August 21, 2017
Miner Trojans appear regularly, and Doctor Web’s virus analysts have noted a curious trend: their creators are now targeting the Linux platform. Smart devices running on Linux have lately become very popular, and their owners often leave the default settings unchanged, most notably the administrator login and password. This is why hacking into such devices is not a major problem for cybercriminals.
Linux.BtcMine.26 is yet another Miner Trojan for Linux devices. Its distribution scheme is similar to the infection mechanism of Linux.Mirai: cybercriminals connect to an attacked device over the Telnet protocol after guessing the login and password, and then save the loader program on the device. Then, using a console command, they launch the loader from the terminal, and Linux.BtcMine.26 is downloaded to the device.
An analysis of the miner loader has revealed a peculiar feature of this app: in its source code, krebsonsecurity.com is mentioned several times. This website is owned by the well-known cybersecurity expert Brian Krebs. Apparently, the author of the Trojan is his secret admirer.
The Trojan is designed to mine Monero (XMR), a cryptocurrency created in 2014. Currently Linux.BtcMine.26 builds are known to exist for the x86-64 and ARM hardware architectures. The following characteristic signs can reveal that a miner is present: a decrease in device speed and an increase in heat emission during device operation. The most reliable way to prevent devices from getting infected by such Trojans is to promptly change the default login and password. Complex passwords that cannot be compromised by a dictionary search are recommended. It is also recommended to restrict remote changes to a device’s settings when external connections are made to it.
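The two symptoms named above (a device that slows down and runs hot) and the Telnet entry point described earlier can both be checked from a shell on the device. The script below is an added example for this article, not code from Doctor Web or from the Trojan analysis: it flags processes that have consumed a high share of CPU for a long time and reports whether anything is listening on TCP port 23. The thresholds, the sample `ps` and `ss` lines, and the process name `mine-proc` are constructed assumptions, not indicators published for Linux.BtcMine.26.

```shell
#!/bin/sh
# Added triage check for a Linux device (example code, not from the article).
# Flags long-running processes with sustained high CPU use, the behaviour that
# produces the "slow and hot" symptom of a miner, and warns if a Telnet
# listener is open, since default-credential Telnet logins were the entry point.

CPU_THRESHOLD=95      # percent of one core as reported by ps pcpu (assumption)
MIN_ELAPSED=600       # seconds a process must have been running (assumption)

# flag_hot_processes reads lines in the format of
#   ps -eo pid,pcpu,etimes,comm --no-headers
# from stdin and prints "PID COMMAND" for each process that has been running
# for at least MIN_ELAPSED seconds at or above CPU_THRESHOLD percent CPU.
# A short CPU burst (e.g. a compression job) is deliberately not flagged.
flag_hot_processes() {
    awk -v cpu="$CPU_THRESHOLD" -v secs="$MIN_ELAPSED" '
        NF >= 4 && ($2 + 0) >= cpu && ($3 + 0) >= secs { print $1, $4 }
    '
}

# telnet_listening reads `ss -ltn` or `netstat -ltn` output from stdin. In both
# formats the fourth column is the local address:port; any entry ending in :23
# means a Telnet service is reachable. Prints "yes" or "no".
telnet_listening() {
    awk '$4 ~ /:23$/ { found = 1 } END { print (found ? "yes" : "no") }'
}

# Constructed sample data standing in for real command output on a device.
SAMPLE_PS='  412  0.3  86400 sshd
 1337 98.7   7200 mine-proc
 2001 97.0     30 tar
 2100  1.2  50000 busybox'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Stand-alone demo on the constructed samples. On a real device run instead:
#   ps -eo pid,pcpu,etimes,comm --no-headers | flag_hot_processes
#   ss -ltn | telnet_listening
printf '%s\n' "$SAMPLE_PS" | flag_hot_processes
printf 'telnet listening: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | telnet_listening)"
```

On the sample data only PID 1337 is reported (the `tar` job is busy but has run for just 30 seconds), and the Telnet check answers `yes` because of the `0.0.0.0:23` listener. Note that the BusyBox `ps` found on many embedded devices may not support the `-o etimes` column; on such devices the elapsed-time field has to come from another source such as `/proc/<pid>/stat` before the same filter applies.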
The Linux.BtcMine.26 signature has been added to the Dr.Web for Linux anti-virus database so this Trojan does not pose a threat to our users.