
Linux.MulDrop.14 Malware Mines for Cryptocurrency Using Raspberry Pi Devices

Zarathustra[H]

A few weeks ago we reported on Adylkuzz, a malware that uses the same attack vector as the WannaCry ransomware, but rather than extort you for money by holding your data hostage, it installs cryptocurrency mining software on your machine, and mines cryptocurrency to the benefit of its creator. This appears to be an increasingly popular form of malware. The most recent development is the discovery of the Linux.MulDrop.14 Malware. The most interesting part of this may not be that it attacks Linux instead of Windows, but rather that it only targets Raspberry Pi devices, and that someone actually had the idea to mine cryptocurrency on a low-powered ARM device.

I'm kind of curious how much they have been taking home doing this, as each infected Raspberry Pi won't yield very much. The goal must either be to infect a very large number of Pi devices, or it is only to see if they can do it, not necessarily to make money.

Either way, Linux.MulDrop.14 is certainly more equipped for the task at hand compared to a version of the Mirai IoT malware spotted in mid-April, which also tried to mine for cryptocurrency for a short period of time.

At the time, Errata Security researcher Robert Graham estimated that if a Mirai botnet of 2.5 million bots mined for cryptocurrency, it would be earning only $0.25 per day because of the low computational power of the devices Mirai is capable of infecting (usually security cameras, DVRs, routers, and other IoT equipment).
 
I'm leaning toward this having been done just to see if they could do it.

Anyone using a Raspberry Pi is likely a bit more intelligent than your average joe running Windows or Mac. They are fully aware that if something isn't working right, all they have to do is spend 2 minutes reflashing the OS to an SD card. It may take them longer to re-configure it, but an OS wipe to eliminate the infection is dead simple.
 
Hmmm. I wonder what the mining potential is on a Pi. I mean you can get 20 of them and shove them in a shoebox, no noise and very little heat. Interesting...

Someday someone is going to figure out how to push something like this to Android, then watch out. Everybody and their dog will be mining on their phones for someone else and probably won't ever know it. Except if their phones explode in their pockets maybe.
 
> Someday someone is going to figure out how to push something like this to Android, then watch out. Everybody and their dog will be mining on their phones for someone else and probably won't ever know it. Except if their phones explode in their pockets maybe.

People will start whining when phone mining reduces their battery life to about 30 minutes from a full charge :p

A cleverly written piece of malware - however - would check for the power cord and only run while the phone is charging. This way the owner would never know, and if they don't know, they have no reason to try to re-flash the device.
 
Sounds like this could be a "proof of concept" test with the next step how to move it to the desktop, maybe? :D
 
What is the attack vector? Do I need to disable Samba? Is Samba on by default in Raspbian?
 
> Hmmm. I wonder what the mining potential is on a Pi. I mean you can get 20 of them and shove them in a shoebox, no noise and very little heat. Interesting...
>
> Someday someone is going to figure out how to push something like this to Android, then watch out. Everybody and their dog will be mining on their phones for someone else and probably won't ever know it. Except if their phones explode in their pockets maybe.

OK, so some guy wants to do exactly that, push cryptocurrency mining malware to cellphones, but they don't have the software optimized yet, it's rough, slow.

Now if I try and develop my software and run trials on phone OS's all the attempts as I work through the issues are going to raise defenses that I must then find ways around.

But if I develop and test my software on another platform I cut down the warning time for cellphone OS's while ensuring that when I do drop that payload, I get much more bang for the buck.
 
Remotely executing a script using the default SSH password. As long as you've changed it, it's not a problem.

Yeah, it always amazes me how many people just leave things with the default password.

I change that shit within 10 seconds of having a new machine up.
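A defender-side check for the point made in the posts above, as an added example that is not part of the thread: these functions report which accounts in a shadow file still carry a given candidate password, such as the one documented as the image default. `hash_matches` and `audit_shadow` are hypothetical names; OpenSSL 1.1.1 or later is assumed, and locked accounts, yescrypt hashes and `rounds=` hashes are treated as uncheckable.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# hash_matches SHADOW_LINE CANDIDATE
# Returns 0 if CANDIDATE reproduces the stored hash, 1 if it does not,
# 2 if the entry cannot be checked (locked, empty, unsupported scheme).
hash_matches() {
    stored=$(printf '%s\n' "$1" | cut -d: -f2)
    case $stored in
        '$1$'*|'$5$'*|'$6$'*) ;;      # md5crypt, sha256crypt, sha512crypt
        *) return 2 ;;                # '!', '*', empty, yescrypt, ...
    esac
    rest=${stored#'$'}                # e.g. 6$salt$hash
    scheme=${rest%%'$'*}              # e.g. 6
    rest=${rest#*'$'}                 # e.g. salt$hash
    salt=${rest%%'$'*}
    case $salt in
        rounds=*) return 2 ;;         # openssl passwd cannot set a round count
    esac
    # Re-hash the candidate with the stored salt and compare the full strings.
    computed=$(printf '%s\n' "$2" |
        openssl passwd "-$scheme" -salt "$salt" -stdin) || return 2
    [ "$computed" = "$stored" ]
}

# audit_shadow SHADOW_FILE CANDIDATE
# Prints the name of every account whose password is still CANDIDATE.
audit_shadow() {
    while IFS= read -r line; do
        user=${line%%:*}
        if hash_matches "$line" "$2"; then
            printf '%s\n' "$user"
        fi
    done < "$1"
}

# Usage on the device itself (reading /etc/shadow needs root):
#   sudo sh -c '. ./check_default_pw.sh; audit_shadow /etc/shadow "<default password>"'
```

Any name it prints should get a new password, or have SSH password logins disabled in favour of keys.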
 
> Yeah, it always amazes me how many people just leave things with the default password.
>
> I change that shit within 10 seconds of having a new machine up.

I did it before booting; I chrooted the SD on my workstation and then booted it. It was faster to replace with Gentoo that way.
 
> People will start whining when phone mining reduces their battery life to about 30 minutes from a full charge :p
>
> A cleverly written piece of malware - however - would check for the power cord and only run while the phone is charging. This way the owner would never know, and if they don't know, they have no reason to try to re-flash the device.

I swear this already happened, batteries were drained and the phone was super hot is how they noticed. Remembering something about a fake banking app...no one else remembers this?
 
Couldn't someone just make a nice App that would be popular, sell it at a ridiculously low price/free, and deep down it uses the Phone's computer resources ... X 10-50-200 million units?

Work smart so any one phone, it works X% of the time, and dormant, so the user would never put 2+2 together about any unusual battery usage. Since after release into the world, it's all FREE MONEY ... not your phone, not your electricity, not your data .... I mean, the App instead of making you watch ads as compensation, just leeches off resources like a Tick in your phone?

Surprised this hasn't become a thing already .... unimaginative bastards I guess.
 