Proofpoint researchers have been tracking the Smominru botnet which is being used to mine the Monero cryptocurrency. It is reported that the botnet has earned millions for its operators. As cryptocurrencies get more expensive to mine, Smominru shows just how effective hijacking other people’s computers can be.
Smominru uses EternalBlue, the exploit that came to prominence last year with the release of the NSA hacking tools. It is also the same exploit used by other malware such as WannaCry. The fact that it is still operating and growing shows how ineffective end-user security is and the problems with getting patches onto machines.
Proofpoint say that they first started tracking Smominru last year. The behaviour of the Smominru botnet has been recorded by a number of security vendors. Since discovery it is reported to have mined around 8,900 Monero. Every week that number increases by 24 Monero.
At the time of writing, coinmarketcap.com had the value of Monero at $217.82. It had peaked at over $490 earlier this year but, like all cryptocurrencies, it has been a wild ride lately. Even at today’s valuation, Smominru has earned around $1.938 million. That might be small in cryptocurrency terms but, with no real costs to the operators, it’s effectively free money.
Smominru constantly growing
There are now 526,000 nodes in the Smominru botnet. Proofpoint enlisted the aid of abuse.ch and the ShadowServer Foundation to track the location of the nodes. The three top locations are Russia, India and Taiwan. However, the research provided doesn’t appear to show any details on whether these are home or business machines.
The researchers identified 25 hosts actively launching attacks via EternalBlue. They also report other researchers seeing attacks on unprotected SQL Server installations. A third attack vector appears to be the EsteemAudit vulnerability.
This active work to increase the size of the botnet shows that the attackers see this as a business. This is something that is often overlooked. Cybercriminals are investing in their own infrastructure, creating their own companies and maintaining their tools and attacks. The details published last week around the Zirconium malvertising attack show the corporate skills some cybercriminals possess.
Stopping a botnet is not easy
What is surprising here is the differing responses when Proofpoint attempted to stop Smominru. The command and control (C&C) servers are being hosted by SharkTech. Despite being notified, it seems that SharkTech has not responded to the abuse notification. This is surprising and it remains to be seen if either Proofpoint or SharkTech will make a further statement on this.
The researchers had more success, albeit temporary, with MineXMR. They requested that the current Monero address associated with Smominru be banned. Although it took some time, this appeared to happen. However, the operators of Smominru were quick to register new domains and simply moved their mining to a new address. This has still had an impact on the botnet: Proofpoint reports that it believes the operators lost control of one third of the botnet.
What does this mean?
There are a number of takeaways from this report. Perhaps the most worrying is that, almost a year on from EternalBlue being made public, it is still highly active. The likely reasons are that the infected machines are not running security software or have not been patched. This is where vendors need to do more to improve security.
The next is that botnets are not static things. They evolve and their owners will constantly seek to increase their size. This is not casual hacking; it is a business. They have a clearly defined infrastructure, and over the last three years there have been very successful campaigns to disrupt that infrastructure.
In that sense, it is highly surprising that SharkTech has not reacted to the abuse notification from Proofpoint. The industry has its own channels for this sort of reporting and reaction but it seems that not everyone is using them. MineXMR did respond and while the operators of Smominru reacted, it has cost them dearly in terms of their botnet size. However, we also know that in other cases, botnets have been able to recover lost nodes and that may happen here.
This is a business for cybercriminals, not a hobby. IT security has to treat them as the highly organised attackers that they are. It means speeding up patch deployment to all machines inside the organisation and to any BYOD devices. Where possible, IT should monitor power and network usage out of hours. This will show spikes that could be related to a cryptocurrency mining attack. Users also need to be educated to detect the signs that their device is being used as part of a botnet.
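The out-of-hours monitoring suggested above, as an added example that is not from the article or from Proofpoint: a small Python detector that learns a host's idle overnight profile and flags sustained off-hours CPU or outbound-traffic spikes of the kind a resident miner produces. The 20:00 to 07:00 window, the 3x threshold, the three-hour run length and the telemetry itself are all constructed assumptions to be tuned per environment.

```python
from datetime import datetime, timedelta
from statistics import median

# Overnight window treated as "out of hours" (assumption: 20:00 to 07:00 local time).
OFF_HOURS_START, OFF_HOURS_END = 20, 7

def is_off_hours(ts):
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END

def off_hours_spikes(samples, baseline_days=3, factor=3.0, min_run=3):
    """Return (first, last) timestamps of sustained off-hours spikes.

    samples: chronologically sorted (datetime, cpu_pct, bytes_out) hourly readings
    for one host. Off-hours readings in the first `baseline_days` give the host's
    idle profile (median); later off-hours readings at >= factor x that median for
    >= min_run consecutive hours are flagged. A miner keeps the CPU pegged all night,
    so a sustained run is the signal, not a single bursty backup or update hour.
    """
    cutoff = samples[0][0] + timedelta(days=baseline_days)
    base = [s for s in samples if s[0] < cutoff and is_off_hours(s[0])]
    cpu_base = max(median(s[1] for s in base), 1.0)  # floor guards against a zero baseline
    net_base = max(median(s[2] for s in base), 1.0)
    spikes, run = [], []
    for ts, cpu, out in samples:
        if ts < cutoff:
            continue
        if is_off_hours(ts) and (cpu >= factor * cpu_base or out >= factor * net_base):
            run.append(ts)
            continue
        if len(run) >= min_run:
            spikes.append((run[0], run[-1]))
        run = []
    if len(run) >= min_run:
        spikes.append((run[0], run[-1]))
    return spikes

def constructed_samples():
    """Constructed telemetry: three quiet days, then a miner starts at 22:00 on day 4."""
    start, out = datetime(2018, 2, 1), []
    for h in range(5 * 24):
        ts = start + timedelta(hours=h)
        cpu, net = (4.0, 1_000_000) if is_off_hours(ts) else (35.0, 50_000_000)
        if ts >= datetime(2018, 2, 4, 22):  # miner pegs the CPU from here on
            cpu, net = max(cpu, 96.0), net + 3_000_000
        out.append((ts, cpu, net))
    return out
```

Running `off_hours_spikes(constructed_samples())` reports two overnight runs, one starting at 22:00 on day 4 and one from 20:00 on day 5, while the busy working-day hours are ignored because they fall outside the window.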