On the whole, malware is seen as a problem for people using Windows machines, and incidents like the WannaCry outbreak last month seem to underscore it.
However, malware like Mirai, aimed at out-of-date Linux installations and the Internet of Things, has started to become a lot more common. IP cameras, for instance, have proven particularly vulnerable, although malware going after larger targets is probably a bit more of a cause for worry.
A lot of this malware makes use of trivial vulnerabilities—like default usernames and passwords—and a new worm, memorably named Linux.MulDrop.14, is now infecting Raspberry Pi devices and using them to mine cryptocurrency by doing just that.
The new worm takes advantage of users who have left the Raspberry Pi’s default account and password unchanged and then exposed the board, and an open SSH port, to the public Internet.
“Criminals started distributing Linux.MulDrop.14 in the second half of May. The Trojan is a script that contains a compressed and encrypted application designed to mine cryptocurrency. Linux.MulDrop.14 changes the password on the devices it infects, unpacks and launches a miner, and then, in an infinite loop, starts searching for network nodes with an open port 22. After establishing a connection with them via the SSH protocol, the Trojan attempts to run a copy of itself on them.”—Dr. Web
It was anticipation of exactly this sort of incident that led the Raspberry Pi Foundation to update their Raspbian distribution last November so that SSH was not started by default. However, despite the fix, it’s obviously still possible to enable SSH manually without changing the default password. There are also plenty of boards that aren’t running the new version of the operating system and might be vulnerable.
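For a board that does need SSH, a useful check is whether sshd will accept a password at all for the default account. The following is an added example, not code from Dr. Web or the Raspberry Pi Foundation: it reads sshd_config text and reports whether password login is open for an account. It assumes the default account is named pi, looks only at the PasswordAuthentication, AllowUsers and DenyUsers directives outside Match blocks, and uses constructed sample configs.

```python
import fnmatch

# Constructed sshd_config samples (not taken from a real device).
WEAK = "Port 22\n#PasswordAuthentication yes\nUsePAM yes\n"
# Hardening line appended at the end: ignored, because the earlier value wins.
APPENDED = "PasswordAuthentication yes\nUsePAM yes\nPasswordAuthentication no\n"
KEYS_ONLY = "PasswordAuthentication no\nPubkeyAuthentication yes\n"
DENIED = "PasswordAuthentication yes\nAllowUsers admin*\nDenyUsers pi\n"


def password_login(config_text, user="pi"):
    """Return (exposed, reason) for `user` from the global part of sshd_config."""
    first, allow, deny = {}, [], []
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment (a commented-out option sets nothing)
        key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            break  # Match blocks are conditional and are not evaluated here
        if key == "allowusers":
            allow += args  # user lists accumulate across lines
        elif key == "denyusers":
            deny += args
        else:
            first.setdefault(key, " ".join(args).lower())  # first value wins

    # USER@HOST deny patterns only apply to some clients, so they are ignored
    # here and the account is still treated as reachable.
    if any("@" not in p and fnmatch.fnmatchcase(user, p) for p in deny):
        return False, "account blocked by DenyUsers"
    if allow and not any(fnmatch.fnmatchcase(user, p.split("@")[0]) for p in allow):
        return False, "account not listed in AllowUsers"
    if first.get("passwordauthentication", "yes") == "no":  # sshd default is yes
        return False, "password authentication disabled"
    return True, "password login accepted for this account"


if __name__ == "__main__":
    for name in ("WEAK", "APPENDED", "KEYS_ONLY", "DENIED"):
        print(name, password_login(globals()[name]))
```

On a real board the text would come from /etc/ssh/sshd_config, and `sshd -T` prints the effective values as sshd itself computes them.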
Back in November the Foundation said that they were “not aware of Pis being used in botnets.” With the arrival of the new worm, that’s all changed, although that isn’t to say that the new worm will be particularly effective.
The Mirai worm also—at least temporarily—added a Bitcoin mining component, but it was removed after just a week as it wasn’t particularly effective.
Since a quick search on Shodan shows that there are only around 50,000 Raspberry Pi boards visible on the public Internet, even if all of them were vulnerable—which is hardly guaranteed—that’s far less than the 2.5 million cameras and other devices infected by Mirai. So while it may be cold comfort to anyone that does get infected, it is sort of reassuring to know that whoever is behind this really isn’t going to be making any money.
[h/t: Bleeping Computer]