A giant mining botnet known as the Smominru miner has infected 526,000 Windows servers to mine digital currency Monero. According to ZDNet, the online news site for IT professionals, the botnet has mined over 8,900 Monero coins. The value of the coins lies between $2.8 and $3.6 million USD ($3.48 and $4.47 million CAD) today.

The botnet operation used a program designed to exploit Windows servers called Eternal Blue. Eternal Blue was initially developed by the US National Security Agency (NSA). However, the Shadow Brokers hacker group leaked Eternal Blue in 2017. The Smominru miner began operating in May 2017, the same time as the WannaCry ransomware attack that hit computers across Russia, Taiwan, Ukraine, and Britain.  

The bot-infected Windows servers in Russia, India, and Taiwan. While it is highly unlikely for attackers to target these countries, the countries represent areas where the defence mechanisms against Windows exploits like the Eternal Blue are relatively weaker.

Although cryptojacking is fairly common, the Smominru miner took over 526,000 nodes at its peak, a fairly large number of nodes for size.

Windows servers: the botnet’s primary victims

According to a report by cybersecurity firm Proofpoint, the Smominru miner targeted Windows management infrastructure. In the past, botnets infected desktop PCs. Smominru represents a rare case where the botnet targeted servers instead.

Although servers are an unusual target, they are highly appealing for digital currency miners. Servers have higher processing power and are rarely if ever, turned off. Monero can, therefore, be mined extensively for longer periods of time.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers, running much closer to capacity,” indicated the Proofpoint report.

The researchers at Proofpoint also noted that at least 25 of the infected hosts had conducted additional attacks through Eternal Blue. Examples include using worm-like features to infect new nodes. Vulnerable machines with publicly available IP addresses also experienced botnet attacks.

Attempts to curtail the Smominru problem

Despite the attempts to fix the problem, cybersecurity workers have only had short-term success. Proofpoint, abuse.ch, and the ShadowServer Foundation have all attempted to remove the botnet using the sinkhole, a technique where dangerous traffic is diverted away from the network. They have managed to take down one third of Smominru mining bots. However, the bots quickly recovered. Thus far, the botnet has proven highly resilient and has been difficult to shut down.

“The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations,” noted the report.

“Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size.”

At the moment, “robust patching regimes remain the best defence against Eternal Blue,” said Kevin Epstein, Vice president for threat operations at Proofpoint as he told ZDNet. “While we expect the number of vulnerable machines to decrease over time, obviously there are still many unpatched machines worldwide with SMB accessible by public IP.”

 

Image credit: Monero Logo

 

Buy Bitcoin, Ethereum, XRP, and other cryptocurrencies on Coinsquare.

Buy Digital Currencies on Coinsquare

Share your comments below