The recently discovered Fbot, which finds systems infected with crypto-coin mining malware and scrubs them clean, may seem like a champion of good, but remember it is entering your system without your permission and modifying code and deleting files. We have seen other such ‘cleaner’ worms in the past, and the best advice is to be wary.
First, if this bot can infect your system then so can other malicious payloads. Second, if you are suffering from crypto-coin mining malware, you should address that with proper security tools and understand how your device was infected in the first place. Was it human error in clicking a bad link or perhaps a new app you installed? Whatever the reason, knowing the root-cause will help you avoid reinfection and protect your system from other attacks using the same vector.
Also know that Fbot is based upon code from an advanced IoT malware botnet called Satori. For such stealthy ingress, it is very difficult to know if one set of malware is being removed so another can be installed. We have seen this in the past where a group of hackers were infecting systems to replace a competing virus or botnet with their own. They even went as far as to patch the system’s vulnerabilities so they could not be easily evicted by others attempting to do the same.
Until we understand who is behind Fbot and what their motivation is, we cannot be certain if this is an attempt at being benign or acting strategically to the detriment of the system owner.
The enemy of your enemy is NOT your friend.