Topics: Security, The Almighty Buck, Linux

Linux Malware Infects Raspberry Pi Devices And Makes Them Mine Cryptocurrency (hothardware.com) 84

An anonymous reader quotes Hot Hardware: If you're a Raspberry Pi user who's never changed the default password of the "pi" user, then heed this warning: change it. A brand new piece of malware has hit the web, called "Linux.MulDrop.14", and it preys on those who haven't secured their devices properly... After scanning for RPis with an open (and default) SSH port, the "pi" user is logged into (if the password is left default), and the password is subsequently changed. After that, the malware installs ZMap and sshpass software, and then it configures itself. The ultimate goal of Linux.MulDrop.14 is to make digital money for someone else, namely the author of the malware, using your Raspberry Pi.
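The infection chain in the summary (password login as "pi" over SSH, then a password change for that account) leaves a recognisable trace in a Debian-style auth.log. The script below is an added example, not code from the Hot Hardware article or from the malware, that flags that sequence. It assumes OpenSSH's "Accepted password for ... from ..." line and pam_unix's "password changed for ..." line; the log lines it runs on are constructed for the example, not a real capture.

```shell
#!/bin/sh
# Added example: flag the "login as pi, then change pi's password" pattern
# from auth.log text. Assumptions: OpenSSH sshd and pam_unix log formats as
# shipped on Debian/Raspbian; the account under attack is "pi".

# Constructed sample auth.log lines (not a real capture).
SAMPLE_LOG='Jun 11 02:20:11 raspberrypi sshd[812]: Failed password for invalid user test from 198.51.100.7 port 40112 ssh2
Jun 11 02:22:01 raspberrypi sshd[901]: Accepted password for pi from 203.0.113.5 port 51234 ssh2
Jun 11 02:22:09 raspberrypi passwd[915]: pam_unix(passwd:chauthtok): password changed for pi
Jun 11 03:10:44 raspberrypi sshd[1020]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2'

# muldrop_suspects: read auth.log text on stdin; print the source IP of every
# password login for "pi" that is followed by a password change for "pi".
# Exit status 1 when at least one suspect was printed, 0 otherwise.
muldrop_suspects() {
    awk '
        # remember the most recent password login for pi and where it came from
        /sshd\[[0-9]+\]: Accepted password for pi from / {
            for (i = 1; i <= NF; i++) if ($i == "from") last_ip = $(i + 1)
            next
        }
        # a later password change for pi, after that login, is the indicator
        /passwd\[[0-9]+\]: pam_unix\(passwd:chauthtok\): password changed for pi$/ {
            if (last_ip != "") { print last_ip; found = 1; last_ip = "" }
        }
        END { exit found ? 1 : 0 }
    '
}

# Usage on the constructed sample; on a Pi: muldrop_suspects < /var/log/auth.log
if printf '%s\n' "$SAMPLE_LOG" | muldrop_suspects; then
    echo "no password login for pi followed by a password change"
else
    echo "the address(es) above logged in as pi with a password, then pi's password was changed"
fi
```

Key-based logins are deliberately ignored (the second "Accepted" line in the sample is a publickey login for another user and produces nothing), since the malware as described only ever uses the default password. A login as "pi" with a password followed by a password change is not proof of infection on its own, but on a device whose owner never changed the default it is worth a look at what was installed next.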
  • by ArylAkamov ( 4036877 ) on Sunday June 11, 2017 @02:22AM (#54595005)

    I know very little about cryptocurrency aside from having 20 bitcoins when it was new and losing the wallet with a reformat (Yes, I hate myself).

    This really doesn't seem worth the risks to develop and deploy, given the processing power and the number of units you would need to infect. Then again, I might be underestimating the number of vulnerable devices. I'd love for someone who knows more than me to chime in and give their thoughts.

    • This really doesn't seem worth the risks to develop and deploy

      Risk is a combination of severity of consequence and a likelihood of it occurring. Raspberry Pis that are networked and have their default user names and passwords will generally not be in a position where the impact of this malware may be discovered and likely owned by users who don't have the ability to understand what's going on.

      The risks in this case are very low. The reward is low too, but that's kind of beside the point. I myself have one raspberry pi in the house that I would never be able to tell if

    • by KGIII ( 973947 ) <uninvolved@outlook.com> on Sunday June 11, 2017 @04:07AM (#54595225) Journal

      I cheated and RTFA. Please don't hold it against me. Basically, the article says, "If you're functionally retarded, this could happen under a very limited set of circumstances."

      My comment history shows I am biased towards Linux but not a zealot. This is a problem if you're stupid. That's about it. Even stupid people are pretty well protected, as they are behind a NAT that disallows ingress.

      I have some Pi (pies?) so I looked at the article. Sorry... You'd have to expose it to the net AND keep default passwords the same. Then, maybe, it will affect you, but only if you have those services running.

      I am trying to not minimize this but, really, it is a wee bit silly. Maybe I am missing something?

      • I'd be most concerned about other products that use a Raspberry Pi internally. Can't be sure if the maker secured the thing and the consumer of these are likely to be less tech savvy and may not even know about the security concerns.
      • The problem is threefold.

        1. The raspberry pi foundation decided to enable ssh by default on their raspbian image despite a number of us telling them that it was reckless. They eventually back-pedalled on this for later images but not before there were loads and loads of existing installations out there.
        2. There are still end-user networks out there, particularly in academic settings that are largely open to the internet.
        3. They have sold millions of Pis

        Put all those together and you have a sufficient pool of

        • 1. The raspberry pi foundation decided to enable ssh by default on their raspbian image despite a number of us telling them that it was reckless.

          But incredibly useful. I set up a Pi recently and not having to mess with monitor and keyboard made my task much easier. I took appropriate security measures as part of setting up the Pi.

          • But incredibly useful. I set up a Pi recently and not having to mess with monitor and keyboard made my task much easier. I took appropriate security measures as part of setting up the Pi.

            It can still be done by modifying or adding a file in the boot partition, just no longer the default.

            The other flaw I would add is a default user and password and no encouragement to change. I can't imagine it would be that hard to craft a script that would prompt the user for a user name and password to use before the system can be accessed.

            • It can still be done by modifying or adding a file in the boot partition, just no longer the default.

              After posting, I realized that I had to add a file to the boot partition to enable ssh: it wasn't enabled by default.

              I also installed the Pi behind a NAT router and changed the default password so that it was doubly secure against this specific attack.

      • by Anonymous Coward

        You'd have to expose it to the net AND keep default passwords the same. Then, maybe, it will affect you, but only if you have those services running.

        Part of how this problem came about is the target audience, and another part is due to the devices original embedded nature.

        One of the more popular Linux distributions for the Pi is Raspbian, which is based on Debian but obviously targeting the specific architecture of the Pi.

        Debian solved this problem decades ago by having the installer prompt the user for a root password to use, as well as prompt for the initial user account username/password.
        The passwords are set up before first-boot when the selected se

    • by maple_shaft ( 1046302 ) on Sunday June 11, 2017 @06:06AM (#54595413)
      In my opinion no. Having experimented with creating a Pi miner for Litecoin, back before ASICs existed for mining Scrypt algo, I got an abysmal hashrate of 0.2MH, and that was with overclocking on a Model B. To put into more perspective I had a cheap second hand Radeon graphics card on my desktop that got hundreds of times better hashrate. When mining 24/7 on a pool I would still only get about .5 LTC which was worth scarcely a few dollars at the time. Now that is worth about $15 today though. Pis make terrible miners.
      • by heson ( 915298 )
        When comparing stuff could you please use the same unit or I will conclude that "To put into perspective" was a lie.
  • by franzrogar ( 3986783 ) on Sunday June 11, 2017 @02:24AM (#54595011)

    It's the same as saying that if you have an app with internet access and you left the default passwords (imagine one of e-commerce).

    It's the user's fault and program's bad design (it should create a random pass on first install, never a "default" one).

    • by techno-vampire ( 666512 ) on Sunday June 11, 2017 @02:41AM (#54595055) Homepage
      No, it shouldn't create a random password when you install it. Part of logging in for the first time should be a mandatory password change, leaving as little time for something like this as possible. And, remote access should be disabled until after the password has been changed.
      • No, the password should be outright disabled and the user should add his public key to .ssh/authorized_keys instead. Using passwords over SSH is just plain stupid.
        • OK, so tell me: if passwords are disabled, and your public key hasn't been sent yet, how do you connect to it to transfer the key?
          • Sorry for not being more clear but I meant that as a reply to what you wrote about what to do after first login. Using a password on SSH should be something that you do at maximum once per system. Myself I always transfer my public rsa key to a flash drive and put it into any machine that I install and thus never use an insecure ssh session, but I do understand that this is seen as an inconvenience for the majority of users, but using keys instead of passwords after first login will not only make the connectio
    • by thegarbz ( 1787294 ) on Sunday June 11, 2017 @03:35AM (#54595147)

      It's the same as saying that if you have an app with internet access and you left the default passwords (imagine one of e-commerce).

      Yes because when a Windows user purposefully executes malware and it takes over the system it's all Windows' fault, but when a Linux user permits the same thing it's not Linux at all.

      Sorry but you don't get to laugh at Microsoft's attempts at limiting the user's ability to accidentally execute malware and excuse a Linux OS for something as mindbogglingly stupid as not prompting the user for a username and password during setup.

      Malware is malware. Linux is Linux. This is by every definition of the word Linux Malware. Whether it's assisted by stupid users or stupid designers is irrelevant.

      • Linux User some four digit number here.

        Nah... Windows or Linux, once it is owned it is owned. The biggest security hole is the human. Someday, I'll tell you of my most recent hack. It was via VNC and I got to watch them. It was also my fault, entirely. I got lucky and could literally see them move the mouse and type commands. It was almost fun to watch them learn Linux. Point is, it was my fault and I know the path.

        • Once, while watching the auth logs on a test box, observed a fairly strong SSH bruteforce to take some 4 hours to guess that user=test pass=test. Box then became, briefly, part of a DDoS botnet.
      • Yes because when a Windows user purposefully executes malware and it takes over the system it's all Windows' fault, but when a Linux user permits the same thing it's not Linux at all.

        No, the reason this isn't Linux malware is that it only works on the Raspberry Pi with the default password. You could easily build a Windows-based version with the same flaw, but that wouldn't make it Windows malware. Your Windows malware example only requires Windows, making it Windows malware. This is Raspberry Pi (model A?) malware.

        When people use the term Windows malware correctly, they mean malware that requires only a Windows host to function. You cannot deny that there are hundreds of malware progra

        • No, the reason this isn't Linux malware is that it only works on the Raspberry Pi with the default password.

          Not at all. It works on any ARM based Linux distribution and spreads by SSH with a specific set of credentials. Like a lot of Raspberry Pi "specific" stuff it's very cross-platform to a variety of Linux setups running on Pis and on various other small single board computers.

          Just because the malware spreads on a specific set of credentials that are most likely to be present on a Raspberry Pi doesn't make it any less Linux malware.

          • By that logic, it's ARM, computer, and binary malware. Are all binary-based computers threatened? I don't think so. It could be ported, or you could set up your Linux PC to have the same common credentials, but the only Linux box that comes configured that way is the Pi.
            • Yes so we should stop calling Windows malware Windows malware and specifically x86 Malware right?

              Every ARM PC is threatened if the credentials are set up in a certain way.

              but the only Linux box that comes configured that way is the Pi.

              Only when you didn't read what I wrote: let me quote myself:

              very cross platform to a variety of Linux setups running on Pis and on various other small single board computers.

              The Pi isn't the only one that is setup the way the Pi is thanks greatly to the massive popularity of the distribution and the many other people who are riding on the work of that team.

    • by Anonymous Coward

      There has been a fix for new installations of Pixel (Raspbian) since 2016, https://www.raspberrypi.org/blog/a-security-update-for-raspbian-pixel/

  • Per Raspberry Pi? Or if a few Raspberry Pi devices got networked?
  • Get Rich Slowly... (Score:5, Informative)

    by Powercntrl ( 458442 ) on Sunday June 11, 2017 @02:32AM (#54595033)

    I'm not too familiar with the Raspberry Pi, but a cursory view of the specs tells me even a huge botnet of 'em still wouldn't make you wealthy through mining crypto any sooner than the heat death of the universe. Most crypto mining these days is done on specialized hardware or large banks of high-end video cards. Seems to be the reason why most malicious software intent on acquiring wealth through Bitcoins simply encrypts your files for ransom.

    • Compared to what? The entire WannaCry scheme made less than $80k. Its spread was huge, its impact on critical files was high, and it only made $80k. By comparison this thing could chug away in the corner and someone may not ever notice it. What's faster? A huge botnet of Pis crunching away for a year, or sitting down and writing another spreadable ransomware program?

      • by religionofpeas ( 4511805 ) on Sunday June 11, 2017 @03:47AM (#54595193)

        Depends on what cryptocurrency they are mining, how suitable the Pi is for that, and what the value of that currency is.

        Take bitcoin for example. One Pi can do about 0.2 Mhash/second. A botnet consisting of 1 million devices can mine about $6.50 in a month. And you don't even get to keep all that, because a million devices mining will produce a great deal of very small transactions, which take up a lot of space in the blockchain, and you'll have to pay quite a large transaction fee. You'd be lucky to keep half of that money.

        Instead of the developing the malware, you could make more money as a Walmart greeter.

        • Rightio, I didn't realise it was quite that low. Still even for $100/m it is likely worthwhile. Remember the devices being infected are unlikely to get noticed by the owners. Unlike some more overt methods of extracting money via malware this one will probably still be going after a year or maybe even longer, and has the side benefit of not having the federal services from multiple nations looking for you.

          • I would actually think it would get noticed pretty quickly. If you leave the standard password, it means that's probably the only account you're using. If you use it as a media-player, next time you'll want to upload some media, account doesn't work. If you use it to play around, account doesn't work either. If it's mining all the time, everything will be crawling slow too.
            Given most Pis are used by hobbyists, they'll notice it, unless it's really just running somewhere in the basement not doing anything.
    • Several crypto coins have been designed specifically to thwart GPU and FPGA mining. [cpucoinlist.com]
      The Raspberry Pi 3 seems to get 10 Hash/s of Monero mining [reddit.com].
      10 H/s of XMR yields about $1.10 per day [cryptocompare.com].

      So the cracker isn't getting rich, but they can generate a modest supplementing income. I assume many Raspberry Pi on the Internet are installed and forgotten about. Nobody notices 100% CPU load if the cracker uses nice -n19.

  • Looks like someone is gonna get rich...
  • " After scanning for RPis with an open (and default) SSH port, the "pi" user is logged into (if the password is left default), and the password is subsequently changed...The ultimate goal of Linux.MulDrop.14 is to make digital money for someone else, namely the author of the malware, using your Raspberry Pi."

    Oh, so this is about cryptocurrency mining? That's a laugh, especially on Pi-ware.

    Sure as hell sounds like the real ultimate goal here is to demonstrate how utterly fucking stupid (by default) some admins can actually be.

  • by Anonymous Coward

    Remember Synology; this happened to insecure Synology NAS devices.

  • This is one of the articles which makes me sick about alarmist claims of malware... and it applies to most malware. For it to work the user would have to point port 22 to their device... and if they have the savvy to do this, they would of course password the device as well... we're in much less danger than we're led to believe.
    • by tomxor ( 2379126 )
      Well, you are assuming the attack vector is always from outside a gateway... but the first thing it does is install zmap and sshpass, so it's obviously intended to be self propagating inside a network. It would likely be more dangerous if it first piggybacked on some other more likely vector to first get inside a network and then target pi.
  • All --

    I don't believe that this vulnerability applies to Slackware ARM on a Raspberry Pi http://sarpi.fatdog.eu/ [fatdog.eu] as it does not include a pi user ...

    -- kjh

  • Raspbian defaults changed last year to SSH off, so it forces you to login over serial and enable SSH + change the password (closing the window of opportunity)... It's also possible to enable it by adding a file to the boot partition though.

    I suppose the problem is that newbies still don't know the importance of changing default passwords and Raspbian is not installed but dd'ed to a disk much like a VPS but without the friendly UI forcing you to set a custom password.

  • How is this malware? Looks like a simple, automated SSH probe to me for people who don't follow obvious best practices. If you're going to leave SSH open to the world then do at least a few of the below:

    1) Change default password
    2) Enable keyauth only
    3) Change the default listening port.
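The three-item list above is the usual advice, and the second item is the one that actually closes the door the malware walks through. The script below is an added example, not the poster's code or anything shipped with Raspbian, that audits an sshd_config for those settings and for the loophole people miss: with UsePAM, keyboard-interactive (ChallengeResponseAuthentication / KbdInteractiveAuthentication) still accepts the account password even when PasswordAuthentication is "no". It assumes OpenSSH configuration syntax, where the first occurrence of a keyword before any "Match" block is the effective global value; the two config files it audits are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page or from Raspbian: audit an sshd_config for
# the settings the checklist above recommends, plus the keyboard-interactive
# password path. Assumptions: OpenSSH sshd_config syntax; the first match of a
# keyword before any "Match" block is the effective global setting.

# effective_value FILE KEYWORD DEFAULT
# Print the first value of KEYWORD in FILE, ignoring comments and anything
# inside a Match block, or DEFAULT when the keyword is never set globally.
effective_value() {
    file=$1; key=$2; default=$3
    val=$(awk -v key="$key" '
        { sub(/#.*/, "") }                          # strip comments, re-split
        tolower($1) == "match" { exit }             # conditional section: stop
        tolower($1) == tolower(key) { print $2; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# audit_sshd_config FILE
# Print one line per weak setting; exit 1 if any were found, 0 if none.
audit_sshd_config() {
    f=$1; findings=0
    pw=$(effective_value "$f" PasswordAuthentication yes)
    cr=$(effective_value "$f" ChallengeResponseAuthentication yes)
    ki=$(effective_value "$f" KbdInteractiveAuthentication "$cr")   # inherits the old name's value
    root=$(effective_value "$f" PermitRootLogin prohibit-password)
    pk=$(effective_value "$f" PubkeyAuthentication yes)
    port=$(effective_value "$f" Port 22)

    if [ "$pw" != no ]; then
        echo "WEAK: PasswordAuthentication is $pw (a default such as pi/raspberry is one guess away)"
        findings=$((findings + 1))
    fi
    if [ "$ki" != no ]; then
        echo "WEAK: keyboard-interactive auth is $ki; with UsePAM yes this still accepts the account password"
        findings=$((findings + 1))
    fi
    if [ "$root" = yes ]; then
        echo "WEAK: PermitRootLogin yes"
        findings=$((findings + 1))
    fi
    if [ "$pk" != yes ]; then
        echo "WEAK: PubkeyAuthentication is $pk, so keys cannot replace passwords"
        findings=$((findings + 1))
    fi
    if [ "$port" = 22 ]; then
        echo "INFO: listening on port 22 (moving it cuts scanner noise, not risk)"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not real files from any device).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# looks tidy, but PasswordAuthentication is only commented out, and the "no"
# below applies solely to the Match block's address range
Port 22
ChallengeResponseAuthentication no
UsePAM yes
#PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    if audit_sshd_config "$cfg"; then echo "OK: no password login path left open"; fi
done
```

The weak sample is the case a quick grep gets wrong: "PasswordAuthentication no" is present in the file, but only inside a Match block, so the global default of "yes" still applies. On a live box the authoritative answer is the daemon's own view, `sudo sshd -T | grep -i -e passwordauthentication -e kbdinteractiveauthentication`, which prints the effective values after defaults and includes are resolved. Whatever the audit says, the "pi" account's password still has to change (or the account be removed) before the device touches the network, since a key-only sshd does nothing against a default password reused on the console, on VNC, or on a different service.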
