There is a new virus going around that infects Antminer B7 and StrongU STU-U6 units. Once a miner is infected, the virus will at random times switch mining to these accounts:
BTMCOW on stratum-btm.antpool.com:6666
DASHCOW on dash.ss.poolin.com:443
Note that you will not see these accounts in the web GUI. You will have to reboot the miners to get back to the original pools.
The virus most likely enters through ssh. For example, B7 units shipped with ssh open by default and root/root credentials.
It installs two executables:
/sbin/dlogd
/usr/sbin/stratd
While these might sound like regular Linux process names, they are NOT legitimate system daemons.
It modifies the ssh (dropbear) startup script so that these processes are also started at boot:
/etc/init.d/dropbear
On the U6 it modifies /etc/init.d/hwclock.sh instead.
It modifies these files so that you can no longer upgrade the firmware:
/www/pages/cgi-bin/upgrade.cgi
/www/pages/cgi-bin/upgrade_clear.cgi
In these files the virus removes the "sh runme.sh" call that runs during an upgrade, effectively disabling the upgrade process.
It also modifies the web GUI pool CGI page so that it no longer shows which pool the miner is mining on. So if you log in you will see the pools empty on the status page:
/www/pages/cgi-bin/miner_pools.cgi
To clean this from a B7 follow these steps:
1. Change the root credentials
2. Delete these executables:
rm -rf /sbin/dlogd
rm -rf /usr/sbin/stratd
3. Clean up the startup file (/etc/init.d/dropbear)
4. Clean the CGI pages (upgrade.cgi, upgrade_clear.cgi, miner_pools.cgi)
5. Reboot
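The steps above, turned into a small busybox-compatible script you can run over ssh on the miner or against an offline copy of its root filesystem. This is an added example, not a script from the original post or from Bitmain/StrongU. The file paths, the process names and the "sh runme.sh" marker are the ones the post lists; the function names, the way the startup hook is stripped (deleting every init-script line that mentions dlogd or stratd) and the sample infected tree used for the usage run are my own assumptions, since the post does not show the injected lines themselves. It deliberately does not try to patch the CGI pages: without the stock files there is nothing to restore them from, so it only tells you which ones to copy back from a clean firmware image.

```shell
#!/bin/sh
# Indicator check and cleanup for the B7/U6 infection described in the post.
# Added example, not from the original post. Paths, daemon names and the
# "sh runme.sh" marker come from the post; everything else is an assumption.
#
# On the miner (busybox sh over ssh):      sh check_miner.sh scan
#                                          sh check_miner.sh clean
# On an offline copy of the root fs:       sh check_miner.sh scan /mnt/miner_root

IOC_BINS="/sbin/dlogd /usr/sbin/stratd"
IOC_STARTUP="/etc/init.d/dropbear /etc/init.d/hwclock.sh"
IOC_UPGRADE_CGI="/www/pages/cgi-bin/upgrade.cgi /www/pages/cgi-bin/upgrade_clear.cgi"
IOC_POOLS_CGI="/www/pages/cgi-bin/miner_pools.cgi"

# check_root [ROOT]: print one line per indicator found under ROOT (default: /)
# and return the number of findings so a caller can branch on it.
check_root() {
    root="${1:-}"
    hits=0
    for f in $IOC_BINS; do
        if [ -e "$root$f" ]; then
            echo "FOUND dropped binary: $f"
            hits=$((hits + 1))
        fi
    done
    for f in $IOC_STARTUP; do
        # a stock init script has no reason to mention either daemon name
        if [ -f "$root$f" ] && grep -Eq 'dlogd|stratd' "$root$f"; then
            echo "FOUND startup hook in $f"
            hits=$((hits + 1))
        fi
    done
    for f in $IOC_UPGRADE_CGI; do
        # per the post, the virus removes the "sh runme.sh" call from these pages
        if [ -f "$root$f" ] && ! grep -q 'sh runme.sh' "$root$f"; then
            echo "FOUND upgrade CGI without 'sh runme.sh': $f"
            hits=$((hits + 1))
        fi
    done
    return $hits
}

# check_processes: look for the two daemons in the live process list via /proc
# (busybox ps output varies, /proc/<pid>/comm does not). Returns the count found.
check_processes() {
    hits=0
    [ -d /proc ] || return 0
    for d in /proc/[0-9]*; do
        comm=""
        read -r comm < "$d/comm" 2>/dev/null || continue
        case "$comm" in
            dlogd|stratd)
                echo "RUNNING $comm (pid ${d#/proc/})"
                hits=$((hits + 1)) ;;
        esac
    done
    return $hits
}

# clean_root [ROOT]: delete the binaries and strip the startup hook. The CGI
# pages are only reported, not patched: copy them back from a clean firmware
# image, then change the root password and reboot (steps 1 and 5 of the post).
clean_root() {
    root="${1:-}"
    for f in $IOC_BINS; do
        rm -f "$root$f"
    done
    for f in $IOC_STARTUP; do
        if [ -f "$root$f" ]; then
            # assumption: every line naming a daemon is part of the injected hook
            sed -i -e '/dlogd/d' -e '/stratd/d' "$root$f"
        fi
    done
    for f in $IOC_UPGRADE_CGI $IOC_POOLS_CGI; do
        if [ -f "$root$f" ]; then
            echo "RESTORE $f from a clean firmware image"
        fi
    done
    return 0
}

# Command-line entry point. Nothing runs when the file is sourced or called
# without a sub-command, so the functions above can be reused from other scripts.
case "${1:-}" in
    scan)  check_root "${2:-}"; check_processes ;;
    clean) check_root "${2:-}"; check_processes; clean_root "${2:-}" ;;
esac
```

check_root reports an upgrade page as suspicious only when it is present but lacks the "sh runme.sh" call, so on a unit whose upgrade still works it stays quiet; the exit status of "scan" is the number of indicators found, which makes it easy to loop over a farm with ssh and collect the non-zero hosts. Do the cleanup once more after the reboot: if anything still shows up, the startup mechanism has changed and the script's patterns need updating, as the post itself warns.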
Cleanup for U6:
The U6 story is slightly different. For the U6, StrongU has not published any ssh credentials, so most likely the virus author connected to a U6 locally over a serial connection and cracked the ssh password.
Now, to clean a U6, we need to be able to ssh into it. I contacted StrongU through my vendor, and they simply refused and said ssh is disabled. In fact, of course, it is not. So I connected to the U6 using a serial connection and figured out a way to patch the U6 official firmware package to clean the virus and also change the root password.
Future:
I doubt this virus is going to stop at B7/U6. It is going to travel to other units eventually.
The best safeguard is to change your ssh credentials and/or disable ssh altogether.
More Details:
I confirmed that the stratd process establishes a Tor connection to its controlling server. I submitted the stratd file to https://www.hybrid-analysis.com/, and it flagged it as "mirai,botnet". This was an older botnet virus with a central control mechanism. No doubt the Tor connection is being used for that. This mirai virus looks for devices on the network with known vulnerabilities and copies itself over. This can be routers/switches/PCs etc., and now miners.
Note: No doubt the virus author will see this post and adapt. So at the very least the executable names will change from stratd/dlogd, and the startup mechanism as well.