Analyzing Bitcoin Mining Botnets (Minerbots) – How Can We Shield Our Systems Against Minerbots?

Botnets have recently become one of the most serious forms of malicious tools used by cybercriminals to launch a myriad of attacks not only on individuals, but also on servers belonging to large organizations. Botnets can be used to perform a variety of malicious attacks including DDoS attacks, email spamming, phishing of private data, identity theft, bitcoin mining and others. Most recently, cybercriminals have been using botnets to exploit the computational power of victim’s machines in pooled bitcoin mining. Such forms of botnets are referred to as “miner botnets”.

A recently published paper discussed how miner botnets are used to mine bitcoin via compromised machines. The authors of the paper also examined the network flow of two miner botnets known as “ZeroAccess” and “Neris”, providing a DNS relationship that aids in identification of the botnets. They also proposed a security algorithm and framework that can protect an OS from being compromised by a miner botnet. Throughout this article, we will review this study and its interesting results.

How Miner Botnets Work:

A botnet represents a network of compromised machines that are controlled by the botmaster via a central Command Control (CC) server. The botmaster communicates with his/her network of bots, i.e. infected machines, via the CC server(s). These central CC servers represent a major vulnerability of the framework of a botnet, as once the CC server is taken down, the botnet is successfully defeated. To mitigate this issue, botmasters started utilizing a more complicated peer-to-peer (P2P) network structure for their CC servers. Due to the distributed nature of such P2P networks, disruption of the botnet becomes harder to accomplish.

Nowadays, botmasters use the Tor network to render their CC servers anonymous and almost impossible to trace. Miner botnets mostly rely on CC servers which are hosted on the Tor network in the form of hidden services. Via pooled bitcoin mining, botmasters can covertly exploit the computational power of victims’ machines to mine bitcoins. The miner bot accomplishes this via silently installing mining software, e.g. CGMiner, on the compromised machines. Once installed, it runs quiescently in the background of the OS of the infected machine and uses the processing power of the CPU and GPU to mine bitcoin. The mining software is setup to join a bitcoin mining pool; a public pool, or a dark pool. On a public mining pool, there is a considerable chance that the botnet will be detected and banned, while on a dark pool, the chance of detection is much lower, yet the botmaster will have to pay for the fees of maintenance of the dark pool. Once the mining pool has been joined, all bots will start mining bitcoin and will save the mined coins to the botmaster’s wallet.

Methods Used For Minerbot Analysis:

To analyze miner botnets, the researchers utilized a five step process:

1. Setting up a virtual environment: This involved creation of a virtual machine, or a virtual operating system OS, using a program such as VMware, in order to be able to capture the malware without inducing any damage to the true OS.

2. Executing the malware: This involved executing the malware on the virtual machine and capturing its activity using Wireshark and the Advanced Task Manager.

3. Data analysis: This involved analyzing the data captured in the previous step for anomalous traffic, packets sent to suspicious IP addresses,…etc.

4. Results: Results were obtained via data analysis. They were posted as results of the research study.

5. Conclusion: The conclusion of the study was based on all the information extracted from all the above steps.

The study involved analysis of the Pcap files of two minerbots; ZeroAccess and Neris. It was found that botmasters of these miner bots use multiple CC servers whose IP addresses are routed to the bot in the form of a reply to its DNS query. As such, when a DNS reply includes 7-8 answers, i.e. 7-8 IP addresses, in the answer field, this mostly represents a DNS query of a botnet that has been generated by an infected machine (bot) as shown on the below figure of a Neris miner bot.

Proposed Idea For Protection Against Miner Bots:

The researchers found out there are similarities between the packets requested by most botnet infected systems. For example, DNS replies to a DNS query of a miner bot included more IP addresses than the threshold limit (7-8 addresses) in the answer field. They proposed a framework which is presented in the below figure to prevent our systems from being infected by botnets, especially miner bots.

The framework begins by capturing packets from the TCP/IP stack. This is followed by applying white paper and black paper filtering, as white paper filtering will include all genuine IPs, while black paper filtering will include IPs of already known cyber attackers and malware. The framework utilizes the DNS threshold algorithm, which acts to quarantine packets whose DNS replies include more answers in the answer field than the predefined threshold (7-8 answers, or IP addresses). Eliminating such packets will prevent the miner bot running on the machine from interacting with the CC server; thus, prevent it from exploiting the machine’s processing power in bitcoin mining.