New Vulnerability: Raspberry Pi Malware Mines Cryptocurrency


What is Raspberry Pi?

Raspberry Pi is an open-source computer hardware and software company, project, and user community that designs and manufactures single-board microcontrollers and microcontroller kits for building digital devices and interactive objects that can sense and control objects in the physical world. The project's products are distributed as open-source hardware and software. Raspberry Pi designs use a variety of microprocessors and controllers, and are available commercially in preassembled form or as do-it-yourself kits.

What is Cryptocurrency?

A cryptocurrency (or crypto currency) is a digital asset designed to work as a medium of exchange, using cryptography to secure transactions and to control the creation of additional units of the currency. Cryptocurrencies are a subset of alternative currencies, or more specifically of digital currencies.

Bitcoin, perhaps the most popular one, became the first decentralized cryptocurrency in 2009. Since then, numerous cryptocurrencies have been created. These are frequently called altcoins, a blend of "bitcoin alternative". Bitcoin and its derivatives use decentralized control, as opposed to centralized electronic money and centralized banking systems. The decentralized control comes from the use of bitcoin's blockchain transaction database in the role of a distributed ledger.

What is the Vulnerability?

A new malware called Linux.MulDrop.14 is targeting Raspberry Pi computers. In a separate posting, the site that reported it examines two different Pi-based trojans, including Linux.MulDrop.14. That trojan uses the Raspberry Pi to mine some form of cryptocurrency; the other trojan sets up a proxy server.

The trojan is a bash script containing a mining program, which is compressed with gzip and encoded with base64. Once launched, the script shuts down several processes and installs the libraries required for its operation. It also installs zmap and sshpass.

It then replaces the password hash of the user "Pi" with "$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1" (a SHA-512 crypt hash, so only the operator knows the new password).

In addition, the malware searches the network for machines with port 22 open and tries to log in with the default Raspberry Pi credentials in order to spread itself.
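The two artifacts the description above gives a defender something concrete to look for: the replaced password hash and the zmap/sshpass tools. The following triage script is an added example written for this page, not code from the article or from the malware analysis it summarises. It takes file and directory paths as arguments so it can be run against a copy of /etc/shadow and the usual binary directories (reading the real /etc/shadow needs root); the shadow lines used in the usage example are constructed, while the hash value itself is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the original article): triage checks for the
# Linux.MulDrop.14 indicators described above, namely the replaced "pi"
# password hash and the zmap/sshpass tools the script installs.
# Usage: sh muldrop_check.sh /etc/shadow /usr/bin /usr/local/bin

# The password hash the article reports the malware writes for the "pi" user.
MULDROP_HASH='$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1'

# muldrop_hash_users SHADOW_FILE
# Prints each account whose hash field (field 2 of a shadow line) equals
# MULDROP_HASH, one per line. Exit status 0 when at least one account
# matched, 1 otherwise. String comparison is exact: a salted hash is unique
# to the malware's operator, so a match is a strong indicator of compromise.
muldrop_hash_users() {
    awk -F: -v h="$MULDROP_HASH" '
        $2 == h { print $1; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# muldrop_tools_present DIR...
# Prints the name of each helper the article says the malware installs
# (zmap for scanning, sshpass for scripted password logins) that exists as
# an executable in any of the given directories. Exit status 0 when at
# least one is present, 1 otherwise. Presence alone is only a weak signal;
# an administrator may have installed them deliberately.
muldrop_tools_present() {
    rc=1
    for tool in zmap sshpass; do
        for dir in "$@"; do
            if [ -x "$dir/$tool" ]; then
                echo "$tool"
                rc=0
                break
            fi
        done
    done
    return $rc
}

# muldrop_triage SHADOW_FILE DIR...
# Runs both checks, prints one line per finding, and returns the number of
# indicator classes that fired (0 = nothing found, up to 2).
muldrop_triage() {
    shadow=$1; shift
    hits=0
    if users=$(muldrop_hash_users "$shadow"); then
        echo "ALERT: MulDrop password hash set for:" $users
        hits=$((hits + 1))
    fi
    if tools=$(muldrop_tools_present "$@"); then
        echo "WARN: scanning/login tools present:" $tools
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ] && echo "clean: no MulDrop indicators found"
    return $hits
}

# Run the triage only when paths were given on the command line, so the
# file can also be sourced for its functions.
if [ $# -gt 0 ]; then
    muldrop_triage "$@"
fi
```

A hash match is the decisive signal: once the malware has swapped the hash, the legitimate password for "pi" no longer works, which is usually how an owner first notices. The tool check is there to widen the net on hosts whose shadow file has already been cleaned up or restored.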

Embedded systems are a particularly inviting target for hackers. Most of the time, it is for the value of the physical system they monitor or control. Other times, it is for the computing power, which can be used to carry out denial-of-service attacks, spam campaigns, or, in this case, mining. We wonder how large a Raspberry Pi botnet would need to be to compete in the mining realm.

As with all other devices, we strongly advise you to change the default passwords on your Pi, if you have one. To raise the security further, set up two-factor authentication. You can do other things too, such as changing the SSH port, running fail2ban, or implementing port knocking. Of course, if you use Samba to share Windows files and printers, you ought to read about that vulnerability as well.
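Since the malware spreads by password-guessing over port 22, most of the advice above comes down to a handful of sshd_config settings plus a fail2ban jail. The script below is an added example for this page (not the article's own material, and not an official Raspberry Pi or OpenSSH tool): it reads the effective value of a keyword the way sshd does (first occurrence wins, case-insensitive keywords, global section only, so Match blocks are deliberately out of scope), audits a config against the advice given, and prints a matching fail2ban jail fragment. The two sample configs it creates are constructed for illustration; the port number 2222 is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config
# against the advice above and emit a fail2ban jail for the chosen port.
# Usage: sh sshd_audit.sh /etc/ssh/sshd_config

# sshd_effective KEYWORD FILE
# Prints the effective value of a keyword, lower-cased, or nothing when it
# is absent. Mirrors sshd: keywords are case-insensitive, "#" starts a
# comment, the first occurrence wins, and anything after the first "Match"
# line is conditional, so only the global section is consulted.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                  # drop comments
        NF >= 1 && tolower($1) == "match" { exit }          # global section only
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# sshd_audit FILE
# Prints one line per finding and returns the number of findings (0 = clean).
# Absent keywords are evaluated at sshd's defaults (Port 22,
# PasswordAuthentication yes).
sshd_audit() {
    n=0
    port=$(sshd_effective Port "$1");                    port=${port:-22}
    pw=$(sshd_effective PasswordAuthentication "$1");    pw=${pw:-yes}
    methods=$(sshd_effective AuthenticationMethods "$1")
    if [ "$port" = 22 ]; then
        echo "Port: default 22, the port the malware scans; move SSH off 22"
        n=$((n + 1))
    fi
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication: $pw; set to no so a default or guessed password cannot log in"
        n=$((n + 1))
    fi
    if [ -z "$methods" ]; then
        echo "AuthenticationMethods: unset; require a second factor, e.g. publickey,keyboard-interactive"
        n=$((n + 1))
    fi
    return $n
}

# fail2ban_sshd_jail PORT
# Prints a jail.local fragment that bans a source for an hour after three
# failed SSH logins within ten minutes on the given port.
fail2ban_sshd_jail() {
    cat <<EOF
[sshd]
enabled  = true
port     = $1
maxretry = 3
findtime = 600
bantime  = 3600
EOF
}

# Constructed samples: a stock-looking config that leaves the defaults in
# place, and a hardened one. The Match block at the end of the hardened
# file is there to show that the audit stops at the global section.
SSHD_DEMO=$(mktemp -d)
cat > "$SSHD_DEMO/weak" <<'EOF'
# defaults commented out, so sshd uses Port 22 and password logins
#Port 22
#PasswordAuthentication yes
UsePAM yes
EOF
cat > "$SSHD_DEMO/hard" <<'EOF'
Port 2222
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

if [ $# -gt 0 ]; then
    sshd_audit "$1"; echo "$? finding(s) in $1"
    fail2ban_sshd_jail "$(sshd_effective Port "$1" | grep . || echo 22)"
fi
```

The "weak" sample produces three findings and the "hard" sample none; note that the Match block in the hardened file would still allow password logins from one address range, which is exactly the kind of exception a global-section audit cannot see, so read the tail of the file by hand when you change it.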

Research by M. Vidyasagar