Coin-mining malware jumps from Arm IoT gear to Intel servers

A coin-mining malware infection previously only seen on Arm-powered IoT devices has made the jump to Intel systems. Akamai senior security researcher Larry Cashdollar says one of his honeypot systems recently turned up what appears to be an IoT malware that targets Intel machines running Linux. "I suspect it’s probably a …

  1. Blackjack

    So..

    How long until all antivirus programs detect coin mining as malware?

    "Your computer/phone/plane/toaster has been detected to be mining a cryptocurrency; you might be infected with a malicious program."

    1. Pascal Monett Silver badge

      Re: So..

      IoT will have to be running anti-virus programs before they'll ask themselves the question.

      Given that IoT and the notion of security are currently light-years apart, it won't happen any time soon.

      1. doublelayer Silver badge

        Re: So..

        In many cases, it already does. If you ever try mining on Windows, you'll probably have to whitelist the directory where you put your miner. In fact, Windows Defender even treats the Monero binaries as malware, even though you can't use them to mine, only to transact. But there are fewer traditional antivirus products for Linux, and they're less common, so I don't know if they also treat mining as suspicious.

  2. Henry Wertz 1 Gold badge

    More processing power

    More processing power, that's for sure. They DO make pretty fast ARMs, but the NAS boxes, wireless access points, and so-called "iot" stuff will largely be using the low-powered sub-ghz models.

  3. EvaQ

    Larry Cashdollar

    Coin-mining and Larry Cashdollar ... nice!

  4. macjules Silver badge

    How Librarating ..

    "It seems that this attack was a matter of scumbags seeing an untapped market to expand their cryptocurrency mining operations into"

    That’s no way to refer to Facebook - they already have billions of unassuming minions to tap into.

  5. dnicholas Bronze badge

    Arrgh!

    Secure your ports, me hearties

  6. Anonymous Coward

    IoT malware targets Intel machines running Linux

    "Akamai senior security researcher Larry Cashdollar says one of his honeypot systems recently turned up what appears to be an IoT malware that targets Intel machines running Linux."

    How does this malware initially get onto the Intel Linux machines?

    "The honeypot allows logins using known default login credentials for root."

    No self-respecting Linux user would leave the system with the ‘default login credentials for root’, whatever that is supposed to mean, as on installation you are prompted for a unique root password. Besides, any self-respecting Linux user would disable SSHing into root.

    1. doublelayer Silver badge

      Re: IoT malware targets Intel machines running Linux

      It's stated that the access method is SSH, so some options include:

      1. SSHing with poor or default credentials to root because not all Linux users are, in your words, self-respecting.

      2. SSHing with poor or default credentials to something that isn't root, then elevating to root if the user has sudo privs.

      3. SSHing with poor or default credentials to something that isn't root, and therefore installing as a user process. It's not as effective, but it'll mine sometimes and that can't hurt the criminals because why should they care?

      I have a public-facing server with SSH enabled. Root can't log in, and anything that can log in has an undisclosed username* and either a seriously difficult password or keys only. Lots of automated login attempts occur, but not all of them are people fruitlessly trying to log in as root. Many are trying things like "admin", "system", "user", or the machine's domain name. The people trying this must be doing it because it sometimes works.

      *Undisclosed username: This is not a security measure; I know that security by obscurity doesn't work. What it does let me do is set up a monitor for the SSH logs that can inform me if someone is trying to log into an actual account, thus filtering noise from the pointless attempts. If someone does get a real username, I will know about it and I can figure out where that information came from and where this at least a bit more sophisticated attack is coming from. Unless that filter activates, I don't have to worry about the automatic SSH bots. And while we're on the subject, *checks logs*, nobody's guessed any real usernames since the server was set up two years ago.
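The SSH log monitor doublelayer describes above (and the root/default-credential question in the comment it replies to) in working form, as an added example that is not code from the commenters or from the article. It assumes OpenSSH's stock syslog phrasing for failed and accepted logins; the hostname, the account name opsadmin7 (standing in for the commenter's undisclosed login) and the IP addresses are made up, and the sample log lines are constructed for the example.

```python
"""Sort sshd authentication log lines into background noise versus attempts
against accounts that really exist, the way the comment above describes.

Added example (not the commenter's or the article's code). Assumes OpenSSH's
stock syslog phrasing; the hostname, account name and addresses are made up.
"""
import re
from collections import Counter

# Accounts that actually exist on the host. "opsadmin7" stands in for the
# commenter's undisclosed login name (hypothetical).
REAL_USERS = {"opsadmin7"}

# Constructed sample lines in the wording OpenSSH uses.
SAMPLE_LOG = """\
Jun 14 02:13:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 53412 ssh2
Jun 14 02:13:04 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 53412 ssh2
Jun 14 02:13:07 web1 sshd[2103]: Invalid user system from 198.51.100.9 port 40122
Jun 14 02:13:09 web1 sshd[2103]: Failed password for invalid user system from 198.51.100.9 port 40122 ssh2
Jun 14 02:14:00 web1 sshd[2110]: Failed password for invalid user web1.example.com from 198.51.100.9 port 40130 ssh2
Jun 14 02:15:22 web1 sshd[2120]: Failed password for opsadmin7 from 192.0.2.77 port 61002 ssh2
Jun 14 02:16:40 web1 sshd[2125]: Accepted publickey for opsadmin7 from 10.0.0.12 port 50022 ssh2: ED25519 SHA256:k3y
"""

# "invalid user" is sshd's marker for a name that does not exist locally.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def classify(line, real_users=REAL_USERS):
    """Return (category, user, ip) for an auth event, or None for other lines.

    The bare "Invalid user X from Y" line that precedes a failed attempt is
    deliberately ignored: the following "Failed ... for invalid user X" line
    carries the same attempt, so counting both would double it.
    """
    m = ACCEPTED_RE.search(line)
    if m:
        return ("accepted", m["user"], m["ip"])
    m = FAILED_RE.search(line)
    if not m:
        return None
    user, ip = m["user"], m["ip"]
    if user == "root":
        # Kept in its own bucket so root guesses can be compared against
        # whether root login is even permitted on this host.
        return ("root_guess", user, ip)
    if m["invalid"] or user not in real_users:
        # Nonexistent names, or existing system accounts (daemon, www-data)
        # nobody is meant to log in as: bot noise.
        return ("noise", user, ip)
    # A failure against a name that is a real login account: worth a look.
    return ("real_account_attempt", user, ip)


def summarize(log_text, real_users=REAL_USERS):
    """Tally events per category and collect the alerts a human should see:
    failed logins aimed at accounts that actually exist (root excluded)."""
    counts = Counter()
    alerts = []
    for line in log_text.splitlines():
        event = classify(line, real_users)
        if event is None:
            continue
        category, user, ip = event
        counts[category] += 1
        if category == "real_account_attempt":
            alerts.append((user, ip))
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_LOG)
    for category, n in sorted(counts.items()):
        print(f"{category:22s} {n}")
    for user, ip in alerts:
        print(f"ALERT: failed login for real account {user!r} from {ip}")
```

On the constructed sample the root guess, the three "invalid user" failures and the accepted key login are tallied silently, and only the failed password attempt against opsadmin7 comes out as an alert; that is the filter the comment describes: everything else is automated noise that needs no attention, while a hit on a real account name means the attacker learned something and deserves investigation.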

  7. joeldillon

    Technically '686' processors /are/ x86, not an 'and'. That's what the x is for, you see. Presumably the binaries are compiled to run on anything from a Pentium Pro on up, but won't necessarily work on your 386/486/OG Pentium that you are definitely using as a server in 2019.


Biting the hand that feeds IT © 1998–2019