Author Topic: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com  (Read 554361 times)
Meeho (Newbie, Activity: 14, Merit: 0)
March 23, 2014, 11:31:20 PM  #3061

It is not a malware on users' computers. Miners are receiving stratum redirect commands. It is most likely a form of MITM attack, but definitely not something on the user end. It is happening among multiple pools with various mining clients and operating systems.

It is not cgwatcher/cgremote related, that user on Waffle has a separate issue.

Kalroth's thoughts:
https://bitcointalk.org/index.php?topic=433634.msg5864631#msg5864631
There's not much I can do other than disable the reconnect code, which several individuals already have done.
I'll do a quick update of my github and binaries soon enough.

From a quick glance, it looks like someone found a way to send a spoofed* JSON packet to stratum pools, which makes the pool send a redirect request to (some of?) its clients.
It does not look like it's a bug in the client software, merely an unfortunate feature.

* http://en.wikipedia.org/wiki/IP_address_spoofing
Hyperlight (Newbie, Activity: 2, Merit: 0)
March 23, 2014, 11:40:38 PM  #3062

I was affected by this problem starting about 5 hrs ago, where my hashrates slowly declined. I am on the NY server. I noticed this and rebooted my clients, hash rates are as per normal again.

I am running CGminer with CGwatcher and CGremote on fresh windows 7 boxes, no other applications run on said boxes.

Would a routed VPN to, say, a VPS close to the Clevermining datacenter mitigate the MITM attack's chances of success? I am on the West Coast so I do have a fair number of hops; I am not using the SF server due to the high reject rates I get from it.
Meeho (Newbie, Activity: 14, Merit: 0)
March 23, 2014, 11:45:43 PM  #3063

Kalroth should be posting a new version of cgminer that will be immune to this.
black007miner (Newbie, Activity: 4, Merit: 0)
March 23, 2014, 11:48:09 PM  #3064

Anyone hijacked WITHOUT using CGwatcher or CGremote?

I am not using CGwatcher or CGremote.

I have 6 Rigs total, and 1 of the 6 rigs was redirected to 190.97.165.179, was using ny.clevermining.com.

SMOS Linux 1.3 with Kalroth.
Terk (OP, Hero Member, Activity: 616, Merit: 522)
March 23, 2014, 11:50:13 PM  #3065

Quote from: Meeho on March 23, 2014, 11:31:20 PM
It is not a malware on users' computers. Miners are receiving stratum redirect commands. It is most likely a form of MITM attack, but definitely not something on the user end. It is happening among multiple pools with various mining clients and operating systems.

Yes, I've seen the log with the redirect command (the log wasn't from CleverMining, it was on another pool). The redirect command didn't actually come from the legitimate pool. The whole process looked like this:

1. Miner got disconnected from the pool (no idea if it was “natural” or caused by the attacker).
2. Miner reconnected to its pool but it didn't really connect to the pool this time; instead something hijacked this connection.
3. Just after the miner authenticated at the pool (a fake one), it got the redirect command to reconnect to a different IP address.
4. Miner followed the command and connected to the malicious pool.

The redirect command wasn't coming from the legitimate pool. Also, what's important - it wasn't injected into an existing connection between the miner and the legitimate pool. After the disconnect the miner tried to reconnect to the legitimate pool but this reconnection was hijacked and the miner was redirected to the malicious pool.

You are right that this is a form of Man In The Middle attack, but I think that the MITM attack originates at the user's place. Either on their mining rig or on some other host in the same local network. And if that's the case, then it's most likely done by some malicious software that the user downloaded.

Why do I think that other places of attack (not close to the user) are unlikely? Affected users are geographically distributed all over the world - this is not some regional issue. Affected users were connected to different pools which are using different hosting providers - this is not an attack at the pool level. At the same time the number of affected users is very tiny, which also points to a place of attack close to the user.

This is why I am suspecting some malicious software installed by the user.

For example, a new version of CGWatcher was released on Mar 21st, and the hijacking first started happening at other multi-pools on Mar 22nd. A new version of a popular software is always a good moment to distribute a maliciously modified version. I am not talking about the CGWatcher authors, but someone else might modify the software and distribute the modified version by submitting their own link to Reddit or some other mining related community.

I am also not saying that a modified CGWatcher is responsible. This is just an example of a theoretical scenario of how the attack might be performed. If you're affected, please think of what software you downloaded, when, where from, etc. - based on the example scenario above.

minedout (Member, Activity: 98, Merit: 10)
March 23, 2014, 11:56:14 PM  #3066

Thanks for the indepth responses Terk.
Meeho (Newbie, Activity: 14, Merit: 0)
March 23, 2014, 11:57:37 PM  #3067

I am not using anything besides Kalroth's cgminer 3.7.3 and my hijacking was only taking place while mining on Waffle. I would expect it to continue even after changing to CleverMining. Also, it doesn't seem likely to me that all the affected users were hit by malware on both various Linux distributions, BAMT and Windows. And I haven't touched my mining rig for the last couple of weeks and it only got hijacked today. I've been on CleverMining for the last 26 hours and it hasn't happened again. All of that seems to rule out local malware.
black007miner (Newbie, Activity: 4, Merit: 0)
March 24, 2014, 12:00:00 AM  #3068

Quote from: Meeho on March 23, 2014, 11:57:37 PM
I am not using anything besides Kalroth's cgminer 3.7.3 and my hijacking was only taking place while mining on Waffle. I would expect it to continue even after changing to CleverMining. Also, it doesn't seem likely to me that all the affected users were hit by malware on both various Linux distributions, BAMT and Windows. And I haven't touched my mining rig for the last couple of weeks and it only got hijacked today.

Changing pools seems to "fix" the redirect from my experience. I changed to sf.clevermining.com after I noticed the redirect, and it started working perfectly after that point.
ryantc (Sr. Member, Activity: 329, Merit: 250)
Signature: Bitcoin may be the TCP/IP of money.
March 24, 2014, 12:00:19 AM  #3069

Quote from: black007miner on March 23, 2014, 11:48:09 PM
Anyone hijacked WITHOUT using CGwatcher or CGremote?

that will be me, first I see my CleverMining account has 0.00 speed registered and go to check my miners and notice that all my cgminers are pointing to these 190.xxx ip address,
and I don't know for how long they've been redirected. Sad

So I switch to ScryptGuild for now.
Hyperlight (Newbie, Activity: 2, Merit: 0)
March 24, 2014, 12:01:46 AM  #3070

I personally don't think this exploit is user based. My guess is some kind of injection during transit.

As a precaution, I have written a few firewall rules that will only allow my mining subnet to communicate to specific IPs.
Terk (OP, Hero Member, Activity: 616, Merit: 522)
March 24, 2014, 12:07:08 AM  #3071

To be straight: I am not claiming that I know what's going on. I throw ideas about what I suspect is most likely.

My best guess is that it's a MITM attack originating very close to the user - considering there is only a small number of users affected but they are spread around the world. If the MITM wasn't close to users, then it either would be limited to some geographic location or would be really heavily widespread, affecting a significant number of users.

I don't tell you that your rig is affected. If the rig had malicious software then it might be easier for the attacker to just change your miner configs and not hijack the connection. This can be any other computer in your local network, using the same wifi. It might be the computer which you use (but it also is unlikely as the attacker would probably use it to steal your coins as well). It might be on your smartphone which connects via WiFi to the same router as your rigs (which might be connected by a cable but to the same router).

But of course I might be totally wrong.

neogen (Newbie, Activity: 8, Merit: 0)
March 24, 2014, 12:07:29 AM  #3072

Quote from: Terk on March 23, 2014, 11:50:13 PM
Quote from: Meeho on March 23, 2014, 11:31:20 PM
It is not a malware on users' computers. Miners are receiving stratum redirect commands. It is most likely a form of MITM attack, but definitely not something on the user end. It is happening among multiple pools with various mining clients and operating systems.

Yes, I've seen the log with the redirect command (the log wasn't from CleverMining, it was on another pool). The redirect command didn't actually come from the legitimate pool. The whole process looked like this:

1. Miner got disconnected from the pool (no idea if it was “natural” or caused by the attacker).
2. Miner reconnected to its pool but it didn't really connect to the pool this time; instead something hijacked this connection.
3. Just after the miner authenticated at the pool (a fake one), it got the redirect command to reconnect to a different IP address.
4. Miner followed the command and connected to the malicious pool.

The redirect command wasn't coming from the legitimate pool. Also, what's important - it wasn't injected into an existing connection between the miner and the legitimate pool. After the disconnect the miner tried to reconnect to the legitimate pool but this reconnection was hijacked and the miner was redirected to the malicious pool.

You are right that this is a form of Man In The Middle attack, but I think that the MITM attack originates at the user's place. Either on their mining rig or on some other host in the same local network. And if that's the case, then it's most likely done by some malicious software that the user downloaded.

Why do I think that other places of attack (not close to the user) are unlikely? Affected users are geographically distributed all over the world - this is not some regional issue. Affected users were connected to different pools which are using different hosting providers - this is not an attack at the pool level. At the same time the number of affected users is very tiny, which also points to a place of attack close to the user.

This is why I am suspecting some malicious software installed by the user.

For example, a new version of CGWatcher was released on Mar 21st, and the hijacking first started happening at other multi-pools on Mar 22nd. A new version of a popular software is always a good moment to distribute a maliciously modified version. I am not talking about the CGWatcher authors, but someone else might modify the software and distribute the modified version by submitting their own link to Reddit or some other mining related community.

I am also not saying that a modified CGWatcher is responsible. This is just an example of a theoretical scenario of how the attack might be performed. If you're affected, please think of what software you downloaded, when, where from, etc. - based on the example scenario above.

On my work desktop computer at home, on which I have installed nothing relating to mining software since Jan 22, the possibility of infection from a software installation would be zero on my end. And yet my cudaminer (which has been installed since Jan 22) is also doing a redirect to that malicious IP.
Terk (OP, Hero Member, Activity: 616, Merit: 522)
March 24, 2014, 12:15:49 AM  #3073

Also, it can be on your router which you use to connect to the network.

There was a really widespread vulnerability discovered a little over a month ago which was affecting a significant number of home routers: http://www.pcworld.com/article/2097903/asus-linksys-router-exploits-tell-us-home-networking-is-the-vulnerability-story-of-2014.html

It's hard to use to steal coins as all cryptocoin-related traffic is encrypted with the exception of mining. Maybe someone started using this vulnerability to hijack cryptocoin miners?

Anyone heard about this issue among users of non-multi-coin pools?

neogen (Newbie, Activity: 8, Merit: 0)
March 24, 2014, 12:20:30 AM  #3074

Quote from: Terk on March 24, 2014, 12:15:49 AM
Also, it can be on your router which you use to connect to the network.

There was a really widespread vulnerability discovered a little over a month ago which was affecting a significant number of home routers: http://www.pcworld.com/article/2097903/asus-linksys-router-exploits-tell-us-home-networking-is-the-vulnerability-story-of-2014.html

It's hard to use to steal coins as all cryptocoin-related traffic is encrypted with the exception of mining. Maybe someone started using this vulnerability to hijack cryptocoin miners?

Anyone heard about this issue among users of non-multi-coin pools?

A possibility, but after reading the article, I am on a Linksys EA4500 with remote administration disabled since the day the router was up and running. Yet I still got hi-jacked :\
Meeho (Newbie, Activity: 14, Merit: 0)
March 24, 2014, 12:22:14 AM  #3075

Asus with Tomato here, no USB used and anything remote disabled.

Anyway, Kalroth just released a new version with a --no-client-reconnect command that should disable the attack.
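As an added example (not code from this thread, from cgminer or from CleverMining): a small Python audit of a miner's stratum stream that applies the policy described above, refusing a client.reconnect unless it points at a pool the operator configured, and refusing all of them when the allow-list is empty, which is the effect Kalroth described for disabling the reconnect code. The sample messages and the allow-list are constructed; the only value taken from the thread is the redirect IP reported in it.

```python
import json
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed sample of what a miner sees on its stratum socket (one JSON-RPC
# object per line). The first client.reconnect targets the IP reported in this
# thread; the second targets a host the rig is actually configured for.
SAMPLE_STREAM = "\n".join([
    '{"id":1,"result":[[["mining.notify","ae6812eb4cd7735a302a8a9dd95cf71f"]],"f8002c90",4],"error":null}',
    '{"id":2,"result":true,"error":null}',
    '{"id":null,"method":"mining.set_difficulty","params":[256]}',
    '{"id":null,"method":"client.reconnect","params":["190.97.165.179",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":["ny.clevermining.com",3333,30]}',
])

# Constructed allow-list: the pools this rig's config actually names.
CONFIGURED_POOLS = {"ny.clevermining.com", "sf.clevermining.com"}


def parse_reconnect(msg: Dict[str, Any]) -> Optional[Tuple[str, int, int]]:
    """Return (host, port, wait_seconds) for a client.reconnect message, else None.
    Stratum carries the params as [host, port, wait]; port and wait may be absent."""
    if msg.get("method") != "client.reconnect":
        return None
    params = msg.get("params") or []
    host = str(params[0]) if len(params) > 0 else ""
    port = int(params[1]) if len(params) > 1 else 3333
    wait = int(params[2]) if len(params) > 2 else 0
    return host, port, wait


def decide(host: str, allowed_hosts: Set[str]) -> str:
    """Honour a redirect only to a host the operator configured.
    An empty allow-list refuses every redirect, like disabling reconnect entirely."""
    return "allow" if host.lower() in allowed_hosts else "block"


def audit_stream(text: str, allowed_hosts: Set[str]) -> List[Tuple[str, str, int]]:
    """Scan newline-delimited stratum traffic; return (decision, host, port) per redirect."""
    findings: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # not JSON: skip junk rather than crash the audit
        parsed = parse_reconnect(msg)
        if parsed is None:
            continue
        host, port, _wait = parsed
        findings.append((decide(host, allowed_hosts), host, port))
    return findings


if __name__ == "__main__":
    for decision, host, port in audit_stream(SAMPLE_STREAM, CONFIGURED_POOLS):
        print(f"{decision}: client.reconnect -> {host}:{port}")
```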
Telek (Newbie, Activity: 19, Merit: 0)
March 24, 2014, 12:24:50 AM  #3076

For safety, everyone should consider doing this on any windows rig:

route -p add 190.97.165.179 {your computer ip}


Also we should flood that IP address with invalid responses and DDoS him  Cheesy
Terk (OP, Hero Member, Activity: 616, Merit: 522)
March 24, 2014, 12:26:57 AM  #3077

On the other hand the router idea isn't that likely. I am googling these two IPs (today's and yesterday's where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit search to last 7 days only to filter out junk).

Are any of the affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?

Your main computer is not likely infected, as you would have your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly) and something that is related to coin-switching pools (a 3rd party mining stats app, a 3rd party rig monitoring software which you found in some coin-switching thread/subreddit/community, etc). Just wild guessing based on what's known about the problem.

cloudrck (Newbie, Activity: 52, Merit: 0)
March 24, 2014, 12:30:17 AM  #3078

Quote from: Telek on March 24, 2014, 12:24:50 AM
For safety, everyone should consider doing this on any windows rig:

route -p add 190.97.165.179 {your computer ip}


Also we should flood that IP address with invalid responses and DDoS him  Cheesy

That doesn't help. People who have been affected need to contact the owner and host of the IP with the evidence.
Telek (Newbie, Activity: 19, Merit: 0)
March 24, 2014, 12:33:35 AM  #3079

Quote from: cloudrck on March 24, 2014, 12:30:17 AM
Quote from: Telek on March 24, 2014, 12:24:50 AM
For safety, everyone should consider doing this on any windows rig:

route -p add 190.97.165.179 {your computer ip}


Also we should flood that IP address with invalid responses and DDoS him  Cheesy

That doesn't help. People who have been affected need to contact the owner and host of the IP with the evidence.

Why wouldn't that help?

Doesn't help to determine why it's happening or who's doing it, but it will prevent it from happening.
Meeho (Newbie, Activity: 14, Merit: 0)
March 24, 2014, 12:37:34 AM  #3080

Quote from: Terk on March 24, 2014, 12:26:57 AM
On the other hand the router idea isn't that likely. I am googling these two IPs (today's and yesterday's where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit search to last 7 days only to filter out junk).

Are any of the affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?

Your main computer is not likely infected, as you would have your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly) and something that is related to coin-switching pools (a 3rd party mining stats app, a 3rd party rig monitoring software which you found in some coin-switching thread/subreddit/community, etc). Just wild guessing based on what's known about the problem.

Haven't installed or run anything new on other devices for days and anything mining/coin related in weeks. Only use cgminer and two coin wallets, which were installed about a month ago from original websites (and not on smartphone).