Cryptocurrency mining botnet spreads to half a million computers

A cryptocurrency miner botnet, Smominru, has been using hundreds of thousands of computers to mine cryptocurrency worth approximately £2.5m, a report has found.

Cryptocurrencies are supported by miners, who dedicate colossal amounts of CPU (central processing unit) resource to solving computationally intensive cryptographic puzzles in order to verify transactions and add them to a public ledger: a blockchain. Miners are rewarded with newly issued cryptocurrency for their efforts.

The botnet was investigated by ProofPoint, a security company, which conducted an operation to estimate the size of its network.

At its peak, Smominru had infected more than 526,000 Windows servers, with the majority of infected machines located in Russia, India and the Republic of China (Taiwan). Windows servers are most vulnerable as targets, the ProofPoint report explained, as they are always switched on (unlike PCs) and have more processing power than PCs.

“While Monero can no longer be mined effectively on desktop computers, a distributed botnet […] can prove quite lucrative for its operators”, the report said.

The botnet spreads using EternalBlue, a tool which exploits a vulnerability in Microsoft’s implementation of its Server Message Block (SMB) protocol. EternalBlue was developed by the US National Security Agency (NSA) and revealed by the Shadow Brokers hacker group in April 2017. It was exploited in the May 2017 WannaCry attack and in the June 2017 NotPetya attack.

So far, efforts to quash Smominru have failed to eradicate it, with the botnet recovering following ProofPoint’s attempts at sinkholing: redirecting traffic to a chosen destination (the ‘sinkhole’). This is due to the botnet essentially regenerating itself using EternalBlue.

At least 25 of the host servers infected by Smominru have been used to further the scope of the network, using EternalBlue to spread the mining script to other computers with publicly reachable IP addresses.

Since its emergence in May 2017, Smominru is estimated to have mined 8900 Monero tokens worth approximately £2.5m.

Monero – an open-source cryptocurrency focused on privacy and anonymity – has made headlines in the past year largely through its association with dishonest cryptocurrency mining. In a growing trend, website owners have been hijacking visitors’ CPU to mine cryptocurrency, slowing their machines and mounting energy bills as they crunch through complex cryptographic problems.

A Monero mining script, Coinhive, was found to be operating on 2.2 per cent of the Alexa top 100,000 websites within a month of its launch.

Last week, it was reported that ads containing cryptocurrency mining scripts like Coinhive had been discovered on some of the world’s most popular websites including YouTube, through Google’s DoubleClick ad delivery platform.

Meanwhile, amid concerns about the volatile value of cryptocurrencies and moves by national and international leaders to regulate trading, Lloyds Banking Group has banned the purchase of Bitcoin with credit cards. The virtual currency has more than halved in value in a matter of weeks, falling from a high of approximately $20,000 (£14,500) in December.
