SoylentNews is people

posted by n1 on Monday June 12 2017, @02:07AM
from the massively-parallel-snails dept.

HotHardware.com is reporting that there's a Linux malware in the wild that takes over Raspberry Pi devices and uses them to mine for cryptocurrency...

Linux.MulDrop.14 [scans] for RPis with an open (and default) SSH port, the "pi" user is logged into (if the password is left default), and the password is subsequently changed. After that, the malware installs ZMap and sshpass software, and then it configures itself... to make digital money for someone else, namely the author of the malware, using your Raspberry Pi.

The article focuses on how much your power bill will go up in the course of making money for someone else due to the 100%-CPU-usage nature of mining software.

The existence of such a malware raises the question: Are there enough Raspberry Pi devices connected to the network, but not really monitored, such that there are enough to mine a single unit of cryptocurrency? ARM dev boards are not known for processing power, and the RPIs are no exception.

On the subject of default root passwords for devices intended to be connected to Internet, must this be the case with the RPI, or could they take the route of having an actually installable GNU/Linux instead of an image of an already installed system with insecure passwords?
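The sequence quoted above (password login as "pi", password change, then ZMap and sshpass installed) leaves traces a defender can correlate. The following is an added example, not part of the original story or of any vendor tooling; the log lines are constructed samples in Debian `auth.log` and `dpkg.log` format, and it assumes the password change goes through PAM so that it is logged.

```python
import re
from datetime import datetime

# Constructed sample lines (not real captures); addresses are documentation ranges.
AUTH_LOG = """\
Jun 12 02:01:10 raspberrypi sshd[811]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jun 12 02:03:44 raspberrypi sshd[845]: Accepted password for pi from 203.0.113.9 port 51820 ssh2
Jun 12 02:03:47 raspberrypi passwd[852]: pam_unix(passwd:chauthtok): password changed for pi
Jun 12 09:15:02 raspberrypi sshd[990]: Accepted publickey for pi from 192.0.2.20 port 60022 ssh2
"""
DPKG_LOG = """\
2017-06-12 02:04:30 install zmap:armhf <none> 2.1.1-2
2017-06-12 02:04:41 install sshpass:armhf <none> 1.06-1
2017-06-12 10:00:00 install htop:armhf <none> 2.0.2-1
"""

LOGIN = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted password for pi from (\S+)")
CHANGE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ \S+\[\d+\]: pam_unix\(\S+:chauthtok\): password changed for pi\b")
INSTALL = re.compile(r"^\S+ \S+ install (zmap|sshpass):")

def _ts(stamp, year):
    # syslog timestamps carry no year, so the caller has to supply it
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def takeover_candidates(auth_log, window_s=300, year=2017):
    """Return (source_ip, login_time) for each password login as pi that is
    followed by a password change for pi within window_s seconds."""
    hits, pending = [], []
    for line in auth_log.splitlines():
        if m := LOGIN.match(line):
            pending.append((m.group(2), _ts(m.group(1), year)))
        elif m := CHANGE.match(line):
            changed = _ts(m.group(1), year)
            hits += [(ip, t) for ip, t in pending
                     if 0 <= (changed - t).total_seconds() <= window_s]
            pending = []
    return hits

def scanner_tools_installed(dpkg_log):
    """Names of the two packages the story says the malware installs, if logged."""
    return sorted({m.group(1) for l in dpkg_log.splitlines() if (m := INSTALL.match(l))})
```

A key-based login, like the last constructed `auth.log` line, is never flagged; only password logins as "pi" are considered.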



Related Stories

Russian Nuclear Scientists Caught Using Supercomputers To Mine Cryptocurrency

Well, we've seen past stories on viruses co-opting Raspberry Pi units to mine cryptocurrency, and websites mining a few coins on their viewers' systems, but it took some crafty boffins in Russia to really give the issue some scale. International Business Times has the story, dated 9 Feb 2018...

Russian security officials arrested a number of scientists working at a secret Russian nuclear weapons facility for allegedly using lab equipment to mine for cryptocurrencies, according to Russia's Interfax News Agency.

[The facility's computers are] supposed to be isolated; they are kept disconnected from the internet in order to prevent any outside intrusion or hacking efforts. That was violated by the engineers who decided to use the supercomputer rigs to mine for cryptocurrency.

Mining for cryptocurrency requires a considerable amount of processing power—something the average computer might struggle to provide but a supercomputer designed for work on nuclear weapons surely has the capacity for.

The story does not specify the cryptocurrency or cryptocurrencies the scientists were trying to mine, nor whether any mining was successful.



This discussion has been archived. No new comments can be posted.
  • (Score: 3, Funny) by Anonymous Coward on Monday June 12 2017, @02:05AM (2 children)

    by Anonymous Coward on Monday June 12 2017, @02:05AM (#524088)

    Harnessing Raspberry Pis for crypto-currency mining sounds a lot like investing in a team of shambler zombies for Olympic track-racing events.

    • (Score: 2) by stretch611 on Monday June 12 2017, @07:55AM (1 child)

      by stretch611 (6199) on Monday June 12 2017, @07:55AM (#524188)

      But, if they are looking to win a marathon, zombies do not need to sleep and can run(?or walk) 24x7.

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P
      • (Score: 1, Funny) by Anonymous Coward on Monday June 12 2017, @09:15AM

        by Anonymous Coward on Monday June 12 2017, @09:15AM (#524223)

        Marathon runners typically don't sleep during the Marathon either. And if some do, those certainly won't win.

  • (Score: 2, Informative) by Booga1 on Monday June 12 2017, @02:37AM (7 children)

    by Booga1 (6333) on Monday June 12 2017, @02:37AM (#524096)

    Well, leave your default passwords on default usernames on internet connected devices and there really shouldn't be any surprise if it gets taken over.
    Until people are forced to change passwords on first use, this isn't going to change. Doesn't matter if it's the router, the Pi, the webcam, or any internet-of-things toys.

    • (Score: 2) by frojack on Monday June 12 2017, @03:58AM

      by frojack (1554) on Monday June 12 2017, @03:58AM (#524113) Journal

      I can't imagine writing any malware trying to take over a Pi. Even if you hack half a million of them, you still don't have any crypto powerhouse at your disposal. They would all melt down if you put them to that much work. They need heat sinks [broadviewtech.com] for that kind of work.

      That said I'm posting this from a Pi 3 Model B, which makes a passable web browser email reader chat platform. It's behind a router on cat5, and since it has wifi built in it is also serving as my backup wifi gateway in my office. Runs Chrome and Claws.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 2) by VLM on Monday June 12 2017, @12:23PM (5 children)

      by VLM (445) on Monday June 12 2017, @12:23PM (#524316)

      Until people are forced to change passwords on first use, this isn't going to change.

      Technically you can change the pi password on every boot automatically, then automatically insert that pi password into the console login screen because anyone with physical access essentially has root anyway. The first time you run passwd successfully, this "scramble at every reboot" can be disabled. As a gross simplification every boot you'd eat the output of `pwgen -N 1` into a shell variable then run passwd on it and insert the new password into a newly generated /etc/issue file (making some huge assumptions about the base install of a pi...) Obviously anyone who can read /etc/issue has access to the box, so try to prevent that. Also I'm sure systemd has replaced getty so my description of how to do it on a Unix-like OS is no longer applicable to a non-Unix-like OS. However Windows does it is probably how systemd does it, and presumably it's possible somehow.

      Another interesting solution is nobody gets to SSH in remotely until the password is set, but by playing some games with PAM libraries the physical console login can for all time be "raspberry". As a side dish it's probably possible to create a "special" PAM library that causes auto-fail if the uname/pword is the unchanged default and insert that into just the sshd pam file. Probably.

      I could do either solution later in the day but I'm sleepy right now. PAM is arcane wizardry and I need to obtain a sacrificial chicken before doing battle with PAM although the first option sounds relatively simple...
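The effect described in the comment above (no password login for "pi" over SSH while the console login is left alone) can also be had from sshd's own `Match` blocks instead of a custom PAM module, which is a different technique from the one the commenter sketches. The following added example, not from the thread, checks whether a given `sshd_config` still lets "pi" log in with a password; both config texts are constructed, and the model is simplified to `Match User` with literal names and `Match All`.

```python
# Constructed sshd_config texts: a permissive one and a hardened one.
WEAK = """\
PermitRootLogin no
PasswordAuthentication yes
"""
HARDENED = """\
PasswordAuthentication yes
Match User pi
    PasswordAuthentication no
    AuthenticationMethods publickey
"""

def password_login_allowed(config_text, user="pi"):
    """Effective PasswordAuthentication for `user` under a simplified model of
    sshd_config: the first value seen wins, and a matching Match block
    overrides the global section. Wildcards, negation and criteria other
    than User/All are not modelled (such blocks are treated as not matching)."""
    global_value = match_value = None
    in_match = applies = False
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ").split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            in_match = True
            crit = [a.lower() for a in args]
            applies = crit == ["all"] or (
                len(args) == 2 and crit[0] == "user" and user in args[1].split(","))
        elif key == "passwordauthentication" and args:
            value = args[0].lower() == "yes"
            if not in_match and global_value is None:
                global_value = value
            elif in_match and applies and match_value is None:
                match_value = value
    if match_value is not None:
        return match_value
    return True if global_value is None else global_value  # sshd's default is yes
```

The function looks only at `PasswordAuthentication`; on a live system, sshd's extended test mode (`sshd -T` with a `-C` connection spec) reports the authoritative effective settings.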

      • (Score: 2) by VLM on Monday June 12 2017, @12:24PM

        by VLM (445) on Monday June 12 2017, @12:24PM (#524318)

        The first time you run passwd successfully, this "scramble at every reboot" can be disabled.

        Ah I got a better idea about 2 seconds after I hit "submit". Leave the scrambler in for all eternity to encourage the use of key based authentication.

      • (Score: 2) by requerdanos on Monday June 12 2017, @12:52PM (3 children)

        by requerdanos (5997) Subscriber Badge on Monday June 12 2017, @12:52PM (#524344) Journal

        Another interesting solution is nobody gets to SSH in remotely until the password is set

        The Raspberry Pi folks almost, but not quite [raspberrypi.org] figured this out according to a Nov. 2016 post on the official Raspberry Pi blog:

        Anyone who has been following tech media over the last few months will have seen the stories about botnets running on Internet of Things devices. Hackers are using the default passwords... to create a network. Raspbian installs have the default user account ‘pi’ with the password ‘raspberry’. If you’re enabling SSH, you should really change the password for the ‘pi’ user... To encourage this, we’ve added warnings to the boot process. If SSH is enabled, and the password for the ‘pi’ user is still ‘raspberry’, you’ll see a warning message whenever you boot the Pi... We’re not enforcing password changes, but you’ll be warned whenever you boot if your Pi is potentially at risk.

        So their current solution is to tell the novices that the product is intended for, "dude, you should, like, really change your password or something."

        I am sure many respond with "Well, that's like, just your opinion, man."

        • (Score: 2) by VLM on Monday June 12 2017, @01:20PM

          by VLM (445) on Monday June 12 2017, @01:20PM (#524370)

          Ouch, that's a highly questionable design choice. Like did some Russian or acronym organization pay for it, level of questionable.

        • (Score: 2) by maxwell demon on Monday June 12 2017, @07:52PM (1 child)

          by maxwell demon (1608) on Monday June 12 2017, @07:52PM (#524618) Journal

          Of course if you are operating your Pi headless, you'll never get to see this boot message in the first place ...

          --
          The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by requerdanos on Monday June 12 2017, @11:23PM

            by requerdanos (5997) Subscriber Badge on Monday June 12 2017, @11:23PM (#524709) Journal

            Yes, the message is displayed on any login. If your login is GUI, there's a message box; if not, then it's above the initial prompt, according to their blog post. I don't know the mechanism of delivery.

  • (Score: -1, Troll) by Anonymous Coward on Monday June 12 2017, @03:06AM

    by Anonymous Coward on Monday June 12 2017, @03:06AM (#524100)

    Have fun with your strawberry pie, Linux whores.

  • (Score: 2) by Lagg on Monday June 12 2017, @03:13AM

    by Lagg (105) on Monday June 12 2017, @03:13AM (#524102) Homepage Journal

    When I had a use for the pi and ran one, basically anything that took up cycles would make it so that even dash got stalled. This seems like an old piece of malware that happened to be redistributed enough to be noticed again. Or perhaps that someone purposefully decided to redistribute.

    --
    http://lagg.me [lagg.me] 🗿
  • (Score: 3, Insightful) by ledow on Monday June 12 2017, @12:45PM (3 children)

    by ledow (5567) on Monday June 12 2017, @12:45PM (#524337) Homepage

    "The article focuses on how much your power bill will go up in the course of making money for someone else due to the 100%-CPU-usage nature of mining software."

    On a 5v 2/3A device? 15W total? My PC probably takes more than that in standby.

    You could leave it on for a year and barely reach the same cost as a couple of months of a standard lightbulb being on.

    And how much would it generate them? Given the RPi's base clock, not a lot at all.

    CPU miners were dead years ago.
    GPU miners are dead even.
    ASIC miners are only just holding their own and making profit.

    You could install it on a million RPi's, make no money out of it, and individual owners wouldn't even notice the difference on the electricity bill, most likely.

    • (Score: 2) by VLM on Monday June 12 2017, @01:23PM

      by VLM (445) on Monday June 12 2017, @01:23PM (#524373)

      The local power company would notice. So is it capitalism at work and the botnet authors work for your local electrical company, or is it ecoterrorism where the goal is to make one pi virus emit 1000000 times as much CO2 as the Paris Accords would have reduced or is it a combo of the above as a piece of performance art?

    • (Score: 3, Informative) by JNCF on Monday June 12 2017, @02:07PM

      by JNCF (4317) on Monday June 12 2017, @02:07PM (#524401) Journal

      CPU miners were dead years ago.
      GPU miners are dead even.
      ASIC miners are only just holding their own and making profit.

      That's true of Bitcoin. It isn't true of Zcoin yet, or any number of other small cryptocurrencies which can be traded for bitcoins. The only source I found saying that this malware mines bitcoins has redacted the claim (Hackaday). I don't know what it uses, but I doubt it's Bitcoin.

    • (Score: 0) by Anonymous Coward on Tuesday June 13 2017, @05:06PM

      by Anonymous Coward on Tuesday June 13 2017, @05:06PM (#525013)

      there's nothing insightful about this post. any half-assed attempt at learning about the cryptocurrency space will immediately reveal that there are many coins that are profitable to mine with GPUs. ledow is obviously a slave virus infected windows user.
