Linux Malware Evolves to Mine Cryptocurrencies

Cryptocurrency mining malware has previously targeted Windows PCs. Now Linux owners are getting a taste of malware misery too.

Mar 24, 2014 at 2:22 p.m. UTC
Updated Sep 3, 2021 at 11:02 a.m. UTC


While cryptocurrency mining malware has generally been targeted at PCs running the Windows OS, owners of Linux-based machines are now experiencing a taste of malware misery too.

Computer security company Symantec has identified a new version of an old worm that has been going after Linux-based routers and set-top boxes for some time.

    The Darlloz worm, as it is called, has evolved to attack Linux desktops and to press them into service as unwilling cryptocurrency miners, IDG News Service reports.

    Darlloz is a rather unusual piece of malware, as it was originally developed to wreak havoc on embedded device architectures – computer systems within mechanical devices, such as printers.

    In its latest incarnation, however, the coin-mining worm seeks out Intel-based computers running Linux, installs the 'cpuminer' program and sets the PC to mining for either dogecoins or mincoins.

    Attractive altcoins

    Since bitcoin can no longer be effectively mined by personal computers, the developers of the Darlloz worm sensibly opted for scrypt mining instead. Scrypt is the 'proof of work' algorithm used by many altcoins, such as litecoin and dogecoin, whereas bitcoin uses SHA-256.

    Symantec researcher Kaoru Hayashi said scrypt-based altcoins can still be successfully mined on standard PCs, hence malicious developers now find them a more attractive proposition than bitcoin.

    Fortunately, the worm appears to be propagating slowly and it is not doing much damage. Hayashi cited one attacker who used Darlloz to mine 42,438 dogecoins and 282 mincoins, with a combined value of less than $200.

    However, Hayashi cautioned that the situation could get worse:

    "These amounts are relatively low for the average cybercrime activity, so we expect the attacker to continue to evolve their threat for increased monetization."

    Internet of Things

    Staying true to its roots, Darlloz is still targeting plenty of devices that cannot be used for mining. Symantec identified over 30,000 devices infected with the worm last month, with half of the infections being in the US, China, India, South Korea and Taiwan.

    More than a third of all infections had nothing to do with PCs, Symantec said, as they involved Internet of Things (IoT) gear, including printers, routers, set-top boxes and IP cameras.

    These devices tend to be vulnerable to attack as they are not patched as regularly as PCs. Hayashi said that updating firmware and changing default passwords can go a long way towards protecting such devices. Blocking connections to port 23 and port 80 helps too.
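An added example (not from the article or from Symantec) of auditing a Linux host for the two ports named above: it reads `ss -tln` output and lists telnet (23) and HTTP (80) listeners bound to non-loopback addresses, which are the ones worth reviewing or firewalling. The function names and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag telnet (23) and HTTP (80) listeners reachable from the network.
# Input: `ss -tln` output on stdin. Output: one "port address" line per exposed listener.
exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        laddr = $4                           # local "address:port" column
        n = split(laddr, parts, ":")
        port = parts[n]                      # port is whatever follows the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (port != "23" && port != "80") next
        # Loopback-only listeners cannot be reached by a worm scanning the network.
        if (addr ~ /^127\./ || addr == "[::1]") next
        print port, addr
    }'
}

# Constructed sample in the shape of `ss -tln` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:80       0.0.0.0:*
LISTEN 0      128    [::]:80            [::]:*
LISTEN 0      4096   *:23               *:*
LISTEN 0      128    [::1]:23           [::]:*
LISTEN 0      128    192.0.2.10:8080    0.0.0.0:*
EOF
}

# Run against the sample; on a live host use: ss -tln | exposed_listeners
sample_ss_output | exposed_listeners
```

Loopback-bound services on 127.0.0.1 and [::1] are skipped, so only the wildcard IPv6 web listener and the wildcard telnet listener are reported for the sample.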

    Other dangers

    Although this is a curious case of mining malware for Linux, it should be pointed out that the vast majority of cryptocurrency-related malware is designed to target Microsoft Windows.

    Dell SecureWorks recently published a report on cryptocurrency-stealing malware (CCSM), which found 147 strains of CCSM in the wild. Less than 1% of all cryptocurrency malware, however, is designed to attack Mac OS X or Linux.

    Another danger for owners of cryptocurrency is ransomware that demands bitcoin for payment. The latter also comes in a hybrid form, which blackmails the user into paying a bitcoin ransom, while at the same time mining for bitcoins.

    The heyday of bitcoin-mining malware has long gone, but coin-stealing malware and bitcoin ransomware are on the rise.

    Disclosure


    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.

