A giant botnet is forcing Windows servers to mine cryptocurrency

The Smominru miner has infected at least half a million machines -- mostly consisting of Windows servers -- and spreads using the EternalBlue exploit.
Written by Danny Palmer, Senior Writer

A massive cryptocurrency mining botnet has taken over half a million machines, and may have made its cybercriminal controllers millions of dollars. The whole operation is powered by EternalBlue, the leaked NSA exploit which made the WannaCry ransomware outbreak so destructive.

The Smominru miner botnet turns infected machines into miners of the Monero cryptocurrency and is believed to have made its owners around $3.6m since it started operating in May 2017 -- about a month after EternalBlue leaked and around the same time as the WannaCry attack.

While it isn't uncommon for cybercriminals to leverage the power of hijacked networks of computers to acquire cryptocurrency, this particular network is significant because of its sheer size -- double that of the Adylkuzz mining botnet.

Researchers at Proofpoint say the botnet was made up of 526,000 nodes at its peak. Despite efforts to take it down, the botnet is particularly resilient and keeps regenerating itself, and therefore remains a powerful Monero mining tool for its operators.

Such is the power of Smominru that its operators have mined 8,900 Monero, currently valued at between $2.8m and $3.6m, with around 24 Monero (around $8,500) added each day.

Part of Smominru's power lies in the types of machines it takes control of, with a large proportion of the nodes in the network consisting of Windows servers.

What makes servers such an appealing target for cryptocurrency miners is their processing power and the fact that, unlike a desktop computer -- which is regularly turned off and so stops mining -- servers are always on, providing a continuous, lucrative stream of Monero.


The botnet puts Windows Servers to work in the cryptocurrency mines

Meanwhile, organisations may remain unaware that their servers have become part of the Smominru botnet, even though the mining can cause performance to drop and raise the energy costs of servers that are suddenly operating far closer to capacity.

Researchers note that at least 25 of the infected hosts have been seen conducting additional attacks via EternalBlue, using its worm-like features to infect new nodes and increase the size of the botnet by attacking vulnerable machines with publicly reachable IP addresses.


Attacks have also been taking place via EsteemAudit, an exploit that leverages vulnerabilities in RDP on Windows Server 2003 and Windows XP.

While efforts have been made to shut down the botnet -- cybersecurity personnel have managed to take down about one-third of Smominru with sinkhole operations and banning IP addresses -- its operators have been able to recover.

It's the use of EternalBlue that helps the attackers regenerate their network so quickly, and it could allow the botnet to grow well beyond its current half a million devices.

The highest numbers of infected systems are found in Russia, India, and Taiwan. It's unlikely the attackers have targeted these countries specifically; rather, they simply represent areas of the globe where patching of systems against the EternalBlue exploit has been lax.

"Robust patching regimens remain the best defense against EternalBlue. While we expect the number of vulnerable machines to decrease over time, obviously there are still many unpatched machines worldwide with SMB accessible by public IP," Kevin Epstein, vice president for threat operations at Proofpoint, told ZDNet.

Cybercriminals appear to be increasingly turning their attention to cryptocurrency miners as a means of easily making money.

While bitcoin remains the most popular form of cryptocurrency, many cybercriminals are turning towards alternatives like Monero for reasons ranging from increased privacy to being able to cash it out more quickly.
