And in this corner…

By Richard Arneson

If you’ve never seen video of it, it’s happened a few times. Two pugilists—in this case MMA fighters—knock each other out simultaneously. You can see it for yourself, it’s good for a chuckle—go 35 seconds in—https://www.youtube.com/watch?v=keZLvsXs-sQ.

This is exactly what you’d like to see when two botnets do battle, and that very thing is happening right now. The spoils these gangs are fighting over are unsecured Android devices, which they conscript to mine cryptocurrency (get a refresher on mining cryptocurrency here; specifically, paragraph 6).

Let’s get ready to rumble!!

In the red corner, sharing code with the Satori DDoS malware…Fbot! And in the blue corner, the current champion of digital malevolence, formerly known as ADB.Miner…Trinity!

Actually, it should be Let’s continue the rumble!!

Based on reports from several cybersecurity firms, the battle royale between Fbot and Trinity began about a month ago. An up-and-comer was trying to knock the big dog off the hill. Fbot, that up-and-comer, has had a singular focus: spread to as many Android devices as possible while kicking Trinity off the devices it has already infected.

Fbot carries code that searches an infected device for Trinity’s package name (com.ufo.miner) and, once found, uninstalls it before taking the device for itself. Fbot shares code with the Satori IoT DDoS botnet, which was unleashed by a 20-year-old charmer from Washington state. The good news? He was indicted in September on federal hacking charges for infecting hundreds of thousands of IoT devices and wireless routers. If you look up his picture, his crime starts to make sense.

Why Android devices?

The botnet creators are abusing a developer feature called the Android Debug Bridge (ADB). When ADB is enabled over the network, the device listens on TCP port 5555 and, on the affected devices, accepts commands from anyone who can reach that port with no authentication at all: install an app, run a shell, pull data. It’s supposed to ship disabled from the manufacturer, and on the majority of devices it is. However, tens of thousands of devices were found with it still enabled, which security analysts attribute either to its being left on by accident during the manufacturing or testing process, or to the owner enabling it and never turning it off. Either way, it provides a wide-open back door into the device. It’s estimated that roughly 35,000 devices expose an open ADB port on any given day. And once a device with that port open is infected, it becomes the perfect launching pad for scanning for, and infecting, other Android devices with the same hole.
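To make the mechanism concrete, here is an added example (not code from this post, from GDT, or from either botnet) of a small Python probe that checks whether a host is exposing an ADB daemon on TCP port 5555 and whether that daemon will talk without authentication. It sends the same first message a real adb client sends, a CNXN handshake (a 24-byte header followed by a "host::" payload), and classifies the daemon’s first reply: a CNXN back means anyone who can reach the port gets a shell; an AUTH back means the daemon at least demands a trusted RSA key; anything else is not ADB. The message layout and command values follow the public ADB wire protocol; the 4 KiB payload limit, the three-second timeout and the sample replies in the comments are assumptions chosen for a quick scan.

```python
"""Probe a host for an Android Debug Bridge daemon on TCP/5555.

Added example for this post; not code from GDT, Fbot or Trinity.
It speaks just enough of the ADB wire protocol to send the client
CNXN handshake and classify the daemon's first reply.
"""
import socket
import struct

ADB_PORT = 5555
# ADB commands are four ASCII bytes read as a little-endian uint32.
A_CNXN = 0x4E584E43     # "CNXN": connect / connection accepted
A_AUTH = 0x48545541     # "AUTH": daemon demands RSA key authentication
A_VERSION = 0x01000000  # oldest protocol version; every adbd accepts it
MAX_PAYLOAD = 4096      # assumption: ample for the handshake payloads

# Header: command, arg0, arg1, data_length, data_checksum, magic (uint32 LE each)
HEADER = struct.Struct("<IIIIII")


def build_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Serialise one ADB message; magic is the bitwise complement of command."""
    checksum = sum(data) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(data), checksum, magic) + data


def parse_message(buf: bytes):
    """Return (command, arg0, arg1, payload), or None if buf is not a complete ADB message.

    Only the magic field is verified: daemons speaking protocol >= 0x01000001
    may send a zero checksum, so enforcing it would misclassify real devices.
    """
    if len(buf) < HEADER.size:
        return None
    command, arg0, arg1, data_len, _checksum, magic = HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:
        return None
    payload = buf[HEADER.size:HEADER.size + data_len]
    if len(payload) != data_len:
        return None
    return command, arg0, arg1, payload


def client_hello() -> bytes:
    """The CNXN message an adb client sends; 'host::' identifies us as a host."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def classify_reply(reply: bytes) -> str:
    """Map the daemon's first message to: open, auth-required, unknown or not-adb."""
    msg = parse_message(reply)
    if msg is None:
        return "not-adb"
    command, _arg0, _arg1, _payload = msg
    if command == A_CNXN:
        return "open"           # no auth: anyone can `adb shell` / `adb install`
    if command == A_AUTH:
        return "auth-required"  # listening, but wants a trusted RSA key first
    return "unknown"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes (or fewer if the peer closes early)."""
    chunks = []
    while n > 0:
        chunk = sock.recv(n)
        if not chunk:
            break
        chunks.append(chunk)
        n -= len(chunk)
    return b"".join(chunks)


def probe(host: str, port: int = ADB_PORT, timeout: float = 3.0) -> str:
    """Connect, send the handshake, classify the reply. Network I/O: authorised hosts only."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(client_hello())
            header = _recv_exact(sock, HEADER.size)
            if len(header) < HEADER.size:
                return "not-adb"
            data_len = HEADER.unpack(header)[3]
            if data_len > MAX_PAYLOAD:      # daemon ignored our advertised limit
                return "unknown"
            body = _recv_exact(sock, data_len) if data_len else b""
            return classify_reply(header + body)
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:{ADB_PORT} -> {probe(target)}")
```

Run it only against devices you own or are authorised to test. If a device comes back "open", plug it in and run `adb usb` (or turn off USB debugging under Developer options) so adbd stops listening on the network, and block inbound traffic to port 5555 at the network edge so a single forgotten device can’t be reached from the Internet in the first place.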

While Trinity has been mining cryptocurrency, and apparently turning a hefty profit at it, Fbot, thankfully, has yet to do so. Here’s hoping that Android manufacturers soon ship every device with network ADB switched off, and that owners and network administrators block inbound traffic to port 5555 in the meantime; done consistently, that closes this particular door. But don’t worry, there will be others.

Botnet Questions? Turn to the Security Experts

Conducting a security check-up might not sound exciting, but it’s a pay-me-now-or-pay-me-later scenario. That’s why talking to experts like the security analysts at GDT is probably your best course of action. They manage GDT’s 24x7x365 Security Operations Center (SOC) and oversee the network security of some of the most noted enterprise organizations and government entities in the world. Contact them today at soc@gdt.com. They’d love to hear from you.

Read more about network security here:

Hiring a hacker probably shouldn’t be part of your business plan

Phishing is up, and you should probably let your college-age kids know about it

Gen V

Sexy, yes, but potentially dangerous

Tetration—you should know its meaning

It’s in their DNA

Rx for IT departments—a security check-up

When SOC plays second fiddle to NOC, you could be in for an expensive tune

How to protect against Ransomware