Botnet at large: Avast blocks Smominru miner

Martin Hron, 2 February 2018

The cryptominer botnet has attacked over half a million Windows servers and computers so far, and that number is growing.

The good news is that Avast users are protected against cryptomining, which includes the current threat terrorizing the world’s Windows servers and computers. The Smominru botnet has torn through hundreds of thousands of servers and computers alike, hijacking their CPU power to mine the cryptocurrency Monero. ZDNet reports that the Smominru botnet mines 24 Monero ($8,500) a day, with a net total to date of 8,900 Monero ($2.8M - $3.6M).

Which brings us to the bad news: this botnet is still at large. It strategically targets Windows machines and servers; the servers give it more power, with the added benefit that they never shut down. Smominru reproduces itself at an incredible rate and continues to regenerate. Its tactic is to exploit EternalBlue, the same vulnerability used to fuel the WannaCry attacks last year, and spread in a worm-like manner.

Smominru attack learnings

As cybersecurity experts continue to learn more about this botnet, we can share what we know. Over the last two weeks, the Smominru miner attacks came in waves, hitting a peak of 30,000 attacks in a single day. There seems to be a pattern of regeneration and spreading.


The hardest-hit countries were Russia, Ukraine, Taiwan, and Brazil, which saw both the most attacks and the most users targeted. This is likely not an instance of geo-targeting, but a simple case of finding Windows servers with the EternalBlue vulnerability. Machines in many countries around the world have been targeted.




What can you do?

  • The best advice is to make sure your Windows software is updated. The irony with the EternalBlue vulnerability in Windows is that a patch was already available to the public before the WannaCry attacks hit. While there are legions of people who are averse to updating their apps and operating systems, or can't be bothered to, we strongly urge you not to be among them. Update your Windows software to the latest version, which protects you against vulnerabilities like EternalBlue.