Slashdot Mirror


Linux Malware Infects Raspberry Pi Devices And Makes Them Mine Cryptocurrency (hothardware.com)

An anonymous reader quotes Hot Hardware: If you're a Raspberry Pi user who's never changed the default password of the "pi" user, then heed this warning: change it. A brand new piece of malware has hit the web, called "Linux.MulDrop.14", and it preys on those who haven't secured their devices properly... After scanning for RPis with an open (and default) SSH port, the "pi" user is logged into (if the password is left default), and the password is subsequently changed. After that, the malware installs ZMap and sshpass software, and then it configures itself. The ultimate goal of Linux.MulDrop.14 is to make digital money for someone else, namely the author of the malware, using your Raspberry Pi.

84 comments

  1. Is this even worth it? by ArylAkamov · · Score: 2

    I know very little about cryptocurrency aside from having 20 bitcoins when it was new and losing the wallet with a reformat (Yes, I hate myself).

    This really doesn't seem worth the risks to develop and deploy, given the processing power and the number of units you would need to infect. Then again, I might be underestimating the number of vulnerable devices. I'd love for someone who knows more than me to chime in and give their thoughts.

    1. Re:Is this even worth it? by Anonymous Coward · · Score: 0

      I'm wondering the exact same thing, also what crypto currency were they mining?
      I suppose any amount of coins, no matter how little, is better than nothing.

    2. Re:Is this even worth it? by Anonymous Coward · · Score: 0

      Same here! Got one bitcoin just for installing it. Mined five for a total of six and then decided... "This is stupid!" and threw them away. Don't get me wrong, it is still stupid and basically unusable. I would have preferred to have the money from some sucker for the coins though!

    3. Re:Is this even worth it? by thegarbz · · Score: 2

      This really doesn't seem worth the risks to develop and deploy

      Risk is a combination of severity of consequence and a likelihood of it occurring. Raspberry Pis that are networked and have their default user names and passwords will generally not be in a position where the impact of this malware may be discovered and likely owned by users who don't have the ability to understand what's going on.

      The risks in this case are very low. The reward is low too, but that's kind of beside the point. I myself have one raspberry pi in the house that I would never be able to tell if it were part of a botnet. My media centre box may show it slightly if I noticed performance issues but then Linux is good at prioritising so even then I'm not sure I'd notice it.

    4. Re: Is this even worth it? by KGIII · · Score: 4, Insightful

      I cheated and RTFA. Please don't hold it against me. Basically, the article says, "If you're functionally retarded, this could happen under a very limited set of circumstances."

      My comment history shows I am biased towards Linux but not a zealot. This is a problem if you're stupid. That's about it. Even stupid people are pretty well protected, as they are behind a NAT that disallows ingress.

      I have some Pi (pies?) so I looked at the article. Sorry... You'd have to expose it to the net AND keep default passwords the same. Then, maybe, it will affect you but only if you have those services running.

      I am trying to not minimize this but, really, it is a wee bit silly. Maybe I am missing something?

      --
      "So long and thanks for all the fish."
    5. Re: Is this even worth it? by maple_shaft · · Score: 4, Informative

      In my opinion no. Having experimented with creating a Pi miner for Litecoin, back before ASICs existed for mining the Scrypt algo, I got an abysmal hashrate of 0.2MH, and that was with overclocking on a Model B. To put it into more perspective, I had a cheap second hand Radeon graphics card on my desktop that got hundreds of times better hashrate. When mining 24/7 on a pool I would still only get about 0.5 LTC which was worth scarcely a few dollars at the time. Now that is worth about $15 today though. Pis make terrible miners.

    6. Re:Is this even worth it? by Anonymous Coward · · Score: 0

      I thought it was stupid, too, but then I got into it. Now I am an active trader and margin lender on a major exchange, and I make about $25,000/month in margin lending fees. Yes, I pay my taxes.

    7. Re: Is this even worth it? by heson · · Score: 1

      When comparing stuff could you please use the same unit or I will conclude that "To put into perspective" was a lie.

    8. Re: Is this even worth it? by adam.voss · · Score: 2

      I'd be most concerned about other products that use a Raspberry Pi internally. Can't be sure if the maker secured the thing and the consumer of these are likely to be less tech savvy and may not even know about the security concerns.

    9. Re: Is this even worth it? by petermgreen · · Score: 2

      The problem is threefold.

      1. The raspberry pi foundation decided to enable ssh by default on their raspbian image despite a number of us telling them that it was reckless. They eventually back-pedalled on this for later images but not before there were loads and loads of existing installations out there.
      2. There are still end-user networks out there, particularly in academic settings that are largely open to the internet.
      3. They have sold millions of Pis

      Put all those together and you have a sufficient pool of Pis out there running ssh servers on the open Internet and accepting a login of pi/raspberry to be worthwhile for script kiddies to target.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    10. Re: Is this even worth it? by Anonymous Coward · · Score: 1

      You'd have to expose it to the net AND keep default passwords the same. Then, maybe, it will affect you but only if you have those services running.

      Part of how this problem came about is the target audience, and another part is due to the device's original embedded nature.

      One of the more popular Linux distributions for the Pi is Raspbian, which is based off Debian but obviously targeting the specific architecture of the Pi.

      Debian solved this problem decades ago by having the installer prompt the user for a root password to use, as well as prompt for the initial user account username/password.
      The passwords are setup before first-boot when the selected services start up.
      Later with "tasksel" it was also possible to say you wanted services like SSH installed, but none of those services are started until that first-boot process once the passwords were set.

      Raspbian on the other hand is typically not "installed" in this way by the end user.
      The maintainers provide a pre-installed/pre-configured image file of a Raspbian system created and installed by someone else, and the end-user simply writes this image to an SD card as-is.

      It's not unlike OEM Windows installations of days past before sysprep was used properly by the OEMs.
      The OEM would install Windows and do the setup, including having an initial user account with admin rights and a pre-defined password (usually blank) and pre-installed software.
      In the same way the user inherits whatever user accounts and passwords were setup by someone else, and at a point past any OS installer that would set things up how the user wants.

      Microsoft addressed this by demanding OEMs use a feature called sysprep, which lets you end up with an image of a system in this half setup state.
      The OEM can load up drivers and any custom things they need, but on first-boot an installer setup program still runs and gets the rest of the settings from the user, including account name and password.

      Debian itself has such a feature too (actually a couple of them these days) however the Raspbian fork does not utilize any of them at all.
      Arguably this is the problem at its core.

      Debian Installer allows a great deal of customization by an "OEM" very similar to Windows sysprep.
      They allow for installer preseed files used to append software package names to apt-get, paths to .deb files to install, and pre-defined answers to various installer setup questions that can be either force-answered or to simply specify the default answer used when hitting enter.

      All of those resources are available to Raspbian, it's just a matter of Raspbian currently not using them for their base images.

      I'd also guess Raspbian is making some design choices here more specific to a Pi than a PC.
      For example, installing and setting up a Pi to function headless.

      Since the Debian installer uses the local console, and the Pi target audience was not computer users or technology enthusiasts who would have a spare keyboard or monitor, they chose to offer a way to install a system already configured for those people.
      Thus the image boots to a working system with zero prompts, which necessitated having a username/password already setup, and SSH already running, along with network and wifi autoconfig.

      Another issue with that is the primary target audience being "education", but not really defining that well.
      On one hand, at least to me, this sounds like the very thing that should be taught to new users by said educator.
      On the other hand that relies on the educator themselves to not be mostly ignorant of how the thing works that they are teaching other people to use. A situation all too common in a lot of educational settings these days it seems.

      Like with Eternal September, the issue isn't that these problems haven't been realized, addressed, and solved decades ago - but more about "starting over" with a new user base that likely has no computer experience at all.
      Of course this new user base will need to relearn all those lessons over and over again from scratch, and this is exactly the expected (and only) result that can come of that.

    11. Re: Is this even worth it? by Anonymous Coward · · Score: 0

      If you have access to thousands of those devices, without paying anything for the power, it can still make sense for some of the CPU-only cryptocurrencies. Sure, it may not be much profit, but the effort put into creating this and automating the spread is minimal and everything they get is pure profit.

      Let's say 100 RPis have the hash rate of a PC and the cryptocurrency is valued at 90% of the electricity cost to mine. Let's say $2 per day for a PC. If this has become big enough to be noticed here it's probably more than 10000 devices affected. So someone could be making upwards of $200 per day. Not much, but it's still pure profit for minimal effort and risk. Even at $30 per day ($900/month) it would be enough to cover a person's living expenses in some countries.

    12. Re: Is this even worth it? by whoever57 · · Score: 1

      1. The raspberry pi foundation decided to enable ssh by default on their raspbian image despite a number of us telling them that it was reckless.

      But incredibly useful. I set up a Pi recently and not having to mess with monitor and keyboard made my task much easier. I took appropriate security measures as part of setting up the Pi.

      --
      The real "Libtards" are the Libertarians!
    13. Re: Is this even worth it? by Walter+White · · Score: 1

      But incredibly useful. I set up a Pi recently and not having to mess with monitor and keyboard made my task much easier. I took appropriate security measures as part of setting up the Pi.

      It can still be done by modifying or adding a file in the boot partition, just no longer the default.

      The other flaw I would add is a default user and password and no encouragement to change. I can't imagine it would be that hard to craft a script that would prompt the user for a user name and password to use before the system can be accessed.

    14. Re: Is this even worth it? by whoever57 · · Score: 1

      It can still be done by modifying or adding a file in the boot partition, just no longer the default.

      After posting, I realized that I had to add a file to the boot partition to enable ssh: it wasn't enabled by default.

      I also installed the Pi behind a NAT router and changed the default password so that it was doubly secure against this specific attack.

      --
      The real "Libtards" are the Libertarians!
    15. Re:Is this even worth it? by Anonymous Coward · · Score: 0

      we believe you, tell us more

    16. Re: Is this even worth it? by Anonymous Coward · · Score: 0

      I'd be most concerned about other products that use a Raspberry Pi internally. Can't be sure if the maker secured the thing and the consumer of these are likely to be less tech savvy and may not even know about the security concerns.

      You can be sure. Just try to log into it with the default password. If you fail, the "exploit" in the article will fail too.

      And I say "exploit" reluctantly.

    17. Re: Is this even worth it? by Anonymous Coward · · Score: 0

      There's no point blaming a user. None of these devices are sold with big warning labels and insisting that they're ignorant...well...ignorant to who? There's a lot of software in there you won't even know about and it changes every month.

      We don't all have infinite time to fiddle around with something infinitely to see if we forgot one of these settings somewhere. Raspberry Pi is about becoming an inventor, not becoming a 24/7 unpaid admin.

    18. Re: Is this even worth it? by Anonymous Coward · · Score: 0

      Let's say 100 RPis have the hash rate of a PC and the cryptocurrency is valued at 90% of the electricity cost to mine. Let's say $2 per day for a PC. If this has become big enough to be noticed here it's probably more than 10000 devices affected. So someone could be making upwards of $200 per day. Not much, but it's still pure profit for minimal effort and risk. Even at $30 per day ($900/month) it would be enough to cover a person's living expenses in some countries.

      I wouldn't say minimal risk. It's still illegal, so whoever does it is still committing a crime.

      The level of experience required to pull this off is so low that the perpetrator probably didn't have much in any case. The fact that it was detected attests to that. So, if anyone were pissed enough to press charges, chances are the guy will be easy to track due to inexperience hiding his tracks.

      Would you risk jail time for a few bucks a day?

      If you're going to commit a crime, make it worth the risk.

    19. Re: Is this even worth it? by Anonymous Coward · · Score: 0

      99% of the people toying around with Raspberry Pis couldn't admin their way out of a wet paper bag. They load preconfigured blobs onto SD-cards and follow tutorials for the rest, tutorials written by people who figured stuff out by trial and error. If the tutorial says, open the port in the firewall so you can watch your videos on the go, a port will be opened in the firewall. It's just words to them, no meaning. You do this, you get what you want. So, nothing out of the ordinary. Just because it's Unix doesn't mean there isn't an average consumer at the keyboard.

    20. Re: Is this even worth it? by PatientZero · · Score: 1

      Just try to log into it with the default password. If you fail, the "exploit" in the article will fail too.

      Don't forget, the first thing the malware does after gaining access is change the default password of the pi user. You can't distinguish an immune device from an already-infected one based solely on being able to log in.

      --
      Freedom to fear. Freedom from thought. Freedom to kill.
      I guess the War on Terror really is about freedom!
    21. Re: Is this even worth it? by Anonymous Coward · · Score: 0

      You are verifiably retarded. You can convert BTC to USD in a matter of minutes and currently 1 BTC is worth close to $3k. If you've acquired them legally then it's of no concern to withdraw the funds directly to your bank account. Congrats on throwing away nearly twenty grand because new technology is so confusing to you.

    22. Re: Is this even worth it? by LinuxIsGarbage · · Score: 1

      99% of the people toying around with Raspberry Pis couldn't admin their way out of a wet paper bag. They load preconfigured blobs onto SD-cards and follow tutorials for the rest, tutorials written by people who figured stuff out by trial and error. If the tutorial says, open the port in the firewall so you can watch your videos on the go, a port will be opened in the firewall. It's just words to them, no meaning. You do this, you get what you want. So, nothing out of the ordinary. Just because it's Unix doesn't mean there isn't an average consumer at the keyboard.

      The best way to encourage new users to learn more is to insult them!

    23. Re: Is this even worth it? by Anonymous Coward · · Score: 0

      I'm sorry that I offended you, LinuxIsGarbage.

    24. Re: Is this even worth it? by zwarte+piet · · Score: 1

      He obviously did that 10-ish years ago when they were super easy to mine, and worth maybe 5 cents.

  2. So... not "Linux malware" afterall by franzrogar · · Score: 3, Insightful

    It's the same as saying that if you have an app with internet access and you left the default passwords (imagine one of e-commerce).

    It's the user's fault and program's bad design (it should create a random pass on first install, never a "default" one).

    1. Re:So... not "Linux malware" afterall by techno-vampire · · Score: 4, Insightful

      No, it shouldn't create a random password when you install it. Part of logging in for the first time should be a mandatory password change, leaving as little time for something like this as possible. And, remote access should be disabled until after the password has been changed.

      --
      Good, inexpensive web hosting
    2. Re:So... not "Linux malware" afterall by thegarbz · · Score: 4, Insightful

      It's the same as saying that if you have an app with internet access and you left the default passwords (imagine one of e-commerce).

      Yes, because when a Windows user purposefully executes malware and it takes over the system it's all Windows' fault, but when a Linux user permits the same thing it's not Linux at all.

      Sorry but you don't get to laugh at Microsoft's attempts at limiting the user's ability to accidentally execute malware and excuse a Linux OS for something as mindbogglingly stupid as not prompting the user for a username and password during setup.

      Malware is malware. Linux is Linux. This is by every definition of the word Linux Malware. Whether it's assisted by stupid users or stupid designers is irrelevant.

    3. Re: So... not "Linux malware" afterall by KGIII · · Score: 1

      Linux User some four digit number here.

      Nah... Windows or Linux, once it is owned it is owned. The biggest security hole is the human. Someday, I'll tell you of my most recent hack. It was via VNC and I got to watch them. It was also my fault, entirely. I got lucky and could literally see them move the mouse and type commands. It was almost fun to watch them learn Linux. Point is, it was my fault and I know the path.

      --
      "So long and thanks for all the fish."
    4. Re:So... not "Linux malware" afterall by Anonymous Coward · · Score: 1

      There has been a fix for new installations of Pixel (Raspbian) since 2016, https://www.raspberrypi.org/blog/a-security-update-for-raspbian-pixel/

    5. Re:So... not "Linux malware" afterall by Anonymous Coward · · Score: 0

      most people use remote access to login to a raspberry pi for the first time.

    6. Re: So... not "Linux malware" afterall by thegreatbob · · Score: 1

      Once, while watching the auth logs on a test box, I observed a fairly strong SSH brute force take some 4 hours to guess that user=test pass=test. The box then became, briefly, part of a DDoS botnet.

      --
      There is no XUL, only WebExtensions...
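
The pattern thegreatbob describes (hours of failures from one address, then a successful password login) is visible in plain sshd logging, and the summary adds a second tell for this particular malware: a password login to the default "pi" account. The following is an added example, not code from the article or from any poster, that walks an auth.log and flags both conditions. The log lines are constructed to look like Debian/Raspbian sshd output; the threshold of five failures is an assumed tuning knob.

```python
import re
from collections import defaultdict

# sshd lines for password and public-key logins, successful or not.
# "invalid user" appears when the account does not exist on the box.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (not a real capture): a slow guess against "pi"
# that eventually succeeds, one key-based login, and one password login to
# the untouched default account from a second address.
SAMPLE_LOG = """\
Jun  8 01:02:03 pi sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun  8 01:17:41 pi sshd[1235]: Failed password for pi from 203.0.113.7 port 51240 ssh2
Jun  8 01:33:09 pi sshd[1236]: Failed password for pi from 203.0.113.7 port 51251 ssh2
Jun  8 02:48:55 pi sshd[1237]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Jun  8 03:05:12 pi sshd[1238]: Failed password for pi from 203.0.113.7 port 51277 ssh2
Jun  8 04:20:30 pi sshd[1239]: Failed password for pi from 203.0.113.7 port 51290 ssh2
Jun  8 05:10:00 pi sshd[1300]: Accepted password for pi from 203.0.113.7 port 52000 ssh2
Jun  8 05:10:00 pi sshd[1300]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Jun  8 06:00:00 pi sshd[1400]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2: RSA SHA256:AbCdEf
Jun  8 07:30:00 pi sshd[1500]: Accepted password for pi from 198.51.100.5 port 43210 ssh2
"""


def parse_auth_events(lines):
    """Yield dicts (result, method, user, ip) for each sshd auth line; other lines are skipped."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.groupdict()


def find_suspicious_logins(lines, threshold=5):
    """Flag password logins that follow `threshold` or more failures from the same source,
    and any password login to the default "pi" account regardless of failure count."""
    failures = defaultdict(int)
    alerts = []
    for ev in parse_auth_events(lines):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            continue
        reasons = []
        if ev["method"] == "password" and failures[ev["ip"]] >= threshold:
            reasons.append(f"password login after {failures[ev['ip']]} failures")
        if ev["method"] == "password" and ev["user"] == "pi":
            reasons.append("password login to default 'pi' account")
        if reasons:
            alerts.append({"ip": ev["ip"], "user": ev["user"],
                           "failures": failures[ev["ip"]], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']} -> {a['user']}: {'; '.join(a['reasons'])}")
```

Two caveats a practitioner would add: the failure count is per source address, so a guess spread across many addresses (as a scanner built on ZMap could do) will not trip the threshold, which is why the "pi" rule is there at all; and since this malware changes the pi password after logging in, the owner's own subsequent failures against "pi" are themselves a sign worth alerting on.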
    7. Re:So... not "Linux malware" afterall by F.Ultra · · Score: 1

      no the password should be outright disabled and the user should add his public key to .ssh/authorized_keys instead. Using passwords over SSH is just plain stupid.

    8. Re:So... not "Linux malware" afterall by Anonymous Coward · · Score: 0

      Nope. It's by definition "stupid". This whole flaw is perfectly portable to Windows.

      1. Install a service which allows remote access.
      2. Use a default user and a default password.
      3. Do nothing to secure the device.

      Do that on your precious Windows box, and I guarantee you'll get pwned. So it has nothing to do with the OS as such

      The problem is probably rather that RPI was never conceived to become such a hit, to get such widespread use and to be kept running like many of the applications that use RPI's are. It was supposed to be a one off more or less, used in a lab for short stints by different people sitting at the device. Not to be used like some server. Which is kind of naïve considering that people are very good at finding new uses for stuff, and also very lazy with fixing the little things, like creating a new user or changing passwords.. but as I said, this is a social flaw, not a software one.

    9. Re:So... not "Linux malware" afterall by Anonymous Coward · · Score: 0

      Lol. Well, in this case it's leaving the default password on a device connected straight to the internet, and someone remotely logged in and installed some software. There was no attack or exploit used.

      It would be comparable to leaving a Windows system connected, with VNC enabled without a password, and someone logging in and installing something.

      I don't consider either of those cases as exploiting the OS. It's normal, but unauthorized, use of the device.

    10. Re:So... not "Linux malware" afterall by techno-vampire · · Score: 1

      OK, so tell me: if passwords are disabled, and your public key hasn't been sent yet, how do you connect to it to transfer the key?

      --
      Good, inexpensive web hosting
    11. Re:So... not "Linux malware" afterall by Anonymous Coward · · Score: 0

      You put the key into the image before you write it on the SD card?

    12. Re:So... not "Linux malware" afterall by F.Ultra · · Score: 1

      Sorry for not being more clear but I meant that as a reply to what you wrote about what to do after first login. Using a password on SSH should be something that you do at maximum once per system. Myself, I always transfer my public RSA key to a flash drive and put it into any machine that I install and thus never use an insecure SSH session, but I do understand that this is seen as an inconvenience for the majority of users. Using keys instead of passwords after first login will not only make the connection secure, it will also greatly enhance the usability (i.e. no more need to input a password on the device).
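
Several posters above argue for the same end state: key in authorized_keys, password authentication off. The step that gets skipped in practice is editing sshd_config, and a stock image ships with PasswordAuthentication effectively on (sshd's compiled-in default is yes, and the shipped file usually only has it commented out). Below is an added example, not the project's or any poster's code, that takes a weak sshd_config and emits the hardened version alongside a list of what it changed. The sample config is constructed, the directive set is the author's choice of a minimal lockdown, and it only rewrites the global section: sshd honours the first value it sees for each keyword and anything after a Match line is scoped to that block, so missing directives are inserted before the first Match.

```python
import re

# Global sshd_config values that close the password-guessing window once a key is installed.
REQUIRED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "3",
}
_BY_LOWER = {k.lower(): k for k in REQUIRED}   # sshd keywords are case-insensitive
DIRECTIVE_RE = re.compile(r"^\s*(?P<key>[A-Za-z]+)\s+(?P<val>\S.*?)\s*$")
MATCH_RE = re.compile(r"^\s*match\b", re.IGNORECASE)

# Constructed weak config in the style of an appliance image (not a file from the page).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User kodi
    X11Forwarding yes
"""


def harden_sshd_config(text):
    """Return (hardened_text, findings). findings is a list of (keyword, old, new);
    old is None when the directive was absent and sshd would have used its default.
    Commented-out lines are treated as absent because sshd ignores them."""
    out, findings, seen = [], [], set()
    in_match, first_match = False, None
    for line in text.splitlines():
        if MATCH_RE.match(line):
            in_match = True
            first_match = len(out) if first_match is None else first_match
        m = None if (in_match or line.lstrip().startswith("#")) else DIRECTIVE_RE.match(line)
        if m and m.group("key").lower() in _BY_LOWER:
            key = _BY_LOWER[m.group("key").lower()]
            want, have = REQUIRED[key], m.group("val")
            seen.add(key)
            if have.lower() != want.lower():
                findings.append((key, have, want))
                line = f"{key} {want}"        # rewrite the weak value in place
        out.append(line)
    for key, want in REQUIRED.items():
        if key not in seen:
            findings.append((key, None, want))
    # Missing global directives go before the first Match block (or at the end).
    insert_at = len(out) if first_match is None else first_match
    out[insert_at:insert_at] = [f"{k} {v}" for k, v in REQUIRED.items() if k not in seen]
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    hardened, findings = harden_sshd_config(WEAK_CONFIG)
    for key, old, new in findings:
        print(f"{key}: {old!r} -> {new!r}")
    print(hardened)
```

Before installing the result, run it through `sshd -t -f <file>` and confirm a key login works from a second terminal while the old session is still open; locking yourself out of a headless Pi is the usual failure mode. On newer OpenSSH the keyboard-interactive switch is spelled KbdInteractiveAuthentication, with the older name kept as an alias, so the line above still parses.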

  3. How long does it take? by AHuxley · · Score: 1

    Per Raspberry Pi? Or if a few Raspberry Pi devices got networked?

    --
    Domestic spying is now "Benign Information Gathering"
  4. Get Rich Slowly... by Powercntrl · · Score: 5, Informative

    I'm not too familiar with the Raspberry Pi, but a cursory view of the specs tells me even a huge botnet of 'em still wouldn't make you wealthy through mining crypto any sooner than the heat death of the universe. Most crypto mining these days is done on specialized hardware or large banks of high-end video cards. Seems to be the reason why most malicious software intent on acquiring wealth through Bitcoins simply encrypts your files for ransom.

    --
    DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
    1. Re:Get Rich Slowly... by thegarbz · · Score: 1

      Compared to what? The entire WannaCry scheme made less than $80k. Its spread was huge, its impact on critical files was high, and it only made $80k. By comparison this thing could chug away in the corner and someone may not ever notice it. What's faster? A huge botnet of Pis crunching away for a year, or sitting down and writing another spreadable ransomware program?

    2. Re:Get Rich Slowly... by religionofpeas · · Score: 5, Insightful

      Depends on what cryptocurrency they are mining, how suitable the Pi is for that, and what the value of that currency is.

      Take bitcoin for example. One Pi can do about 0.2 Mhash/second. A botnet consisting of 1 million devices can mine about $6.50 in a month. And you don't even get to keep all that, because a million devices mining will produce a great deal of very small transactions, which take up a lot of space in the blockchain, and you'll have to pay quite a large transaction fee. You'd be lucky to keep half of that money.

      Instead of the developing the malware, you could make more money as a Walmart greeter.

    3. Re:Get Rich Slowly... by thegarbz · · Score: 1

      Rightio, I didn't realise it was quite that low. Still even for $100/m it is likely worthwhile. Remember the devices being infected are unlikely to get noticed by the owners. Unlike some more overt methods of extracting money via malware this one will probably still be going after a year or maybe even longer, and has the side benefit of not having the federal services from multiple nations looking for you.

    4. Re:Get Rich Slowly... by Anonymous Coward · · Score: 0

      Not in Bulgaria - same reason the real "fake news" sites were run there.

    5. Re:Get Rich Slowly... by Anonymous Coward · · Score: 0

      incorrect - there are various crypto that are mineable by cpu/gpu - no asics

    6. Re:Get Rich Slowly... by Anonymous Coward · · Score: 0

      bitcoin is the worst example to use

    7. Re:Get Rich Slowly... by Anonymous Coward · · Score: 0

      If you use a mining pool the number of nodes is irrelevant. You will get the full return minus pool fee.

    8. Re:Get Rich Slowly... by tommeke100 · · Score: 1

      I would actually think it would get noticed pretty quickly. If you leave the standard password, it means that's probably the only account you're using. If you use it as a media-player, next time you'll want to upload some media, account doesn't work. If you use it to play around, account doesn't work either. If it's mining all the time, everything will be crawling slow too.
      Given most Pi's are used by hobbyists, they'll notice it, unless it's really just running somewhere in the basement not doing anything.

    9. Re:Get Rich Slowly... by unixisc · · Score: 1

      But it is the most accepted of the cryptocurrencies, to the point that they're accepted at all

  5. WOW! by swdave · · Score: 1

    Looks like someone is gonna get rich...

  6. Not new... by Anonymous Coward · · Score: 0, Informative

    I've been seeing raspbian boxes trying to find other raspbian boxes for over a month now, possibly dating as far back as March at the minimum. Good news is that they're easy to block, since SSH is clear text for the beginning of the session, all you need to do is string scan for "SSH-2.0-OpenSSH_6.7p1 Raspbian" and drop.
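
The string the poster is matching on is the SSH identification line, which RFC 4253 section 4.2 fixes as `SSH-protoversion-softwareversion SP comments CR LF`, at most 255 bytes, sent in the clear by both sides before key exchange. An infected Pi probing you with sshpass drives the stock OpenSSH client, so the line you see carries that client's version and the Raspbian comment. The following is an added example, not code from the poster or from any project, that parses that line and applies the "Raspbian OpenSSH, drop" rule. The banners are constructed; the one labelled raspbian is written in the format the poster quotes rather than taken from a capture.

```python
import re

# RFC 4253 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(rb"SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?")


def parse_identification(stream):
    """Parse the peer's identification string from the first bytes it sends.
    Lines that do not start with "SSH-" are skipped, since the RFC allows a server to
    send such lines first. Returns a dict or None if no valid string is present."""
    for line in stream.splitlines():          # handles both CR LF and bare LF
        if not line.startswith(b"SSH-"):
            continue
        if len(line) > 253:                   # 255 including CR LF
            return None
        m = IDENT_RE.fullmatch(line)
        if not m:
            return None
        comments = m.group("comments")
        return {
            "protoversion": m.group("proto").decode("ascii"),
            "software": m.group("software").decode("ascii", "replace"),
            "comments": comments.decode("ascii", "replace") if comments is not None else None,
        }
    return None


def is_raspbian_openssh(ident):
    """True when the string names an OpenSSH build carrying the Raspbian comment."""
    return (ident is not None
            and ident["software"].startswith("OpenSSH_")
            and (ident["comments"] or "").startswith("Raspbian"))


def decide(stream):
    """The poster's filter: drop a connection whose banner marks a Raspbian OpenSSH peer."""
    return "drop" if is_raspbian_openssh(parse_identification(stream)) else "allow"


# Constructed banners (not captured traffic).
SAMPLES = {
    "raspbian": b"SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3\r\n",
    "plain":    b"SSH-2.0-OpenSSH_7.4\r\n",
    "prefixed": b"Welcome, please go away.\r\nSSH-2.0-libssh_0.7.3\r\n",
    "old":      b"SSH-1.99-Cisco-1.25\r\n",
    "http":     b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:9s} {decide(banner):5s} {parse_identification(banner)}")
```

The banner is unauthenticated, so a scanner that is not the stock OpenSSH client can present whatever it likes, and this rule also drops every honest Raspbian box that tries to reach you. It is a cheap first filter for the specific campaign described, not a substitute for rate limiting on failed logins.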

    1. Re: Not new... by Anonymous Coward · · Score: 0

      You mean ...left open to the internet??
      That can only be done intentionally !!

  7. Stupidity - The real ultimate goal. by geekmux · · Score: 1

    " After scanning for RPis with an open (and default) SSH port, the "pi" user is logged into (if the password is left default), and the password is subsequently changed...The ultimate goal of Linux.MulDrop.14 is to make digital money for someone else, namely the author of the malware, using your Raspberry Pi."

    Oh, so this is about cryptocurrency mining? That's a laugh, especially on Pi-ware.

    Sure as hell sounds like the real ultimate goal here is to demonstrate how utterly fucking stupid (by default) some admins can actually be.

  8. Re: Lol by KGIII · · Score: 2

    I don't know who you are, but I kinda love you. Seriously, keep people off Linux. I kinda like it here.

    --
    "So long and thanks for all the fish."
  9. Re:So by Anonymous Coward · · Score: 0

    Damn crackers.

  10. Remember Synology by Anonymous Coward · · Score: 1

    Remember Synology, this happened to unsecured Synology NAS devices.

  11. If you have the savvy to become vulnerable.. by neurosine · · Score: 1

    This is one of the articles which makes me sick about alarmist claims of malware... and it applies to most malware. For it to work the user would have to point port 22 to their device... and if they have the savvy to do this, they would of course password the device as well... we're in much less danger than we're led to believe.

    1. Re:If you have the savvy to become vulnerable.. by tomxor · · Score: 1

      Well, you are assuming the attack vector is always from outside a gateway... but the first thing it does is install zmap and sshpass, so it's obviously intended to be self propagating inside a network. It would likely be more dangerous if it first piggybacked on some other more likely vector to first get inside a network and then target pi.

  12. ELI5 please? by Anonymous Coward · · Score: 0

    Whenever I've bought an Rpi, it has never had an O/S pre-installed on it, let alone with a default, insecure user and password combination?

    Is there some secret default O/S running in the background on a Pi that I need to destroy?

  13. Not all Raspberry Pi Distros are Created Equal by kjhambrick · · Score: 1

    All --

    I don't believe that this vulnerability applies to Slackware ARM on a Raspberry Pi http://sarpi.fatdog.eu/ as it does not include a pi user ...

    -- kjh

  14. FYI Raspbian defaults: by tomxor · · Score: 1

    Raspbian defaults changed last year to SSH off, so it forces you to log in over serial and enable SSH + change the password (closing the window of opportunity)... It's also possible to enable it by adding a file to the boot partition though.

    I suppose the problem is that newbies still don't know the importance of changing default passwords and Raspbian is not installed but dd'ed to a disk, much like a VPS but without the friendly UI forcing you to set a custom password.

  15. $1 / month for each Raspberry Pi 3 by xororand · · Score: 1

    Several crypto coins have been designed specifically to thwart GPU and FPGA mining.
    The Raspberry Pi 3 seems to get 10 Hash/s of Monero mining.
    10 H/s of XMR yields about $1.10 per day.

    So the cracker isn't getting rich, but they can generate a modest supplementing income. I assume many Raspberry Pi on the Internet are installed and forgotten about. Nobody notices 100% CPU load if the cracker uses nice -n19.

    1. Re:$1 / month for each Raspberry Pi 3 by religionofpeas · · Score: 2

      10 H/s of XMR yields about $1.10 per day [cryptocompare.com].

      I'm only getting $1.05 per month, using 1W power consumption.

    2. Re:$1 / month for each Raspberry Pi 3 by allo · · Score: 1

      But it's not your power bill, when you're a hacker.

    3. Re:$1 / month for each Raspberry Pi 3 by Fnord666 · · Score: 1

      But it's not your power bill, when you're a hacker.

      ding ding ding!

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  16. IoT by Anonymous Coward · · Score: 0

    Another example of unsecured appliances falling victim to others' will. I'm hoping we'll see a network of IoT helping research process information instead.

  17. Can't change OpenELEC's default password by Anonymous Coward · · Score: 0

    What is the SSH login?
    Currently the login into OpenELEC has fixed settings.

    Login: root
    Password: openelec

    Note that these values are case-sensitive.

    How do I change the SSH password?
    At the moment it's not possible to change the root password as it's held in a read-only filesystem. However, for the really security conscious advanced user, you can change the password if you build OpenELEC from source. Also you can consider logging in with ssh keys and disabling password logins.

    OpenELEC_8.0.4:~ # passwd

      There is no working 'passwd'.

      The 'passwd' command changes passwords for user accounts.

      With OpenELEC it is not possible to change the system password

      SSH is included only as a last support resort. SSH is off by default.
      Most users never need SSH and need help using it so we need a default
      password. If you need to keep SSH always on then this is unsupported
      but can be secured with certificates.

      TIP: disable password authentication in ssh and use public key authentication.

    But Kodi security is a bad joke anyway. Any addon has full control, so pwning any repository that autoupdates these addons with virtually zero security can lead to millions of devices infected pretty quickly.

    So, yeah.

    1. Re:Can't change OpenELEC's default password by Sadsfae · · Score: 1

      But Kodi security is a bad joke anyway. Any addon has full control, so pwning any repository that autoupdates these addons with virtually zero security can lead to millions of devices infected pretty quickly.

      So, yeah.

      Only if you run a canned, lightweight Kodi distribution like LibreElec or OpenElec. You can easily set up Kodi with Fedora, for example, and it will use a local non-privileged user.

      --
      Have a squat over at the hobo house.

    2. Re:Can't change OpenELEC's default password by Anonymous Coward · · Score: 0

      Still, any addon has full access to all your Kodi processes, including your storage and network. No need to run as root.

  18. This isn't malware by Sadsfae · · Score: 1

    How is this malware? Looks like a simple, automated SSH probe to me for people who don't follow obvious best practices. If you're going to leave SSH open to the world then do at least a few of the below:

    1) Change the default password
    2) Enable key auth only
    3) Change the default listening port.

    --
    Have a squat over at the hobo house.
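
The SSH hardening the two comments above (#17 and #18) recommend, as an added shell example that is not from the thread or from any of the projects named: a POSIX sh check that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, `#` lines are comments) and reports settings that still allow password or root logins or leave the default port. The two sample configs are constructed for the demo; the temp-file paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the advice
# in the comments above (key-only auth, no password logins, non-default port).
# Sample configs are constructed; paths and function names are assumptions.

# sshd_effective FILE KEYWORD DEFAULT
# Echo the effective value of KEYWORD: sshd takes the FIRST occurrence of a
# keyword, keywords are case-insensitive, and '#' lines are comments.
# (Caveat: values inside Match blocks are not handled here.)
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) && !found { found = 1; print $2 }
        END { if (!found) print def }
    ' "$1"
}

# sshd_audit FILE
# Print one finding per line for each setting that leaves password logins,
# root logins or the default port in place.
sshd_audit() {
    f="$1"
    [ "$(sshd_effective "$f" PasswordAuthentication yes)" = no ] ||
        echo "PasswordAuthentication is not 'no': password logins still accepted"
    [ "$(sshd_effective "$f" PubkeyAuthentication yes)" = yes ] ||
        echo "PubkeyAuthentication is disabled: key-only login impossible"
    [ "$(sshd_effective "$f" PermitRootLogin prohibit-password)" != yes ] ||
        echo "PermitRootLogin is 'yes': root can log in with a password"
    # Keyboard-interactive (PAM) can still prompt for the account password even
    # when PasswordAuthentication is 'no'. Newer OpenSSH names the keyword
    # KbdInteractiveAuthentication; ChallengeResponseAuthentication is the old alias.
    kbd=$(sshd_effective "$f" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(sshd_effective "$f" ChallengeResponseAuthentication yes)
    [ "$kbd" = no ] ||
        echo "KbdInteractiveAuthentication/ChallengeResponseAuthentication is not 'no': PAM may still ask for a password"
    [ "$(sshd_effective "$f" Port 22)" != 22 ] ||
        echo "Port is 22: the default port, the first thing scanners try"
}

# sshd_finding_count FILE : number of findings (0 means the config is clean).
sshd_finding_count() {
    sshd_audit "$1" | awk 'END { print NR }'
}

# Constructed sample configs (assumed contents, written to a temp dir).
SAMPLE_DIR=$(mktemp -d)
WEAK_CFG="$SAMPLE_DIR/sshd_config.weak"
HARD_CFG="$SAMPLE_DIR/sshd_config.hardened"
cat > "$WEAK_CFG" <<'EOF'
# stock-looking config: everything left at its default
#Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# duplicate keyword below: sshd ignores it, the first occurrence wins
passwordauthentication yes
EOF

sshd_audit "$WEAK_CFG"    # prints four findings
sshd_audit "$HARD_CFG"    # prints nothing
```

Run it against `/etc/sshd_config` on the box you actually administer; the keyboard-interactive check is the one most people miss, because with `UsePAM yes` a `PasswordAuthentication no` alone does not stop PAM from asking for the account password.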
    1. Re:This isn't malware by Anonymous Coward · · Score: 0

      This is pretty clearly malicious software == malware. Your pro-linux cognitive dissonance is showing. lol

  19. Fails to mention by Anonymous Coward · · Score: 0

    The article doesn't mention how the malware originally was installed on the client's network. Obviously Windows is the problem, which has access to the unsecured Linux boxes.

  20. That's stupid news about something stupid...... by Anonymous Coward · · Score: 0

    It's stupid news because you "can't" infect hardware... you can infect software... so if some distro of Raspberry Pi is infectable then other devices will also be, not just the Pi.... also the fix is simple, build your f.uking kernel (and packages) for a change or use an updated distro like Arch Linux...

    It's something stupid because 1 computer with a $200 graphics card can mine more bitcoins than 1000 Pis.... why would anyone mine on a Pi????? why not use it as a botnet member and just keep it sleeping until then??? Also, you can't even mine anything useful with a Nvidia 1090. Everyone gaining cash from mining is using racks of dedicated hardware...

    WHY?? Why use a Pi to mine???? you will need millions of Pis and a lot of time to get a bitcoin. WHY???

    1. Re:That's stupid news about something stupid...... by Anonymous Coward · · Score: 0

      It's sad that I have to scroll to the very bottom until finally someone points this out.
      One raspi is FUCKING SLOW.
      A million raspis put together are .. STILL FUCKING SLOW.

  21. Raspberry Pi Malware by PatientZero · · Score: 1

    Yes, because when a Windows user purposefully executes malware and it takes over the system it's all Windows' fault, but when a Linux user permits the same thing it's not Linux at all.

    No, the reason this isn't Linux malware is that it only works on the Raspberry Pi with the default password. You could easily build a Windows-based version with the same flaw, but that wouldn't make it Windows malware. Your Windows malware example only requires Windows, making it Windows malware. This is Raspberry Pi (model A?) malware.

    When people use the term Windows malware correctly, they mean malware that requires only a Windows host to function. You cannot deny that there are hundreds of malware programs that can infect a generic Windows install.

    For the record, I use Windows and Linux for both work and play.

    --
    Freedom to fear. Freedom from thought. Freedom to kill.
    I guess the War on Terror really is about freedom!

    1. Re:Raspberry Pi Malware by thegarbz · · Score: 1

      No, the reason this isn't Linux malware is that it only works on the Raspberry Pi with the default password.

      Not at all. It works on any ARM-based Linux distribution and spreads by SSH with a specific set of credentials. Like a lot of Raspberry Pi "specific" stuff, it's very cross-platform to a variety of Linux setups running on Pis and on various other small single-board computers.

      Just because the malware spreads on a specific set of credentials that are most likely to be present on a Raspberry Pi doesn't make it any less Linux malware.

    2. Re:Raspberry Pi Malware by PatientZero · · Score: 1

      By that logic, it's ARM, computer, and binary malware. Are all binary-based computers threatened? I don't think so. It could be ported, or you could set up your Linux PC to have the same common credentials, but the only Linux box that comes configured that way is the Pi.

      --
      Freedom to fear. Freedom from thought. Freedom to kill.
      I guess the War on Terror really is about freedom!

    3. Re:Raspberry Pi Malware by thegarbz · · Score: 1

      Yes, so we should stop calling Windows malware Windows malware and specifically x86 malware, right?

      Every ARM PC is threatened if the credentials are set up in a certain way.

      but the only Linux box that comes configured that way is the Pi.

      Only when you didn't read what I wrote: let me quote myself:

      very cross-platform to a variety of Linux setups running on Pis and on various other small single-board computers.

      The Pi isn't the only one that is set up the way the Pi is, thanks greatly to the massive popularity of the distribution and the many other people who are riding on the work of that team.

  22. Initial Raspberry Pi setup to protect against Linu by Anonymous Coward · · Score: 0

    Looks like there is a gist already up to protect against this sort of thing during initial setup:

    #!/usr/bin/env bash
    # Run this from a root shell or a second login, not from the pi account
    # itself: deluser refuses to remove a user that still has running processes.
    [[ -z "$1" ]] && \
      printf 'need a username as the first argument.\n\n' && \
      printf '(prefer lowercase and letters only, read more:\n' && \
      printf 'http://bit.ly/2siqPGt\n\n' && \
      printf '(wrap the username in quotes, read more:\n' && \
      printf 'http://wiki.bash-hackers.org/syntax/quoting)\n\n' && \
      exit 1
     
    [[ -z "$2" ]] && \
      printf 'need a password as the second argument.\n\n' && \
      printf '(wrap the password in quotes, read more:\n' && \
      printf 'http://wiki.bash-hackers.org/syntax/quoting)\n\n' && \
      exit 1
     
    USERNAME="$1"
    PASSWORD="$2"
     
    # add new user, set its password hash and give it a copy of pi's home directory
    sudo useradd "$USERNAME"
    sudo usermod -p "$(printf '%s' "$PASSWORD" | openssl passwd -1 -stdin)" "$USERNAME"
    sudo cp -pR /home/pi "/home/$USERNAME"
    sudo chown -R "$USERNAME:$USERNAME" "/home/$USERNAME"
     
    # add the same groups to the new user that the pi user has
    for group in $(sudo groups pi | cut -d ":" -f 2); do
      if [[ "$group" == "pi" ]]; then continue
      else sudo usermod -a -G "$group" "$USERNAME"
      fi
    done
     
    # zip up the pi user's home directory, remove it and any mail
    cd /home
    sudo tar -cJpvf pi.tar.xz pi
    sudo deluser pi --remove-home
     
    # change sudo access from pi to new user
    # (double quotes so $USERNAME expands; \b so only the whole word "pi" is replaced)
    sudo sed -i "s/\bpi\b/$USERNAME/g" /etc/sudoers

    Looks like it:

    • creates a new user with the supplied name and password
    • copies the pi user's default groups to the new user
    • zips up the pi user's home directory for safe keeping
    • and swaps out the pi user for the new user in /etc/sudoers