
Topic: New virus on the loose affecting B7 and STU-U6 units based upon Mirai/Botnet... (Read 542 times)

newbie
Activity: 4
Merit: 0
The STU-U2 miner is dead and can only be used as a loud heater. I want to experiment with the miner and try to switch to Blake2-sia or something. I think there is a way to do that because all the other miners switched from Blake2b to Blake2-sia only with a firmware update. But StrongU doesn't care about old miners like the STU-U2. Cry
newbie
Activity: 33
Merit: 0
This is a really good example worth paying your lazy attention to. Huh
newbie
Activity: 4
Merit: 0
I'm trying to log in to the StrongU STU-2 via ssh and ftp to try to change the miner or something, because the STU-2 is dead: there are no more coins on the Blake2b algo, Sia changed to Blake2-sia. But I can't log in because ssh is closed. I have now connected the STU-2 on the serial port on the main board via UART, and I'm now stuck with so many questions....
I can't figure out how to open ssh and how to change the root credentials. Sad Sad Sad

Can someone help me? Cry
newbie
Activity: 1
Merit: 0
...
So I connected to U6 using serial connection and figured out a way to patch the U6 official firmware package to clean the virus and also change the root password.
...

Could you please tell us how you did that?
I have my U6 turning off at random times and I have no ssh password (
newbie
Activity: 3
Merit: 0
I have a program to effectively remove all viruses. Write me on Telegram: @CryptoMyLive


I have written.. Dodi Szaszi .. Thanks.
newbie
Activity: 2
Merit: 0
I have a program to effectively remove all viruses. Write me on Telegram: @CryptoMyLive
newbie
Activity: 3
Merit: 0
Hello,

Does anyone know how to get rid of the StrongU STU-U6 virus? My miner is no longer available...

Thanks.
newbie
Activity: 1
Merit: 0


Cleanup for U6

U6 story is slightly different. For U6, StrongU has not published any ssh credentials. So most likely the virus author connected to a U6 locally using serial connection and cracked the ssh password.

Now to clean a U6, we need to be able to ssh into it. I contacted StrongU, through my vendor, and they simply refused and said ssh is disabled. In fact, of course it is not. So I connected to U6 using serial connection and figured out a way to patch the U6 official firmware package to clean the virus and also change the root password.



I believe my STU-U6 is infected. Since this morning, after a while, it goes offline, but it seems that it is still mining. I would like to ask you how you connected to the miner and how you managed to change the root password and make the firmware changes to clean it. Thank you very much.
legendary
Activity: 2898
Merit: 1823
ASIC-botnets? I believe the pro-ASIC resistance people could use this for their future narrative as "another bad" for ASIC-based mining.

"You also have botnets!"
member
Activity: 529
Merit: 29

Thanks for the merits!

I expect the entry points to be other than SSH also.
cgminer's API is an entry point.
The upload/configuration restore mechanism is an entry point (bitmain has tried to patch this as of late with varying levels of success).
bitmain's latest additions to cgminer add new functionality that isn't on the standard API port and probably needs some work.... I'm still reverse engineering it but so far haven't seen any authentication/authorization.

Another entry point is... buying used miners. The last variant of this I found came through a reseller in China towards the end of a product cycle.





The B7 were used, from China. So that might be it.

The U6 were brand new. And given the default ssh password is non-trivial (I could not crack it), they might have been infected in other ways as you describe.

member
Activity: 504
Merit: 51
I expect the entry points to be other than SSH also.
cgminer's API is an entry point.
The upload/configuration restore mechanism is an entry point (bitmain has tried to patch this as of late with varying levels of success).
bitmain's latest additions to cgminer add new functionality that isn't on the standard API port and probably needs some work.... I'm still reverse engineering it but so far haven't seen any authentication/authorization.

Another entry point is... buying used miners. The last variant of this I found came through a reseller in China towards the end of a product cycle.



legendary
Activity: 2940
Merit: 3030
Yep, awesome information on the virus, what to do if you got infected and how to get rid of it!

The virus mostly likely enters through ssh. For example B7 units had ssh open by default with root/root credentials.

I would not be surprised if they are already working on a modified version of the virus so they get access to the miners via malware.
If you get any device or miner new, you should always change the root password after you have used it.

+1 Merit from me also Cool

full member
Activity: 1386
Merit: 220
Excellent report.

ASIC miners aren't designed for security, so stupidity like default open root-accessible
ssh ports must be assumed. All such devices should be firewalled in their own zone
separate from anything else like coin wallets. Second-hand devices should be reset to factory
defaults before connecting.
member
Activity: 504
Merit: 51
I found and reverse engineered a variant of this on Z series miners last year. The use of Tor was unexpected... those who ran the virus had SSH servers running on tor with the authentication keys in the malware. .... I was able to fix that for them. :-)

legendary
Activity: 1820
Merit: 1092
~Full-Time Minter since 2016~
This is legit, miners should be VERY aware of this, +merit good sir for this writeup.
I was JUST talking yesterday with some security friends about this.
Yes, it's based on Mirai, scary!

We hadn't heard of anyone actually having their miners affected yet, but ugh, of course it's happening :/

Nice job cleaning it up. StrongU won't give you basically any info on internals, but yes, there are other ways (it's just dumb to be forced to do so).

member
Activity: 529
Merit: 29
There is a new virus around which infects Antminer B7 and StrongU STU-U6 units. Once infected the virus will at random times switch mining to these accounts:

BTMCOW on stratum-btm.antpool.com:6666
DASHCOW on dash.ss.poolin.com:443

Note that you will not see these accounts in the web GUI. You will have to reboot the miners to get back to original pools.

The virus mostly likely enters through ssh. For example B7 units had ssh open by default with root/root credentials.

What it does is that it installs two executables:

/sbin/dlogd
/usr/sbin/stratd

While these might sound like regular Linux process names, they are NOT.

It modifies the ssh startup file to also start these processes at system startup:

/etc/init.d/dropbear

For U6 it modifies /etc/init.d/hwclock.sh.

It modifies these files so that you can no longer upgrade the firmware:

/www/pages/cgi-bin/upgrade.cgi
/www/pages/cgi-bin/upgrade_clear.cgi

In these files, the virus makes changes so that "sh runme.sh" is not called during upgrade, effectively disabling the upgrade process.

It modifies the web GUI pool CGI page so that it no longer shows which pool the miner is mining on. So if you log in you will see the pools empty on the status page:

/www/pages/cgi-bin/miner_pools.cgi

To clean this from B7 follow these steps:

Change root credentials

Delete these executables:

   rm -rf /sbin/dlogd
   rm -rf /usr/sbin/stratd

Clean up startup file
Clean the CGI pages

Reboot

Cleanup for U6

U6 story is slightly different. For U6, StrongU has not published any ssh credentials. So most likely the virus author connected to a U6 locally using serial connection and cracked the ssh password.

Now to clean a U6, we need to be able to ssh into it. I contacted StrongU, through my vendor, and they simply refused and said ssh is disabled. In fact, of course it is not. So I connected to U6 using serial connection and figured out a way to patch the U6 official firmware package to clean the virus and also change the root password.

Future:

I doubt this virus is going to stop at B7/U6. It is going to travel to other units eventually.

The best safeguard is to change your ssh credentials and/or disable it.

More Details:
I confirmed that the stratd process establishes a Tor connection to its controlling server. I submitted the stratd file to https://www.hybrid-analysis.com/, and it flagged it as "mirai,botnet". This was an older botnet virus with a central control mechanism. No doubt the Tor connection is being used for it. This Mirai virus looks for devices on the network with known vulnerabilities and copies itself over. This can be routers/switches/PCs etc., and now miners.

Note:
No doubt the virus author will see this post and adapt. So at least the executable names will change from stratd/dlogd, and also the startup mechanism.
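The indicators listed in this post (dropped executables, edited init scripts, upgrade CGIs no longer calling "sh runme.sh") turned into a checklist script that can be run on the miner itself or against an unpacked copy of its root filesystem. This is an added example, not the poster's own tooling; it assumes the paths exactly as posted, and the sample tree it builds for offline testing is constructed, not taken from a real unit.

```shell
#!/bin/sh
# Indicator check for the B7/U6 infection described above (added example).
# Paths come from the post; ROOT defaults to "/" for use on the miner, or
# can point at an unpacked rootfs / firmware image copy.

MALWARE_BINS="/sbin/dlogd /usr/sbin/stratd"
STARTUP_FILES="/etc/init.d/dropbear /etc/init.d/hwclock.sh"
UPGRADE_CGIS="/www/pages/cgi-bin/upgrade.cgi /www/pages/cgi-bin/upgrade_clear.cgi"

# check_miner ROOT: prints one FINDING line per indicator present.
# Prints nothing when none of the post's indicators is found.
check_miner() {
  root="${1:-/}"
  for f in $MALWARE_BINS; do
    # Dropped executables: any file at these paths is a finding.
    if [ -e "$root$f" ]; then
      echo "FINDING: dropped executable present: $f"
    fi
  done
  for f in $STARTUP_FILES; do
    # Persistence: init scripts edited to launch dlogd/stratd at boot.
    if [ -f "$root$f" ] && grep -Eq 'dlogd|stratd' "$root$f"; then
      echo "FINDING: startup file references malware: $f"
    fi
  done
  for f in $UPGRADE_CGIS; do
    # Anti-recovery: upgrade CGIs with the "sh runme.sh" call removed.
    if [ -f "$root$f" ] && ! grep -q 'sh runme.sh' "$root$f"; then
      echo "FINDING: upgrade script no longer runs 'sh runme.sh': $f"
    fi
  done
  return 0
}

# make_infected_sample ROOT: builds a constructed fake rootfs showing the
# indicators, so the check can be exercised without a real miner.
make_infected_sample() {
  root="$1"
  mkdir -p "$root/sbin" "$root/usr/sbin" "$root/etc/init.d" "$root/www/pages/cgi-bin"
  : > "$root/sbin/dlogd"
  : > "$root/usr/sbin/stratd"
  printf '#!/bin/sh\n/usr/sbin/dropbear\n/sbin/dlogd &\n' > "$root/etc/init.d/dropbear"
  printf '#!/bin/sh\nhwclock -s\n' > "$root/etc/init.d/hwclock.sh"
  printf '#!/bin/sh\nexit 0\n' > "$root/www/pages/cgi-bin/upgrade.cgi"
  printf '#!/bin/sh\nsh runme.sh\n' > "$root/www/pages/cgi-bin/upgrade_clear.cgi"
}
```

On the constructed sample the script reports four findings (both binaries, the dropbear init script, and upgrade.cgi) and stays silent on the untouched hwclock.sh and upgrade_clear.cgi.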