Author

Topic: New virus on the loose affecting B7 and STU-U6 units based upon Mirai/Botnet... (Read 568 times)

newbie
Activity: 4
Merit: 0
STU-U2 Miner is dead and can be only use for loud heater. A want to experiment with miner and try to switch to Blake2sia or something. I think there is way to do that becouse all other miner switched for blake2b to blake2 sia only with firmware update. But StrongU don't care about old miner like STU-U2.  Cry
newbie
Activity: 33
Merit: 0
This is a really good example worth paying your lazy attention to.  Huh
newbie
Activity: 4
Merit: 0
Im trying to login intro StrongU STU-2 ssh and ftp to try change miner or something becouse STU-2 is dead there is no more coins on Blake2b algo, sia change to Blake2-sia. But i can't login becouse ssh is closed. I connect now STU-2 on serial port on main board via UART and im now stuck with so many questions....
i can't figure out how to open ssh and how to change root credentials  Sad Sad Sad

Can some one help me ?  Cry
newbie
Activity: 1
Merit: 0
...
So I connected to U6 using serial connection and figured out a way to patch the U6 official firmware package to clean the virus and also change the root password.
...

Could you pls tell us how you did that?
I have my U6 turned off random times and have no ssh password (
newbie
Activity: 3
Merit: 0
I have a program to effectively remove all viruses. Write me in telegrams @CryptoMyLive


I have written.. Dodi Szaszi .. Thanks.
newbie
Activity: 2
Merit: 0
I have a program to effectively remove all viruses. Write me in telegrams @CryptoMyLive
newbie
Activity: 3
Merit: 0
Hello,

does anyone know how to get rid of strongu stu u6 virus?  my miner is no longer available...

Thanks.,
newbie
Activity: 1
Merit: 0


Cleanup for U6

U6 story is slightly different. For U6, StrongU has not published any ssh credentials. So most likely the virus author connected to a U6 locally using serial connection and cracked the ssh password.

Now to clean a U6, we need to be able to ssh into it. I contacted StrongU, through my vendor, and they simply refused and said ssh is disabled. In fact, of course it is not. So I connected to U6 using serial connection and figured out a way to patch the U6 official firmware package to clean the virus and also change the root password.



I believe my STU U6 is infected. from this morning, after a while, it goes offline, but it seems that it is still undermining. I would like to ask you how you connected to the Miner and how you managed to change the root password and make the firmware changes to clean it. thank you very much
legendary
Activity: 2898
Merit: 1823
ASIC-botnets? I believe the pro-ASIC resistance people could use this for their future narrative as "another bad" for ASIC-based mining.

"You also have botnets!"
member
Activity: 531
Merit: 29

Thanks for the merits!

I expect the entry points to be other than SSH also.
cgminer's API is an entry point.
The upload/configuration restore mechanism is an entry point (bitmain has tried to patch this as of late with varying levels of success).
bitmain's latest additions to cgminer adds new functionality that isn't on the standard API port and probably needs some work....I'm still reverse engineering it but so far haven't seen any authentication/authorization.

Another entry point is... buying used miners. The last variant of this I found came through a reseller in China towards the end of a product cycle.





The B7 were used, from China. So that might be it.

The U6 were brand new. And given the default ssh password is non-trivial (I could not crack it), they might have been infected in other ways as you descrive.

member
Activity: 504
Merit: 51
I expect the entry points to be other than SSH also.
cgminer's API is an entry point.
The upload/configuration restore mechanism is an entry point (bitmain has tried to patch this as of late with varying levels of success).
bitmain's latest additions to cgminer adds new functionality that isn't on the standard API port and probably needs some work....I'm still reverse engineering it but so far haven't seen any authentication/authorization.

Another entry point is... buying used miners. The last variant of this I found came through a reseller in China towards the end of a product cycle.



legendary
Activity: 3136
Merit: 3213
Yeb awesome Information on that with the Virus and what to do if you got Infected and how can get rid of it !

The virus mostly likely enters through ssh. For example B7 units had ssh open by default with root/root credentials.

I would be not surprised id they already working on a modifacted version of the Virus so they get access via malware to the miners.
If you get any device or miner new , you should always change the root / password after you used it .

+1 Merit from me also  Cool

full member
Activity: 1424
Merit: 225
Excellent report.

ASIC miners aren't designed for security, so stupidity like default open root accessible
ssh ports must be assumed. All such devices should be firewalled in their own zone
seperate from anything else like coin wallets. Second hand devices should be reset to factory
defaults before connecting.
member
Activity: 504
Merit: 51
I found and reverse engineered a variant of this on Z series miners last year. The use of Tor was unexpected... those who ran the virus had SSH servers running on tor with the authentication keys in the malware. .... I was able to fix that for them. :-)

legendary
Activity: 1820
Merit: 1092
~Full-Time Minter since 2016~
this is legit, miners should be VERY aware of this, +merit good sir for this writeup
i was JUST talking yesterday with some security friends about this
yes, its based on mirai, scary!

we had'nt heard of anyone actually having their miners affected yet, but ugh, of course it's happening :/

nice job cleaning it up, StrongU wont give you basically any info on internals , but, yes there are other ways (its just dumb to be forced to do so)

member
Activity: 531
Merit: 29
There is a new virus around which infects Antminer B7 and StrongU STU-U6 units. Once infected the virus will at random times switch mining to these accounts:

BTMCOW on stratum-btm.antpool.com:6666
DASHCOW on dash.ss.poolin.com:443

Note that you will not see these accounts in the web GUI. You will have to reboot the miners to get back to original pools.

The virus mostly likely enters through ssh. For example B7 units had ssh open by default with root/root credentials.

What it does is that it installs two executables:

/sbin/dlogd
/usr/sbin/stratd

While these might sound like regular Linux process names, but they are NOT.

Modifies the ssh startup file to also start these processes with system startup:

/etc/init.d/dropbear

For U6 it modifies /etc/init.d/hwclock.sh.

Modifies these files so that you no longer upgrade firmware:

/www/pages/cgi-bin/upgrade.cgi
/www/pages/cgi-bin/upgrade_clear.cgi

In these files, the virus modifies so that "sh runme.sh" is not called during upgrade, effectively disabling the upgrade process.

Modifies the web GUI pool CGI page so that it no longer shows which pool the miner is mining on. So if you login you will see pools empty in status page:

/www/pages/cgi-bin/miner_pools.cgi

To clean this from B7 follow these steps:

Change root credentials

Delete this executables:

   rm -rf /sbin/dlogd
   rm -rf /usr/sbin/stratd

Clean up startup file
Clean the CGI pages

Reboot

Cleanup for U6

U6 story is slightly different. For U6, StrongU has not published any ssh credentials. So most likely the virus author connected to a U6 locally using serial connection and cracked the ssh password.

Now to clean a U6, we need to be able to ssh into it. I contacted StrongU, through my vendor, and they simply refused and said ssh is disabled. In fact, of course it is not. So I connected to U6 using serial connection and figured out a way to patch the U6 official firmware package to clean the virus and also change the root password.

Future:

I doubt this virus is going to stop at B7/U6. It is going to travel to other units eventually.

The best safeguard is to change you ssh credentials and/or disable it.

More Details:
I confirmed that startd process establishes a Tor connection to its controlling server. I submitted the stratd file to https://www.hybrid-analysis.com/, and it flagged it as  "mirai,botnet". This was an older botnet virus with a central control mechanism. No doubt the Tor connection is being used for it. This mirai virus looks for devices on the network with known vulnerbilites and copy itself over. This can be routers/switches/PCs etc and now Miners.

Note:
No doubt he virus author will see this post and adapt. So at least executables name will change from stratd/dlogd. And also startup mechanism.
Jump to: