TL;DR
Your network is likely infected with a botnet that’s secretly using your computers to mine cryptocurrency. This guide explains how to identify the problem, contain it, and remove the malware. It covers scanning for infections, blocking malicious connections, and improving security.
1. Confirm the Infection
- Check Resource Usage: Open Task Manager (Windows) or Activity Monitor (macOS). Look for processes using high CPU even when you’re not running demanding applications. Unusual process names are a red flag.
- Network Monitoring: Use a network monitoring tool (like Wireshark, tcpdump, or your router’s built-in tools) to see where traffic is going. Look for connections to known coin mining pools (see resources at the end).
- Firewall Logs: Examine your firewall logs for frequent outbound connections to unfamiliar IP addresses and ports.
- Antivirus Scan: Run a full system scan with an up-to-date antivirus program. While not always effective against botnets, it’s a good first step.
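The network-monitoring and firewall-log checks above can be scripted. The following is an added example, not part of this guide: it parses simplified outbound-connection log lines and flags destinations on stratum ports miners commonly use, pool-like host names, and repeated connections to one destination. The log line format, the port list, the host-name patterns and the beaconing threshold are assumptions for this example and should be tuned to your environment and to the pool lists in the Resources section.

```python
"""Flag outbound connections that look like cryptomining pool traffic.
Added example, not from the guide. Log line format "<time> OUT <src_ip>:<src_port> -> <dst_host>:<dst_port>",
the port list and the thresholds are assumptions for this example.
"""
import re
from collections import Counter

SUSPECT_PORTS = {3333, 4444, 5555, 7777, 14444}   # common stratum ports (assumed starter list)
SUSPECT_HOST_PATTERNS = ("pool", "xmr", "monero", "stratum", "nicehash")  # pool-like names (assumed)
BEACON_THRESHOLD = 5  # repeats to one destination that count as beaconing (assumed)

LINE_RE = re.compile(r"^\S+ OUT (?P<src>[\d.]+):\d+ -> (?P<dst>[^:\s]+):(?P<dport>\d+)$")

def parse_line(line):
    """Return (src_ip, dst_host, dst_port) for an outbound line, else None."""
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("dst"), int(m.group("dport"))) if m else None

def find_suspects(lines):
    """Return {(src, dst, dport): [reasons]} for connections worth a closer look."""
    findings, counts = {}, Counter()
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue  # inbound or malformed line
        counts[conn] += 1
        _src, dst, dport = conn
        reasons = []
        if dport in SUSPECT_PORTS:
            reasons.append(f"stratum-like port {dport}")
        if any(p in dst.lower() for p in SUSPECT_HOST_PATTERNS):
            reasons.append(f"pool-like host name {dst}")
        if reasons and conn not in findings:
            findings[conn] = reasons
    for conn, n in counts.items():  # beaconing: many connections to one destination
        if n >= BEACON_THRESHOLD:
            findings.setdefault(conn, []).append(f"repeated {n} times")
    return findings

# Constructed sample log: TEST-NET addresses and a .invalid host, not real indicators.
SAMPLE_LOG = [
    "10:00:01 OUT 192.168.1.20:51000 -> 198.51.100.5:443",
    "10:00:02 OUT 192.168.1.20:51001 -> example-pool.invalid:3333",
    "10:00:03 IN 198.51.100.5:443 -> 192.168.1.20:51000",
] + [f"10:00:{10 + i} OUT 192.168.1.21:520{i:02d} -> 203.0.113.7:8080" for i in range(5)]

if __name__ == "__main__":
    for (src, dst, dport), why in sorted(find_suspects(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{dport}: {', '.join(why)}")
```

Every hit is a lead to verify against the pool lists and the process list on the source host, not a verdict: a plain HTTPS connection on 443 to a pool will only show up here if the host name matches.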
2. Contain the Infection
- Isolate Infected Machines: Disconnect infected computers from the network to prevent further spread and communication with the command-and-control server.
- Change Passwords: Change passwords for all user accounts, especially those with administrative privileges. Assume they may have been compromised.
- Block Malicious IPs/Domains: Identify the IP addresses and domains your network is connecting to (from step 1). Block these at your firewall or router level.
# Example using iptables on Linux:
# Replace <IP_ADDRESS> with the actual IP address.
# This rule only affects the host it is added on and is lost on reboot;
# save it with iptables-save (or your distribution's persistence mechanism),
# and apply the same block at the gateway to cover the whole network.
iptables -A OUTPUT -d <IP_ADDRESS> -j DROP
3. Remove the Malware
- Boot into Safe Mode: Restart infected computers in Safe Mode (Windows) or Recovery Mode (macOS). This limits what malware can run during removal.
- Run a Dedicated Anti-Malware Scanner: Use a specialized anti-malware scanner designed to detect and remove botnet infections (e.g., Malwarebytes, HitmanPro). These are often more effective than standard antivirus programs.
# Example using Malwarebytes CLI (command line interface):
mbam --scan --clean
- Rootkit Scan: Run a rootkit scanner to detect and remove deeply embedded malware.
- Reinstall Operating System (Last Resort): If removal fails, consider reinstalling the operating system from scratch. This is the most reliable way to ensure complete eradication but requires backing up important data first.
4. Improve Network Security
- Update Software: Keep all software (operating systems, browsers, plugins) updated with the latest security patches.
- Strong Passwords: Enforce strong, unique passwords for all accounts. Use a password manager.
- Firewall Configuration: Configure your firewall to block unnecessary ports and services.
- Network Segmentation: Segment your network to isolate critical systems from less secure ones.
- Intrusion Detection/Prevention System (IDS/IPS): Consider implementing an IDS/IPS to detect and prevent malicious activity on your network.
- Regular Backups: Regularly back up important data to a separate, offline location.
Resources
- Coin Mining Pool Lists: Cryptocompare, WhatToMine
- Malwarebytes: https://www.malwarebytes.com/
- HitmanPro: https://www.hitmanpro.com/

