Increased competition in the “DDoS-attack-for-hire” market, together with cryptocurrency prices that are at times attractive, is pushing botnet operators to shift their priorities towards distributing crypto-mining malware, cybersecurity researchers at Kaspersky Lab (KL) report.
In a DDoS (distributed denial-of-service) attack, a network of infected computers called a botnet floods a targeted site with more requests than it can handle until the site becomes unavailable.
According to Cloudflare, botnets can commandeer the computing power of any internet-connected device, including cameras and baby monitors.
Botnets were used in 2016 to attack Dyn, a domain name service (DNS) company that translates the names users type into the network addresses of the websites they want to reach.
The attack affected Airbnb, Netflix, PayPal, Visa, Amazon, The New York Times, Reddit, and GitHub.
The source of the attack on Dyn has never been conclusively identified. Some believe it was executed by “hacktivists” angered when Ecuador cut off WikiLeaks founder Julian Assange’s access to the Internet after he was accused of interfering in the 2016 US election. Others say a disgruntled gamer was to blame.
A botnet attack can be bought on the dark net, but a recent glut of operators capable of executing a DDoS attack, says Kaspersky, has driven the price of an attack down and made such attacks less lucrative for operators.
Some enterprising botnet commanders have switched to using their botnets to amplify dissemination of crypto-mining malware.
In a crypto-mining attack (also known as “cryptojacking”), a targeted system is surreptitiously infected with malware that turns it into a zombie and devotes most of its processing power to mining cryptocurrency. The proceeds go to the attacker.
Cryptojacking malware has historically been distributed through adware, pirated games and other pirated content.
Large commercial networks at governments or corporations are favoured targets in these types of attacks.
Now, however, botnets can help attackers more efficiently create non-institutional crypto-jacking networks, ones with far less administrative oversight.
Kaspersky adds that, “if executed properly, (a cryptomining attack) can be impossible…to detect, and thus the chances of encountering the cyberpolice are far lower.”
Prolonged cryptojacking can degrade a system and damage its processors, while running up the electricity bill of the business or organisation that owns it.
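The practical question behind the paragraphs above is how a defender notices a miner that is quietly consuming a host's CPU. The following triage script is an added example written for this page; it is not Kaspersky's tooling and not code from the report. It scores host telemetry with three kinds of indicator: a Stratum pool URL or miner-specific tokens on the command line, outbound traffic that speaks the Stratum protocol (newline-delimited JSON-RPC with `mining.*` methods), and sustained high CPU combined with a connection to a port commonly used by public pools. The `ProcessSample` record, the `POOL_PORTS` set and the four telemetry entries are assumptions constructed for the example, not observed data.

```python
import json
import re
from dataclasses import dataclass

# Strong indicator: a Stratum pool URL on the command line. Open-source miners such as
# xmrig and cpuminer take their pool as "-o stratum+tcp://host:port".
STRATUM_URL_RE = re.compile(r"stratum\+(?:tcp|ssl)://[^\s\"']+", re.I)
# Medium indicator: flags and algorithm names that only miners use.
MINER_TOKEN_RE = re.compile(
    r"--donate-level|--cpu-priority|--nicehash|cryptonight|randomx|xmrig|cpuminer|minerd",
    re.I,
)
# Ports commonly exposed by public mining pools (assumed list). Weak on its own,
# so it is only counted together with sustained high CPU.
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 9999, 14444}


@dataclass
class ProcessSample:
    """One sampled process; the field layout is an assumption for this example."""
    pid: int
    name: str
    cmdline: str
    cpu_pct: float          # mean CPU use over the sampling window
    remote_endpoints: list  # outbound (host, port) tuples
    payloads: list          # first bytes of outbound streams, if captured


def looks_like_stratum(payload: bytes) -> bool:
    """True if the captured bytes parse as Stratum: one JSON-RPC object per line
    whose method lives in the "mining." namespace (mining.subscribe, mining.authorize,
    mining.submit). Anything that is not valid JSON is rejected."""
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            return False
        if isinstance(msg, dict) and str(msg.get("method", "")).startswith("mining."):
            return True
    return False


def indicators(p: ProcessSample, cpu_threshold: float = 80.0) -> list:
    """Return the list of indicator labels that fire for one process."""
    hits = []
    m = STRATUM_URL_RE.search(p.cmdline)
    if m:
        hits.append("stratum-url:" + m.group(0))
    if MINER_TOKEN_RE.search(p.cmdline):
        hits.append("miner-tokens")
    if any(looks_like_stratum(b) for b in p.payloads):
        hits.append("stratum-protocol")
    pool = [port for _, port in p.remote_endpoints if port in POOL_PORTS]
    if pool and p.cpu_pct >= cpu_threshold:
        hits.append(f"high-cpu+pool-port:{pool[0]}")
    return hits


def triage(samples, cpu_threshold: float = 80.0) -> dict:
    """Map pid -> indicators for every process with at least one hit."""
    out = {}
    for p in samples:
        hits = indicators(p, cpu_threshold)
        if hits:
            out[p.pid] = hits
    return out


# Constructed sample telemetry (not real data): a renamed miner, a suspicious
# process with no visible command line, a legitimate CPU-heavy job, and idle curl.
SAMPLES = [
    ProcessSample(1201, "kworkerd",
                  "kworkerd -o stratum+tcp://pool.example.invalid:3333 -u 4A...",
                  97.0, [("203.0.113.7", 3333)],
                  [b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n']),
    ProcessSample(2310, "svchost", "svchost", 91.0, [("198.51.100.9", 14444)], []),
    ProcessSample(3005, "ffmpeg", "ffmpeg -i in.mp4 out.mkv", 95.0, [], []),
    ProcessSample(4100, "curl", "curl https://example.com/", 1.0,
                  [("93.184.216.34", 443)], [b"GET / HTTP/1.1\r\n"]),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLES).items():
        print(pid, hits)
```

Run on the constructed samples, the renamed miner (pid 1201) trips all three indicator types and the opaque `svchost` (pid 2310) trips the CPU-plus-pool-port rule, while the transcoding job with no network activity is left alone. The caveat that matches Kaspersky's “impossible to detect” remark: a miner that throttles itself below the CPU threshold and proxies its Stratum traffic over port 443 inside TLS defeats the last two rules, which is why the command-line and protocol checks, and ideally a baseline of normal CPU per host, matter more than the port list.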
Kaspersky says, “Hidden mining software was very popular among botnet owners, as confirmed by our statistics on files downloaded by zombie networks: Q1 2018 saw a boom in cryptominers, and the share of this malware in the first half of the year was 4.6% of the total number of files downloaded by botnets.”
Another notable finding of the latest Kaspersky report on cryptojacking is that malware is also being aimed at crypto-mining affiliate programs, mining pools and miner builders.
According to Kaspersky, one piece of malware now being spread through affiliate sites is the “previously adware-only PBot.”
In this case, a user of a crypto-mining affiliate network (essentially a program that pays out a share of the mining proceeds in return for distributing or running the miner) can be infected with PBot by clicking anywhere on a compromised affiliate’s page.
Kaspersky identified the countries with the highest rates of cryptojacking infections, and found that whether cryptocurrency mining is locally prohibited or permitted seems to have no effect on the infection rate.
According to KL, the top ten countries with the most cryptojacking infections to date are (listed most to least):