ANTBLEED VIRUS!!! CLONE

[LordPower]

I recently purchased some Antminer S9's from eBay with bitmain firmware on them,  I started seeing some abnormals in hash reporting vs actual hash rate at the pool.

I have seen numerous threads with people with the same problem but no resolve.

What I found:   

Code:

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:22:36.264415 IP (tos 0x0, ttl 64, id 9890, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.45.36302 > 192.169.6.241.48748: Flags [S], cksum 0xb9fd (correct), seq 2314096459, win 29200, options [mss 1460,sackOK,TS val 8285329 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 26a2 4000 4006 8aaa c0a8 012d  E..<&.@.@......-
        0x0010:  c0a9 06f1 8dce be6c 89ee 4f4b 0000 0000  .......l..OK....
        0x0020:  a002 7210 b9fd 0000 0204 05b4 0402 080a  ..r.............
        0x0030:  007e 6c91 0000 0000 0103 0305            .~l.........
11:22:37.245654 IP (tos 0x0, ttl 64, id 4740, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x6562 (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285566 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 1284 4000 4006 9ec5 c0a8 0130  E..<..@.@......0
        0x0010:  c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000  .......l........
        0x0020:  a002 7210 6562 0000 0204 05b4 0402 080a  ..r.eb..........
        0x0030:  007e 6d7e 0000 0000 0103 0305            .~m~........
11:22:38.244593 IP (tos 0x0, ttl 64, id 4741, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x64fe (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285666 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 1285 4000 4006 9ec4 c0a8 0130  E..<..@.@......0
        0x0010:  c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000  .......l........
        0x0020:  a002 7210 64fe 0000 0204 05b4 0402 080a  ..r.d...........
        0x0030:  007e 6de2 0000 0000 0103 0305            .~m.........
11:22:40.244595 IP (tos 0x0, ttl 64, id 4742, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x6436 (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285866 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 1286 4000 4006 9ec3 c0a8 0130  E..<..@.@......0
        0x0010:  c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000  .......l........
        0x0020:  a002 7210 6436 0000 0204 05b4 0402 080a  ..r.d6..........
        0x0030:  007e 6eaa 0000 0000 0103 0305            .~n.........
^C
4 packets captured
5 packets received by filter
0 packets dropped by kernel

This is a ANTBLEED VIRUS CLONE!

What this does:

The infected ant miner will boot up and connect to 192.169.6.241  on port:  48748  once connected:  the miner will receive remote hashing and pool switching,  AKA dev fee (BOT NETWORK)
"192.169.6.241" IS NOT YOUR LOCAL NETWORK... This is a hosted company hosting for the virus
The Virus will then change any SSH password on the local device and then begin a network subnet scan and try to install itself on other miners

You can tell in several ways this virus is on your network of miners, 

1. that the WEBUI for the miner will show its status page VERY SLOW!  this is due to the 100% CPU load and the MODIFIED bminer software that is on it.   
2.  Your miner with show HW errors on all chains, this is due to the modified bminer overclocking the miner to get better hash rate for the attacker!

Check your miner or router for ESTABLISHED CONNECTION to:  192.169.6.241   - If its there you have the virus

Solutions:

1. BLOCK ALL TRAFFIC  to 192.169.6.0/24 on your network,  and if you cannot block subnets, BLOCK 192.169.6.241  all protocols
2.  Pull your miners off your network
3. CHANGE PASSWORDS on all your miners, don't leave default password
4. SD Card your miner and install latest firmware from your miner manufacture.

Where did the virus come from?  Unknown I only purchased 3 Antminer S9's off eBay and had them on the test bench when I noticed it.  It appeared to be running latest bitmain firmware from May/2019

LP

[1714925877]

1714925877

[1714925877]

1714925877

[1714925877]

1714925877

[1714925877]

1714925877

[taserz]

You need to sd card flash and wipe the miner and reflash it and yes change password is wise but knock off all your miners as you do it so it doesn't get reinfected or

If you install our firmware from asic.to and run the virus scanner it can't disinfect that. You're describing the NightSwitcher virus. 90% chance that S9 came from china preloaded with malware.

[LordPower]

I will investigate more,  I am wondering if this virus may have created a hidden partition on boot up, I will check partition layout on good ant miner.    I have seen others post that they have installed latest firmware from bitmain and the virus comes back after a day or two.

I am wondering if this partition does not get wipe durning a firmware upgrade and when the miner is rebooted that partition boots first and then loads the miner software.

Also:  I have seen other threads showing this active connection to :  192.169.6.241,  that is a USA hosting company,  filing a complaint against that HOST.

Thoughts?

[DaveF]

When booting with an SD card it should wipe all partitions and start again.
At least that is the way it used to work.

Since you got them from eBay who knows what else was done to them.

Also, this is not antbleed but just one of the many hacked firmwares that are out there.

People will install anything.

* If you did not change the root / root password on other miners on your network check them too.

-Dave

[mikeywith]

Here is all you need to know about 192.169.6.241, it is pretty smart to use 192.169, a public IP that looks pretty identical to the private IP range 192.168 and attracts no suspicion.

As taserz explained, I am sure the miners you bought from Ebay came with that virus because I had the same exact thing happen to me, you should report the seller to Ebay and explain the issue.

You need to turn off every miner, SDcard each of them one by one, perform a full virus scan on all devices in your network, preferably use a Linux based system to access your miners for better security.

[DaveF]

For US based IP addresses. You can get the contact info from ARIN:

https://search.arin.net/rdap/?query=192.169.6.241

The abuse contact for that IP range is on the bottom of the page.

-Dave


It's been going on for a while. These threads have popped up from time to time.

Biggest issue is that a lot of times miners pass though a lot of hands.

Case in point for a miner I am selling. Bitmain --> bought by someone on this forum --> sold to me --> mixed with parts from other miners that
I have bought from others --> on this forum sold to xxx on this forum

I think the control board is legit, but as of now; since *I* who is someone who knows his way around a miner can't tell you where the controller came from there might be something lurking that I don't know about. There were 3 miners that I built into 1 working one. So even "legit" can be bad.

Sad but true.

-Dave

[philipma1957]

Yep I have purchased from you and sold to you. I have mixed and matched tons of parts. from many sources.

In fact tomorrow I get Three controllers for l3+ units.  but i will run them on an empty mining ⛏ modem for a week before i try them on the big farm.

all the old gear may have firmware issues. lots of tricks for them.

[Artemis3]

You need to sd card flash and wipe the miner and reflash it and yes change password is wise but knock off all your miners as you do it so it doesn't get reinfected or

If you install our firmware from asic.to and run the virus scanner it can't disinfect that. You're describing the NightSwitcher virus. 90% chance that S9 came from china preloaded with malware.

So this virus is called NightSwitcher? Does it replicate itself, looking for miners with default passwords? Does it attack windows computers as well?

What else can you share about it?

I agree with wiping the nand using SD. What do you know about a malware that supposedly damages the nand storage entirely? Some people even claim it won't let boot from sd card anymore (i have always believed thats just a faulty sd reader slot).

People leaving the default password are a major part of the problem, there are even some countries planning to legislate against devices having a single default password (ie. wifi access points). I wonder if asic sales in those countries would then become illegal?

Human lazyness, the attackers favorite meal...

[kano]

For US based IP addresses. You can get the contact info from ARIN:

https://search.arin.net/rdap/?query=192.169.6.241

The abuse contact for that IP range is on the bottom of the page.

-Dave


...

The server supplier for that IP address is (as it says) CrownCloud

The OzCoin pool (that no longer exists) was run by the same person who runs CrownCloud
CrownCloud's web site is: https://crowncloud.net/

It 'should' be easy to contact them and get them to take down the server that is being used for this virus if you provide the details shown by others above.

Code:

whois 192.169.6.241

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#


NetRange:       192.169.6.0 - 192.169.7.255
CIDR:           192.169.6.0/23
NetName:        CROWNCLOUD-3
NetHandle:      NET-192-169-6-0-1
Parent:         NET192 (NET-192-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Crowncloud US LLC (CUL-34)
RegDate:        2015-03-13
Updated:        2015-03-13
Comment:        All IP addresses in this range are statically assigned to end customers. Report any abuse to admin@crowncloud.us
Ref:            https://rdap.arin.net/registry/ip/192.169.6.0


OrgName:        Crowncloud US LLC
OrgId:          CUL-34
Address:        530 W 6th St
Address:        C/O Cid 4573 Quadranet Inc. Ste 901
City:           Los Angeles
StateProv:      CA
PostalCode:     90014-1207
Country:        US
RegDate:        2014-07-25
Updated:        2017-10-10
Ref:            https://rdap.arin.net/registry/entity/CUL-34


OrgAbuseHandle: CROWN9-ARIN
OrgAbuseName:   Crowncloud Support
OrgAbusePhone:  +1-940-867-4072 
OrgAbuseEmail:  admin@crowncloud.us
OrgAbuseRef:    https://rdap.arin.net/registry/entity/CROWN9-ARIN

OrgTechHandle: CROWN9-ARIN
OrgTechName:   Crowncloud Support
OrgTechPhone:  +1-940-867-4072 
OrgTechEmail:  admin@crowncloud.us
OrgTechRef:    https://rdap.arin.net/registry/entity/CROWN9-ARIN

Edit: I've sent them a message about it also, referencing this thread.

Edit2: I got a reply, they have suspended the server.

[mikeywith]

Edit: I've sent them a message about it also, referencing this thread.

Edit2: I got a reply, they have suspended the server.

That was quick, well done Kano.


as a general rule, one should always SDcard any used gear they buy BEFORE plugging it to the network, these viruses affect every other miner on the same network, so once you make that mistake of installing an infected miner, you will later have to fix every other miner, specifically those who don't bother with changing the default root/root username and password or use words that are easy to brute force.

The same or similar viruses exist in most of these "Boost Firmware" you find online.

[LordPower]

good job!!! I imagine many people will see a boost in their hash rate at the pools on there SHA256 miners.. I tried to find the thread earlier, there was something talking about 4/5TH loss at the pool and their TCPDUMP showed same connection to the 192.169.6.241 address, that thread was about 8 months old so this virus has been out for sometime.

Awesome to see the community come together,

edit:  was able to find the thread

https://bitcointalk.org/index.php?topic=5172514.0