Raspberry Pi Malware Mines BitCoin

According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine BitCoins some form of cryptocurrency. The other trojan sets up a proxy server.

According to the site:

Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.

It changes the password of the user “pi” to “\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1”.

In addition, the malware searches for network machines with open port 22 and tries to log in using the default Raspberry Pi credentials to spread itself.

Embedded systems are a particularly inviting target for hackers. Sometimes it is for the value of the physical system they monitor or control. In others, it is just the compute power which can be used for denial of service attacks on others, spam, or — in the case — BitCoin mining. We wonder how large does your Raspberry Pi botnet needs to be to compete in the mining realm?

We hope you haven’t kept the default passwords on your Pi. In fact, we hope you’ve taken our previous advice and set up two factor authentication. You can do other things too, like change the ssh port, run fail2ban, or implement port knocking. Of course, if you use Samba to share Windows files and printers, you ought to read about that vulnerability, as well.

79 thoughts on “Raspberry Pi Malware Mines BitCoin

  1. This sounds like an incredible amount of work to steal a ridiculously small amount of value. Are there really _that_ many Raspberry Pi’s out there left running unattended growing this groups’ BTC assets 300 satoshis a day per device? [That’s a complete guess, I have no idea how much you could get with a device this small.]

    1. I suspect it’s more that you *know* there’s a million identically configured devices out there running identical systems, so it’s a dead easy target.

      As for whether it’s worthwhile – even a few hundred little things beavering away making you money for free is making you more than nothing. No single snowflake is to blame for the avalanche.

    2. Ok, the Model B got 0.2 MH/s, to be optimistic let say the 3.0 get’s a solid 0.5, so we need just 160,000 Raspberries to meet your 300 Satioshies/Day goal. Fun fact, that would be right now 3.14 Dollars/Year.

  2. I wish I hopped on the “insecure passwords” wagon a year or two earlier =D It seems, every hardware hackathon I visit has an unsecured Pi or two, and I’m sure there are a lot of fun things that can be done with them – especially during demos ;-)

    1. The whole point of a botnet is that it can automatically grow without bounds. The goal is probably 5 digit counts. At that point, surely it has some value. Though I would expect a spam operation would be more profitable than bitcoin mining at this point.

        1. Mining Bitcoins with GPUs hasn’t been profitable for years. You need ASICs, and even then it’s often touch and go. Unless somebody’s written some amazing code, they’re not getting the Raspi’s GPU involved, just the CPU, which means it’s even LESS profitable, probably to the point that it costs more to corrupt a machine than the pennies you can get mining it. Maybe some of the newer crypto-currencies have been able to keep their designs ASIC-hostile, but most of them have at least fallen to GPU mining.

  3. Learned about default passwords on Rpi the hard way…
    I’m not sure I ever used the Rpi account… one of the first things I did when setting it up was create my own account.

    When I opted to use the Rpi as my ssh server for the outside world and portal to my own network for me (via tunnels) I got hit with something… a reboot killed all the rouge processes and nothing started back up… but I ended up reimaging just to be sure… and deleted that stupid pi account completely.

      1. If you are on a UNIX OS you can generally mount the image file on loop back and make modifications. e.g.
        use “wget” to download the image file from where ever.
        unzip whatever_disk_image..zip
        fdisk -l whatever.img
        e.g.
        $ /sbin/fdisk -l whatever.img
        Disk whatever.img: 1.2 GiB, 1297862656 bytes, 2534888 sectors
        Units: sectors of 1 * 512 = 512 bytes
        Sector size (logical/physical): 512 bytes / 512 bytes
        I/O size (minimum/optimal): 512 bytes / 512 bytes
        Disklabel type: junk
        Disk identifier: 0xdeadbeef

        Device Boot Start End Sectors Size Id Type
        whatever.img1 8192 92159 83968 41M c W95 FAT32 (LBA)
        whatever.img2 92160 2534887 2442728 1.2G 83 Linux
        $
        With the above information multiply the start sector by 512 to get the offset in bytes so sector 8192 becomes 4194304 bytes in for the start for the vfat partition and sector 92160 becomes 47185920 bytes in for the start for the ext4 partition.

        $ mkdir -p /tmp/mnt/boot
        $ sudo mount -v -o offset=47185920 -t ext4 whatever.img /tmp/mnt
        mount: /dev/loop0 mounted on /tmp/mnt.
        $ sudo mount -v -o offset=4194304 -t vfat whatever.img /tmp/mnt/boot
        mount: /dev/loop1 mounted on /tmp/mnt/boot.

        And then use “passwd -r files -R /tmp/mnt pi” to modify the mounted passwd and shadow files ( /tmp/mnt/etc/passwd and /tmp/mnt/etc/shadow )

        And don’t forget to “sync && sudo umount /tmp/mnt/boot && sync && sudo umount /tmp/mnt” before writing the image file to an SD card.

        1. I skip all that complexity by just writing the default image then changing stuff directly on the SD card (before putting it into the Pi).

          That’s a great method if you want to deploy a batch with the same settings thought.

          1. Same here. I wish Youtubers would mention changing the default password in their vids, or better still, there be an enforced change after the first login on Pi distros.

            http://www.pibakery.org/ can make that a visual-flowchart-kinda-thing process for single machines. Only works with Raspbian though.

        2. Use losetup instead of directly mounting, it has the ability to automatically scan for partitions, like so:

          losetup -fP img.img
          losetup # find the loop-device used, assume loop0 here with 2 partitions.
          mount /dev/loop0p2 /mnt
          mount /dev/loop0p2 /mnt/boot

    1. Absolutely this. I have a VPS and use keys only for ssh (it doesn’t even let you *try* a password), but had to change the port number just to keep the logs from being dominated by script kiddies twisting doorknobs.

      1. Here seems to be as good as any place to spread the word on a technique I like to call “knocking harder.” Fail2ban and most xt_recent methods are reactive; they don’t hide the port and just slow down hack attempts. Port-knocking is proactive, but tedious and complex for both server and client.

        By configuring xt_recent to drop the first 3 SYN packets within 4 seconds, you’re forcing a real TCP stack to retransmit, but most scanners don’t. A real client will send the 4th SYN at around 3.5 seconds for most compliant TCP stacks, which is a manageable delay. See http://goo.gl/TvMKUO for details.

        I’ve found that with this in effect, brute force attempts drop to nothing, even on default ports. However, it still plays well with Fail2ban if an attacker does discover they need a real TCP stack. And you still need PKI or a strong password, of course.

  4. First, and many 2nd, generation custom ASIC miners are retired at this point. Mining difficulty vs time is best displayed in log scale.

    I imagine the sun would burn out before a pi found a block at this point.

      1. A trick like that, that early in the game, would doubtless tank the value of Bitcoins before they could even hold a value. You’d have to start the mining in 2012 to get anything of value, bonus points for preventing terrorist attacks by getting the coins before they can.

      2. Lots of ways you could make money easier if you could time travel.

        1) Go back and pick up a very small number of things like Superman comic #1 and other collectibles. Come back to present day and sell. But if you come back with 5,000 comics it will devalue them so you have to have different things.

        2) Find a major bank robbery that was never solved. Time travel to that night about an hour before the criminals arrive but after the bank closes. You can clearly move in space and time (unless your time machine leaves you floating in empty space) so you can easily materialize in the vault. If not, go way back before the bank was built, move the machine to the right spot, then go forward. Now what money you take will be blamed on the real thieves.

        3) Go back to buy stock in Microsoft, Apple, Google, etc. at predetermined times. Then sell them at other predetermined times.

        I have often wanted to build a time machine for data. You connect it to a printer and your reports come out before you run them. Just remember to run them or…. oh oh….

          1. Star Diarys by Stanislaw Lem. Jurney 7 when Ijon Tichy needs to repair his space vechicle and meets himself from future to help himself gives a lot to think about how many troubles you can cause by helping yourself in a past or future when only thing you need is second pair of hands.

        1. Better idea buy one Gold ring hold on to it now take it back in time so you have two. Pick them up and take them back in time. Each time a small time earlier.

          Eventually you have thousands sell .

          Rinse repeat.

        2. That’s an idea for a book: “The Time Traveller’s Almanac”.
          A listing of major disasters / crimes / financial movements, starting with [for example] the Titanic. Worldwide.

          Once you build the machine, you have a handy pocket reference – and the ethical dilemma begins. Do you allow history to play out, or do you intervene? Make sure the book lists the consequences linked to major events, so you know what’s at risk.

          Personally, I doubt I could stand by and let Sandy Hook happen. Or Columbine. Heck, I’d probably try to evacuate the WTC, on the off-chance my warning calls about hijackers were ignored.

          1. There is the thought that we are stuck on one out of many timelines where time travel has not been invented.

            Time to go back and rewatch Steins Gate…

  5. Are they sure it is a BITCOIN miner?? Not a Ether miner by any chance? To create mining malware for a ASIC proof altcoin ok i can understand, but bitcoin? You would need to infect thousands of RPis just to earn a single Satoshi per day!!

    I once had a bitcoin miner malware infection back when it was still profitable. It would try to be stealthy only running when my GPU wasn’t being used, but it didn’t stop me from noticing the Fans revving up suddenly time to time. I used wireshark to look for any suspicious packets and sure enough i spotted data going to a Mining Pool. Miner malware was new back then so none of my AV and AM knew of the strain i had.

    I quarantined the malware. Sent it off to any malware submission site and Contacted the mining pool being abused.
    Sure enough next day the malware was being included into detection lists and i was informed that the account used for mining was confiscated and with it a few thousand bitcoins. I felt proud that day. I rendered a Botnet useless, costed a hacker thousands of bitcoin and got it on the fast-track to being eradicated.

      1. I once tried mining earnhoney with a Pi 3. The return ended up pretty good at around $10/week, if you were around to reboot it when it crashes. And that unfortunately was enough to kill the idea.

        1. A friend had similar problem with a server. He made some AVR based “watchdog”. Everytime server did not send a restart signal the hardware cut off power for a second.

  6. I’d think that most Raspberry Pis out there ought to simply behind a good firewall.

    Yes, there are lots of reasons you might connect a Pi to the actual Internet (and if you do that, then you *really* need to take the security advice), but if you don’t *have* to ride your bicycle on the freeway, it’s a good idea to simply not do so.

    1. I used to stick a machine on the internet running a fakessh and log all attempted usernames, passwords. The first bang usually lands within a few minutes, then distributed analysis starts (how many attempts allowed before being disconnected, what is the allowed delay between each access), and finally a distributed swarm of bots amazingly synchronised go into a feeding frenzy for 24-72 hours. It is fun to watch for a while.

      1. And after the frenzy then it settles down to attempts to brute force mostly the root account.

        Oh and also running p0f to try and tell what OS the bots are running is fun. Not surprisingly most of the attacks were incoming from old 2.6 Linux kernels machines, and some windows 2008/2012 servers which I kind of thought was a bit odd, but they must have some form of ssh installed either by the people who own the servers (pay for electricity and networking) or the people who owned the servers.

    1. Delete the default account or change it’s password, don’t expose the pi to the internet on the standard ssh port, move it to a different one, and use fail2ban.

          1. Yep, otherwise I would have said decrypt/decode and not decode/decrypt. Never imagined anyone would try to use base64 to encrypt, imaginitive but where’s the key??? Does a good job at encoding though.
            Personally I use it all the time to send SHA256 encrypted MQTT messages from an ESP8266 to Node-Red via Mosquitto; messages need to be base64 encoded as raw data doesn’t travel too well, especially when you have nulls in the data…

  7. When you just assemble stuff developped by others, this is what you get.
    These systems (linux, winndows, etc.) have so many open doors that are never used even by programmers. Actually these accesses are used only by pirates.
    Like communication standards… They should never being used inside your house or business but only to reach the outside world. Create your own internal network to make your IoT. And use IP just for Internet. So if an hacker ass breaches into your house, his journey will stop right there, he will never be able to cross your internal network since it’s proprietary (and secret) protocol.

    1. Many people encourage me to do things by myself. They all give good arguments but I really can’t invent everything from scratch. It’s much easier to go with ready products and follow best practices.

  8. I remember a time early on where I heard of someone mining a bitcoin with an old Sharp Zaurus SL-5500 boasting a strongARM SA-1110 206mhz and the bitcoin faucets dropped five coins per click. I thought it was a waste of time and energy because bitcoins were worthless and always would be. I still don’t get the appeal, it ls like having money with the old library checkout card history in the back, no privacy of any kind, permanent fingerprints on the ‘coin’ back to your unique wallet ID publicly proclaimed on every transaction as a feature. Like if the FBI and the paparazzi were to jointly design a digital currency. But I damn well missed out on what turned out to be free money.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s