
Cybersecurity researchers have detailed two new methods that can be used to disrupt cryptocurrency mining botnets.
The methods exploit the design of common mining topologies to shut down the mining process, Akamai said in a report published today.
“We have developed two methods by leveraging mining topology and pooling policies, which reduce the effectiveness of a cryptominer botnet to the point where it completely shuts down.”

The techniques rely on abusing the Stratum mining protocol to get the attacker’s mining proxy or wallet banned, effectively disrupting operations, according to the web infrastructure company.
The first of the two approaches, called bad shares, involves getting the mining proxy banned from the pool. This shuts down the entire operation and causes the victim’s CPU usage to plummet from 100% to 0%.
A mining proxy acts as an intermediary that hides the attacker’s mining pool and wallet address, but because the whole botnet depends on its normal functioning, it is also a single point of failure.
“The idea is simple. By connecting to a malicious proxy as a miner, you can bypass proxy verification and submit invalid mining job results (bad shares) that get submitted to the pool,” Dahan explained. “Enough consecutive bad shares will ultimately get the proxy banned and effectively stop mining operations across the entire cryptomining botnet.”

Akamai did this with an in-house tool called XMRogue, which impersonates a miner, connects to the mining proxy, sends consecutive bad shares, and ultimately gets the proxy banned from the pool.
The second method conceived by Akamai covers the scenario where the victim miners connect directly to a public pool without a proxy. It takes advantage of a pool policy that bans a wallet address for one hour if more than 1,000 workers are connected under it.
In other words, initiating more than 1,000 simultaneous login requests using the attacker’s wallet causes the pool to ban that wallet. However, this is not a permanent solution: the account recovers as soon as the flood of login connections stops.
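As an added illustration (not code from Akamai, XMRogue or the report), the toy pool-side policy model below encodes the two pool behaviours that both methods rely on: banning a client that keeps submitting invalid shares, and banning a wallet for an hour once more than 1,000 workers log in under it. It assumes XMRig-style Stratum JSON-RPC messages (a `login` carrying the wallet in `params.login`, a `submit` carrying the share hash in `params.result`), an invented share target, and an invented threshold of five consecutive bad shares; none of these reflect any real pool’s configuration.

```python
import json
from collections import defaultdict

BAD_SHARE_LIMIT = 5          # assumed: consecutive invalid shares before the sender's IP is banned
WORKER_LIMIT = 1000          # from the report: workers per wallet before the wallet is banned
WALLET_BAN_SECONDS = 3600    # from the report: the wallet ban lasts one hour
TOY_TARGET = 1 << 240        # assumed share target: a 256-bit hash below this counts as a valid share

def share_valid(params):
    """Toy validity check: the submitted hash must be 32 hex bytes and below the target."""
    result = params.get("result", "")
    return len(result) == 64 and all(c in "0123456789abcdef" for c in result) and int(result, 16) < TOY_TARGET

class PoolPolicy:
    def __init__(self, now):
        self.now = now                           # injectable clock so the one-hour ban can be simulated
        self.bad_streak = defaultdict(int)       # client ip -> consecutive invalid shares
        self.banned_ips = set()                  # a proxy is seen by the pool as one client ip
        self.workers = defaultdict(int)          # wallet -> workers currently logged in under it
        self.wallet_ban_until = {}               # wallet -> unix time at which its ban expires

    def wallet_banned(self, wallet):
        return self.now() < self.wallet_ban_until.get(wallet, 0)

    def handle(self, ip, raw):
        """Apply the policy to one Stratum JSON-RPC message from a miner or proxy; return the verdict."""
        if ip in self.banned_ips:
            return "ip-banned"
        msg = json.loads(raw)
        method, params = msg.get("method"), msg.get("params", {})
        if method == "login":                    # XMRig-style login: the wallet address is params["login"]
            wallet = params["login"]
            if self.wallet_banned(wallet):
                return "wallet-banned"
            self.workers[wallet] += 1
            if self.workers[wallet] > WORKER_LIMIT:  # the policy the second method leans on
                self.wallet_ban_until[wallet] = self.now() + WALLET_BAN_SECONDS
                self.workers[wallet] = 0         # the pool drops every connection under the wallet
                return "wallet-banned"
            return "ok"
        if method == "submit":                   # a share; a proxy forwards these on behalf of its miners
            if share_valid(params):
                self.bad_streak[ip] = 0
                return "accepted"
            self.bad_streak[ip] += 1
            if self.bad_streak[ip] >= BAD_SHARE_LIMIT:  # the policy the first method leans on
                self.banned_ips.add(ip)
                return "ip-banned"
            return "rejected"
        return "unknown-method"
```

Because the wallet ban is keyed only on the wallet and a clock, the model also shows the caveat from the report: once the ban expires and no flood is in progress, the same wallet logs in normally again.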

Akamai used the above methods against Monero cryptocurrency miners, but noted that they could be extended to other cryptocurrencies.
“The above techniques demonstrate how defenders can effectively shut down malicious cryptominer campaigns by leveraging pool policies without disrupting legitimate pool operations,” Dahan said.
“A legitimate miner can easily change its IP or wallet locally, allowing it to recover quickly from this type of attack. This task is much more difficult for malicious cryptominers, as it requires changing the entire botnet.”