
posted by chromas on Monday September 02 2019, @02:39AM
from the it's-free-real-estate dept.

Coin-mining malware jumps from ARM IoT gear to Intel servers

Akamai senior security researcher Larry Cashdollar says one of his honeypot systems recently turned up what appears to be an IoT malware that targets Intel machines running Linux.

"I suspect it’s probably a derivate of other IoT crypto mining botnets," Cashdollar told The Register. "This one seems to target enterprise systems."

In addition to being fine-tuned for Intel x86 and 686 processors, the malware attempts an SSH connection on port 22 and delivers itself as a gzip archive. It then checks whether the machine has already been infected (in which case the installation stops) or whether an earlier version is running and needs to be terminated. Next, it creates three different directories holding different versions of the same files.

"Each directory contains a variation of the XMRig v2.14.1 cryptocurrency miner in either x86 32-bit or 64-bit format," the Akamai security ace explained. "Some of the binaries are named after common Unix utilities, like ps, in an attempt to blend into a normal process list."

Following that step, the malware looks to install the cryptocurrency mining tool itself and modify the host system's crontab file to make sure the malware runs even after a reboot. Additionally, the malware installs a shell script that allows it to communicate with the command and control server.
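The two persistence tricks described above (a crontab entry that re-launches the miner and binaries named after common utilities such as ps) both leave host-level traces a defender can check for. The following Python script is an added example and is not code from the article, from Akamai or from The Register; it runs over a constructed crontab and a constructed process table rather than a live system, and the list of "trusted" directories and the set of utility names it compares against are assumptions for the illustration.

```python
import re

# Constructed sample crontab (not from the article). The certbot line is a
# normal entry; the other two launch executables from world-writable paths.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /tmp/.x/ps
*/5 * * * * /var/tmp/.cache/run.sh
"""

# Constructed process table as (process name, executable path) pairs. On a
# live Linux host the path would come from os.readlink("/proc/<pid>/exe").
SAMPLE_PROCESSES = [
    ("ps", "/usr/bin/ps"),
    ("ps", "/tmp/.x/ps"),
    ("sshd", "/usr/sbin/sshd"),
    ("run.sh", "/var/tmp/.cache/run.sh"),
]

# Assumed list of directories a packaged system binary is expected to live in.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/usr/local/bin/", "/usr/local/sbin/")

# Assumed set of utility names an intruder might borrow to blend in.
COMMON_UTILS = {"ps", "ls", "top", "netstat", "sshd", "cron", "bash"}

ABS_PATH_RE = re.compile(r"/[^\s;&|]+")


def _cron_command(line):
    """Return the command part of a crontab line, or '' if it has none."""
    if line.startswith("@"):                 # @reboot, @daily, ... : one schedule token
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else ""
    parts = line.split(None, 5)              # five numeric schedule fields
    return parts[5] if len(parts) == 6 else ""


def suspicious_crontab_entries(crontab_text):
    """Flag entries whose command references an absolute path outside TRUSTED_DIRS."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        command = _cron_command(line)
        for path in ABS_PATH_RE.findall(command):
            if not path.startswith(TRUSTED_DIRS):
                hits.append((line, path))
                break
    return hits


def masquerading_processes(processes):
    """Flag processes carrying a well-known utility name but running from an odd path."""
    return [(name, exe) for name, exe in processes
            if name in COMMON_UTILS and not exe.startswith(TRUSTED_DIRS)]


if __name__ == "__main__":
    for entry, path in suspicious_crontab_entries(SAMPLE_CRONTAB):
        print(f"crontab: {path!r} in {entry!r}")
    for name, exe in masquerading_processes(SAMPLE_PROCESSES):
        print(f"process: {name} running from {exe}")
```

A real deployment would read the system crontab, /etc/cron.d and each user's crontab, and walk /proc to build the process table; the check logic stays the same. A binary named ps under /tmp is not proof of compromise on its own, but it is exactly the kind of mismatch worth a closer look when combined with an unexpected crontab entry.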

  • (Score: 0) by Anonymous Coward on Monday September 02 2019, @03:15AM (9 children)

    by Anonymous Coward on Monday September 02 2019, @03:15AM (#888709)

    Well this blows the "not affected by malware" claims of so many distros. I hope this begins a process of consolidation and tightening up in Linuxland. Fewer distros, but of higher quality.
    disclosure: I run Linux at home and have worked almost exclusively on Unix systems for 30 years.

  • (Score: 4, Insightful) by legont on Monday September 02 2019, @03:26AM (8 children)

    by legont (4179) on Monday September 02 2019, @03:26AM (#888710)

    Wide open port 22... hmm... I'd think rogue crypto miner is the least of worries at this point.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 0) by Anonymous Coward on Monday September 02 2019, @04:06AM (1 child)

      by Anonymous Coward on Monday September 02 2019, @04:06AM (#888713)

      Spare a 🟡 for an old beggar? Blessing of Akatosh upon ye!

      • (Score: 2) by maxwell demon on Monday September 02 2019, @01:07PM

        by maxwell demon (1608) on Monday September 02 2019, @01:07PM (#888807) Journal

        You want a large yellow circle?

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by maxwell demon on Monday September 02 2019, @01:03PM (1 child)

      by maxwell demon (1608) on Monday September 02 2019, @01:03PM (#888805) Journal

      Unless you (a) enabled password authentication, and (b) use a weak password, I don't see how an open port 22 is a major security risk.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2, Insightful) by shrewdsheep on Monday September 02 2019, @01:27PM

        by shrewdsheep (5215) on Monday September 02 2019, @01:27PM (#888810)

        But he said it's wide open!

    • (Score: 3, Insightful) by RS3 on Monday September 02 2019, @02:14PM (3 children)

      by RS3 (6367) on Monday September 02 2019, @02:14PM (#888829)

      FTFA, it's a "honeypot"- intentional. Enables investigation into malware and its sources.

      I run a few servers and it's laughable the constant port 22 attacks. I use software that, after X number of wrong guesses, blocks the source IP. Yep, the blocklist is very long.

      Also from article:

      The honeypot allows logins using known default login credentials for root.

      I wasn't aware of any "known default" passwords for "root". Maybe he meant frequently used?
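Two points in this thread go together: maxwell demon's observation that an open port 22 is mainly a risk when password authentication is enabled with a weak password, and RS3's practice of blocking a source after X wrong guesses. The Python below is an added example and is not code from either commenter or from any particular tool; it audits a constructed sshd_config fragment for the settings that permit password guessing (shown weak and hardened) and counts failed password attempts per source over constructed sshd log lines. The threshold of five and the two config fragments are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed sshd_config fragments (not taken from the thread).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Constructed auth log lines in the usual sshd syslog format (not real data;
# addresses are from the documentation ranges).
SAMPLE_AUTH_LOG = """\
Sep  2 03:10:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep  2 03:10:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Sep  2 03:10:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Sep  2 03:10:07 host sshd[1207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Sep  2 03:10:09 host sshd[1209]: Failed password for root from 203.0.113.7 port 51063 ssh2
Sep  2 03:11:00 host sshd[1211]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2: ED25519 SHA256:<fingerprint>
Sep  2 03:12:30 host sshd[1213]: Failed password for bob from 198.51.100.9 port 40012 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")


def audit_sshd_config(text):
    """Return the settings in an sshd_config that leave password guessing possible.

    Unset keys are evaluated at the OpenSSH defaults: PasswordAuthentication is
    'yes' and PermitRootLogin is 'prohibit-password' unless the config says otherwise.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        value = parts[1] if len(parts) == 2 else ""
        settings[parts[0].lower()] = value.strip().lower()
    findings = []
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes")
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes")
    return findings


def sources_over_threshold(log_text, threshold=5):
    """Count failed password attempts per source address; return those at or over threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("weak config findings:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
    print("sources to block:", sources_over_threshold(SAMPLE_AUTH_LOG))
```

Tools like fail2ban do the second half of this with a firewall action attached; the counting logic is the same. The first half is the more durable fix: once password authentication is off and root cannot log in with a password, a long blocklist turns from a necessity into a log-noise problem.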

      • (Score: 0) by Anonymous Coward on Monday September 02 2019, @07:02PM (2 children)

        by Anonymous Coward on Monday September 02 2019, @07:02PM (#888923)

        The article said "seems to target enterprise" so those suited whores probably pay thousands of dollars for bastardized linux appliances with insecure default setups.

        • (Score: 2) by RS3 on Tuesday September 03 2019, @01:50AM (1 child)

          by RS3 (6367) on Tuesday September 03 2019, @01:50AM (#889065)

          A bit cynical, but you're probably right. I'm still not sure where "default" passwords come into play. I've seen them on "live" bootable images, but otherwise every Linux install I've done asks for a root password during install. All that said, I've not installed every Linux flavor (yikes!) so maybe some are incredibly stupid?

          • (Score: 0) by Anonymous Coward on Tuesday September 03 2019, @06:07PM

            by Anonymous Coward on Tuesday September 03 2019, @06:07PM (#889244)

            Cynical? A little more than that. I pretty much hate most medium/big companies.

            However, I said something like "bastardized appliances", IIRC. So $big_dumb_company takes linux kernel or distro and bastardizes the shit out of it (port 22 SSH w/ password auth and worse) and flashes it to their embedded device.