Criminals using your servers to make money
If you thought ransomware was the worst thing that could happen to your servers, think again. Your server can now be hijacked and used as part of a botnet to mine cryptocurrencies. This horror-story scenario is exactly what is happening with the Smominru botnet, which has infected more than half a million servers around the world. These hijacked servers have been used to mine the cryptocurrency Monero, and since the botnet first appeared in May 2017 it is estimated to have mined 8,900 Monero tokens. At current exchange rates Monero is valued at $323.55, which brings the total amount of money made to $2.8 million (R32.7 million).
The botnet spreads using an exploit developed for the US National Security Agency called EternalBlue. The exploit, which affects Windows machines, was leaked last year. This is not the first time EternalBlue has been used to compromise systems: in May 2017 it was used in conjunction with another exploit (also from the NSA) called DoublePulsar to spread the WannaCry ransomware, which infected the UK NHS systems. So far attempts to bring down the botnet have failed due to its resilience, and because of the anonymous nature of the Monero blockchain it is impossible to see who the money is going to.
Servers are the ideal target for such attacks because they are always on and are far more powerful than the average home computer. The downside for the owners of these servers is the increased power consumption and heat generated; this can have the further negative impact of reducing the lifespan of the components inside the server.
So what can you do to protect yourself, or reduce the impact if you do get infected? Well, the first step is to always have an up-to-date antivirus. IT Windows recommends ESET Endpoint Antivirus for all our business clients (ESET Endpoint Security for the road warriors), and one of the various ESET server products to protect servers. It is also important to ensure that Windows machines are kept up-to-date with the latest patches, especially zero-day patches, since the vulnerability exploited here was patched last year. Our technicians check our clients' servers on a regular basis to ensure that they are running well. Such routine checks ensure that we can spot when a server is not behaving properly and then investigate the cause.
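The routine check described above can be scripted. The following PowerShell is an added example and is not code from the original post or from IT Windows; it checks three things a miner-infected Windows server would show: whether SMBv1 (the protocol EternalBlue abuses) is still enabled, whether the relevant Windows updates are installed, and whether total CPU load is abnormally high and which processes are responsible. The KB identifiers in `$PatchKBs` and the CPU threshold are assumptions to be filled in per Windows version and per site; the `Get-SmbServerConfiguration`, `Get-HotFix`, `Get-Counter` and `Get-Process` cmdlets are standard on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original post): a routine server health check.
# Run in an elevated PowerShell session on the server being inspected.

$PatchKBs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2')   # assumption: substitute the MS17-010 update IDs for your OS
$CpuAlertPercent = 80                                   # assumption: site-specific alert threshold

function Test-Smb1Disabled {
    # SMBv1 is what EternalBlue targets; it should be off on a patched, hardened server.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return $null }   # cmdlet unavailable on this Windows version
    return -not $cfg.EnableSMB1Protocol
}

function Get-MissingPatches {
    param([string[]]$KBs)
    # Compare the expected update IDs against what Windows reports as installed.
    $installed = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
    return $KBs | Where-Object { $installed -notcontains $_ }
}

function Get-CpuHogs {
    param([int]$Threshold)
    # Sample total CPU usage (counter name assumes an English-language Windows)
    # and list the processes that have consumed the most CPU time since they started.
    $total = (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples[0].CookedValue
    $top = Get-Process | Sort-Object CPU -Descending |
           Select-Object -First 5 Name, Id, CPU, Path
    [pscustomobject]@{
        TotalPercent  = [math]::Round($total, 1)
        OverThreshold = ($total -gt $Threshold)
        Top           = $top
    }
}

$smb1Off = Test-Smb1Disabled
$missing = Get-MissingPatches -KBs $PatchKBs
$cpu     = Get-CpuHogs -Threshold $CpuAlertPercent

"SMBv1 disabled : $smb1Off"
"Missing updates: $(if ($missing) { $missing -join ', ' } else { 'none' })"
"CPU load       : $($cpu.TotalPercent)% (alert = $($cpu.OverThreshold))"
$cpu.Top | Format-Table -AutoSize
```

An unfamiliar process near the top of the CPU list on a server that is otherwise idle, combined with SMBv1 still enabled or the update missing, is the pattern that warrants the investigation the post describes; scheduling this script and keeping its output lets a technician compare a server against its own baseline rather than guessing.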