How to Save your ASICs: breaking virus update

Not long ago we informed the community about the virus that affects Antminer S17 units running unsigned firmware. The number of cases is growing. Despite the fact that unsigned firmware can lead to ASIC infection, developers keep building such firmware and thereby put their users at risk. Is the reason a lack of technical programming skill, or is it done on purpose? The question is rhetorical, and for now it remains open.

To help users prevent infection and save their farms and money, we carefully tracked all the “symptoms”.

Here is what we found:

  • The virus is dangerous not only to the S17. It supports the entire Antminer 17 and 15 lineup and other Xilinx-based models. Earlier, this virus was also found on the S9, T9, L3 and similar models.
  • ASICs running firmware with no signature check and no tar vulnerability check, and with a default or simple password, get infected.
  • ASICs with SSH open and a default or simple password are vulnerable as well.
  • A single infected ASIC can infect all the ASICs in the network.

We have found out how to protect your ASICs. But first, we recommend learning more about the symptoms and the possible ways of infection.

Virus for the Antminer models: detailed description

The analysis was carried out on an uninfected ASIC running the stock firmware dated August 20, 2019. An infected ASIC was installed next to it on the same network. As a result, the uninfected ASIC became infected.

The virus is rather old: earlier it affected the S9/T9/L3 and similar models. It identifies the model and infects the device accordingly. The virus has since been updated, so now it also “supports” the Antminer 15 and 17 series.

Wallets and pools the virus uses for mining

stratum+tcp://scrypt.hk.nicehash.com:3333#xnsub
3BjMWfED7RJvtBPPikJpweDT6A9xRW952x
stratum+tcp://scrypt.jp.nicehash.com:3333#xnsub
3BjMWfED7RJvtBPPikJpweDT6A9xRW952x
Stratumtcp.com:8888
Stcp
Stratumtcp.com:3333
strtcp

How the virus infects an ASIC

From an infected ASIC, the virus “knocks” on every Antminer model in the network via SSH and via the ASIC web interface, using the tar vulnerability or the absence of signature verification.

When an HTTP interface is detected, the virus exploits the tar vulnerability in the firmware flashing process. If there is no signature protection, it simply gets in through the ASIC firmware update script.

The list of ASICs with this vulnerability:

  • All Antminers with official Bitmain firmware released before December 1, 2019, with a default or simple password on the web interface.
  • All Antminers with unofficial firmware that has neither certificate signature protection nor a tar vulnerability check, with a default or simple password on the web interface.
  • All Antminers with SSH open and a default or simple password.

After getting to the ASIC, the virus does the following:

  • Replaces the web-cgi firmware scripts and the config download script, as well as the scripts for resetting the settings and editing configs.
  • Turns SSH on and changes the SSH password.
  • On the 17 series, it replaces the bootloader with one in which booting from the SD card for recovery is disabled. It also blocks entering commands in u-boot for recovery via UART.
  • On old Antminers it patches the bootloader and disables booting from SD.
  • Adds itself to autostart in several places.
  • Replaces system binaries and scripts.
  • “Listens” for the password the user enters in the web interface during login, saves it on the ASIC and sends it to the server. The password interception puts all ASICs in the network at risk, because more than 90% of users use the same password for all devices.
  • It also constantly checks the server for updates and other content.
  • Changes the wallet not only in the config, but also patches cgminer or bmminer if possible. On old Antminer models, it patches binaries or configs.
  • After patching or replacing partitions, it deletes the binaries needed for re-flashing:

mv /usr/sbin/mtd_debug /usr/sbin/mfd;
mv /usr/sbin/nandwrite /usr/sbin/nfd;
mv /usr/sbin/flash_erase /usr/sbin/fla;
rm -rf /usr/sbin/flash* /usr/sbin/nand* /usr/sbin/mtd*
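The symptoms listed above can be checked for directly on a miner. The script below is an added example and is not code from the original post, from Hiveon or from Bitmain: it looks for the renamed flash tools (mfd, nfd, fla), for the stock flash utilities the virus removes, and for the pool hosts and wallet address listed earlier in the miner config. The root directory and the config path are parameters so the same checks can be run against an unpacked filesystem image or a test tree; the default config path /config/cgminer.conf is an assumption.

```shell
#!/bin/sh
# check_asic_indicators.sh: looks for the symptoms described above on an
# Antminer or in an unpacked filesystem image. Added example, not code from
# the original post or from Hiveon/Bitmain. ROOT is "/" on a live miner; any
# other directory can be passed to scan an image or a test tree.

# Stock flashing utilities that the virus deletes.
# Returns 0 if all are present, 1 if any is missing.
check_flash_tools_present() {
  root="${1:-/}"
  missing=0
  for f in usr/sbin/mtd_debug usr/sbin/nandwrite usr/sbin/flash_erase; do
    if [ ! -e "$root/$f" ]; then
      echo "INDICATOR: stock flash tool missing: /$f"
      missing=1
    fi
  done
  return $missing
}

# Names the virus gives the tools before deleting the originals
# (mv ... /usr/sbin/mfd, nfd, fla). Returns 0 if none is present, 1 if any is.
check_renamed_flash_tools() {
  root="${1:-/}"
  found=0
  for f in usr/sbin/mfd usr/sbin/nfd usr/sbin/fla; do
    if [ -e "$root/$f" ]; then
      echo "INDICATOR: renamed flash tool present: /$f"
      found=1
    fi
  done
  return $found
}

# Pool hosts and wallet address listed above. Returns 0 if the config
# contains none of them, 1 if any is found, 2 if the file is unreadable.
check_pool_config() {
  cfg="$1"
  [ -r "$cfg" ] || { echo "config not readable: $cfg"; return 2; }
  hit=0
  for ioc in 3BjMWfED7RJvtBPPikJpweDT6A9xRW952x stratumtcp.com \
             scrypt.hk.nicehash.com scrypt.jp.nicehash.com; do
    if grep -qiF -- "$ioc" "$cfg"; then
      echo "INDICATOR: known pool/wallet '$ioc' in $cfg"
      hit=1
    fi
  done
  return $hit
}

# Runs every check against a root directory and a miner config path.
# Returns 0 only if all checks are clean. The config default is assumed.
scan_asic() {
  root="${1:-/}"
  cfg="${2:-$root/config/cgminer.conf}"
  status=0
  check_flash_tools_present "$root" || status=1
  check_renamed_flash_tools "$root" || status=1
  check_pool_config "$cfg" || status=1
  [ "$status" -eq 0 ] && echo "no indicators found under $root"
  return $status
}

# Usage on a miner: sh check_asic_indicators.sh --scan / /config/cgminer.conf
if [ "${1:-}" = "--scan" ]; then
  scan_asic "${2:-/}" "${3:-}"
fi
```

A non-zero exit from scan_asic means at least one indicator was found; the device should then be treated as compromised and reflashed from a trusted image rather than cleaned in place, since the post notes the bootloader may have been replaced as well.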

The virus spreads as a single binary. Inside it there is a bootloader in base64, exploit archives and all the scripts. The virus does not download additional parts from the Internet, so once an infected ASIC gets into the network it infects the others regardless of the firewall on the router. There have also been viruses that simply ran commands on ASICs to download additional parts, and in their case the firewall “helped”.

An example of a tar archive used for flashing via the web interface:

There are also several more encrypted binaries that are still being analysed.

How to protect ASIC

To protect your ASICs from infection, install the new Bitmain firmware (released after December 1, 2019) or Hiveon ASIC firmware powered by MSKMINER, which is signed and has no vulnerabilities in the update process.

Hiveon ASIC firmware provides 99.9999% virus protection. The control system monitors your devices and reports problems on the dashboard.

When installed on an infected control board, the digital signature allows the virus’s operation to be blocked, depending on the level of infection (sometimes the virus cannot be removed without replacing the control board).
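The two gates a signed update path puts in front of the flash, shown as an added example that is not Bitmain’s or Hiveon’s code: the archive’s detached signature is verified against the vendor public key first, then the archive members are inspected, and only then is anything unpacked. The post does not say which tar flaw the virus uses, so the member check is a generic guard against absolute paths, “..” components and link members, an assumption about what such a flaw typically needs. The example assumes GNU tar and openssl on the host, an RSA public key in PEM form, and a SHA-256 signature file shipped alongside the archive.

```shell
#!/bin/sh
# update_gate.sh: what a signed-update path checks before an archive touches
# flash. Added example, not Bitmain's or Hiveon's code. Assumes GNU tar and
# openssl, a vendor RSA public key (PEM) and a detached SHA-256 signature.
# The member check is a generic path-traversal/link guard (assumption: the
# post does not describe the tar flaw itself).

# Returns 0 only if SIG is a valid signature over ARCHIVE under PUBKEY.
# Any change to the archive after signing makes this fail.
verify_archive_signature() {
  pubkey="$1"; archive="$2"; sig="$3"
  openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$archive" >/dev/null 2>&1
}

# Returns 0 if every member is a plain relative path; 1 if any member has an
# absolute path, a ".." component, or is a symbolic/hard link.
check_archive_members() {
  archive="$1"
  names=$(tar -tf "$archive" 2>/dev/null) || { echo "REJECT: not a readable tar"; return 1; }
  if printf '%s\n' "$names" | grep -Eq '^/|^\.\.(/|$)|/\.\.(/|$)'; then
    echo "REJECT: member path escapes the staging directory"
    return 1
  fi
  # GNU tar -tvf prints the type as the first character: l = symlink, h = hard link.
  if tar -tvf "$archive" 2>/dev/null | grep -Eq '^[lh]'; then
    echo "REJECT: link member in archive"
    return 1
  fi
  return 0
}

# Full gate: signature first, then member check, then extraction into STAGE.
# Nothing is unpacked unless both checks pass.
install_update() {
  pubkey="$1"; archive="$2"; sig="$3"; stage="$4"
  verify_archive_signature "$pubkey" "$archive" "$sig" || { echo "REJECT: bad signature"; return 1; }
  check_archive_members "$archive" || return 1
  mkdir -p "$stage" && tar -xf "$archive" -C "$stage"
}

# Usage: sh update_gate.sh --install vendor_pub.pem update.tar update.tar.sig /tmp/stage
if [ "${1:-}" = "--install" ]; then
  install_update "$2" "$3" "$4" "$5"
fi
```

The order matters: the signature is checked before the archive is even listed, so a tampered or unsigned archive never reaches the tar parser, and the member check protects against a signed-but-malformed archive ever writing outside the staging directory.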

Always change the default device password to a strong one. This is important.

The password for the network device and the password for the ASIC must be different.

To avoid the risk of infection and the time and money spent on recovery, it is essential to protect your devices in advance.

Keep your farms safe, and happy mining!

30.04.2020