
Linux Malware Mines for Cryptocurrency Using Raspberry Pi Devices

A Linux trojan detected under the generic name of Linux.MulDrop.14 is infecting Raspberry Pi devices with the purpose of mining cryptocurrency. According to Russian antivirus maker Dr.Web, the malware was first spotted online in the second half of May in the form of a script that contains a compressed and encrypted application. Experts say the initial infection takes place when Raspberry Pi operators leave their devices' SSH ports open to external connections. Once a Raspberry Pi device is infected, the malware changes the password for the "pi" account to:

$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1

Malware targets only Raspberry Pi devices

After this, Linux.MulDrop.14 shuts down several processes and installs libraries required for its operation, including ZMap and sshpass. The malware then launches its cryptocurrency mining process and uses ZMap to continuously scan the Internet for other devices with an open SSH port. Once it finds one, the malware uses sshpass to attempt to log in using the username "pi" and the password "raspberry." Only this user/password combo is used, meaning the malware only targets Raspberry Pi single-board computers. This is somewhat out of the ordinary, since most malware tries to target as many platforms as it can. Nonetheless, this version of the malware may still be under development, and other username and password combos may be added at a later date.
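Added example, not code from the article or from Dr.Web: a small Python check for the two host-side indicators the article gives, the hash written to the "pi" account and the run of failed SSH logins for "pi" that the ZMap/sshpass spraying leaves in a victim's auth log. The shadow file and log lines are constructed samples, and the function names and the threshold are my own choices.

```python
import re
from collections import Counter

# Password hash the article reports Linux.MulDrop.14 sets on the "pi" account
# (copied from the article; the only page-specific indicator available).
MULDROP_PI_HASH = "$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1"

# OpenSSH "Failed password" line; the optional "invalid user" prefix appears
# when the account does not exist on the host.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def pi_account_compromised(shadow_text: str) -> bool:
    """Return True if the 'pi' entry in /etc/shadow carries the MulDrop hash."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == "pi":
            return fields[1] == MULDROP_PI_HASH
    return False


def ssh_spray_sources(log_lines, threshold: int = 3) -> dict:
    """Count failed SSH logins for user 'pi' per source IP and return the
    sources at or above the threshold (a single-credential spray signature)."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m and m.group(1) == "pi":
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample inputs (not real captures); addresses are documentation ranges.
SAMPLE_SHADOW = "root:*:17300:0:99999:7:::\npi:" + MULDROP_PI_HASH + ":17300:0:99999:7:::\n"
SAMPLE_AUTH_LOG = [
    "Jun  7 10:15:01 raspberrypi sshd[1201]: Failed password for pi from 203.0.113.7 port 51234 ssh2",
    "Jun  7 10:15:03 raspberrypi sshd[1203]: Failed password for pi from 203.0.113.7 port 51236 ssh2",
    "Jun  7 10:15:04 raspberrypi sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2",
    "Jun  7 10:15:05 raspberrypi sshd[1207]: Failed password for pi from 203.0.113.7 port 51240 ssh2",
    "Jun  7 10:15:06 raspberrypi sshd[1209]: Failed password for pi from 198.51.100.9 port 40001 ssh2",
    "Jun  7 10:15:08 raspberrypi sshd[1211]: Failed password for pi from 203.0.113.7 port 51242 ssh2",
    "Jun  7 10:15:10 raspberrypi sshd[1213]: Accepted password for pi from 203.0.113.7 port 51244 ssh2",
]

if __name__ == "__main__":
    print("pi account carries MulDrop hash:", pi_account_compromised(SAMPLE_SHADOW))
    print("SSH spray sources:", ssh_spray_sources(SAMPLE_AUTH_LOG))
```

On a real device, feed `pi_account_compromised` the contents of /etc/shadow (root required) and `ssh_spray_sources` the lines of /var/log/auth.log; the "Accepted password" line in the sample shows the spray succeeding, which is the event worth alerting on.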

Still better than Mirai

Most users would dismiss the idea of using Raspberry Pi devices to mine for cryptocurrency, which is a very computationally heavy operation. While Raspberry Pi single-board computers do have some hardware resources at their disposal for the task the malware is attempting to perform, they are not as powerful as classic desktop or laptop computers, and nowhere near the efficiency of dedicated mining equipment. Nevertheless, people have used Raspberry Pi devices to mine for cryptocurrency in the past, with moderate success.

Either way, Linux.MulDrop.14 is certainly better equipped for the task at hand than a version of the Mirai IoT malware spotted in mid-April, which also tried to mine for cryptocurrency for a short period of time. At the time, Errata Security researcher Robert Graham estimated that if a Mirai botnet of 2.5 million bots mined for cryptocurrency, it would be earning only $0.25 per day because of the low computational power of the devices Mirai is capable of infecting (usually security cameras, DVRs, routers, and other IoT equipment).

Linux malware used to create a proxy network

Last but not least, Dr.Web researchers also said they discovered a second Linux malware strain, which they named Linux.ProxyM. As this malware's name implies, this Linux trojan is used to start a SOCKS proxy server on infected devices, which the trojan's author then uses to relay malicious traffic, disguising his real identity and location. No other details are available at this time about Linux.ProxyM, but researchers said the number of devices infected with this strain has grown to 10,000 systems after being first spotted in February 2017.

Chuck Reynolds
Contributor