Raspberry Pi sours thanks to mining malware

Anti-virus vendor Dr. Web has found something nasty: malware named “Linux.MulDrop.14” that turns the Raspberry Pi into a cryptocurrency mining machine. To catch the malware you'll need to leave your rPi on with SSH ports open. If you've done so and the malware's scripts make their way into your Pi, they'll install zmap, …


  1. Brenda McViking

    Captain Bodge-tastic speaking

    I wouldn't overestimate the abilities of your average raspberry pi user - it's become very easy to follow a simple set of instructions in an online forum and without understanding a lot about what you're doing, and in doing so open the thing wide open to abuse. An awful lot of them are connected to the net.

    I had to double check that the one of mine which is online and will accept SSH connections is not visible from the public IP it's on. I've changed the default password as I do for all devices, but aside from a weekly cron job to perform an automatic update, it is sat there, as a VPN server. I think that I've firewalled everything off with iptables (apart from the VPN port used), but I set this up 3 years ago and I really cannot remember. I'm currently 7000km away from it without a computer so it's difficult to check right now... (posting from a mobile)

    I imagine there are a lot of such devices out there connected to the net, as some amateur project set up by an enthusiastic hobbyist. In my experience it was hard enough getting it working as intended, let alone hardening it against attackers beyond the basics of changing a password (which I think is enough to defeat this malware if I RTFA properly)...

    1. Ken Hagan Gold badge

      Re: Captain Bodge-tastic speaking

      Give a ten-year-old a small, battery-powered computer of their own and let them discover some interweb instructions about how to set up their pi-cam so that they can use it over the internet as a spying device.

      Hmm ... I'd guess that an awful lot of pis are connected to the net with no thought to security at all.

    2. Anonymous Coward

      Re: Captain Bodge-tastic speaking

      I'm currently 7000km away from it without a computer so it's difficult to check right now... (posting from a mobile)

      Give me your IP and password and I will check for you...

      1. Anonymous Coward

        Re: Captain Bodge-tastic speaking

        "Give me your IP and password and I will check for you..."

        IP is: 127.0.0.1

        Password is: hunter1

    3. werdsmith Silver badge

      Re: Captain Bodge-tastic speaking

      For fun I have hung a Pi on the net via a port forward, changed the password for pi user and within a few minutes there were failed login attempts showing up in the log. I've no idea how they are found so quickly.

      1. Chemist

        Re: Captain Bodge-tastic speaking

        "and within a few minutes there were failed login attempts showing up in the log"

        I have a pi & my x86 fileserver both with ssh port forwarded. However I don't use the standard ports and both use rsa keys and indeed very unusual usernames..

        My x86 server has had 1 login attempt in 10+ years. So although it is really sec. by ob. it cuts down the attempts by a huge factor as port 22 gets a few a day.

        1. John Sager

          Re: Captain Bodge-tastic speaking

          Just analysing my firewall logs for the last 4 months & I've had 36k hits on telnet and 6k hits on ssh port 22. Those are the top 2 TCP ports for hits, followed by 5358, 1433 & 7547. I occasionally see a hit on my obscure ssh login port - 1 every few months perhaps.
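The kind of tally the post above describes, as an added example (it is not code from the thread or from The Register): a small parser for netfilter LOG records of the sort iptables or ufw write to syslog, counting hits per destination port and the distinct sources behind each. The log lines below are constructed, use documentation address ranges, and stand in for a real firewall log.

```python
"""Tally inbound firewall hits per destination port.

Added example, not code from the thread or from The Register. It assumes the
netfilter LOG target's key=value record format (as written by iptables -j LOG
or ufw), and the sample lines below are constructed, not captured traffic.
"""
import re
from collections import Counter

# Constructed sample lines in netfilter LOG format (documentation addresses only).
SAMPLE_LOG = """\
Jun  8 09:12:01 gw kernel: [1001.1] DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=49 ID=0 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 SYN
Jun  8 09:12:02 gw kernel: [1001.2] DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=49 ID=0 DF PROTO=TCP SPT=41235 DPT=2323 WINDOW=1024 SYN
Jun  8 09:13:07 gw kernel: [1002.0] DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=5100 DPT=22 WINDOW=29200 SYN
Jun  8 09:13:09 gw kernel: [1002.3] DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=5101 DPT=23 WINDOW=29200 SYN
Jun  8 09:14:11 gw kernel: [1003.0] DROP-IN: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=40 TTL=44 ID=0 DF PROTO=TCP SPT=6000 DPT=7547 WINDOW=1024 SYN
Jun  8 09:14:12 gw kernel: [1003.1] DROP-IN: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=1028 TTL=44 ID=0 PROTO=UDP SPT=6001 DPT=1900 LEN=1008
Jun  8 09:15:00 gw kernel: [1004.0] DROP-IN: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=40 TTL=60 ID=0 DF PROTO=TCP SPT=7000 DPT=23 WINDOW=512 SYN
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one LOG line, or None if it is not one."""
    fields = dict(KV_RE.findall(line))
    if "PROTO" not in fields or "DPT" not in fields:
        return None   # not a netfilter LOG record (or ICMP, which has no ports)
    return fields


def tally_ports(log_text, proto="TCP"):
    """Hits per destination port for one protocol, most-hit first."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and fields["PROTO"] == proto:
            counts[int(fields["DPT"])] += 1
    return counts.most_common()


def sources_for_port(log_text, port):
    """Distinct source addresses that probed one port (any protocol)."""
    srcs = set()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and fields["DPT"] == str(port):
            srcs.add(fields["SRC"])
    return sorted(srcs)


if __name__ == "__main__":
    # The same question the post asks of four months of logs: which ports
    # draw the most unsolicited traffic, and from how many sources?
    for port, hits in tally_ports(SAMPLE_LOG):
        n_src = len(sources_for_port(SAMPLE_LOG, port))
        print(f"tcp/{port:<5} {hits:>4} hits  from {n_src} source(s)")
```

Run it against a real log with `tally_ports(open("/var/log/kern.log").read())`; the per-port totals are what tell you whether a non-default SSH port is really going unnoticed, and the source count per port separates one noisy scanner from many.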

      2. Richard Plinston

        Re: Captain Bodge-tastic speaking

        > within a few minutes there were failed login attempts showing up

        That sounds like a job for fail2ban or denyhosts.

      3. waldo kitty

        Re: Captain Bodge-tastic speaking

        I've no idea how they are found so quickly.

        They were likely MIRAI or a variant of it. They're running rampant all over the 'net looking for IoT devices to conscript into their botnet. They specifically target the telnet and ssh ports along with a few others.

  2. allthecoolshortnamesweretaken

    1. Which cryptocurrency exactly? Bitcoin? The mythical Maycoin?*

    2. Are there that many Raspberries out in the wild that, even assuming they are connected and still on their default settings, they could mine coin in a useful timeframe?

    Somehow this smells like proof of concept.

    * A cryptocurrency I have just made up. It is designed for post-brexit Britain, traceable by the authorities, but totally anonymous for anyone else thanks to the ingenious FlexiCrypt system. The FlexiCrypt system, which I have also just made up, uses deep learning AI algorithms that can recognise who is mining and using any given Maycoin and whether it is a legitimate use of it or not. If it is a legitimate use like a donation to the conservative party, the whole transaction stays completely anonymous. If it is used for something clearly related to terrorism like paying for a VPN service, all available data is automatically transferred to the relevant authorities.

    1. Anonymous Coward

      non binary choice

      "a legitimate use like a donation to the conservative party [or] something clearly related to terrorism"

      How do you classify arms deals with Saudi?

      1. allthecoolshortnamesweretaken

        Re: non binary choice

        "How do you classify arms deals with Saudi?"

        Depends. On where the kick-backs end up.

        1. sisk

          Re: non binary choice

          How do you classify arms deals with Saudi?

          Oh that? It's just a donation to some guy's retirement fund. He was so appreciative that he gave me a couple hundred AKs to thank me.

    2. Alister

      I hope I'm not giving too much away here, but I'd heard that the FlexiCrypt system is based on the use of hashtags:

      #verysecure

      #backdoorencryption

      #ilovetheresamay

      which makes it extra secure for everybody, (except if you're a terrist)

    3. Cuddles

      "Are there that many Raspberries out in the wild that, even assuming they are connected and still on their default settings, they could mine coin in a useful timeframe?"

      A quick Google suggests an RPi gets somewhere from 50-200 MFLOPS single precision depending on version. That would mean at least 30,000 of them to hit 6 TFLOPS, around the equivalent of a decent GPU (GTX 1070 for example). With 12.5 million sold according to the article, if you took control of every RPi ever sold, you'd have the equivalent of around 400 relatively up-to-date but not particularly impressive PCs. Depending on how those total sales break down by version, it might be closer to 100 PCs.

      So yeah, not particularly useful by the looks of it. Even if there are tens of thousands of vulnerable RPis out there, you only need to compromise one or two home PCs to get just as much computing power at your disposal.

    4. phuzz Silver badge

      "Are there that many Raspberries out in the wild"

      Pretty much anywhere there's screens displaying a slide show, if you look behind you'll see a RPi dangling from the wires. Museums, restaurants, bus companies, they get used all over the place.

  3. Brian Miller

    I just hooked it to the DMZ, and it's fine...

    How many people do this? Really? Buy something, and then just throw it open to world+dog, and think it's all just fine and dandy.

    When logging into the Raspberry Pi, it nags you to change the password!! Really, every single time you log in, there's a message nagging about changing user pi's password to something other than raspberry.

    If somebody's too lazy to change the password, keeps it on, exposed to world+dog, then they should pay a stupid tax for their actions.

    1. as2003

      Re: I just hooked it to the DMZ, and it's fine...

      The joke's on the hackers: it turns out that all the vulnerable Pis were actually honeypots run by security researchers.

    2. Mage Silver badge

      Re: I just hooked it to the DMZ, and it's fine...

      ports open?

      Wut no firewall.

      I take no prisoners. We have no DMZ.

    3. Blitheringeejit

      Re: I just hooked it to the DMZ, and it's fine...

      >>How many people do this? Really? Buy something, and then just throw it open to world+dog, and think it's all just fine and dandy.

      Apparently there's this new-fangled teckernology called "The Internet of Things" which is all the rage...?

  4. Anonymous Coward

    Default password? It's easy to be smug, but default password is asking for it and will get you little sympathy or insurance coverage.

  5. Anonymous Coward

    Not being funny but...

    If you have a Pi this already puts you ahead of the daily mail reading celebrity spotting unwashed therefore you would instinctively change the password on first use as you did on that shiny router you bought. You would also have to enable ssh which again puts you above the general poo flicking human.

    I can't see this infecting many pi's.

    1. Anonymous Coward

      re: this already puts you ahead of the daily mail reading celebrity spotting unwashed

      Get over yourself.

      1. Anonymous Coward

        Re: re: this already puts you ahead of the daily mail reading celebrity spotting unwashed

        Why? I make a valid point. If you buy a pi then you must have some knowledge and if you have some knowledge you would know to change the password.

        Furthermore how does this even get onto the pi? Would you not need to forward the port in the first place? Again this indicates knowledge.

        Therefore poo flicking daily mail readers would probably not buy a pi in the first place.

        Have you actually read the daily mail?

        http://www.dailymail.co.uk/news/article-4597798/KATIE-HOPKINS-AmberRose-flashing-doesn-t-make-feminist.html

        I rest my case.

        1. Anonymous Coward

          Re: re: this already puts you ahead of the daily mail reading celebrity spotting unwashed

          Hey, I liked that article, I read the daily mail, I hate celebs and I bought a Pi and I changed the passwd. Am I in a special category? Am I a special person?

          ...I think I am!

    2. Milton

      "daily mail reading celebrity spotting unwashed"

      Anon said—"If you have a Pi this already puts you ahead of the daily mail reading celebrity spotting unwashed therefore you would instinctively change the password on first use as you did on that shiny router you bought. You would also have to enable ssh which again puts you above the general poo flicking human."

      I wonder why he got so many downvotes? Yes, it's a rather dismissive, insulting opinion of Daily Mail readers, but in what respect is it actually, um, wrong?

      Or was it the reference to the Axis of Stupid Liars: "poo flicking human" that upset readers? (I assume it's a reference to Boris Johnson and Donald Trump, correct?)

      Well, I suppose it doesn't matter if Daily Mail readers have IQs in single digits or occasionally even two, the important things in our world are, as ever: Strong Crypto+Strong Passwords!!

      1. Naselus

        Re: "daily mail reading celebrity spotting unwashed"

        "I wonder why he got so many downvotes?"

        Because he's literally talking as if simply owning a device designed for 8 year olds was proof of superior computing skills. It's like suggesting that purchasing a skateboard is indicative of superb Formula-1 driving ability. He misunderstands the purpose of the device, its main audience, the skillset it aims to teach, and his own awesomeness for owning one. Oh, and he commits a logical fallacy in presuming the only possible people who could own one are either super-sysadmins or drooling Daily Mail readers, too.

        So it's a factually incorrect argument, made badly. That's why he got downvotes.

        1. Anonymous Coward

          Re: "daily mail reading celebrity spotting unwashed"

          @Naselus

          I really am not.

          I don't mind the downvotes however to get the thing onto the internet with an open port and enable SSH usually requires a knowledge above that of an 8 year old kid learning to program and even if they do have that knowledge I would hope the adult guiding them changes the password or advises them to do that themselves.

          http://www.dailymail.co.uk/news/article-4596940/Dog-chills-shark-floatie-pool.html

          EDIT: Who plugs the Pi into the network or connects to the wifi? Certainly not a Daily Mail Poo Flinger

    3. Jason Bloomberg Silver badge

      The Pi's raison d'etre is teaching kids to code; by design it's going into the hands of those least knowledgeable about security and more likely to fall prey to "latest Minecraft mod" and "free Ariana tickets" social engineering.

    4. Doctor Syntax Silver badge

      "you would instinctively change the password on first use as you did on that shiny router you bought. You would also have to enable ssh"

      These are aimed at kids (my 8-yo grandson for instance). They won't necessarily have basic sysadmin skills. Also, as he did, they might forget the P/W if changed. (Actually in his case it was a different OS with a different default P/W. An OS update appeared to have reset it probably back to the OS default. I'd tarred off his home directory and re-flashed the OS before I realised the default was different.)

      You're right in that they'd have to enable ssh. On Raspbian that's done through the same menu as changing the password but unfortunately the two aren't linked.

  6. Ben1892

    All your 800Mhz are belong to us !

    So even if you pwnd 12.5 million Pis, by my back-of-fag-packet calcs it would give you somewhere between 1.3Th/s and 2.5Th/s

    1. Adam 52 Silver badge

      If I've done the sums right that turns into about $5/day.

      1. Doctor Syntax Silver badge

        "If I've done the sums right that turns into about $5/day"

        Riches! If you're an 8-yo.

    2. Ross 12

      What if it's clever enough to use the Pi's GPU for calculation goodness?

  7. Terry 6 Silver badge

    if the password for “Pi” suddenly stops working it may be easier to flash a new SD-card

    When I use my Pi for anything that is going to be online for more than a few minutes I'll give it a proper p/w. Until then, it's just a few minutes messing about here or there. (It took me a couple of weeks sporadic use to find out that the little screen I bought won't install drivers if I used NOOBS).

    And I'm guessing that since this is essentially a hobbyist sort of device, that's how most users will treat it. For me it's about trying to remember how to code, thirty odd years after my (amateur) programming days hit the buffers of having a proper job, home, family, mortgage.

    If, at some point I/we decide to put it to work then setting up security will probably be more of a priority.

  8. The Bionic Man

    At last someone found a use for the Raspberry Pi.

    1. Doctor Syntax Silver badge

      "a use for the Raspberry Pi"

      There are plenty of those, for instance running a local instance of Nextcloud with a 1TB disk.

  9. mark l 2 Silver badge

    I don't have a Pi but am a Linux user (Mint). Why does the Pi not force people to change the default password on first login like other Linux distros do? Even if the end user changes it to a weak password it's better than them continuing on the default

    1. Alister

      Why does the Pi not force people to change the default password on first login like other Linux distros do?

      It does.

      1. Jason Bloomberg Silver badge

        It does.

        Things changed recently after the Pi Foundation appeared to become aware of the risks of de-facto enabled SSH and default password, but I believe any insistence the password is changed only occurs when SSH is enabled.

        As far as I am aware there is still no general 'you must change/choose a password' prompt otherwise. Therefore it is still possible to expose a Pi to the Internet with the default password and all the risk associated with doing that. SSH isn't the only risk.

  10. Milton

    On a more serious note: schools

    I understand the Pi is widely used, and for obvious reasons, in schools. I hope school IT departments are paying attention today, because that is one environment where I *suspect* rules may be a bit lax: getting kids to change default passwords and remember new, strong ones sounds a little like cat-herding.

    Once a single Pi is infected, there is the troubling prospect of transmission of malware over internal networks, which schools already under siege from idiot politicians really do not need right now.

    1. Doctor Syntax Silver badge

      Re: On a more serious note: schools

      I'd guess in schools you'd want a common password for your common login ID with maybe personal IDs for the pupils. Good practice would be to set up one Pi, change the pi password and then clone that card for the rest.

  11. sisk

    To catch the malware you have to not only leave your pi on with SSH ports open to the internet, but you also have to leave your password on the default. The current version of Raspbian will complain every time you log in if the SSH server is on and you haven't changed the password. What kind of fool uses default passwords?

  12. felixuribe

    IoT Malware AGAIN!

    The problem with malware like this is the fact that the Raspberry Pi has become one of those devices used to build lots of IoT devices out there. Malsubjects will continue to explore ways to break into every single connected device for all criminal purposes, this is just one of them! My advice, make sure that your devices have a security classification! https://uribe100.com/index.php?option=com_content&view=article&id=147:internet-of-things-iot

  13. JulieM Silver badge

    It's a Storm in a Pi Dish

    How many people plug a Raspberry Pi straight into the public Internet? And you have to configure a router deliberately to forward Port 22.

    You would have to re-image all your machines at once, to be sure none of them were going to infect any of the others.

    Might be fun to set up a honeypot, though .....

  14. edfelt

    Just Me

    CHANGE YOUR DEFAULT PASSWORD! PLEASE, FOR THE LOVE OF PETE, JUST CHANGE THE PASSWORD THE SYSTEM KEEPS WARNING YOU ABOUT!

  15. Anonymous Coward

    if they get every Pi to mine continuously for them... they get 1 bitcoin in 5 years 7 months.

  16. JulieM Silver badge

    Honeypot

    Try running this command on a public-facing server:

    $ sudo useradd -gusers -pzKVyZZU/0syU2 -m -s/bin/cat pi

    This will set up a honeypot account. Username pi, password raspberry, just like a default raspbian install ..... but typing commands will have absolutely no effect.
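Two of the suggestions in this thread, Richard Plinston's "a job for fail2ban or denyhosts" and the decoy `pi` account above, both come down to reading sshd's auth log. The following is an added example, not code from the thread, fail2ban or any project: a fail2ban-style counter that bans a source after too many failures inside a time window, plus an alert whenever a login to a honeypot account actually succeeds (the signal the decoy exists to produce). The log lines, the threshold and window, the honeypot user list and the syslog year are all constructed assumptions.

```python
"""Brute-force and honeypot-login detection over sshd auth.log lines.

Added example, not code from the thread: a fail2ban-style counter that bans a
source after repeated failures inside a time window, plus an alert for any
successful login to a decoy account such as the 'pi' honeypot user described
above. Log lines, thresholds and the honeypot user list are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HONEYPOT_USERS = {"pi"}           # assumption: decoy accounts nobody legitimate uses
MAX_FAILS = 3                     # assumption: failures tolerated per source ...
WINDOW = timedelta(minutes=10)    # ... within this window before a ban

FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
OK_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+) port \d+")

# Constructed sample auth.log lines (documentation addresses, invented PIDs).
SAMPLE_AUTH_LOG = """\
Jun  8 10:00:01 pi sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jun  8 10:00:03 pi sshd[812]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun  8 10:00:04 pi sshd[815]: Failed password for pi from 203.0.113.5 port 40003 ssh2
Jun  8 10:00:06 pi sshd[815]: Failed password for pi from 203.0.113.5 port 40004 ssh2
Jun  8 10:02:30 pi sshd[820]: Failed password for pi from 198.51.100.7 port 5101 ssh2
Jun  8 10:20:30 pi sshd[830]: Failed password for pi from 198.51.100.7 port 5102 ssh2
Jun  8 10:21:00 pi sshd[831]: Accepted password for pi from 203.0.113.99 port 6000 ssh2
Jun  8 10:21:02 pi sshd[832]: Accepted publickey for alice from 192.0.2.20 port 7000 ssh2
"""


def parse_ts(line, year):
    """syslog timestamps carry no year, so the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def analyse(log_text, year=2017):
    """Return (banned sources, honeypot alerts), each in order of detection."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside WINDOW
    banned, alerts = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = parse_ts(line, year)
        ok = OK_RE.search(line)
        if ok:
            if ok["user"] in HONEYPOT_USERS:
                # A successful login to a decoy account means the default
                # credentials were tried and worked: that is the alert.
                alerts.append((ok["src"], ok["user"], ts))
            continue
        fail = FAIL_RE.search(line)
        if not fail or fail["src"] in banned:
            continue
        window = recent[fail["src"]]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()      # drop failures older than the window
        if len(window) > MAX_FAILS:
            banned.append(fail["src"])
    return banned, alerts


if __name__ == "__main__":
    banned, alerts = analyse(SAMPLE_AUTH_LOG)
    for src in banned:
        print(f"ban {src}: more than {MAX_FAILS} failures within {WINDOW}")
    for src, user, ts in alerts:
        print(f"ALERT {ts:%b %d %H:%M:%S}: honeypot account '{user}' logged in from {src}")
```

On the sample data the first source is banned after its fourth failure in five seconds, the second is not because its two failures fall outside the ten-minute window, and the one accepted password for `pi` produces the honeypot alert while alice's key login is ignored. A real deployment would feed the ban list to the firewall and the alert to whatever pages you; the counting and the decoy check are the parts worth getting right.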

  17. Wolfclaw

    12.5m machines all using a fraction of CPU power is a decent miner !
