This Linux Malware Targets Unsecure Raspberry Pi Devices


Brief: Some Raspberry Pi devices are susceptible to a malware that enslaves the devices to mine cryptocurrency. If you are running a Raspberry Pi device with the default login credentials, you are at risk.

A Linux malware, Linux.MulDrop.14, that infects Raspberry Pi devices has been detected. The malware was spotted in mid-May 2017 and its aim is to mine cryptocurrency on Raspberry Pi devices, with the Raspberry Pi 2 being the most vulnerable.

According to Dr. Web, the Russian antivirus maker, the malware comes in the form of a Bash script which contains a mining program that is compressed with gzip and encoded with base64. After it is launched, the script shuts down many processes and installs the tools it needs for its operation, such as Zmap and sshpass.

Which Raspberry Pi devices are susceptible?

The malware targets Raspberry Pi devices with SSH ports open to external connections. It gains access to the device by using the default Raspberry Pi login “pi” and password “raspberry”.

The malware changes the user’s password and goes on to install the cryptocurrency mining programs. Afterward, it installs Zmap, the Internet-scanning tool, to scan the Internet for other vulnerable Raspberry Pi devices with an open SSH port and default login credentials.

Basically, it targets Raspberry Pi boards that still use the default login and password and have an open SSH port. Since the default user has admin (sudo) access and can install packages, the malware can use this foothold to install any type of program.
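The infection sequence described above (password login as the default user from the Internet, the password being changed, then scanner tooling being installed) is visible in a Raspbian /var/log/auth.log. The following is an added example, not code from Dr. Web or this article: a small Python checker that flags each stage over constructed sample log lines; it assumes the stock Debian syslog formats for sshd, pam_unix and sudo, and treats only RFC 1918 and loopback addresses as "local".

```python
import ipaddress
import re

# Constructed sample lines in Raspbian /var/log/auth.log format (not real captures).
SAMPLE_AUTH_LOG = """\
Jun  7 10:01:12 raspberrypi sshd[812]: Accepted password for pi from 198.51.100.23 port 51122 ssh2
Jun  7 10:01:20 raspberrypi passwd[830]: pam_unix(passwd:chauthtok): password changed for pi
Jun  7 10:01:35 raspberrypi sudo:       pi : TTY=unknown ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/apt-get install -y zmap sshpass
Jun  7 10:05:01 raspberrypi CRON[901]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  7 12:30:04 raspberrypi sshd[1502]: Accepted publickey for alice from 192.168.1.10 port 40022 ssh2
"""

DEFAULT_USER = "pi"                 # Raspbian's stock account
TOOLING = ("zmap", "sshpass")       # packages the malware installs, per Dr. Web
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")
CHAUTHTOK_RE = re.compile(r"pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) :.*COMMAND=(?P<cmd>.+)$")

LOGIN, CHANGED, TOOLS = ("default_user_password_login_from_internet",
                         "default_user_password_changed", "scanner_tooling_installed")


def from_lan(ip):
    """True for private/loopback addresses; anything else is treated as the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def analyze_auth_log(text):
    """Return (kind, line) findings, one per log line that matches an infection stage."""
    findings = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m["method"] == "password" and m["user"] == DEFAULT_USER and not from_lan(m["ip"]):
            findings.append((LOGIN, line))
            continue
        m = CHAUTHTOK_RE.search(line)
        if m and m["user"] == DEFAULT_USER:
            findings.append((CHANGED, line))
            continue
        m = SUDO_RE.search(line)
        if m and any(tool in m["cmd"].split() for tool in TOOLING):
            findings.append((TOOLS, line))
    return findings


def infection_pattern_present(findings):
    """True only when all three stages are present, which is what a defender should escalate."""
    return {LOGIN, CHANGED, TOOLS} <= {kind for kind, _ in findings}
```

Run it against a real auth.log by replacing SAMPLE_AUTH_LOG with the file contents; a single finding is worth a look, all three together mean the device should be taken offline and reflashed.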

How to protect your Raspberry Pi device from this malware attack

Older Raspberry Pi installations that have not been updated for a while could be more vulnerable to Linux.MulDrop.14 because they have the SSH port open by default.

There are two ways you can use to protect your device from this malware:

  • Update the operating system. By doing this, the SSH server is disabled. Raspbian disabled the SSH server by default in November 2016 in order to force users to change the default password.
  • Change the default password. The best way to stop the malware attack is by changing your default login and password, since it infects devices by using the Raspberry Pi default user and password. This secures a device that has not been attacked yet from the malware.

Linux.MulDrop.14 follows another Linux malware, Linux.ProxM, which was spotted in February 2017. That malware starts a SOCKS proxy server on infected devices. This lets the Trojan author use them to relay malicious traffic, disguising his location and real identity. Researchers say it had infected more than 10,000 systems before it was first spotted.

At risk?

As Abhishek said, “If you are using default login password, you can get a lot worse than being infected by this malware”. Lesson from this Linux.MulDrop.14 episode: never use the default login password.