Bitcoin Forum
Author Topic: New virus on the loose affecting B7 and STU-U6 units based upon Mirai/Botnet...  (Read 544 times)
yrk1957 (OP)
July 05, 2020, 06:47:45 AM
Last edit: July 05, 2020, 09:29:09 AM by yrk1957
Merited by CjMapope (2), vapourminer (1), philipma1957 (1), NotFuzzyWarm (1), Lafu (1), gt_addict (1)
#1

There is a new virus around which infects Antminer B7 and StrongU STU-U6 units. Once infected the virus will at random times switch mining to these accounts:

BTMCOW on stratum-btm.antpool.com:6666
DASHCOW on dash.ss.poolin.com:443

Note that you will not see these accounts in the web GUI. You will have to reboot the miners to get back to original pools.

The virus most likely enters through ssh. For example, B7 units had ssh open by default with root/root credentials.

What it does is that it installs two executables:

/sbin/dlogd
/usr/sbin/stratd

While these might sound like regular Linux process names, they are NOT.

Modifies the ssh startup file to also start these processes with system startup:

/etc/init.d/dropbear

For U6 it modifies /etc/init.d/hwclock.sh.

Modifies these files so that you no longer upgrade firmware:

/www/pages/cgi-bin/upgrade.cgi
/www/pages/cgi-bin/upgrade_clear.cgi

In these files, the virus makes changes so that "sh runme.sh" is not called during upgrade, effectively disabling the upgrade process.

Modifies the web GUI pool CGI page so that it no longer shows which pool the miner is mining on. So if you login you will see pools empty in status page:

/www/pages/cgi-bin/miner_pools.cgi

To clean this from B7 follow these steps:

Change root credentials

Delete these executables:

   rm -rf /sbin/dlogd
   rm -rf /usr/sbin/stratd

Clean up startup file
Clean the CGI pages

Reboot

Cleanup for U6

U6 story is slightly different. For U6, StrongU has not published any ssh credentials. So most likely the virus author connected to a U6 locally using serial connection and cracked the ssh password.

Now to clean a U6, we need to be able to ssh into it. I contacted StrongU, through my vendor, and they simply refused and said ssh is disabled. In fact, of course it is not. So I connected to U6 using serial connection and figured out a way to patch the U6 official firmware package to clean the virus and also change the root password.

Future:

I doubt this virus is going to stop at B7/U6. It is going to travel to other units eventually.

The best safeguard is to change your ssh credentials and/or disable it.

More Details:
I confirmed that the stratd process establishes a Tor connection to its controlling server. I submitted the stratd file to https://www.hybrid-analysis.com/, and it flagged it as "mirai,botnet". This was an older botnet virus with a central control mechanism. No doubt the Tor connection is being used for it. This Mirai virus looks for devices on the network with known vulnerabilities and copies itself over. This can be routers/switches/PCs etc. and now miners.

Note:
No doubt the virus author will see this post and adapt. So at least the executable names will change from stratd/dlogd. And also the startup mechanism.
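A defender-side check for the artifacts this post lists (the two dropped binaries, the patched startup scripts, and the upgrade CGIs that no longer call "sh runme.sh"), written here as an added example; it is not code from the original post or from Antminer/StrongU. It assumes the file names are exactly the ones given above and can be pointed at the live miner ("") or at a mounted/copied rootfs; the fixture builder creates a constructed directory so the check can be tried offline.

```shell
#!/bin/sh
# Added example: scans a root filesystem for the indicators listed in the
# post (dropped binaries, startup hooks, neutered upgrade CGIs).
# Pass "" to check the live miner, or a path to a mounted/copied rootfs.
# Assumption: the variant still uses the file names the post gives;
# a renamed variant is not caught by this name-based check.
check_miner_root() {
    root="${1:-}"
    findings=0
    # 1. Dropped executables (the post: /sbin/dlogd, /usr/sbin/stratd)
    for f in /sbin/dlogd /usr/sbin/stratd; do
        if [ -e "$root$f" ]; then
            echo "FOUND dropped binary: $root$f"
            findings=$((findings + 1))
        fi
    done
    # 2. Startup scripts patched to launch them (dropbear on B7, hwclock.sh on U6)
    for s in /etc/init.d/dropbear /etc/init.d/hwclock.sh; do
        if [ -f "$root$s" ] && grep -Eq 'dlogd|stratd' "$root$s"; then
            echo "FOUND persistence hook in: $root$s"
            findings=$((findings + 1))
        fi
    done
    # 3. Upgrade CGIs where the "sh runme.sh" call is gone or commented out
    for c in /www/pages/cgi-bin/upgrade.cgi /www/pages/cgi-bin/upgrade_clear.cgi; do
        if [ -f "$root$c" ] && ! grep -Eq '^[^#]*sh runme\.sh' "$root$c"; then
            echo "FOUND upgrade CGI no longer calling sh runme.sh: $root$c"
            findings=$((findings + 1))
        fi
    done
    echo "$findings indicator(s) matched under '${root:-/}'"
    return "$findings"   # non-zero exit status = something matched
}

# Constructed test fixture (not a real miner image): builds a temporary
# rootfs carrying the B7-style indicators and prints its path.
make_infected_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/sbin" "$d/usr/sbin" "$d/etc/init.d" "$d/www/pages/cgi-bin"
    : > "$d/sbin/dlogd"
    : > "$d/usr/sbin/stratd"
    printf '#!/bin/sh\n/usr/sbin/dropbear\n/usr/sbin/stratd &\n' > "$d/etc/init.d/dropbear"
    printf '#!/bin/sh\necho upgrading\n#sh runme.sh\n' > "$d/www/pages/cgi-bin/upgrade.cgi"
    echo "$d"
}
```

On a real unit the exit status alone is enough to drive a fleet sweep over ssh; a reboot clears the pool switch but not the files, so re-run the check after cleaning.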
CjMapope
July 05, 2020, 03:20:29 PM
#2

this is legit, miners should be VERY aware of this, +merit good sir for this writeup
i was JUST talking yesterday with some security friends about this
yes, it's based on Mirai, scary!

we hadn't heard of anyone actually having their miners affected yet, but ugh, of course it's happening :/

nice job cleaning it up, StrongU won't give you basically any info on internals, but, yes there are other ways (it's just dumb to be forced to do so)
efudd
July 05, 2020, 04:20:25 PM
#3

I found and reverse engineered a variant of this on Z series miners last year. The use of Tor was unexpected... those who ran the virus had SSH servers running on tor with the authentication keys in the malware. .... I was able to fix that for them. :-)


JayDDee
July 05, 2020, 04:48:12 PM
Merited by vapourminer (1)
#4

Excellent report.

ASIC miners aren't designed for security, so stupidity like default open root-accessible ssh ports must be assumed. All such devices should be firewalled in their own zone separate from anything else like coin wallets. Second hand devices should be reset to factory defaults before connecting.

Lafu
July 06, 2020, 01:04:11 AM
#5

Yep, awesome information on that with the virus and what to do if you got infected and how you can get rid of it!

The virus most likely enters through ssh. For example, B7 units had ssh open by default with root/root credentials.

I would not be surprised if they are already working on a modified version of the virus so they get access via malware to the miners.
If you get any device or miner new, you should always change the root password after you use it.

+1 Merit from me also


efudd
July 06, 2020, 04:22:46 AM
Merited by vapourminer (1)
#6

I expect the entry points to be other than SSH also.
cgminer's API is an entry point.
The upload/configuration restore mechanism is an entry point (bitmain has tried to patch this as of late with varying levels of success).
bitmain's latest additions to cgminer add new functionality that isn't on the standard API port and probably needs some work.... I'm still reverse engineering it but so far haven't seen any authentication/authorization.

Another entry point is... buying used miners. The last variant of this I found came through a reseller in China towards the end of a product cycle.




yrk1957 (OP)
July 06, 2020, 08:22:07 PM
#7

Thanks for the merits!

I expect the entry points to be other than SSH also.
cgminer's API is an entry point.
The upload/configuration restore mechanism is an entry point (bitmain has tried to patch this as of late with varying levels of success).
bitmain's latest additions to cgminer add new functionality that isn't on the standard API port and probably needs some work.... I'm still reverse engineering it but so far haven't seen any authentication/authorization.

Another entry point is... buying used miners. The last variant of this I found came through a reseller in China towards the end of a product cycle.

The B7 were used, from China. So that might be it.

The U6 were brand new. And given the default ssh password is non-trivial (I could not crack it), they might have been infected in other ways as you describe.

Wind_FURY
July 10, 2020, 07:01:00 AM
#8

ASIC-botnets? I believe the pro-ASIC resistance people could use this for their future narrative as "another bad" for ASIC-based mining.

"You also have botnets!"

cyb3r4x
April 19, 2021, 05:18:09 PM
#9

Cleanup for U6

U6 story is slightly different. For U6, StrongU has not published any ssh credentials. So most likely the virus author connected to a U6 locally using serial connection and cracked the ssh password.

Now to clean a U6, we need to be able to ssh into it. I contacted StrongU, through my vendor, and they simply refused and said ssh is disabled. In fact, of course it is not. So I connected to U6 using serial connection and figured out a way to patch the U6 official firmware package to clean the virus and also change the root password.

I believe my STU U6 is infected. Since this morning, after a while, it goes offline, but it seems that it is still undermining. I would like to ask you how you connected to the miner and how you managed to change the root password and make the firmware changes to clean it. Thank you very much.
bimmer12312
May 26, 2021, 02:36:53 PM
#10

Hello,

does anyone know how to get rid of the StrongU STU-U6 virus? my miner is no longer available...

Thanks.
iBuzz
May 27, 2021, 07:54:42 AM
#11

I have a program to effectively remove all viruses. Write me on Telegram @CryptoMyLive
bimmer12312
May 29, 2021, 09:23:21 AM
#12

I have a program to effectively remove all viruses. Write me on Telegram @CryptoMyLive

I have written.. Dodi Szaszi .. Thanks.
mealexat
October 28, 2022, 07:23:28 PM
#13

...
So I connected to U6 using serial connection and figured out a way to patch the U6 official firmware package to clean the virus and also change the root password.
...

Could you please tell us how you did that?
I have my U6 turning off at random times and have no ssh password (
BI00dy
September 05, 2023, 10:50:09 AM
#14

I'm trying to log in to StrongU STU-2 ssh and ftp to try to change the miner or something because STU-2 is dead, there are no more coins on the Blake2b algo, Sia changed to Blake2-sia. But I can't log in because ssh is closed. I have now connected the STU-2 on the serial port on the main board via UART and I'm now stuck with so many questions....
I can't figure out how to open ssh and how to change root credentials.

Can someone help me?
UspesenRudar
September 05, 2023, 02:26:11 PM
#15

This is a really good example worth paying your lazy attention to.
BI00dy
September 07, 2023, 01:26:57 AM
#16

The STU-U2 miner is dead and can only be used as a loud heater. I want to experiment with the miner and try to switch to Blake2-sia or something. I think there is a way to do that because all other miners switched from Blake2b to Blake2-sia with only a firmware update. But StrongU doesn't care about old miners like the STU-U2.