According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans, including Linux.MulDrop.14. That trojan uses your Pi to mine some form of cryptocurrency (the post originally said BitCoins). The other trojan sets up a proxy server.
According to the site:
A Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.
It changes the password of the user “pi” to “$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1”.
In addition, the malware searches for network machines with open port 22 and tries to log in using the default Raspberry Pi credentials to spread itself.
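Added here as a defender’s triage example, not part of the article or of Dr.Web’s write-up: a Python script that checks a Pi for the indicators described above (the “pi” hash Dr.Web quotes, the zmap/sshpass packages the trojan installs, and password logins as “pi” in auth.log). The hash constant is the one quoted above; the shadow, package-list and auth.log samples are constructed, and the function names are assumptions.

```python
import re
from collections import Counter

# Hash Linux.MulDrop.14 writes for the "pi" account, as quoted in the Dr.Web description.
MULDROP14_PI_HASH = "$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1"
# Packages the trojan installs to find port 22 on the network and try the default credentials.
SPREADER_TOOLS = {"zmap", "sshpass"}
# Matches sshd password-authentication lines in a Debian-style auth.log.
SSHD_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) password for (?:invalid user )?(\S+) from (\S+)")

# Constructed samples standing in for /etc/shadow, the installed package list and auth.log.
SAMPLE_SHADOW = f"root:*:17300:0:99999:7:::\npi:{MULDROP14_PI_HASH}:17300:0:99999:7:::\n"
SAMPLE_PACKAGES = ["openssh-server", "python3", "sshpass", "zmap"]
SAMPLE_AUTH_LOG = """\
Jun  9 03:12:01 raspberrypi sshd[1234]: Failed password for pi from 10.0.0.7 port 40122 ssh2
Jun  9 03:12:02 raspberrypi sshd[1235]: Failed password for pi from 10.0.0.7 port 40123 ssh2
Jun  9 03:12:03 raspberrypi sshd[1236]: Failed password for pi from 10.0.0.7 port 40124 ssh2
Jun  9 03:12:04 raspberrypi sshd[1237]: Accepted password for pi from 10.0.0.7 port 40125 ssh2
Jun  9 03:20:15 raspberrypi sshd[1300]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2
"""

def shadow_findings(shadow_text):
    """Report a 'pi' entry carrying the MulDrop.14 hash, or a 'pi' entry that is still usable."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != "pi":
            continue
        if fields[1] == MULDROP14_PI_HASH:
            findings.append("pi password hash matches Linux.MulDrop.14")
        elif not fields[1].startswith(("!", "*")):  # a locked entry starts with ! or *
            findings.append("default 'pi' account still enabled")
    return findings

def spreader_tools_present(installed_packages):
    """Return which of the trojan's scanning/login tools are installed on the host."""
    return sorted(SPREADER_TOOLS & set(installed_packages))

def ssh_password_logins(auth_log, fail_threshold=3):
    """Sources that logged in as 'pi' with a password, and sources with repeated failures."""
    accepted, failed = set(), Counter()
    for line in auth_log.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Accepted" and user == "pi":
            accepted.add(src)
        elif outcome == "Failed":
            failed[src] += 1
    brute = sorted(src for src, n in failed.items() if n >= fail_threshold)
    return {"pi_logins": sorted(accepted), "brute_force_sources": brute}

def triage(shadow_text=SAMPLE_SHADOW, packages=SAMPLE_PACKAGES, auth_log=SAMPLE_AUTH_LOG):
    """Combine the three checks into one report for the host under review."""
    report = {"shadow": shadow_findings(shadow_text), "spreader_tools": spreader_tools_present(packages)}
    report.update(ssh_password_logins(auth_log))
    return report
```

On a real Pi, feed it the contents of /etc/shadow, the output of dpkg-query -W -f '${Package}\n' and /var/log/auth.log; a hit on the hash or on the spreader tools means the box should be reimaged rather than cleaned.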
Embedded systems are a particularly inviting target for hackers. Sometimes it is for the value of the physical system they monitor or control. In other cases, it is just the compute power, which can be used for denial of service attacks on others, spam, or, in this case, BitCoin mining. We wonder how large your Raspberry Pi botnet needs to be to compete in the mining realm.
We hope you haven’t kept the default passwords on your Pi. In fact, we hope you’ve taken our previous advice and set up two-factor authentication. You can do other things too, like change the ssh port, run fail2ban, or implement port knocking. Of course, if you use Samba to share Windows files and printers, you ought to read about that vulnerability, as well.
This sounds like an incredible amount of work to steal a ridiculously small amount of value. Are there really _that_ many Raspberry Pis out there left running unattended, growing this group’s BTC assets 300 satoshis a day per device? [That’s a complete guess, I have no idea how much you could get with a device this small.]
LMAO probably not the best hardware to mine bitcoins. But still raspi botnet sounds like fun.
I imagine that was the thinking behind the miningware that used cell-phones.
there’s only one way to find out… I guess…
I suspect it’s more that you *know* there’s a million identically configured devices out there running identical systems, so it’s a dead easy target.
As for whether it’s worthwhile – even a few hundred little things beavering away making you money for free is making you more than nothing. No single snowflake is to blame for the avalanche.
> even a few hundred little things beavering away making you money for free is making you more than nothing
It’s not free if you have to write the malware.
It’s free if you were going to write some stupid code anyway.
More like 14 million now, and I think a lot of users have kept the default username/password
Ok, the Model B got 0.2 MH/s; to be optimistic let’s say the 3.0 gets a solid 0.5, so we need just 160,000 Raspberries to meet your 300 Satoshis/Day goal. Fun fact, that would be right now 3.14 Dollars/Year.
Whhhooooot! We’re rich!
I wish I hopped on the “insecure passwords” wagon a year or two earlier =D It seems, every hardware hackathon I visit has an unsecured Pi or two, and I’m sure there are a lot of fun things that can be done with them – especially during demos ;-)
Amen! Sounds like a lotta fun..A Pi botnet
It seems to me that not too many bitcoins can be mined, even with several hundreds of Pis working together.
The whole point of a botnet is that it can automatically grow without bounds. The goal is probably 5 digit counts. At that point, surely it has some value. Though I would expect a spam operation would be more profitable than bitcoin mining at this point.
1 Bitcoin is around $2900 right now…
Mining Bitcoins with GPUs hasn’t been profitable for years. You need ASICs, and even then it’s often touch and go. Unless somebody’s written some amazing code, they’re not getting the Raspi’s GPU involved, just the CPU, which means it’s even LESS profitable, probably to the point that it costs more to corrupt a machine than the pennies you can get mining it. Maybe some of the newer crypto-currencies have been able to keep their designs ASIC-hostile, but most of them have at least fallen to GPU mining.
If you had the option of 1000 people paying a penny into your bank account every day, or not, which would you choose?
That would be cool, but at a hashrate of 200k/sec, 1000 devices combined would mine about a penny per month.
Note later they mentioned _a_ cryptocurrency rather than just bitcoin. Other cryptocurrencies lend themselves much better to cpu mining than bitcoin
No mention of key based ssh login?
More reliable than trying to set up a time-based 2nd factor on a device with no hardware clock.
If it has Internet (or even network) access, it can use ntp to get the time. If it’s not networked, then the necessity of network security is obviously moot.
Learned about default passwords on Rpi the hard way…
I’m not sure I ever used the Rpi account… one of the first things I did when setting it up was create my own account.
When I opted to use the Rpi as my ssh server for the outside world and portal to my own network for me (via tunnels) I got hit with something… a reboot killed all the rouge processes and nothing started back up… but I ended up reimaging just to be sure… and deleted that stupid pi account completely.
How did you manage to set up your Raspberry Pi without ever logging in to it?
One way is PiBakery. Not sure if that’s what the GP used, but I use it to set up embedded Pis for my clock board.
Probably just by zapping the SD card and installing a new image. Then, before connecting to the network, change the password.
If you are on a UNIX OS you can generally mount the image file on loopback and make modifications. e.g.
use “wget” to download the image file from wherever.
unzip whatever_disk_image.zip
fdisk -l whatever.img
e.g.
$ /sbin/fdisk -l whatever.img
Disk whatever.img: 1.2 GiB, 1297862656 bytes, 2534888 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: junk
Disk identifier: 0xdeadbeef
Device Boot Start End Sectors Size Id Type
whatever.img1 8192 92159 83968 41M c W95 FAT32 (LBA)
whatever.img2 92160 2534887 2442728 1.2G 83 Linux
$
With the above information multiply the start sector by 512 to get the offset in bytes so sector 8192 becomes 4194304 bytes in for the start for the vfat partition and sector 92160 becomes 47185920 bytes in for the start for the ext4 partition.
$ mkdir -p /tmp/mnt/boot
$ sudo mount -v -o offset=47185920 -t ext4 whatever.img /tmp/mnt
mount: /dev/loop0 mounted on /tmp/mnt.
$ sudo mount -v -o offset=4194304 -t vfat whatever.img /tmp/mnt/boot
mount: /dev/loop1 mounted on /tmp/mnt/boot.
And then use “passwd -r files -R /tmp/mnt pi” to modify the mounted passwd and shadow files ( /tmp/mnt/etc/passwd and /tmp/mnt/etc/shadow )
And don’t forget to “sync && sudo umount /tmp/mnt/boot && sync && sudo umount /tmp/mnt” before writing the image file to an SD card.
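An added example, not from the commenter above: a small POSIX sh script that parses the fdisk -l listing and works out the offset= values, so the multiplication by 512 is done from the Units line instead of by hand. The fdisk text is the comment’s own listing embedded as constructed input; the functions print the mount commands rather than running them, since mounting needs root.

```shell
#!/bin/sh
# Turn the partition table printed by `fdisk -l image.img` into the byte offsets
# that `mount -o offset=` needs.

# Constructed sample: the listing from the comment above, trimmed to the lines used here.
FDISK_SAMPLE='Disk whatever.img: 1.2 GiB, 1297862656 bytes, 2534888 sectors
Units: sectors of 1 * 512 = 512 bytes
Device Boot Start End Sectors Size Id Type
whatever.img1 8192 92159 83968 41M c W95 FAT32 (LBA)
whatever.img2 92160 2534887 2442728 1.2G 83 Linux'

# Read fdisk output on stdin; print "<partition> <byte offset> <id>" per partition row.
# The sector size is taken from the Units line (default 512); a "*" in the Boot
# column shifts the Start and Id fields one position to the right.
partition_offsets() {
    awk '
        BEGIN { sector = 512 }
        /^Units: sectors of/ { sector = $(NF - 1); next }
        /^Device/            { in_table = 1; next }
        in_table && NF >= 6 {
            if ($2 == "*") { start = $3; id = $7 } else { start = $2; id = $6 }
            printf "%s %d %s\n", $1, start * sector, id
        }
    '
}

# Print the mount commands for a Raspbian-style image read from stdin: the Linux
# partition (id 83) on the mount point, then the FAT boot partition (id c) on
# <mount point>/boot, in the same order as the comment. Fails if no Linux partition.
# Usage: mount_plan image.img /tmp/mnt < fdisk-output
mount_plan() {
    img=$1; root=$2
    partition_offsets | awk -v img="$img" -v root="$root" '
        $3 == "83" { linux = $2 }
        $3 == "c"  { fat = $2 }
        END {
            if (linux == "") exit 1
            printf "sudo mount -o offset=%s -t ext4 %s %s\n", linux, img, root
            if (fat != "") printf "sudo mount -o offset=%s -t vfat %s %s/boot\n", fat, img, root
        }
    '
}

printf '%s\n' "$FDISK_SAMPLE" | mount_plan whatever.img /tmp/mnt
```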
Good advice,
Yeah I read that stackoverflow post too…
There is one about “passwd -r files -R /tmp/mnt pi”
Or just use kpartx instead of calculating offsets.
I skip all that complexity by just writing the default image then changing stuff directly on the SD card (before putting it into the Pi).
That’s a great method if you want to deploy a batch with the same settings, though.
Same here. I wish Youtubers would mention changing the default password in their vids, or better still, there be an enforced change after the first login on Pi distros.
http://www.pibakery.org/ can make that a visual-flowchart-kinda-thing process for single machines. Only works with Raspbian though.
Use losetup instead of directly mounting, it has the ability to automatically scan for partitions, like so:
losetup -fP img.img
losetup # find the loop-device used, assume loop0 here with 2 partitions.
mount /dev/loop0p2 /mnt
mount /dev/loop0p1 /mnt/boot
“a reboot killed all the rouge processes”
How did you determine the colour of those processes?
Trust a “Steve” to come up with a joke that bad.
A proper password fixes all this but fail2ban and changing ports certainly keep the automated brute force attacks out of your logs.
Absolutely this. I have a VPS and use keys only for ssh (it doesn’t even let you *try* a password), but had to change the port number just to keep the logs from being dominated by script kiddies twisting doorknobs.
Here seems to be as good as any place to spread the word on a technique I like to call “knocking harder.” Fail2ban and most xt_recent methods are reactive; they don’t hide the port and just slow down hack attempts. Port-knocking is proactive, but tedious and complex for both server and client.
By configuring xt_recent to drop the first 3 SYN packets within 4 seconds, you’re forcing a real TCP stack to retransmit, but most scanners don’t. A real client will send the 4th SYN at around 3.5 seconds for most compliant TCP stacks, which is a manageable delay. See http://goo.gl/TvMKUO for details.
I’ve found that with this in effect, brute force attempts drop to nothing, even on default ports. However, it still plays well with Fail2ban if an attacker does discover they need a real TCP stack. And you still need PKI or a strong password, of course.
Me gusta!
I will research this further.
Better than simply changing the password is setting up SSH keys and disabling password-based login for SSH.
First, and many 2nd, generation custom ASIC miners are retired at this point. Mining difficulty vs time is best displayed in log scale.
I imagine the sun would burn out before a pi found a block at this point.
Imagine what time travel would do for cryptocurrency! Steal computers from 2060 and take them back to 2008ish, overclock infinitely by speeding up time, profit.
A trick like that, that early in the game, would doubtless tank the value of Bitcoins before they could even hold a value. You’d have to start the mining in 2012 to get anything of value, bonus points for preventing terrorist attacks by getting the coins before they can.
Lots of ways you could make money easier if you could time travel.
1) Go back and pick up a very small number of things like Superman comic #1 and other collectibles. Come back to present day and sell. But if you come back with 5,000 comics it will devalue them so you have to have different things.
2) Find a major bank robbery that was never solved. Time travel to that night about an hour before the criminals arrive but after the bank closes. You can clearly move in space and time (unless your time machine leaves you floating in empty space) so you can easily materialize in the vault. If not, go way back before the bank was built, move the machine to the right spot, then go forward. Now what money you take will be blamed on the real thieves.
3) Go back to buy stock in Microsoft, Apple, Google, etc. at predetermined times. Then sell them at other predetermined times.
I have often wanted to build a time machine for data. You connect it to a printer and your reports come out before you run them. Just remember to run them or…. oh oh….
Sounds like you have thought on this a lot, maybe even enough of an idea to pitch :)
The Star Diaries by Stanislaw Lem. Journey 7, when Ijon Tichy needs to repair his space vehicle and meets himself from the future to help himself, gives a lot to think about how many troubles you can cause by helping yourself in the past or future when the only thing you need is a second pair of hands.
Better idea: buy one gold ring, hold on to it, now take it back in time so you have two. Pick them up and take them back in time, each time a small time earlier.
Eventually you have thousands. Sell.
Rinse, repeat.
For #2, how do you know that you’re not the only bank robber there was?
Think about that one for a minute.
Damnit. That you ARE the only bank robber…
That’s an idea for a book: “The Time Traveller’s Almanac”.
A listing of major disasters / crimes / financial movements, starting with [for example] the Titanic. Worldwide.
Once you build the machine, you have a handy pocket reference – and the ethical dilemma begins. Do you allow history to play out, or do you intervene? Make sure the book lists the consequences linked to major events, so you know what’s at risk.
Personally, I doubt I could stand by and let Sandy Hook happen. Or Columbine. Heck, I’d probably try to evacuate the WTC, on the off-chance my warning calls about hijackers were ignored.
I doubt we’ll get a time machine. At best a time viewer, and maybe a limited range one at that.
No no. I already invented one next year.
There is the thought that we are stuck on one out of many timelines where time travel has not been invented.
Time to go back and rewatch Steins Gate…
You could use them for zcoins though, too much memory required for a “cheap” ASIC implementation.
Are they sure it is a BITCOIN miner?? Not an Ether miner by any chance? To create mining malware for an ASIC-proof altcoin, ok, I can understand, but bitcoin? You would need to infect thousands of RPis just to earn a single Satoshi per day!!
I once had a bitcoin miner malware infection back when it was still profitable. It would try to be stealthy, only running when my GPU wasn’t being used, but it didn’t stop me from noticing the fans revving up suddenly from time to time. I used Wireshark to look for any suspicious packets and sure enough I spotted data going to a mining pool. Miner malware was new back then so none of my AV and AM knew of the strain I had.
I quarantined the malware, sent it off to every malware submission site and contacted the mining pool being abused.
Sure enough, the next day the malware was being included in detection lists and I was informed that the account used for mining was confiscated, and with it a few thousand bitcoins. I felt proud that day. I rendered a botnet useless, cost a hacker thousands of bitcoin and got it on the fast track to being eradicated.
Well the original post says “cryptocurrency-mining” so maybe it isn’t BitCoin. That could be my reading too much into it.
Probably Monero safer to cash out
I once tried mining earnhoney with a Pi 3. The return ended up pretty good at around $10/week, if you were around to reboot it when it crashes. And that unfortunately was enough to kill the idea.
A friend had a similar problem with a server. He made some AVR-based “watchdog”. Every time the server did not send a restart signal, the hardware cut off power for a second.
not ether either. you need 2-4GB of ram to mine ether.
I’d think that most Raspberry Pis out there ought to simply be behind a good firewall.
Yes, there are lots of reasons you might connect a Pi to the actual Internet (and if you do that, then you *really* need to take the security advice), but if you don’t *have* to ride your bicycle on the freeway, it’s a good idea to simply not do so.
I used to stick a machine on the internet running a fakessh and log all attempted usernames, passwords. The first bang usually lands within a few minutes, then distributed analysis starts (how many attempts allowed before being disconnected, what is the allowed delay between each access), and finally a distributed swarm of bots amazingly synchronised go into a feeding frenzy for 24-72 hours. It is fun to watch for a while.
And after the frenzy then it settles down to attempts to brute force mostly the root account.
Oh, and also running p0f to try and tell what OS the bots are running is fun. Not surprisingly, most of the attacks were incoming from machines running old 2.6 Linux kernels, and some Windows 2008/2012 servers, which I kind of thought was a bit odd, but they must have some form of ssh installed either by the people who own the servers (pay for electricity and networking) or the people who owned the servers.
As we move to IPv6 we won’t necessarily have NAT to keep us safe.
NAT != Firewall
I wonder if it can be reverse hacked so that you can steal the bitcoins from the malware makers!
How can we protect ourselves against this new bug? Or are you suggesting that we should probably stop using Raspberry Pi till this bug issue has been fixed???
Delete the default account or change its password, don’t expose the Pi to the internet on the standard ssh port, move it to a different one, and use fail2ban.
Encrypted… with base64.
I spilled my morning coffee on that one :)
H4sIAJqAOlkAA/NILUpVL1Yozs9NLcnIzEtXSM0pTlVIzs8tKEotLk5NUSjPLMlQSK/KLFBIzEtRUErNSy6qLChJTVGCyCQlFqeamehxAQCQuMR1SAAAAA==
Compressed with gzip and encrypted with base64.
Did anyone try decoding/decrypting?
I got it to ‘WhatIdiotDoesntChangeTheDefaultLogin”
Do you get the same?
Do you know what base64 is?
Yep, otherwise I would have said decrypt/decode and not decode/decrypt. Never imagined anyone would try to use base64 to encrypt; imaginative, but where’s the key??? Does a good job at encoding though.
Personally I use it all the time to send SHA256 encrypted MQTT messages from an ESP8266 to Node-Red via Mosquitto; messages need to be base64 encoded as raw data doesn’t travel too well, especially when you have nulls in the data…
I guess an infected raspi can’t mine bitcoins if disconnected from the network/internet. Am I right?
It can’t get the trojan at all if disconnected from the network.
When you just assemble stuff developed by others, this is what you get.
These systems (Linux, Windows, etc.) have so many open doors that are never used even by programmers. Actually these accesses are used only by pirates.
Like communication standards… They should never be used inside your house or business, but only to reach the outside world. Create your own internal network to make your IoT. And use IP just for the Internet. So if a hacker breaches into your house, his journey will stop right there; he will never be able to cross your internal network since it’s a proprietary (and secret) protocol.
Many people encourage me to do things by myself. They all give good arguments but I really can’t invent everything from scratch. It’s much easier to go with ready products and follow best practices.
I remember a time early on where I heard of someone mining a bitcoin with an old Sharp Zaurus SL-5500 boasting a StrongARM SA-1110 at 206 MHz, and the bitcoin faucets dropped five coins per click. I thought it was a waste of time and energy because bitcoins were worthless and always would be. I still don’t get the appeal; it is like having money with the old library checkout card history in the back, no privacy of any kind, permanent fingerprints on the ‘coin’ back to your unique wallet ID publicly proclaimed on every transaction as a feature. Like if the FBI and the paparazzi were to jointly design a digital currency. But I damn well missed out on what turned out to be free money.
it’s not what it does.. It’s how it spreads that typically dictates revenue and profit..
Great work!