I don't think botnet mining will stay a big danger in the long term.
Only the very worst botmasters really choose to install cryptocurrency miners on their victims' machines.
There are several other sources of income, like DDoS attacks, theft of confidential information, spam, phishing, SEO spam, click fraud and distribution of adware and malicious programs, that pay better in total and have a better risk/reward ratio than mining.
Have a short look at:
http://old.securelist.com/en/analysis/204792068/The_economics_of_Botnets?print_mode=1
http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
https://www.iseclab.org/papers/cutwail-LEET11.pdf
http://arxiv.org/pdf/1309.0522v1.pdf
Besides making way more money with other income streams (with less work), what are the other reasons mining is a bad choice for monetizing your botnet?
- the big, permanent full CPU usage that even noobs will notice (and which raises infection concerns or leads to an OS reinstall or buying a new PC, bad because the new install is not infected)
- the new CPU load from mining could harm other services or tools you run on the victims (which are not usable under the new permanent load, like webcam spying, RDP usage on the victim, ...)
- cooling problems
- it often slows the victim's computer too much to be able to do general computer work
- antivirus software is actively searching for findings (files, traffic or process activities) that are related to mining (adds a big unnecessary AV detection risk)
- risk of the victim's provider or the mining pool admin noticing the botnet mining and informing the victim
- you can't run out-of-the-box mining software, because you need to encrypt the well-known binaries (obfuscate them heavily) so you don't get detected by AV software (I think with most working crypters that make your suspicious binaries undetected by AV you lose at least a factor of 4 in performance vs. unencrypted standard mining software)
- botmasters want to automate as much as possible; a mining operation on a big botnet is too much work (selling the coins, switching pools, avoiding bans by pools, avoiding frozen exchange accounts, finding the right time to sell the CC, updating the mining software encryption, optimizing what is possible for you, choosing the right hype coin, which changes often, ...)
- bad footprint on the mining network: your clients aren't using the specific hardware options regular miners would turn on for their mining client (because you have to roll out a general setup that works everywhere)
- bad footprint on the mining network: you don't have the same hardware power per machine on average as the general legitimate CPU miners;
the majority of botnet members have old, slow hardware vs. the global average of deployed CPUs, because the majority of botnet members are old computers with old hardware (Win 2000, Win XP, Vista) and in a typical botnet the majority of installs are in poor, underdeveloped countries (China, India, Brazil, poor regions of Turkey, ...) -> no money -> no fast PC
(another factor why a lot of installs are in poor countries: people use pirated Windows they can't update -> security holes stay open forever)
- crypting is expensive; adding a miner to your currently installed malware will increase monthly crypting costs (can be a big jump if, for example, you currently re-encrypt your malware every 7 days to stay undetected and now, with an added cryptocurrency miner, you need to encrypt daily -> 7x your current crypting costs)
- costs of changing your crypting setup (establishing a working configuration & testing);
in most cases with more re-encrypts you need to invest in more botnet infrastructure: more C&C servers to handle the increased workload (doing more encryption, serving it) and new proxy servers to roll out the new crypts (because of increased traffic, and to avoid IDS detection by using the same proxies too often, which were enough under the old, longer crypting setup with fewer routine connections), needed for the new demands
- maybe your subscribed favourite crypting service or software solution doesn't even offer the possibility of your new encryption demand (a lot have unchangeable rules like "re-encrypt only every 72 h" or stuff like "only 4 re-encrypts per month")
- added work of managing thousands of different mining pool accounts or setting up & running your own pool
- there are some AV industry & IT security people that actively fight mining botnets (because they want to support cryptocurrency in general or a specific coin they support): a significantly increased risk of losing your whole botnet vs. the small added benefit of adding mining software
- over 90% of botnet members are multi-infected, typically being a member of 3 botnets on average, and badly unpatched PCs are members of 7 or more botnets
---> mining can't get popular as an income stream for botnets, because the victim has one CPU but a lot of infections
I think you get the idea why long-running mining operations in big botnets are very unlikely.
--> there will always be kids that are new to the botting scene, that fool around and may run mining on their new SMALL botnet for 4 weeks or maybe 3 months before removing mining from their setup or giving up botting for various reasons (botnet gets sold to a serious operator or becomes inactive/is turned off)
--> no serious botnet operation (the ones running the huge ones) will pick up mining because it endangers their whole botnet, often being a $$$$$$$$$$ business they depend on and have certain responsibilities to third cybercrime parties they do business with
The result
In a scenario with Monero mainstream adoption, the legitimate miners will strongly outnumber the botnet miners in the network.
Because the number of botnet miners is strongly limited by the fact that only small, new botnets with newb botmasters (kids) will run mining clients on their victims' computers for a very limited amount of time.
(Also note, not all botnet miners will mine Monero; AFAIK the most profitable CPU-mineable coin changes often and on a lot of days is not Monero)
Big text. I hope I added some useful information to the thread.
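As an added illustration from the defender's side (example code written for this edit, not from the original post or any tool it mentions): the two signals the post says give a mining bot away, sustained full CPU load and traffic to a mining pool, can be combined into a simple host-telemetry check. The process samples, the connection records and the set of pool-like ports below are constructed assumptions for the example.

```python
"""Heuristic cryptominer detection from host telemetry (added example).

Assumes an endpoint agent that records per-process CPU samples and outbound
connections; the sample data and the port list below are constructed
assumptions, not data from the original post.
"""
from collections import defaultdict

# Ports commonly advertised by public stratum mining pools. This is an
# assumption to be tuned for your environment, not an authoritative list.
STRATUM_PORTS = {3333, 3334, 4444, 5555, 7777, 14444}

# Constructed per-minute samples: (minute, pid, process name, cpu percent).
CPU_SAMPLES = (
    [(m, 4120, "svchost.exe", 95.0 + (m % 3)) for m in range(10)]            # miner-like
    + [(m, 2200, "chrome.exe", 90.0 if m in (2, 3) else 12.0) for m in range(10)]  # bursty
    + [(m, 3300, "backup.exe", 92.0) for m in range(10)]                     # legit batch job
)

# Constructed outbound connections: (pid, destination host, destination port).
CONNECTIONS = [
    (4120, "pool.example.invalid", 3333),
    (2200, "www.example.com", 443),
    (3300, "backup.example.com", 443),
]


def sustained_cpu_pids(samples, threshold=85.0, min_fraction=0.8, min_samples=5):
    """Map pid -> process name for processes at or above `threshold` CPU in at
    least `min_fraction` of their samples. Sustained load, not a burst, is the
    signal that makes even an inattentive user notice."""
    per_pid = defaultdict(list)
    names = {}
    for _minute, pid, name, cpu in samples:
        per_pid[pid].append(cpu)
        names[pid] = name
    hogs = {}
    for pid, cpus in per_pid.items():
        if len(cpus) < min_samples:
            continue
        high = sum(1 for c in cpus if c >= threshold)
        if high / len(cpus) >= min_fraction:
            hogs[pid] = names[pid]
    return hogs


def stratum_destinations(connections, ports=STRATUM_PORTS):
    """Map pid -> [(host, port), ...] for connections to pool-like ports."""
    hits = defaultdict(list)
    for pid, host, port in connections:
        if port in ports:
            hits[pid].append((host, port))
    return dict(hits)


def classify(samples, connections):
    """Combine both signals into pid -> {"name", "severity", "reasons"}.

    Sustained CPU alone is "medium" (a backup or video encode looks the same);
    sustained CPU plus a pool-like connection is "high"; a pool-like
    connection without high CPU is "low" (a throttled miner, worth a look)."""
    names = {pid: name for _m, pid, name, _c in samples}
    hogs = sustained_cpu_pids(samples)
    pools = stratum_destinations(connections)
    findings = {}
    for pid in set(hogs) | set(pools):
        reasons = []
        if pid in hogs:
            reasons.append("sustained high CPU")
        if pid in pools:
            reasons.append("connection to pool-like port: %s" % pools[pid])
        if pid in hogs and pid in pools:
            severity = "high"
        elif pid in hogs:
            severity = "medium"
        else:
            severity = "low"
        findings[pid] = {"name": names.get(pid), "severity": severity, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in sorted(classify(CPU_SAMPLES, CONNECTIONS).items()):
        print(pid, f["name"], f["severity"], "; ".join(f["reasons"]))
```

The tiering is deliberate: on CPU alone a legitimate batch job is indistinguishable from a miner, which is exactly why the "medium" finding should be corroborated (pool traffic, AV file or process hits, the user's own report of a slow machine) rather than acted on automatically.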