extortion virus WannaCry also used EternalBlue. And in September, the non-profit organization Cyber ​​Threat Alliance published a report that showed that this year, the number of cryptojacking cases increased by 459% thanks to the access to the EternalBlue exploit.


Satori is a family of malware that infects computers and other devices connected to the Internet, making them part of botnets.

In January 2018, researchers at Netlab 360 security company reported that the version of Satori, released on January 8, used the vulnerabilities of the mining software Claymore Miner. After hacking the equipment, the malicious miner replaces the address of the owner of the wallet to which the mined coins arrive with the address controlled by the hacker. At the same time, the user remains in ignorance until they check the program settings or decide to withdraw funds.

The statistics of the Dwarfpool pool showed that the wallet controlled by the hacker was able to withdraw more than 1 Ether. Today, the corresponding account is frozen. The hash rate of 2.1 billion hashes per second, at the disposal of the hacker, was equivalent to mining with the help of 85 computers, each of which run an AMD Radeon RX 480, or 1,135 computers with an Nvidia GeForce GTX 560M.

Twitter Is Another Battlefield

In August, the cybersecurity company Duo Security published an analysis of botnet activity on Twitter, revealing more than 15,000 bots, which lured users of cryptocurrency, masquerading as well-known crypto influencers.

When the bot’s “prototype” in the form of the real user published a post, the bot automatically published a post with an announcement of the distribution of tokens, or a giveaway, and to participate in them, users needed to send a small amount of cryptocurrency (and in exchange, supposedly get much more of it).

The report showed that the structure of such bots is becoming more complex: they like the posts of other bots to increase the credibility of the network and make small changes to avatars so that they cannot be tracked using face recognition software. Botnets “steal identities” not only from crypto entrepreneurs: in May, Bloomberg journalists Olga Kharif and Lili Katz also discovered their Twitter doppelgängers.

Good Crypto Botnets

In September, researchers at Netlab 360 discovered the Fbot botnet, which hunts for hidden mining software and removes it. It searches the network for one of the elements of the mining software, com.ufo.miner, and when this element is detected, the botnet is self-installed on top of the malware and then self-destructs.

A botnet is associated with a domain name that is accessible only through the EmerDNS decentralized domain name system, which makes it difficult to track and destroy the botnet’s IP address.

Precautionary Measures

Experts note that the rules for protection against botnets are general rules for ensuring the security of your device. These include: the presence of antivirus software; timely updates of the operating system and applications (since hackers may exploit vulnerabilities that were in older versions); do not download attachments or follow links in emails sent from unfamiliar addresses; install a firewall when using the Internet; and don’t visit sites which have proven to be distributors of malware.